#ifndef _IPSEC_POLICY_H
/*
* policy interface file between pluto and applications
* Copyright (C) 2003 Michael Richardson <mcr@freeswan.org>
*
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
*
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
*
* RCSID $Id: ipsec_policy.h 3839 2008-04-18 11:25:37Z andreas $
*/
#define _IPSEC_POLICY_H /* seen it, no need to see it again */
/*
* this file defines an interface between an application (or rather an
* application library) and a key/policy daemon. It provides for inquiries
* as to the current state of a connected socket, as well as for general
* questions.
*
* In general, the interface is defined as a series of functional interfaces,
* and the policy messages should be internal. However, because this is in
* fact an ABI between pieces of the system that may get compiled and revised
separately, this ABI must be public and revision controlled (both ends must
agree on IPSEC_POLICY_MSG_REVISION and on the exact layout of every struct).
*
* It is expected that the daemon will always support previous versions.
*/
/*
 * Revision of the message layout declared in this header.  Every message
 * carries it in ipm_version so that a client and a daemon built from
 * different revisions can detect the mismatch instead of misparsing each
 * other; a receiver should reject a version it does not know.  (The number
 * looks like a YYYYMMDD date plus a sequence digit -- presumably.)
 */
#define IPSEC_POLICY_MSG_REVISION 200305061u
/*
 * Request types carried in ipm_msg_type.  Judging by the names, a query can
 * be keyed on a connected socket descriptor, on a local/remote host pair,
 * or on the destination alone -- confirm against the daemon.  Zero is not
 * a valid command, so a zero-filled head is rejected rather than acted on.
 */
enum ipsec_policy_command {
	IPSEC_CMD_QUERY_FD       = 1,  /* query by connected socket */
	IPSEC_CMD_QUERY_HOSTPAIR = 2,  /* query by local/remote address pair */
	IPSEC_CMD_QUERY_DSTONLY  = 3   /* query by destination address only */
};
/*
 * Common head of every policy message, in either direction.
 *
 * All four fields are 32-bit unsigned (u_int32_t is the BSD spelling of
 * uint32_t).  Byte order is not specified here; the transport is a local
 * socket (see IPSEC_POLICY_SOCKET), so host order is presumably used --
 * confirm against the daemon.
 *
 * Security note for consumers: ipm_version and ipm_msg_len arrive from the
 * peer and must be validated before anything past the head is touched --
 * reject an unknown ipm_version, and require
 *   sizeof(struct ipsec_policy_msg_head) <= ipm_msg_len <= bytes actually read
 * (and ipm_msg_len equal to the size of the struct implied by ipm_msg_type)
 * before indexing into the body.
 */
struct ipsec_policy_msg_head {
	u_int32_t ipm_version;   /* sender's IPSEC_POLICY_MSG_REVISION */
	u_int32_t ipm_msg_len;   /* length in bytes; presumably head + body */
	u_int32_t ipm_msg_type;  /* presumably an enum ipsec_policy_command */
	u_int32_t ipm_msg_seq;   /* sequence number; presumably echoed in replies */
};
/*
 * Coarse rating of the confidentiality a policy provides.  Higher is
 * stronger, and the values are spaced out -- presumably so callers can
 * compare them with < and > and so intermediate grades can be added
 * without renumbering.  The labels are deliberately blunt: anything at
 * or below IPSEC_PRIVACY_GAK should be treated as "not private".
 */
enum ipsec_privacy_quality {
	IPSEC_PRIVACY_NONE     = 0,
	IPSEC_PRIVACY_INTEGRAL = 4,    /* integrity only, no confidentiality (AH-like) */
	IPSEC_PRIVACY_UNKNOWN  = 8,    /* something is claimed, details unavailable */
	IPSEC_PRIVACY_ROT13    = 12,   /* trivially breakable, e.g. single DES */
	IPSEC_PRIVACY_GAK      = 16,   /* known eavesdroppers */
	IPSEC_PRIVACY_PRIVATE  = 32,   /* expected to hold for at least a decade */
	IPSEC_PRIVACY_STRONG   = 64,   /* far beyond that */
	IPSEC_PRIVACY_TORTOISE = 192,  /* stronger still, but very slow */
	IPSEC_PRIVACY_OTP      = 224   /* some kind of genuine one-time pad */
};
/*
 * Coarse rating of the throughput/latency a policy's crypto can sustain.
 * Higher means more bandwidth, not necessarily lower latency (see FTP).
 */
enum ipsec_bandwidth_quality {
	IPSEC_QOS_UNKNOWN     = 0,    /* bandwidth unknown */
	IPSEC_QOS_INTERACTIVE = 16,   /* moderate jitter, moderately fast;
	                               * good enough for telnet/ssh */
	IPSEC_QOS_VOIP        = 32,   /* faster crypto, predictable jitter */
	IPSEC_QOS_FTP         = 64,   /* high-throughput crypto, perhaps hardware
	                               * offloaded; latency/jitter may be bad */
	IPSEC_QOS_WIRESPEED   = 128   /* expect to be able to fill the pipe */
};
/* moved from programs/pluto/constants.h */

