updated list of ESP and AH algorithms
1 #ifndef _IPSEC_POLICY_H
2 /*
3 * policy interface file between pluto and applications
4 * Copyright (C) 2003 Michael Richardson <mcr@freeswan.org>
5 *
6 * This library is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU Library General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
10 *
11 * This library is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
14 * License for more details.
15 *
16 * RCSID $Id$
17 */
/* NB: names beginning with an underscore and an uppercase letter are reserved
 * to the implementation (C11 7.1.3). The guard name is kept unchanged because
 * the matching #ifndef above, and possibly other files, test it. */
#define _IPSEC_POLICY_H /* seen it, no need to see it again */
19
20
21 /*
22 * this file defines an interface between an application (or rather an
23 * application library) and a key/policy daemon. It provides for inquiries
24 * as to the current state of a connected socket, as well as for general
25 * questions.
26 *
27 * In general, the interface is defined as a series of functional interfaces,
28 * and the policy messages should be internal. However, because this is in
29 * fact an ABI between pieces of the system that may get compiled and revised
30 * separately, this ABI must be public and revision controlled.
31 *
32 * It is expected that the daemon will always support previous versions.
33 */
34
/* Revision of the message layout defined in this file. The value appears to
 * be a date stamp (YYYYMMDD plus a one-digit serial). Presumably carried in
 * ipsec_policy_msg_head.ipm_version so that daemon and application can detect
 * a mismatch -- confirm against the implementation. */
#define IPSEC_POLICY_MSG_REVISION (unsigned)200305061
36
/* Command codes sent to the policy daemon. The names suggest three ways of
 * keying a lookup: by a connected socket's fd, by the local/remote host pair,
 * and by destination address only -- confirm the exact semantics in pluto.
 * Values start at 1, so 0 is never a valid command. */
enum ipsec_policy_command {
	IPSEC_CMD_QUERY_FD = 1,
	IPSEC_CMD_QUERY_HOSTPAIR = 2,
	IPSEC_CMD_QUERY_DSTONLY = 3,
};
42
/* Fixed header at the start of every policy message. All four fields are
 * 32-bit, so the header is 16 bytes with no padding.
 * NOTE(review): the peer on the socket is a separate process, so a receiver
 * should compare ipm_version with IPSEC_POLICY_MSG_REVISION and ipm_msg_len
 * with the size of the structure it is about to interpret before reading the
 * body; this header only declares the fields, it does not enforce that. */
struct ipsec_policy_msg_head {
	u_int32_t ipm_version;  /* message layout revision (presumably IPSEC_POLICY_MSG_REVISION) */
	u_int32_t ipm_msg_len;  /* length of the whole message, header included -- presumed, confirm */
	u_int32_t ipm_msg_type; /* presumably an enum ipsec_policy_command value */
	u_int32_t ipm_msg_seq;  /* sequence number, presumably to pair replies with requests */
};
49
/* Coarse grade of the confidentiality a connection offers; a larger value
 * means stronger. The numbering is sparse, apparently to leave room for
 * intermediate grades without renumbering. This is the value reported in
 * ipsec_policy_cmd_query.strength. */
enum ipsec_privacy_quality {
	IPSEC_PRIVACY_NONE = 0,
	IPSEC_PRIVACY_INTEGRAL = 4,   /* not private at all; integrity only, AH-like */
	IPSEC_PRIVACY_UNKNOWN = 8,    /* something is claimed, but details unavailable */
	IPSEC_PRIVACY_ROT13 = 12,     /* trivially breakable, e.g. single DES */
	IPSEC_PRIVACY_GAK = 16,       /* known eavesdroppers (key escrow / "government access to keys") */
