updated list of ESP and AH algorithms

[strongswan.git] / src / libfreeswan / ipsec_policy.h

#ifndef _IPSEC_POLICY_H
/*
 * policy interface file between pluto and applications
 * Copyright (C) 2003              Michael Richardson <mcr@freeswan.org>
 * 
 * This library is free software; you can redistribute it and/or modify it
 * under the terms of the GNU Library General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/lgpl.txt>.
 * 
 * This library is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU Library General Public
 * License for more details.
 *
 * RCSID $Id$
 */
#define _IPSEC_POLICY_H         /* seen it, no need to see it again */


/*
 * this file defines an interface between an application (or rather an
 * application library) and a key/policy daemon. It provides for inquiries
 * as to the current state of a connected socket, as well as for general
 * questions.
 *
 * In general, the interface is defined as a series of functional interfaces,
 * and the policy messages should be internal. However, because this is in
 * fact an ABI between pieces of the system that may get compiled and revised
 * seperately, this ABI must be public and revision controlled.
 *
 * It is expected that the daemon will always support previous versions.
 */

#define IPSEC_POLICY_MSG_REVISION (unsigned)200305061

enum ipsec_policy_command {
  IPSEC_CMD_QUERY_FD       = 1,
  IPSEC_CMD_QUERY_HOSTPAIR = 2,
  IPSEC_CMD_QUERY_DSTONLY  = 3,
};

struct ipsec_policy_msg_head {
  u_int32_t ipm_version;
  u_int32_t ipm_msg_len;  
  u_int32_t ipm_msg_type;
  u_int32_t ipm_msg_seq;
};

enum ipsec_privacy_quality {
  IPSEC_PRIVACY_NONE     = 0,
  IPSEC_PRIVACY_INTEGRAL = 4,   /* not private at all. AH-like */
  IPSEC_PRIVACY_UNKNOWN  = 8,   /* something is claimed, but details unavail */
  IPSEC_PRIVACY_ROT13    = 12,  /* trivially breakable, i.e. 1DES */
  IPSEC_PRIVACY_GAK      = 16,  /* known eavesdroppers */
  IPSEC_PRIVACY_PRIVATE  = 32,  /* secure for at least a decade */
  IPSEC_PRIVACY_STRONG   = 64,  /* ridiculously secure */
  IPSEC_PRIVACY_TORTOISE = 192, /* even stronger, but very slow */
  IPSEC_PRIVACY_OTP      = 224, /* some kind of *true* one time pad */
};

enum ipsec_bandwidth_quality {
  IPSEC_QOS_UNKNOWN = 0,       /* unknown bandwidth */
  IPSEC_QOS_INTERACTIVE = 16,  /* reasonably moderate jitter, moderate fast.
                                  Good enough for telnet/ssh. */
  IPSEC_QOS_VOIP        = 32,  /* faster crypto, predicable jitter */
  IPSEC_QOS_FTP         = 64,  /* higher throughput crypto, perhaps hardware
                                  offloaded, but latency/jitter may be bad */
  IPSEC_QOS_WIRESPEED   = 128, /* expect to be able to fill your pipe */
};

/* moved from programs/pluto/constants.h */
/* IPsec AH transform values
 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.3
 * and in http://www.iana.org/assignments/isakmp-registry
 */
enum ipsec_authentication_algo {
  AH_NONE         = 0,
  AH_MD5          = 2,
  AH_SHA          = 3,
  AH_DES          = 4,
  AH_SHA2_256     = 5,
  AH_SHA2_384     = 6,
  AH_SHA2_512     = 7,
  AH_RIPEMD       = 8,
  AH_AES_XCBC_MAC = 9,
  AH_RSA          = 10
};

/* IPsec ESP transform values
 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.4
 * and from http://www.iana.org/assignments/isakmp-registry
 */

enum ipsec_cipher_algo {
  ESP_NONE          = 0,
  ESP_DES_IV64      = 1,
  ESP_DES           = 2,
  ESP_3DES          = 3,
  ESP_RC5           = 4,
  ESP_IDEA          = 5,
  ESP_CAST          = 6,
  ESP_BLOWFISH      = 7,
  ESP_3IDEA         = 8,
  ESP_DES_IV32      = 9,
  ESP_RC4           = 10,
  ESP_NULL          = 11,
  ESP_AES           = 12,
  ESP_AES_CTR       = 13,
  ESP_AES_CCM_8     = 14,
  ESP_AES_CCM_12    = 15,
  ESP_AES_CCM_16    = 16,
  ESP_UNASSIGNED_17 = 17,
  ESP_AES_GCM_8     = 18,
  ESP_AES_GCM_12    = 19,
  ESP_AES_GCM_16    = 20,
  ESP_SEED_CBC      = 21,
  ESP_CAMELLIA      = 22,
  ESP_SERPENT       = 252,
  ESP_TWOFISH       = 253
};

