src/whack/whack.h

   1 /* Structure of messages from whack to Pluto proper.
   2  * Copyright (C) 1998-2001  D. Hugh Redelmeier.
   3  *
   4  * This program is free software; you can redistribute it and/or modify it
   5  * under the terms of the GNU General Public License as published by the
   6  * Free Software Foundation; either version 2 of the License, or (at your
   7  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
   8  *
   9  * This program is distributed in the hope that it will be useful, but
  10  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  11  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  12  * for more details.
  13  *
  14  * RCSID $Id: whack.h,v 1.16 2006/04/17 10:39:14 as Exp $
  15  */
  16
  17 #ifndef _WHACK_H
  18 #define _WHACK_H
  19
  20 #include <freeswan.h>
  21
  22 #include <smartcard.h>
  23
  24 /* Since the message remains on one host, native representation is used.
  25  * Think of this as horizontal microcode: all selected operations are
  26  * to be done (in the order declared here).
  27  *
  28  * MAGIC is used to help detect version mismatches between whack and Pluto.
  29  * Whenever the interface (i.e. this struct) changes in form or
  30  * meaning, change this value (probably by changing the last number).
  31  *
  32  * If the command only requires basic actions (status or shutdown),
  33  * it is likely that the relevant part of the message changes less frequently.
  34  * Whack uses WHACK_BASIC_MAGIC in those cases.
  35  *
  36  * NOTE: no value of WHACK_BASIC_MAGIC may equal any value of WHACK_MAGIC.
  37  * Otherwise certain version mismatches will not be detected.
  38  */
  39
  40 #define WHACK_BASIC_MAGIC (((((('w' << 8) + 'h') << 8) + 'k') << 8) + 24)
  41 #define WHACK_MAGIC (((((('w' << 8) + 'h') << 8) + 'k') << 8) + 26)
  42
  43 typedef struct whack_end whack_end_t;
  44
  45 /* struct whack_end is a lot like connection.h's struct end
  46  * It differs because it is going to be shipped down a socket
  47  * and because whack is a separate program from pluto.
  48  */
  49 struct whack_end {
  50     char *id;           /* id string (if any) -- decoded by pluto */
  51     char *cert;         /* path string (if any) -- loaded by pluto  */
  52     char *ca;           /* distinguished name string (if any) -- parsed by pluto */
  53     char *groups;       /* access control groups (if any) -- parsed by pluto */
  54     ip_address
  55         host_addr,
  56         host_nexthop,
  57         host_srcip;
  58     ip_subnet client;
  59
  60     bool key_from_DNS_on_demand;
  61     bool has_client;
  62     bool has_client_wildcard;
  63     bool has_port_wildcard;
  64     bool has_srcip;
  65     bool has_natip;
  66     bool modecfg;
  67     bool hostaccess;
  68     certpolicy_t sendcert;
  69     char *updown;               /* string */
  70     u_int16_t host_port;        /* host order */
  71     u_int16_t port;             /* host order */
  72     u_int8_t protocol;
  73     char *virt;
  74  };
  75
  76 typedef struct whack_message whack_message_t;
  77
  78 struct whack_message {
  79     unsigned int magic;
  80
  81     /* for WHACK_STATUS: */
  82     bool whack_status;
  83     bool whack_statusall;
  84
  85
  86     /* for WHACK_SHUTDOWN */
  87     bool whack_shutdown;
  88
  89     /* END OF BASIC COMMANDS
  90      * If you change anything earlier in this struct, update WHACK_BASIC_MAGIC.