/*
 * IPsec AH transform identifiers.
 * RFC 2407 (IPsec DOI for ISAKMP) section 4.4.3 and the IANA isakmp-registry.
 *
 * These are wire identifiers: a value here says which integrity transform
 * was negotiated, not whether it is acceptable.  AH_MD5 and AH_DES in
 * particular are legacy algorithms; policy code should decide explicitly
 * which of these it will honour rather than accept any known value.
 */
enum ipsec_authentication_algo {
	AH_NONE         = 0,
	AH_MD5          = 2,
	AH_SHA          = 3,
	AH_DES          = 4,
	AH_SHA2_256     = 5,
	AH_SHA2_384     = 6,
	AH_SHA2_512     = 7,
	AH_RIPEMD       = 8,
	AH_AES_XCBC_MAC = 9,
	AH_RSA          = 10
};
/*
 * IPsec ESP transform identifiers.
 * RFC 2407 (IPsec DOI for ISAKMP) section 4.4.4 and the IANA isakmp-registry.
 *
 * Again these are wire identifiers, not a whitelist.  ESP_NULL gives no
 * confidentiality at all; the single-DES variants are what the privacy
 * scale above calls IPSEC_PRIVACY_ROT13; RC4 is generally considered
 * unsuitable.  Policy code must map a negotiated value to a privacy grade
 * rather than treat "ESP present" as "private".  ESP_UNASSIGNED_17 is a
 * placeholder for an unallocated registry slot, and ESP_SERPENT/ESP_TWOFISH
 * sit in the range RFC 2407 leaves for private use, so they are only
 * meaningful between cooperating implementations.
 */
enum ipsec_cipher_algo {
	ESP_NONE          = 0,
	ESP_DES_IV64      = 1,
	ESP_DES           = 2,
	ESP_3DES          = 3,
	ESP_RC5           = 4,
	ESP_IDEA          = 5,
	ESP_CAST          = 6,
	ESP_BLOWFISH      = 7,
	ESP_3IDEA         = 8,
	ESP_DES_IV32      = 9,
	ESP_RC4           = 10,
	ESP_NULL          = 11,   /* no encryption */
	ESP_AES           = 12,
	ESP_AES_CTR       = 13,
	ESP_AES_CCM_8     = 14,
	ESP_AES_CCM_12    = 15,
	ESP_AES_CCM_16    = 16,
	ESP_UNASSIGNED_17 = 17,   /* unallocated registry slot */
	ESP_AES_GCM_8     = 18,
	ESP_AES_GCM_12    = 19,
	ESP_AES_GCM_16    = 20,
	ESP_SEED_CBC      = 21,
	ESP_CAMELLIA      = 22,
	ESP_SERPENT       = 252,  /* private-use range */
	ESP_TWOFISH       = 253   /* private-use range */
};
/*
 * IPCOMP transform identifiers.
 * RFC 2407 (IPsec DOI for ISAKMP) section 4.4.5.
 *
 * IPSCOMP_NONE is misspelled (IPSCOMP vs IPCOMP) but is part of the public
 * ABI of this header, so the name is kept as is.
 */
enum ipsec_comp_algo {
	IPSCOMP_NONE   = 0,
	IPCOMP_OUI     = 1,
	IPCOMP_DEFLATE = 2,
	IPCOMP_LZS     = 3,
	IPCOMP_LZJH    = 4
};
/*
 * Identification type identifiers.
 * RFC 2407 (IPsec DOI for ISAKMP) section 4.6.2.1.
 *
 * The three non-positive values are Pluto-internal and are not protocol
 * values; a receiver of struct ipsec_identity should presumably treat them
 * as invalid when they arrive in a message.  Because negative enumerators
 * exist, the enum's underlying type is necessarily signed -- do not
 * serialise it as an unsigned quantity.
 */
enum ipsec_id_type {
	ID_IMPOSSIBLE       = (-2),  /* private to Pluto */
	ID_MYID             = (-1),  /* private to Pluto */
	ID_NONE             = 0,     /* private to Pluto */