	IPSEC_PRIVACY_PRIVATE = 32,   /* secure for at least a decade */
	IPSEC_PRIVACY_STRONG = 64,    /* ridiculously secure */
	IPSEC_PRIVACY_TORTOISE = 192, /* even stronger, but very slow */
	IPSEC_PRIVACY_OTP = 224,      /* some kind of *true* one time pad */
};
61
/* Coarse grade of the throughput/latency a connection offers; a larger value
 * means more bandwidth. Reported in ipsec_policy_cmd_query.bandwidth. */
enum ipsec_bandwidth_quality {
	IPSEC_QOS_UNKNOWN = 0,       /* unknown bandwidth */
	IPSEC_QOS_INTERACTIVE = 16,  /* reasonably moderate jitter, moderately fast;
	                              * good enough for telnet/ssh */
	IPSEC_QOS_VOIP = 32,         /* faster crypto, predictable jitter */
	IPSEC_QOS_FTP = 64,          /* higher throughput crypto, perhaps hardware
	                              * offloaded, but latency/jitter may be bad */
	IPSEC_QOS_WIRESPEED = 128,   /* expect to be able to fill your pipe */
};
71
72 /* moved from programs/pluto/constants.h */
73 /* IPsec AH transform values
74 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.3
75 * and in http://www.iana.org/assignments/isakmp-registry
76 */
/* AH transform identifiers. These are the registry values from RFC 2407
 * section 4.4.3 and the IANA isakmp-registry, so they must never be
 * renumbered; new entries are added with their registered value. 0 is
 * reserved in the registry and is used here, presumably, to mean "no AH".
 * Reported in ipsec_policy_cmd_query.auth_detail. */
enum ipsec_authentication_algo {
	AH_NONE = 0,
	AH_MD5 = 2,
	AH_SHA = 3,
	AH_DES = 4,
	AH_SHA2_256 = 5,
	AH_SHA2_384 = 6,
	AH_SHA2_512 = 7,
	AH_RIPEMD = 8,
	AH_AES_XCBC_MAC = 9,
	AH_RSA = 10
};
89
90 /* IPsec ESP transform values
91 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.4
92 * and from http://www.iana.org/assignments/isakmp-registry
93 */
94
/* ESP transform identifiers. These are the registry values from RFC 2407
 * section 4.4.4 and the IANA isakmp-registry, so they must never be
 * renumbered. 0 is reserved in the registry and is used here, presumably, to
 * mean "no ESP"; ESP_UNASSIGNED_17 holds the place of an unassigned registry
 * slot; 252 and 253 lie in the registry's private-use range and are not IANA
 * assignments. This value identifies the algorithm only -- ESP_NULL gives no
 * confidentiality and single DES is weak -- the grade of protection is
 * expressed separately by enum ipsec_privacy_quality.
 * Reported in ipsec_policy_cmd_query.esp_detail. */
enum ipsec_cipher_algo {
	ESP_NONE = 0,
	ESP_DES_IV64 = 1,
	ESP_DES = 2,
	ESP_3DES = 3,
	ESP_RC5 = 4,
	ESP_IDEA = 5,
	ESP_CAST = 6,
	ESP_BLOWFISH = 7,
	ESP_3IDEA = 8,
	ESP_DES_IV32 = 9,
	ESP_RC4 = 10,
	ESP_NULL = 11,          /* no encryption, integrity only */
	ESP_AES = 12,
	ESP_AES_CTR = 13,
	ESP_AES_CCM_8 = 14,     /* AES-CCM with an 8-octet ICV */
	ESP_AES_CCM_12 = 15,    /* AES-CCM with a 12-octet ICV */
	ESP_AES_CCM_16 = 16,    /* AES-CCM with a 16-octet ICV */
	ESP_UNASSIGNED_17 = 17, /* placeholder, not assigned in the registry */
	ESP_AES_GCM_8 = 18,     /* AES-GCM with an 8-octet ICV */
	ESP_AES_GCM_12 = 19,    /* AES-GCM with a 12-octet ICV */
	ESP_AES_GCM_16 = 20,    /* AES-GCM with a 16-octet ICV */
	ESP_SEED_CBC = 21,
	ESP_CAMELLIA = 22,
	ESP_SERPENT = 252,      /* private-use range */
	ESP_TWOFISH = 253       /* private-use range */
};
122
123 /* IPCOMP transform values
124 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.5
125 */
126
/* IPCOMP transform identifiers from RFC 2407 section 4.4.5; registry values,
 * do not renumber. Reported in ipsec_policy_cmd_query.comp_detail.
