src/whack/whack.h

   1 /* Structure of messages from whack to Pluto proper.
   2  * Copyright (C) 1998-2001  D. Hugh Redelmeier.
   3  *
   4  * This program is free software; you can redistribute it and/or modify it
   5  * under the terms of the GNU General Public License as published by the
   6  * Free Software Foundation; either version 2 of the License, or (at your
   7  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
   8  *
   9  * This program is distributed in the hope that it will be useful, but
  10  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  11  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  12  * for more details.
  13  *
  14  * RCSID $Id: whack.h,v 1.16 2006/04/17 10:39:14 as Exp $
  15  */
  16
  17 #ifndef _WHACK_H
  18 #define _WHACK_H
  19
  20 #include <freeswan.h>
  21
  22 #include <smartcard.h>
  23
  24 /* Since the message remains on one host, native representation is used.
  25  * Think of this as horizontal microcode: all selected operations are
  26  * to be done (in the order declared here).
  27  *
  28  * MAGIC is used to help detect version mismatches between whack and Pluto.
  29  * Whenever the interface (i.e. this struct) changes in form or
  30  * meaning, change this value (probably by changing the last number).
  31  *
  32  * If the command only requires basic actions (status or shutdown),
  33  * it is likely that the relevant part of the message changes less frequently.
  34  * Whack uses WHACK_BASIC_MAGIC in those cases.
  35  *
  36  * NOTE: no value of WHACK_BASIC_MAGIC may equal any value of WHACK_MAGIC.
  37  * Otherwise certain version mismatches will not be detected.
  38  */
  39
  40 #define WHACK_BASIC_MAGIC (((((('w' << 8) + 'h') << 8) + 'k') << 8) + 24)
  41 #define WHACK_MAGIC (((((('w' << 8) + 'h') << 8) + 'k') << 8) + 26)
  42
  43 typedef struct whack_end whack_end_t;
  44
  45 /* struct whack_end is a lot like connection.h's struct end
  46  * It differs because it is going to be shipped down a socket
  47  * and because whack is a separate program from pluto.
  48  */
  49 struct whack_end {
  50     char *id;           /* id string (if any) -- decoded by pluto */
  51     char *cert;         /* path string (if any) -- loaded by pluto  */
  52     char *ca;           /* distinguished name string (if any) -- parsed by pluto */
  53     char *groups;       /* access control groups (if any) -- parsed by pluto */
  54     ip_address
  55         host_addr,
  56         host_nexthop,
  57         host_srcip;
  58     ip_subnet client;
  59
  60     bool key_from_DNS_on_demand;
  61     bool has_client;
  62     bool has_client_wildcard;
  63     bool has_port_wildcard;
  64     bool has_srcip;
  65     bool modecfg;
  66     bool hostaccess;
  67     certpolicy_t sendcert;
  68     char *updown;               /* string */
  69     u_int16_t host_port;        /* host order */
  70     u_int16_t port;             /* host order */
  71     u_int8_t protocol;
  72     char *virt;
  73  };
  74
  75 typedef struct whack_message whack_message_t;
  76
  77 struct whack_message {
  78     unsigned int magic;
  79
  80     /* for WHACK_STATUS: */
  81     bool whack_status;
  82     bool whack_statusall;
  83
  84
  85     /* for WHACK_SHUTDOWN */
  86     bool whack_shutdown;
  87
  88     /* END OF BASIC COMMANDS
  89      * If you change anything earlier in this struct, update WHACK_BASIC_MAGIC.