  91      */
  92
  93     /* name is used in connection, ca and initiate */
  94     size_t name_len;    /* string 1 */
  95     char *name;
  96
  97     /* for WHACK_OPTIONS: */
  98
  99     bool whack_options;
 100
 101     lset_t debugging;   /* only used #ifdef DEBUG, but don't want layout to change */
 102
 103     /* for WHACK_CONNECTION */
 104
 105     bool whack_connection;
 106     bool whack_async;
 107     bool ikev1;
 108
 109     lset_t policy;
 110     time_t sa_ike_life_seconds;
 111     time_t sa_ipsec_life_seconds;
 112     time_t sa_rekey_margin;
 113     unsigned long sa_rekey_fuzz;
 114     unsigned long sa_keying_tries;
 115
 116     /* For DPD 3706 - Dead Peer Detection */
 117     time_t dpd_delay;
 118     time_t dpd_timeout;
 119     dpd_action_t dpd_action;
 120
 121     /*  note that each end contains string 2/5.id, string 3/6 cert,
 122      *  and string 4/7 updown
 123      */
 124     whack_end_t left;
 125     whack_end_t right;
 126
 127     /* note: if the client is the gateway, the following must be equal */
 128     sa_family_t addr_family;    /* between gateways */
 129     sa_family_t tunnel_addr_family;     /* between clients */
 130
 131     char *ike;          /* ike algo string (separated by commas) */
 132     char *pfsgroup;     /* pfsgroup will be "encapsulated" in esp string for pluto */
 133     char *esp;          /* esp algo string (separated by commas) */
 134
 135     /* for WHACK_KEY: */
 136     bool whack_key;
 137     bool whack_addkey;
 138     char *keyid;        /* string 8 */
 139     enum pubkey_alg pubkey_alg;
 140     chunk_t keyval;     /* chunk */
 141
 142     /* for WHACK_MYID: */
 143     bool whack_myid;
 144     char *myid; /* string 7 */
 145
 146     /* for WHACK_ROUTE: */
 147     bool whack_route;
 148
 149     /* for WHACK_UNROUTE: */
 150     bool whack_unroute;
 151
 152     /* for WHACK_INITIATE: */
 153     bool whack_initiate;
 154
 155     /* for WHACK_OPINITIATE */
 156     bool whack_oppo_initiate;
 157     ip_address oppo_my_client, oppo_peer_client;
 158
 159     /* for WHACK_TERMINATE: */
 160     bool whack_terminate;
 161
 162     /* for WHACK_DELETE: */
 163     bool whack_delete;
 164
 165     /* for WHACK_DELETESTATE: */
 166     bool whack_deletestate;
 167     so_serial_t whack_deletestateno;
 168
 169     /* for WHACK_LISTEN: */
 170     bool whack_listen, whack_unlisten;
 171
 172     /* for WHACK_CRASH - note if a remote peer is known to have rebooted */
 173     bool whack_crash;
 174     ip_address whack_crash_peer;
 175
 176     /* for WHACK_LIST */
 177     bool whack_utc;
 178     lset_t whack_list;
 179
 180     /* for WHACK_PURGEOCSP */
 181     bool whack_purgeocsp;
 182
 183     /* for WHACK_REREAD */
 184     u_char whack_reread;
 185
 186     /* for WHACK_CA */
 187     bool whack_ca;
 188     bool whack_strict;
 189
 190     char *cacert;
 191     char *ldaphost;
 192     char *ldapbase;
 193     char *crluri;
 194     char *crluri2;
 195     char *ocspuri;
 196
 197     /* for WHACK_SC_OP */
 198     sc_op_t whack_sc_op;
 199     int inbase, outbase;
 200     char *sc_data;
 201
 202     /* space for strings (hope there is enough room):
 203      * Note that pointers don't travel on wire.
 204      *  1 connection name [name_len]
 205      *  2 left's name [left.host.name.len]
 206      *  3 left's cert
 207      *  4 left's ca
 208      *  5 left's groups
 209      *  6 left's updown
 210      *  7 right's name [left.host.name.len]
 211      *  8 right's cert
 212      *  9 right's ca
 213      * 10 right's groups
 214      * 11 right's updown
 215      * 12 keyid
 216      * 13 myid
 217      * 14 cacert
 218      * 15 ldaphost
 219      * 16 ldapbase
 220      * 17 crluri
 221      * 18 crluri2
 222      * 19 ocspuri
 223      * 20 ike
 224      " 21 esp
 225      * 22 rsa_data
 226      * plus keyval (limit: 8K bits + overhead), a chunk.
 227      */
 228     size_t str_size;
 229     char string[2048];
 230 };
 231
 232 /* Codes for status messages returned to whack.
 233  * These are 3 digit decimal numerals.  The structure
 234  * is inspired by section 4.2 of RFC959 (FTP).
 235  * Since these will end up as the exit status of whack, they
 236  * must be less than 256.
 237  * NOTE: ipsec_auto(8) knows about some of these numbers -- change carefully.