 * NB: the first constant is spelled IPSCOMP_NONE, not IPCOMP_NONE like the
 * others; it is left as is because existing users may rely on the name. */
enum ipsec_comp_algo {
	IPSCOMP_NONE = 0,
	IPCOMP_OUI = 1,
	IPCOMP_DEFLATE = 2,
	IPCOMP_LZS = 3,
	IPCOMP_LZJH = 4
};
134
135 /* Identification type values
136 * RFC 2407 The Internet IP security Domain of Interpretation for ISAKMP 4.6.2.1
137 */
138
/* Identification payload types from RFC 2407 section 4.6.2.1. Values 1..11
 * are registry values and must not be renumbered; the non-positive values
 * are private to Pluto and never appear on the wire. Because negative
 * constants are present the enum's underlying type is signed. */
enum ipsec_id_type {
	ID_IMPOSSIBLE= (-2), /* private to Pluto */
	ID_MYID= (-1),       /* private to Pluto */
	ID_NONE= 0,          /* private to Pluto */
	ID_IPV4_ADDR= 1,
	ID_FQDN= 2,
	ID_USER_FQDN= 3,
	ID_IPV4_ADDR_SUBNET= 4,
	ID_IPV6_ADDR= 5,
	ID_IPV6_ADDR_SUBNET= 6,
	ID_IPV4_ADDR_RANGE= 7,
	ID_IPV6_ADDR_RANGE= 8,
	ID_DER_ASN1_DN= 9,   /* X.500 distinguished name, DER encoded */
	ID_DER_ASN1_GN= 10,  /* X.509 general name, DER encoded */
	ID_KEY_ID= 11
};
155
156 /* Certificate type values
157 * RFC 2408 ISAKMP, chapter 3.9
158 */
/* Certificate encoding types from RFC 2408 (ISAKMP) section 3.9; registry
 * values, do not renumber. Used as ipsec_identity.ii_format. */
enum ipsec_cert_type {
	CERT_NONE= 0,
	CERT_PKCS7_WRAPPED_X509= 1,
	CERT_PGP= 2,
	CERT_DNS_SIGNED_KEY= 3,
	CERT_X509_SIGNATURE= 4,
	CERT_X509_KEY_EXCHANGE= 5,
	CERT_KERBEROS_TOKENS= 6,
	CERT_CRL= 7,                 /* certificate revocation list */
	CERT_ARL= 8,                 /* authority revocation list */
	CERT_SPKI= 9,
	CERT_X509_ATTRIBUTE= 10,
	CERT_RAW_RSA_KEY= 11
};
173
174 /* a SIG record in ASCII */
/* A DNS SIG record in ASCII, as one credential form of ipsec_identity.
 * Both members are fixed-size character arrays (1024 bytes in total).
 * NOTE(review): whether the strings are guaranteed NUL-terminated is not
 * established here; whoever fills these in must bound the copy and
 * terminate, and readers should not assume termination -- confirm in the
 * producer. */
struct ipsec_dns_sig {
	char fqdn[256];     /* owner name the SIG record belongs to (presumed) */
	char dns_sig[768];  /* empty string if not signed */
};
179
/* A raw RSA key reference, as one credential form of ipsec_identity.
 * NOTE(review): as with ipsec_dns_sig, NUL termination of id_name is not
 * established by this header -- confirm in the producer. */
struct ipsec_raw_key {
	char id_name[256];  /* identity the key is bound to (presumed) */
	char fs_keyid[8];   /* short key identifier; presumably the FreeS/WAN key id -- confirm */
};
184
/* One peer credential reported in an answer. ii_format presumably selects
 * which member of ii_credential is valid -- confirm in pluto. Only the DNS
 * and raw-key forms are defined so far; PGP and PKIX forms are placeholders.