  90      */
  91
  92     /* name is used in connection, ca and initiate */
  93     size_t name_len;    /* string 1 */
  94     char *name;
  95
  96     /* for WHACK_OPTIONS: */
  97
  98     bool whack_options;
  99
 100     lset_t debugging;   /* only used #ifdef DEBUG, but don't want layout to change */
 101
 102     /* for WHACK_CONNECTION */
 103
 104     bool whack_connection;
 105     bool whack_async;
 106     bool ikev1;
 107
 108     lset_t policy;
 109     time_t sa_ike_life_seconds;
 110     time_t sa_ipsec_life_seconds;
 111     time_t sa_rekey_margin;
 112     unsigned long sa_rekey_fuzz;
 113     unsigned long sa_keying_tries;
 114
 115     /* For DPD 3706 - Dead Peer Detection */
 116     time_t dpd_delay;
 117     time_t dpd_timeout;
 118     dpd_action_t dpd_action;
 119
 120     /*  note that each end contains string 2/5.id, string 3/6 cert,
 121      *  and string 4/7 updown
 122      */
 123     whack_end_t left;
 124     whack_end_t right;
 125
 126     /* note: if the client is the gateway, the following must be equal */
 127     sa_family_t addr_family;    /* between gateways */
 128     sa_family_t tunnel_addr_family;     /* between clients */
 129
 130     char *ike;          /* ike algo string (separated by commas) */
 131     char *pfsgroup;     /* pfsgroup will be "encapsulated" in esp string for pluto */
 132     char *esp;          /* esp algo string (separated by commas) */
 133
 134     /* for WHACK_KEY: */
 135     bool whack_key;
 136     bool whack_addkey;
 137     char *keyid;        /* string 8 */
 138     enum pubkey_alg pubkey_alg;
 139     chunk_t keyval;     /* chunk */
 140
 141     /* for WHACK_MYID: */
 142     bool whack_myid;
 143     char *myid; /* string 7 */
 144
 145     /* for WHACK_ROUTE: */
 146     bool whack_route;
 147
 148     /* for WHACK_UNROUTE: */
 149     bool whack_unroute;
 150
 151     /* for WHACK_INITIATE: */
 152     bool whack_initiate;
 153
 154     /* for WHACK_OPINITIATE */
 155     bool whack_oppo_initiate;
 156     ip_address oppo_my_client, oppo_peer_client;
 157
 158     /* for WHACK_TERMINATE: */
 159     bool whack_terminate;
 160
 161     /* for WHACK_DELETE: */
 162     bool whack_delete;
 163
 164     /* for WHACK_DELETESTATE: */
 165     bool whack_deletestate;
 166     so_serial_t whack_deletestateno;
 167
 168     /* for WHACK_LISTEN: */
 169     bool whack_listen, whack_unlisten;
 170
 171     /* for WHACK_CRASH - note if a remote peer is known to have rebooted */
 172     bool whack_crash;
 173     ip_address whack_crash_peer;
 174
 175     /* for WHACK_LIST */
 176     bool whack_utc;
 177     lset_t whack_list;
 178
 179     /* for WHACK_PURGEOCSP */
 180     bool whack_purgeocsp;
 181
 182     /* for WHACK_REREAD */
 183     u_char whack_reread;
 184
 185     /* for WHACK_CA */
 186     bool whack_ca;
 187     bool whack_strict;
 188
 189     char *cacert;
 190     char *ldaphost;
 191     char *ldapbase;
 192     char *crluri;
 193     char *crluri2;
 194     char *ocspuri;
 195
 196     /* for WHACK_SC_OP */
 197     sc_op_t whack_sc_op;
 198     int inbase, outbase;
 199     char *sc_data;
 200
 201     /* space for strings (hope there is enough room):
 202      * Note that pointers don't travel on wire.
 203      *  1 connection name [name_len]
 204      *  2 left's name [left.host.name.len]
 205      *  3 left's cert
 206      *  4 left's ca
 207      *  5 left's groups
 208      *  6 left's updown
 209      *  7 right's name [left.host.name.len]
 210      *  8 right's cert
 211      *  9 right's ca
 212      * 10 right's groups
 213      * 11 right's updown
 214      * 12 keyid
 215      * 13 myid
 216      * 14 cacert
 217      * 15 ldaphost
 218      * 16 ldapbase
 219      * 17 crluri
 220      * 18 crluri2
 221      * 19 ocspuri
 222      * 20 ike
 223      " 21 esp
 224      * 22 rsa_data
 225      * plus keyval (limit: 8K bits + overhead), a chunk.
 226      */
 227     size_t str_size;
 228     char string[2048];
 229 };
 230
 231 /* Codes for status messages returned to whack.
 232  * These are 3 digit decimal numerals.  The structure
 233  * is inspired by section 4.2 of RFC959 (FTP).
 234  * Since these will end up as the exit status of whack, they
 235  * must be less than 256.
 236  * NOTE: ipsec_auto(8) knows about some of these numbers -- change carefully.