/* IPCOMP transform values
 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.5
 */

enum ipsec_comp_algo {
  IPSCOMP_NONE   = 0,
  IPCOMP_OUI     = 1,
  IPCOMP_DEFLATE = 2,
  IPCOMP_LZS     = 3,
  IPCOMP_LZJH    = 4
};

/* Identification type values
 * RFC 2407 The Internet IP security Domain of Interpretation for ISAKMP 4.6.2.1 
 */

enum ipsec_id_type {
  ID_IMPOSSIBLE=             (-2),      /* private to Pluto */
  ID_MYID=                   (-1),      /* private to Pluto */
  ID_NONE=                     0,       /* private to Pluto */
  ID_IPV4_ADDR=                1,
  ID_FQDN=                     2,
  ID_USER_FQDN=                3,
  ID_IPV4_ADDR_SUBNET=         4,
  ID_IPV6_ADDR=                5,
  ID_IPV6_ADDR_SUBNET=         6,
  ID_IPV4_ADDR_RANGE=          7,
  ID_IPV6_ADDR_RANGE=          8,
  ID_DER_ASN1_DN=              9,
  ID_DER_ASN1_GN=              10,
  ID_KEY_ID=                   11
};

/* Certificate type values
 * RFC 2408 ISAKMP, chapter 3.9
 */
enum ipsec_cert_type {
  CERT_NONE=                    0,
  CERT_PKCS7_WRAPPED_X509=      1,
  CERT_PGP=                     2,
  CERT_DNS_SIGNED_KEY=          3,
  CERT_X509_SIGNATURE=          4,
  CERT_X509_KEY_EXCHANGE=       5,
  CERT_KERBEROS_TOKENS=         6,
  CERT_CRL=                     7,
  CERT_ARL=                     8,
  CERT_SPKI=                    9,
  CERT_X509_ATTRIBUTE=          10,
  CERT_RAW_RSA_KEY=             11
};

/* a SIG record in ASCII */
struct ipsec_dns_sig {
  char fqdn[256];
  char dns_sig[768];     /* empty string if not signed */
};

struct ipsec_raw_key {
  char id_name[256];
  char fs_keyid[8];
};

struct ipsec_identity {
  enum ipsec_id_type     ii_type;
  enum ipsec_cert_type   ii_format;
  union {
    struct ipsec_dns_sig ipsec_dns_signed;
    /* some thing for PGP */
    /* some thing for PKIX */
    struct ipsec_raw_key ipsec_raw_key;
  } ii_credential;
};

#define IPSEC_MAX_CREDENTIALS 32

struct ipsec_policy_cmd_query {
  struct ipsec_policy_msg_head head;

  /* Query section */
  ip_address query_local;     /* us   */
  ip_address query_remote;    /* them */
  u_short src_port, dst_port;

  /* Answer section */
  enum ipsec_privacy_quality     strength;
  enum ipsec_bandwidth_quality   bandwidth;
  enum ipsec_authentication_algo auth_detail;  
  enum ipsec_cipher_algo         esp_detail;
  enum ipsec_comp_algo           comp_detail;

  int                            credential_count;

  struct ipsec_identity credentials[IPSEC_MAX_CREDENTIALS];
};

#define IPSEC_POLICY_SOCKET "/var/run/pluto.info"

/* prototypes */
extern err_t ipsec_policy_lookup(int fd, struct ipsec_policy_cmd_query *result);
extern err_t ipsec_policy_init(void);
extern err_t ipsec_policy_final(void);
extern err_t ipsec_policy_readmsg(int policysock,
                                  unsigned char *buf, size_t buflen);
extern err_t ipsec_policy_sendrecv(unsigned char *buf, size_t buflen);
extern err_t ipsec_policy_cgilookup(struct ipsec_policy_cmd_query *result);


extern const char *ipsec_policy_version_code(void);
extern const char *ipsec_policy_version_string(void);

#endif /* _IPSEC_POLICY_H */