 * The union is sized by its largest member, ipsec_dns_sig (1024 bytes). */
struct ipsec_identity {
	enum ipsec_id_type ii_type;     /* how the peer is identified */
	enum ipsec_cert_type ii_format; /* how the credential below is encoded */
	union {
		struct ipsec_dns_sig ipsec_dns_signed;
		/* some thing for PGP */
		/* some thing for PKIX */
		struct ipsec_raw_key ipsec_raw_key;
	} ii_credential;
};
195
/* Capacity of ipsec_policy_cmd_query.credentials[]; the hard upper bound
 * for credential_count. Part of the ABI: changing it changes sizeof the
 * query message. */
#define IPSEC_MAX_CREDENTIALS 32
197
/* Request/reply message for a policy query. The application fills the query
 * section; the daemon fills the answer section. Because credentials[] holds
 * IPSEC_MAX_CREDENTIALS entries of roughly 1 KiB each, the whole message is
 * on the order of 33 KiB, so callers should not place it on a small stack
 * lightly.
 * NOTE(review): when this is populated from a received message, the reader
 * should check that credential_count lies in 0..IPSEC_MAX_CREDENTIALS before
 * indexing credentials[], and should trust the enum fields only after the
 * header's version and length have been validated. */
struct ipsec_policy_cmd_query {
	struct ipsec_policy_msg_head head;

	/* Query section */
	ip_address query_local;   /* us */
	ip_address query_remote;  /* them */
	u_short src_port, dst_port;

	/* Answer section */
	enum ipsec_privacy_quality strength;      /* coarse confidentiality grade */
	enum ipsec_bandwidth_quality bandwidth;   /* coarse throughput grade */
	enum ipsec_authentication_algo auth_detail; /* AH transform in use */
	enum ipsec_cipher_algo esp_detail;        /* ESP transform in use */
	enum ipsec_comp_algo comp_detail;         /* IPCOMP transform in use */

	int credential_count;     /* number of valid entries in credentials[] */

	struct ipsec_identity credentials[IPSEC_MAX_CREDENTIALS];
};
217
/* Path of the daemon's policy socket. This header only names the path; the
 * socket's ownership and permissions are decided by whatever creates it.
 * NOTE(review): a client trusts whatever answers here, so the daemon side
 * should ensure the path is not writable by unprivileged users -- confirm
 * in the daemon's setup. */
#define IPSEC_POLICY_SOCKET "/var/run/pluto.info"
219
/* prototypes
 *
 * All functions return err_t, which is declared elsewhere in libfreeswan;
 * presumably NULL means success and a non-NULL value is an error string --
 * confirm against the err_t definition. Only declarations are visible
 * here, so the contracts below are inferred from the signatures. */

/* Query the policy of the connection behind socket fd; on success *result
 * holds the daemon's answer. result is caller-owned storage. */
extern err_t ipsec_policy_lookup(int fd, struct ipsec_policy_cmd_query *result);
/* Set up / tear down the library's connection to the daemon (presumed). */
extern err_t ipsec_policy_init(void);
extern err_t ipsec_policy_final(void);
/* Read one message from policysock into buf. buflen is presumably the
 * capacity of buf; the implementation must bound the read by it and
 * should validate the header before the caller interprets the body. */
extern err_t ipsec_policy_readmsg(int policysock,
				  unsigned char *buf, size_t buflen);
/* Send the message in buf to the daemon and read the reply back into the
 * same buffer (presumed from the name); buflen bounds the buffer. */
extern err_t ipsec_policy_sendrecv(unsigned char *buf, size_t buflen);
/* Variant of ipsec_policy_lookup for CGI programs, which take the
 * connection details from the environment rather than an fd (presumed). */
extern err_t ipsec_policy_cgilookup(struct ipsec_policy_cmd_query *result);


/* Library version as a short code and as a human-readable string. */
extern const char *ipsec_policy_version_code(void);
extern const char *ipsec_policy_version_string(void);
232
233 #endif /* _IPSEC_POLICY_H */