49ef67995691e4549fbf60f0699a022707fa2d92
[strongswan.git] / src / whack / whack.h
1 /* Structure of messages from whack to Pluto proper.
2 * Copyright (C) 1998-2001 D. Hugh Redelmeier.
3 *
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * for more details.
13 *
14 * RCSID $Id: whack.h,v 1.16 2006/04/17 10:39:14 as Exp $
15 */
16
17 #ifndef _WHACK_H
18 #define _WHACK_H
19
20 #include <freeswan.h>
21
22 #include <smartcard.h>
23
24 /* Since the message remains on one host, native representation is used.
25 * Think of this as horizontal microcode: all selected operations are
26 * to be done (in the order declared here).
27 *
28 * MAGIC is used to help detect version mismatches between whack and Pluto.
29 * Whenever the interface (i.e. this struct) changes in form or
30 * meaning, change this value (probably by changing the last number).
31 *
32 * If the command only requires basic actions (status or shutdown),
33 * it is likely that the relevant part of the message changes less frequently.
34 * Whack uses WHACK_BASIC_MAGIC in those cases.
35 *
36 * NOTE: no value of WHACK_BASIC_MAGIC may equal any value of WHACK_MAGIC.
37 * Otherwise certain version mismatches will not be detected.
38 */
39
40 #define WHACK_BASIC_MAGIC (((((('w' << 8) + 'h') << 8) + 'k') << 8) + 24)
41 #define WHACK_MAGIC (((((('w' << 8) + 'h') << 8) + 'k') << 8) + 26)
42
43 typedef struct whack_end whack_end_t;
44
45 /* struct whack_end is a lot like connection.h's struct end
46 * It differs because it is going to be shipped down a socket
47 * and because whack is a separate program from pluto.
48 */
49 struct whack_end {
50 char *id; /* id string (if any) -- decoded by pluto */
51 char *cert; /* path string (if any) -- loaded by pluto */
52 char *ca; /* distinguished name string (if any) -- parsed by pluto */
53 char *groups; /* access control groups (if any) -- parsed by pluto */
54 ip_address
55 host_addr,
56 host_nexthop,
57 host_srcip;
58 ip_subnet client;
59
60 bool key_from_DNS_on_demand;
61 bool has_client;
62 bool has_client_wildcard;
63 bool has_port_wildcard;
64 bool has_srcip;
65 bool has_natip;
66 bool modecfg;
67 bool hostaccess;
68 certpolicy_t sendcert;
69 char *updown; /* string */
70 u_int16_t host_port; /* host order */
71 u_int16_t port; /* host order */
72 u_int8_t protocol;
73 char *virt;
74 };
75
76 typedef struct whack_message whack_message_t;
77
78 struct whack_message {
79 unsigned int magic;
80
81 /* for WHACK_STATUS: */
82 bool whack_status;
83 bool whack_statusall;
84
85
86 /* for WHACK_SHUTDOWN */
87 bool whack_shutdown;
88
89 /* END OF BASIC COMMANDS
90 * If you change anything earlier in this struct, update WHACK_BASIC_MAGIC.