 237  */
 238 enum rc_type {
 239     RC_COMMENT,         /* non-commital utterance (does not affect exit status) */
 240     RC_WHACK_PROBLEM,   /* whack-detected problem */
 241     RC_LOG,             /* message aimed at log (does not affect exit status) */
 242     RC_LOG_SERIOUS,     /* serious message aimed at log (does not affect exit status) */
 243     RC_SUCCESS,         /* success (exit status 0) */
 244
 245     /* failure, but not definitive */
 246
 247     RC_RETRANSMISSION = 10,
 248
 249     /* improper request */
 250
 251     RC_DUPNAME = 20,    /* attempt to reuse a connection name */
 252     RC_UNKNOWN_NAME,    /* connection name unknown or state number */
 253     RC_ORIENT,          /* cannot orient connection: neither end is us */
 254     RC_CLASH,           /* clash between two Road Warrior connections OVERLOADED */
 255     RC_DEAF,            /* need --listen before --initiate */
 256     RC_ROUTE,           /* cannot route */
 257     RC_RTBUSY,          /* cannot unroute: route busy */
 258     RC_BADID,           /* malformed --id */
 259     RC_NOKEY,           /* no key found through DNS */
 260     RC_NOPEERIP,        /* cannot initiate when peer IP is unknown */
 261     RC_INITSHUNT,       /* cannot initiate a shunt-oly connection */
 262     RC_WILDCARD,        /* cannot initiate when ID has wildcards */
 263     RC_NOVALIDPIN,      /* cannot initiate without valid PIN */
 264
 265     /* permanent failure */
 266
 267     RC_BADWHACKMESSAGE = 30,
 268     RC_NORETRANSMISSION,
 269     RC_INTERNALERR,
 270     RC_OPPOFAILURE,     /* Opportunism failed */
 271
 272     /* entry of secrets */
 273     RC_ENTERSECRET = 40,
 274
 275     /* progress: start of range for successful state transition.
 276      * Actual value is RC_NEW_STATE plus the new state code.
 277      */
 278     RC_NEW_STATE = 100,
 279
 280     /* start of range for notification.
 281      * Actual value is RC_NOTIFICATION plus code for notification
 282      * that should be generated by this Pluto.
 283      */
 284     RC_NOTIFICATION = 200       /* as per IKE notification messages */
 285 };
 286
 287 /* options of whack --list*** command */
 288
 289 #define LIST_NONE       0x0000  /* don't list anything */
 290 #define LIST_ALGS       0x0001  /* list all registered IKE algorithms */
 291 #define LIST_PUBKEYS    0x0002  /* list all public keys */
 292 #define LIST_CERTS      0x0004  /* list all host/user certs */
 293 #define LIST_CACERTS    0x0008  /* list all ca certs */
 294 #define LIST_ACERTS     0x0010  /* list all attribute certs */
 295 #define LIST_AACERTS    0x0020  /* list all aa certs */
 296 #define LIST_OCSPCERTS  0x0040  /* list all ocsp certs */
 297 #define LIST_GROUPS     0x0080  /* list all access control groups */
 298 #define LIST_CAINFOS    0x0100  /* list all ca information records */
 299 #define LIST_CRLS       0x0200  /* list all crls */
 300 #define LIST_OCSP       0x0400  /* list all ocsp cache entries */
 301 #define LIST_CARDS      0x0800  /* list all smartcard records */
 302
 303 #define LIST_ALL        LRANGES(LIST_ALGS, LIST_CARDS)  /* all list options */
 304
 305 /* options of whack --reread*** command */
 306
 307 #define REREAD_NONE       0x00  /* don't reread anything */
 308 #define REREAD_SECRETS    0x01  /* reread /etc/ipsec.secrets */
 309 #define REREAD_CACERTS    0x02  /* reread certs in /etc/ipsec.d/cacerts */
 310 #define REREAD_AACERTS    0x04  /* reread certs in /etc/ipsec.d/aacerts */
 311 #define REREAD_OCSPCERTS  0x08  /* reread certs in /etc/ipsec.d/ocspcerts */
 312 #define REREAD_ACERTS     0x10  /* reread certs in /etc/ipsec.d/acerts */
 313 #define REREAD_CRLS       0x20  /* reread crls in /etc/ipsec.d/crls */
 314
 315 #define REREAD_ALL      LRANGES(REREAD_SECRETS, REREAD_CRLS)  /* all reread options */
 316
 317 #endif /* _WHACK_H */