diff options
Diffstat (limited to 'src/whack/whack.h')
| -rw-r--r-- | src/whack/whack.h | 318 |
1 files changed, 318 insertions, 0 deletions
diff --git a/src/whack/whack.h b/src/whack/whack.h new file mode 100644 index 000000000..49ef67995 --- /dev/null +++ b/src/whack/whack.h @@ -0,0 +1,318 @@ +/* Structure of messages from whack to Pluto proper. + * Copyright (C) 1998-2001 D. Hugh Redelmeier. + * + * This program is free software; you can redistribute it and/or modify it + * under the terms of the GNU General Public License as published by the + * Free Software Foundation; either version 2 of the License, or (at your + * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. + * + * This program is distributed in the hope that it will be useful, but + * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY + * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License + * for more details. + * + * RCSID $Id: whack.h,v 1.16 2006/04/17 10:39:14 as Exp $ + */ + +#ifndef _WHACK_H +#define _WHACK_H + +#include <freeswan.h> + +#include <smartcard.h> + +/* Since the message remains on one host, native representation is used. + * Think of this as horizontal microcode: all selected operations are + * to be done (in the order declared here). + * + * MAGIC is used to help detect version mismatches between whack and Pluto. + * Whenever the interface (i.e. this struct) changes in form or + * meaning, change this value (probably by changing the last number). + * + * If the command only requires basic actions (status or shutdown), + * it is likely that the relevant part of the message changes less frequently. + * Whack uses WHACK_BASIC_MAGIC in those cases. + * + * NOTE: no value of WHACK_BASIC_MAGIC may equal any value of WHACK_MAGIC. + * Otherwise certain version mismatches will not be detected. + */ + +#define WHACK_BASIC_MAGIC (((((('w' << 8) + 'h') << 8) + 'k') << 8) + 24) +#define WHACK_MAGIC (((((('w' << 8) + 'h') << 8) + 'k') << 8) + 26) + +typedef struct whack_end whack_end_t; + +/* struct whack_end is a lot like connection.h's struct end + * It differs because it is going to be shipped down a socket + * and because whack is a separate program from pluto. + */ +struct whack_end { + char *id; /* id string (if any) -- decoded by pluto */ + char *cert; /* path string (if any) -- loaded by pluto */ + char *ca; /* distinguished name string (if any) -- parsed by pluto */ + char *groups; /* access control groups (if any) -- parsed by pluto */ + ip_address + host_addr, + host_nexthop, + host_srcip; + ip_subnet client; + + bool key_from_DNS_on_demand; + bool has_client; + bool has_client_wildcard; + bool has_port_wildcard; + bool has_srcip; + bool has_natip; + bool modecfg; + bool hostaccess; + certpolicy_t sendcert; + char *updown; /* string */ + u_int16_t host_port; /* host order */ + u_int16_t port; /* host order */ + u_int8_t protocol; + char *virt; + }; + +typedef struct whack_message whack_message_t; + +struct whack_message { + unsigned int magic; + + /* for WHACK_STATUS: */ + bool whack_status; + bool whack_statusall; + + + /* for WHACK_SHUTDOWN */ + bool whack_shutdown; + + /* END OF BASIC COMMANDS + * If you change anything earlier in this struct, update WHACK_BASIC_MAGIC. + */ + + /* name is used in connection, ca and initiate */ + size_t name_len; /* string 1 */ + char *name; + + /* for WHACK_OPTIONS: */ + + bool whack_options; + + lset_t debugging; /* only used #ifdef DEBUG, but don't want layout to change */ + + /* for WHACK_CONNECTION */ + + bool whack_connection; + bool whack_async; + bool ikev1; + + lset_t policy; + time_t sa_ike_life_seconds; + time_t sa_ipsec_life_seconds; + time_t sa_rekey_margin; + unsigned long sa_rekey_fuzz; + unsigned long sa_keying_tries; + + /* For DPD 3706 - Dead Peer Detection */ + time_t dpd_delay; + time_t dpd_timeout; + dpd_action_t dpd_action; + + /* note that each end contains string 2/5.id, string 3/6 cert, + * and string 4/7 updown + */ + whack_end_t left; + whack_end_t right; + + /* note: if the client is the gateway, the following must be equal */ + sa_family_t addr_family; /* between gateways */ + sa_family_t tunnel_addr_family; /* between clients */ + + char *ike; /* ike algo string (separated by commas) */ + char *pfsgroup; /* pfsgroup will be "encapsulated" in esp string for pluto */ + char *esp; /* esp algo string (separated by commas) */ + + /* for WHACK_KEY: */ + bool whack_key; + bool whack_addkey; + char *keyid; /* string 8 */ + enum pubkey_alg pubkey_alg; + chunk_t keyval; /* chunk */ + + /* for WHACK_MYID: */ + bool whack_myid; + char *myid; /* string 7 */ + + /* for WHACK_ROUTE: */ + bool whack_route; + + /* for WHACK_UNROUTE: */ + bool whack_unroute; + + /* for WHACK_INITIATE: */ + bool whack_initiate; + + /* for WHACK_OPINITIATE */ + bool whack_oppo_initiate; + ip_address oppo_my_client, oppo_peer_client; + + /* for WHACK_TERMINATE: */ + bool