91 */
92
93 /* name is used in connection, ca and initiate */
94 size_t name_len; /* string 1 */
95 char *name;
96
97 /* for WHACK_OPTIONS: */
98
99 bool whack_options;
100
101 lset_t debugging; /* only used #ifdef DEBUG, but don't want layout to change */
102
103 /* for WHACK_CONNECTION */
104
105 bool whack_connection;
106 bool whack_async;
107 bool ikev1;
108
109 lset_t policy;
110 time_t sa_ike_life_seconds;
111 time_t sa_ipsec_life_seconds;
112 time_t sa_rekey_margin;
113 unsigned long sa_rekey_fuzz;
114 unsigned long sa_keying_tries;
115
116 /* For DPD 3706 - Dead Peer Detection */
117 time_t dpd_delay;
118 time_t dpd_timeout;
119 dpd_action_t dpd_action;
120
121 /* note that each end contains string 2/5.id, string 3/6 cert,
122 * and string 4/7 updown
123 */
124 whack_end_t left;
125 whack_end_t right;
126
127 /* note: if the client is the gateway, the following must be equal */
128 sa_family_t addr_family; /* between gateways */
129 sa_family_t tunnel_addr_family; /* between clients */
130
131 char *ike; /* ike algo string (separated by commas) */
132 char *pfsgroup; /* pfsgroup will be "encapsulated" in esp string for pluto */
133 char *esp; /* esp algo string (separated by commas) */
134
135 /* for WHACK_KEY: */
136 bool whack_key;
137 bool whack_addkey;
138 char *keyid; /* string 8 */
139 enum pubkey_alg pubkey_alg;
140 chunk_t keyval; /* chunk */
141
142 /* for WHACK_MYID: */
143 bool whack_myid;
144 char *myid; /* string 7 */
145
146 /* for WHACK_ROUTE: */
147 bool whack_route;
148
149 /* for WHACK_UNROUTE: */
150 bool whack_unroute;
151
152 /* for WHACK_INITIATE: */
153 bool whack_initiate;
154
155 /* for WHACK_OPINITIATE */
156 bool whack_oppo_initiate;
157 ip_address oppo_my_client, oppo_peer_client;
158
159 /* for WHACK_TERMINATE: */
160 bool whack_terminate;
161
162 /* for WHACK_DELETE: */
163 bool whack_delete;
164
165 /* for WHACK_DELETESTATE: */
166 bool whack_deletestate;
167 so_serial_t whack_deletestateno;
168
169 /* for WHACK_LISTEN: */
170 bool whack_listen, whack_unlisten;
171
172 /* for WHACK_CRASH - note if a remote peer is known to have rebooted */
173 bool whack_crash;
174 ip_address whack_crash_peer;
175
176 /* for WHACK_LIST */
177 bool whack_utc;
178 lset_t whack_list;
179
180 /* for WHACK_PURGEOCSP */
181 bool whack_purgeocsp;
182
183 /* for WHACK_REREAD */
184 u_char whack_reread;
185
186 /* for WHACK_CA */
187 bool whack_ca;
188 bool whack_strict;
189
190 char *cacert;
191 char *ldaphost;
192 char *ldapbase;
193 char *crluri;
194 char *crluri2;
195 char *ocspuri;
196
197 /* for WHACK_SC_OP */
198 sc_op_t whack_sc_op;
199 int inbase, outbase;
200 char *sc_data;
201
202 /* space for strings (hope there is enough room):
203 * Note that pointers don't travel on wire.
204 * 1 connection name [name_len]
205 * 2 left's name [left.host.name.len]
206 * 3 left's cert
207 * 4 left's ca
208 * 5 left's groups
209 * 6 left's updown
210 * 7 right's name [left.host.name.len]
211 * 8 right's cert
212 * 9 right's ca
213 * 10 right's groups
214 * 11 right's updown
215 * 12 keyid
216 * 13 myid
217 * 14 cacert
218 * 15 ldaphost
219 * 16 ldapbase
220 * 17 crluri
221 * 18 crluri2
222 * 19 ocspuri
223 * 20 ike
224 " 21 esp
225 * 22 rsa_data
226 * plus keyval (limit: 8K bits + overhead), a chunk.
227 */
228 size_t str_size;
229 char string[2048];
230 };
231
232 /* Codes for status messages returned to whack.
233 * These are 3 digit decimal numerals. The structure
234 * is inspired by section 4.2 of RFC959 (FTP).
235 * Since these will end up as the exit status of whack, they
236 * must be less than 256.
237 * NOTE: ipsec_auto(8) knows about some of these numbers -- change carefully.