 238  */
 239 enum rc_type {
 240     RC_COMMENT,         /* non-commital utterance (does not affect exit status) */
 241     RC_WHACK_PROBLEM,   /* whack-detected problem */
 242     RC_LOG,             /* message aimed at log (does not affect exit status) */
 243     RC_LOG_SERIOUS,     /* serious message aimed at log (does not affect exit status) */
 244     RC_SUCCESS,         /* success (exit status 0) */
 245
 246     /* failure, but not definitive */
 247
 248     RC_RETRANSMISSION = 10,
 249
 250     /* improper request */
 251
 252     RC_DUPNAME = 20,    /* attempt to reuse a connection name */
 253     RC_UNKNOWN_NAME,    /* connection name unknown or state number */
 254     RC_ORIENT,          /* cannot orient connection: neither end is us */
 255     RC_CLASH,           /* clash between two Road Warrior connections OVERLOADED */
 256     RC_DEAF,            /* need --listen before --initiate */
 257     RC_ROUTE,           /* cannot route */
 258     RC_RTBUSY,          /* cannot unroute: route busy */
 259     RC_BADID,           /* malformed --id */
 260     RC_NOKEY,           /* no key found through DNS */
 261     RC_NOPEERIP,        /* cannot initiate when peer IP is unknown */
 262     RC_INITSHUNT,       /* cannot initiate a shunt-oly connection */
 263     RC_WILDCARD,        /* cannot initiate when ID has wildcards */
 264     RC_NOVALIDPIN,      /* cannot initiate without valid PIN */
 265
 266     /* permanent failure */
 267
 268     RC_BADWHACKMESSAGE = 30,
 269     RC_NORETRANSMISSION,
 270     RC_INTERNALERR,
 271     RC_OPPOFAILURE,     /* Opportunism failed */
 272
 273     /* entry of secrets */
 274     RC_ENTERSECRET = 40,
 275
 276     /* progress: start of range for successful state transition.
 277      * Actual value is RC_NEW_STATE plus the new state code.
 278      */
 279     RC_NEW_STATE = 100,
 280
 281     /* start of range for notification.
 282      * Actual value is RC_NOTIFICATION plus code for notification
 283      * that should be generated by this Pluto.
 284      */
 285     RC_NOTIFICATION = 200       /* as per IKE notification messages */
 286 };
 287
 288 /* options of whack --list*** command */
 289
 290 #define LIST_NONE       0x0000  /* don't list anything */
 291 #define LIST_ALGS       0x0001  /* list all registered IKE algorithms */
 292 #define LIST_PUBKEYS    0x0002  /* list all public keys */
 293 #define LIST_CERTS      0x0004  /* list all host/user certs */
 294 #define LIST_CACERTS    0x0008  /* list all ca certs */
 295 #define LIST_ACERTS     0x0010  /* list all attribute certs */
 296 #define LIST_AACERTS    0x0020  /* list all aa certs */
 297 #define LIST_OCSPCERTS  0x0040  /* list all ocsp certs */
 298 #define LIST_GROUPS     0x0080  /* list all access control groups */
 299 #define LIST_CAINFOS    0x0100  /* list all ca information records */
 300 #define LIST_CRLS       0x0200  /* list all crls */
 301 #define LIST_OCSP       0x0400  /* list all ocsp cache entries */
 302 #define LIST_CARDS      0x0800  /* list all smartcard records */
 303
 304 #define LIST_ALL        LRANGES(LIST_ALGS, LIST_CARDS)  /* all list options */
 305
 306 /* options of whack --reread*** command */
 307
 308 #define REREAD_NONE       0x00  /* don't reread anything */
 309 #define REREAD_SECRETS    0x01  /* reread /etc/ipsec.secrets */
 310 #define REREAD_CACERTS    0x02  /* reread certs in /etc/ipsec.d/cacerts */
 311 #define REREAD_AACERTS    0x04  /* reread certs in /etc/ipsec.d/aacerts */
 312 #define REREAD_OCSPCERTS  0x08  /* reread certs in /etc/ipsec.d/ocspcerts */
 313 #define REREAD_ACERTS     0x10  /* reread certs in /etc/ipsec.d/acerts */
 314 #define REREAD_CRLS       0x20  /* reread crls in /etc/ipsec.d/crls */
 315
 316 #define REREAD_ALL      LRANGES(REREAD_SECRETS, REREAD_CRLS)  /* all reread options */
 317
 318 #endif /* _WHACK_H */