whack_terminate; + + /* for WHACK_DELETE: */ + bool whack_delete; + + /* for WHACK_DELETESTATE: */ + bool whack_deletestate; + so_serial_t whack_deletestateno; + + /* for WHACK_LISTEN: */ + bool whack_listen, whack_unlisten; + + /* for WHACK_CRASH - note if a remote peer is known to have rebooted */ + bool whack_crash; + ip_address whack_crash_peer; + + /* for WHACK_LIST */ + bool whack_utc; + lset_t whack_list; + + /* for WHACK_PURGEOCSP */ + bool whack_purgeocsp; + + /* for WHACK_REREAD */ + u_char whack_reread; + + /* for WHACK_CA */ + bool whack_ca; + bool whack_strict; + + char *cacert; + char *ldaphost; + char *ldapbase; + char *crluri; + char *crluri2; + char *ocspuri; + + /* for WHACK_SC_OP */ + sc_op_t whack_sc_op; + int inbase, outbase; + char *sc_data; + + /* space for strings (hope there is enough room): + * Note that pointers don't travel on wire. + * 1 connection name [name_len] + * 2 left's name [left.host.name.len] + * 3 left's cert + * 4 left's ca + * 5 left's groups + * 6 left's updown + * 7 right's name [left.host.name.len] + * 8 right's cert + * 9 right's ca + * 10 right's groups + * 11 right's updown + * 12 keyid + * 13 myid + * 14 cacert + * 15 ldaphost + * 16 ldapbase + * 17 crluri + * 18 crluri2 + * 19 ocspuri + * 20 ike + " 21 esp + * 22 rsa_data + * plus keyval (limit: 8K bits + overhead), a chunk. + */ + size_t str_size; + char string[2048]; +}; + +/* Codes for status messages returned to whack. + * These are 3 digit decimal numerals. The structure + * is inspired by section 4.2 of RFC959 (FTP). + * Since these will end up as the exit status of whack, they + * must be less than 256. + * NOTE: ipsec_auto(8) knows about some of these numbers -- change carefully. + */ +enum rc_type { + RC_COMMENT, /* non-commital utterance (does not affect exit status) */ + RC_WHACK_PROBLEM, /* whack-detected problem */ + RC_LOG, /* message aimed at log (does not affect exit status) */ + RC_LOG_SERIOUS, /* serious message aimed at log (does not affect exit status) */ + RC_SUCCESS, /* success (exit status 0) */ + + /* failure, but not definitive */ + + RC_RETRANSMISSION = 10, + + /* improper request */ + + RC_DUPNAME = 20, /* attempt to reuse a connection name */ + RC_UNKNOWN_NAME, /* connection name unknown or state number */ + RC_ORIENT, /* cannot orient connection: neither end is us */ + RC_CLASH, /* clash between two Road Warrior connections OVERLOADED */ + RC_DEAF, /* need --listen before --initiate */ + RC_ROUTE, /* cannot route */ + RC_RTBUSY, /* cannot unroute: route busy */ + RC_BADID, /* malformed --id */ + RC_NOKEY, /* no key found through DNS */ + RC_NOPEERIP, /* cannot initiate when peer IP is unknown */ + RC_INITSHUNT, /* cannot initiate a shunt-oly connection */ + RC_WILDCARD, /* cannot initiate when ID has wildcards */ + RC_NOVALIDPIN, /* cannot initiate without valid PIN */ + + /* permanent failure */ + + RC_BADWHACKMESSAGE = 30, + RC_NORETRANSMISSION, + RC_INTERNALERR, + RC_OPPOFAILURE, /* Opportunism failed */ + + /* entry of secrets */ + RC_ENTERSECRET = 40, + + /* progress: start of range for successful state transition. + * Actual value is RC_NEW_STATE plus the new state code. + */ + RC_NEW_STATE = 100, + + /* start of range for notification. + * Actual value is RC_NOTIFICATION plus code for notification + * that should be generated by this Pluto. + */ + RC_NOTIFICATION = 200 /* as per IKE notification messages */ +}; + +/* options of whack --list*** command */ + +#define LIST_NONE 0x0000 /* don't list anything */ +#define LIST_ALGS 0x0001 /* list all registered IKE algorithms */ +#define LIST_PUBKEYS 0x0002 /* list all public keys */ +#define LIST_CERTS 0x0004 /* list all host/user certs */ +#define LIST_CACERTS 0x0008 /* list all ca certs */ +#define LIST_ACERTS 0x0010 /* list all attribute certs */ +#define LIST_AACERTS 0x0020 /* list all aa certs */ +#define LIST_OCSPCERTS 0x0040 /* list all ocsp certs */ +#define LIST_GROUPS 0x0080 /* list all access control groups */ +#define LIST_CAINFOS 0x0100 /* list all ca information records */ +#define LIST_CRLS 0x0200 /* list all crls */ +#define LIST_OCSP 0x0400 /* list all ocsp cache entries */ +#define LIST_CARDS 0x0800 /* list all smartcard records */ + +#define LIST_ALL LRANGES(LIST_ALGS, LIST_CARDS) /* all list options */ + +/* options of whack --reread*** command */ + +#define REREAD_NONE 0x00 /* don't reread anything */ +#define REREAD_SECRETS 0x01 /* reread /etc/ipsec.secrets */ +#define REREAD_CACERTS 0x02 /* reread certs in /etc/ipsec.d/cacerts */ +#define REREAD_AACERTS 0x04 /* reread certs in /etc/ipsec.d/aacerts */ +#define REREAD_OCSPCERTS 0x08 /* reread certs in /etc/ipsec.d/ocspcerts */ +#define REREAD_ACERTS 0x10 /* reread certs in /etc/ipsec.d/acerts */ +#define REREAD_CRLS 0x20 /* reread crls in /etc/ipsec.d/crls */ + +#define REREAD_ALL LRANGES(REREAD_SECRETS, REREAD_CRLS) /* all reread options */ + +#endif /* _WHACK_H */ |