238 */
239 enum rc_type {
240 RC_COMMENT, /* non-commital utterance (does not affect exit status) */
241 RC_WHACK_PROBLEM, /* whack-detected problem */
242 RC_LOG, /* message aimed at log (does not affect exit status) */
243 RC_LOG_SERIOUS, /* serious message aimed at log (does not affect exit status) */
244 RC_SUCCESS, /* success (exit status 0) */
245
246 /* failure, but not definitive */
247
248 RC_RETRANSMISSION = 10,
249
250 /* improper request */
251
252 RC_DUPNAME = 20, /* attempt to reuse a connection name */
253 RC_UNKNOWN_NAME, /* connection name unknown or state number */
254 RC_ORIENT, /* cannot orient connection: neither end is us */
255 RC_CLASH, /* clash between two Road Warrior connections OVERLOADED */
256 RC_DEAF, /* need --listen before --initiate */
257 RC_ROUTE, /* cannot route */
258 RC_RTBUSY, /* cannot unroute: route busy */
259 RC_BADID, /* malformed --id */
260 RC_NOKEY, /* no key found through DNS */
261 RC_NOPEERIP, /* cannot initiate when peer IP is unknown */
262 RC_INITSHUNT, /* cannot initiate a shunt-oly connection */
263 RC_WILDCARD, /* cannot initiate when ID has wildcards */
264 RC_NOVALIDPIN, /* cannot initiate without valid PIN */
265
266 /* permanent failure */
267
268 RC_BADWHACKMESSAGE = 30,
269 RC_NORETRANSMISSION,
270 RC_INTERNALERR,
271 RC_OPPOFAILURE, /* Opportunism failed */
272
273 /* entry of secrets */
274 RC_ENTERSECRET = 40,
275
276 /* progress: start of range for successful state transition.
277 * Actual value is RC_NEW_STATE plus the new state code.
278 */
279 RC_NEW_STATE = 100,
280
281 /* start of range for notification.
282 * Actual value is RC_NOTIFICATION plus code for notification
283 * that should be generated by this Pluto.
284 */
285 RC_NOTIFICATION = 200 /* as per IKE notification messages */
286 };
287
288 /* options of whack --list*** command */
289
290 #define LIST_NONE 0x0000 /* don't list anything */
291 #define LIST_ALGS 0x0001 /* list all registered IKE algorithms */
292 #define LIST_PUBKEYS 0x0002 /* list all public keys */
293 #define LIST_CERTS 0x0004 /* list all host/user certs */
294 #define LIST_CACERTS 0x0008 /* list all ca certs */
295 #define LIST_ACERTS 0x0010 /* list all attribute certs */
296 #define LIST_AACERTS 0x0020 /* list all aa certs */
297 #define LIST_OCSPCERTS 0x0040 /* list all ocsp certs */
298 #define LIST_GROUPS 0x0080 /* list all access control groups */
299 #define LIST_CAINFOS 0x0100 /* list all ca information records */
300 #define LIST_CRLS 0x0200 /* list all crls */
301 #define LIST_OCSP 0x0400 /* list all ocsp cache entries */
302 #define LIST_CARDS 0x0800 /* list all smartcard records */
303
304 #define LIST_ALL LRANGES(LIST_ALGS, LIST_CARDS) /* all list options */
305
306 /* options of whack --reread*** command */
307
308 #define REREAD_NONE 0x00 /* don't reread anything */
309 #define REREAD_SECRETS 0x01 /* reread /etc/ipsec.secrets */
310 #define REREAD_CACERTS 0x02 /* reread certs in /etc/ipsec.d/cacerts */
311 #define REREAD_AACERTS 0x04 /* reread certs in /etc/ipsec.d/aacerts */
312 #define REREAD_OCSPCERTS 0x08 /* reread certs in /etc/ipsec.d/ocspcerts */
313 #define REREAD_ACERTS 0x10 /* reread certs in /etc/ipsec.d/acerts */
314 #define REREAD_CRLS 0x20 /* reread crls in /etc/ipsec.d/crls */
315
316 #define REREAD_ALL LRANGES(REREAD_SECRETS, REREAD_CRLS) /* all reread options */
317
318 #endif /* _WHACK_H */