	ID_IPV4_ADDR        = 1,
	ID_FQDN             = 2,
	ID_USER_FQDN        = 3,
	ID_IPV4_ADDR_SUBNET = 4,
	ID_IPV6_ADDR        = 5,
	ID_IPV6_ADDR_SUBNET = 6,
	ID_IPV4_ADDR_RANGE  = 7,
	ID_IPV6_ADDR_RANGE  = 8,
	ID_DER_ASN1_DN      = 9,
	ID_DER_ASN1_GN      = 10,
	ID_KEY_ID           = 11
};
/*
 * Certificate encoding identifiers.
 * RFC 2408 (ISAKMP) section 3.9.
 *
 * Used as the ii_format discriminator of struct ipsec_identity; values not
 * listed here must be rejected by a receiver before the union is read.
 */
enum ipsec_cert_type {
	CERT_NONE               = 0,
	CERT_PKCS7_WRAPPED_X509 = 1,
	CERT_PGP                = 2,
	CERT_DNS_SIGNED_KEY     = 3,
	CERT_X509_SIGNATURE     = 4,
	CERT_X509_KEY_EXCHANGE  = 5,
	CERT_KERBEROS_TOKENS    = 6,
	CERT_CRL                = 7,
	CERT_ARL                = 8,
	CERT_SPKI               = 9,
	CERT_X509_ATTRIBUTE     = 10,
	CERT_RAW_RSA_KEY        = 11
};
/*
 * A DNS SIG record in ASCII form, as one credential of an identity.
 *
 * Both members are fixed-size character arrays carried verbatim in a
 * message.  Writers must bound their copies to the array size and NUL-
 * terminate; readers must not assume a NUL is present in data that came
 * from the peer (use strnlen()/bounded operations, never strlen()/strcpy()).
 */
struct ipsec_dns_sig {
	char fqdn[256];      /* owner name of the record */
	char dns_sig[768];   /* the signature; empty string if not signed */
};
/*
 * A raw (unsigned, non-certificate) key reference.
 *
 * Same caveat as struct ipsec_dns_sig: fixed arrays, no length field, so
 * every access on the receiving side has to be bounded.  fs_keyid is only
 * 8 bytes; whether it is NUL-terminated or a fixed 8-character field is not
 * stated here -- confirm before printing it with %s.
 */
struct ipsec_raw_key {
	char id_name[256];   /* name the key is known by */
	char fs_keyid[8];    /* key identifier */
};
/*
 * One identity plus the credential that backs it.
 *
 * ii_type says how the identity is expressed and ii_format which kind of
 * credential sits in ii_credential; presumably CERT_DNS_SIGNED_KEY selects
 * ipsec_dns_signed and CERT_RAW_RSA_KEY selects ipsec_raw_key -- confirm
 * against the code that fills this in.  Both discriminators arrive from
 * the peer: a consumer must range-check them (unknown value => reject the
 * whole identity) before interpreting the union, and must remember that
 * the union's members are unterminated-by-contract char arrays.
 *
 * Both discriminators are enums embedded directly in the ABI, so their size
 * depends on the compiler; both sides of the socket have to be built alike.
 */
struct ipsec_identity {
	enum ipsec_id_type   ii_type;     /* how the identity is expressed */
	enum ipsec_cert_type ii_format;   /* which credential kind is present */
	union {
		struct ipsec_dns_sig ipsec_dns_signed;
		/* some thing for PGP */
		/* some thing for PKIX */
		struct ipsec_raw_key ipsec_raw_key;
	} ii_credential;
};
/* Capacity of credentials[] below; the only legal upper bound for credential_count. */
#define IPSEC_MAX_CREDENTIALS 32

/*
 * Body of an IPSEC_CMD_QUERY_* request and of its reply.
 *
 * The query section is filled in by the asking side and the answer section
 * by the daemon -- presumably; confirm against the implementation.
 *
 * Security notes for whoever parses a received copy:
 *  - credential_count is a signed int supplied by the peer.  Check
 *    0 <= credential_count <= IPSEC_MAX_CREDENTIALS before looping over
 *    credentials[]; a negative or oversized value indexes outside the array.
 *  - Each enum field is a raw integer from the peer; map it through the
 *    corresponding enum's known values rather than trusting it.
 *  - The byte order of src_port/dst_port and the representation of
 *    ip_address are not stated here; ip_address is declared elsewhere.
 *  - Enums and ip_address are embedded directly, so the layout (and hence the
 *    ABI) depends on both ends being compiled the same way, as the file
 *    header warns.
 */
struct ipsec_policy_cmd_query {
	struct ipsec_policy_msg_head head;

	/* Query section */
	ip_address query_local;    /* us */
	ip_address query_remote;   /* them */
	u_short    src_port;
	u_short    dst_port;

	/* Answer section */
	enum ipsec_privacy_quality     strength;
	enum ipsec_bandwidth_quality   bandwidth;
	enum ipsec_authentication_algo auth_detail;
	enum ipsec_cipher_algo         esp_detail;
	enum ipsec_comp_algo           comp_detail;

	int                   credential_count;   /* valid entries in credentials[]; untrusted */
	struct ipsec_identity credentials[IPSEC_MAX_CREDENTIALS];
};
/*
 * Rendezvous path for the policy channel (presumably a Unix-domain socket;
 * the prototypes below only show an int descriptor).
 *
 * Nothing in this header authenticates the peer: whoever can open this
 * path can ask the daemon about policy, and a client trusts that whatever
 * listens there really is pluto.  The permissions on the path and on its
 * directory are therefore part of the security boundary, and a client
 * that cannot open the socket should fail closed rather than assume that
 * no IPsec policy applies.
 */
#define IPSEC_POLICY_SOCKET "/var/run/pluto.info"
/*
 * Library entry points.  err_t is declared elsewhere; in the FreeS/WAN
 * convention it is NULL on success and an error string otherwise -- confirm
 * where it is defined.
 */

/* Query the daemon about the connection on socket fd, filling in *result
 * (presumably via IPSEC_CMD_QUERY_FD).  Callers must validate result->head
 * and result->credential_count before using the answer. */
extern err_t ipsec_policy_lookup(int fd, struct ipsec_policy_cmd_query *result);

/* Open and tear down the channel to the daemon. */
extern err_t ipsec_policy_init(void);
extern err_t ipsec_policy_final(void);

/* Read one message from policysock into buf.  buflen is the caller's bound
 * on buf -- presumably the read is limited to it, but the message's own
 * ipm_msg_len is still peer-supplied and must be checked against the bytes
 * actually received before the body is interpreted. */
extern err_t ipsec_policy_readmsg(int policysock,
                                  unsigned char *buf, size_t buflen);

/* Send the message in buf to the daemon and, presumably, read the reply back
 * into the same buffer; buflen bounds both directions. */
extern err_t ipsec_policy_sendrecv(unsigned char *buf, size_t buflen);

/* Lookup variant for CGI use; where the query parameters come from is not
 * visible here -- confirm in the implementation. */
extern err_t ipsec_policy_cgilookup(struct ipsec_policy_cmd_query *result);

/* Library version, as a short code and as a human-readable string. */
extern const char *ipsec_policy_version_code(void);
extern const char *ipsec_policy_version_string(void);
#endif /* _IPSEC_POLICY_H */