1 /* Structure of messages from whack to Pluto proper.
2 * Copyright (C) 1998-2001 D. Hugh Redelmeier.
3 *
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * for more details.
13 */
14
15 #ifndef _WHACK_H
16 #define _WHACK_H
17
18 #include <freeswan.h>
19
20 #include <defs.h>
21 #include <constants.h>
22
/* Local copy of the smartcard operation codes declared in smartcard.h.
 * The SC_OP_T guard lets either header be included first without a
 * redefinition; the numeric values must stay identical to smartcard.h
 * because the code is carried in whack_message.whack_sc_op.
 */
#ifndef SC_OP_T
#define SC_OP_T
typedef enum {
	SC_OP_NONE = 0,		/* no smartcard operation requested */
	SC_OP_ENCRYPT = 1,	/* encrypt */
	SC_OP_DECRYPT = 2,	/* decrypt */
	SC_OP_SIGN = 3		/* sign */
} sc_op_t;
#endif /* SC_OP_T */
33
34 /* Since the message remains on one host, native representation is used.
35 * Think of this as horizontal microcode: all selected operations are
36 * to be done (in the order declared here).
37 *
38 * MAGIC is used to help detect version mismatches between whack and Pluto.
39 * Whenever the interface (i.e. this struct) changes in form or
40 * meaning, change this value (probably by changing the last number).
41 *
42 * If the command only requires basic actions (status or shutdown),
43 * it is likely that the relevant part of the message changes less frequently.
44 * Whack uses WHACK_BASIC_MAGIC in those cases.
45 *
46 * NOTE: no value of WHACK_BASIC_MAGIC may equal any value of WHACK_MAGIC.
47 * Otherwise certain version mismatches will not be detected.
48 */
49
/* Version sentinels: the ASCII bytes 'w','h','k' packed into the top three
 * bytes of an int, with the interface revision number in the low byte.
 * Every byte is below 0x100, so OR and addition give the same value; the
 * two constants differ only in their revision byte (24 vs 30), which keeps
 * them distinct as the comment above requires.
 */
#define WHACK_BASIC_MAGIC (('w' << 24) | ('h' << 16) | ('k' << 8) | 24)
#define WHACK_MAGIC (('w' << 24) | ('h' << 16) | ('k' << 8) | 30)
52
typedef struct whack_end whack_end_t;

/* struct whack_end is a lot like connection.h's struct end
 * It differs because it is going to be shipped down a socket
 * and because whack is a separate program from pluto.
 *
 * The char * members are only meaningful inside one process: the message
 * travels in native representation and "pointers don't travel on wire"
 * (see the string area at the end of struct whack_message), so the receiver
 * presumably re-derives each pointer from that area -- confirm in the
 * unpack routine before relying on any of them.
 */
struct whack_end {
	char *id;			/* id string (if any) -- decoded by pluto */
	char *cert;			/* path string (if any) -- loaded by pluto */
	char *ca;			/* distinguished name string (if any) -- parsed by pluto */
	char *groups;		/* access control groups (if any) -- parsed by pluto */
	char *sourceip;		/* source IP address or pool identifier -- parsed by pluto */
	int sourceip_mask;	/* NOTE(review): presumably the prefix length that goes with sourceip -- confirm */
	ip_address host_addr;
	ip_address host_nexthop;
	ip_address host_srcip;
	ip_subnet client;
	bool key_from_DNS_on_demand;
	/* presence/option flags; which optional member each one qualifies is
	 * not recorded here -- presumably by name (client, srcip, natip) */
	bool has_client;
	bool has_client_wildcard;
	bool has_port_wildcard;
	bool has_srcip;
	bool has_natip;
	bool modecfg;
	bool hostaccess;
	bool allow_any;
	certpolicy_t sendcert;
	char *updown;		/* string */
	u_int16_t host_port;	/* host order */
	u_int16_t port;		/* host order */
	u_int8_t protocol;
	char *virt;			/* string; listed as "virtual ip ranges" in the whack_message string list */
};
86
typedef struct whack_message whack_message_t;

/* The message whack sends to Pluto.  It is shipped verbatim in native
 * representation; magic identifies the layout revision (WHACK_BASIC_MAGIC or
 * WHACK_MAGIC), and all char * members point into the string area at the end
 * of the struct.
 *
 * NOTE(review): because the struct arrives from a socket, the receiver must
 * check magic, and check str_size against sizeof string, before it derives
 * any pointer from the string area -- confirm that the unpack routine does
 * both.  The per-field "string N" numbers below appear to predate the list
 * at the end of the struct and do not agree with it; treat that list as the
 * authoritative order.
 */
struct whack_message {
	unsigned int magic;		/* WHACK_BASIC_MAGIC or WHACK_MAGIC; see above */

	/* for WHACK_STATUS: */
	bool whack_status;
	bool whack_statusall;


	/* for WHACK_SHUTDOWN */
	bool whack_shutdown;

	/* END OF BASIC COMMANDS
	 * If you change anything earlier in this struct, update WHACK_BASIC_MAGIC.
	 */

	/* name is used in connection, ca and initiate */
	size_t name_len;	/* string 1 */
	char *name;

	/* for WHACK_OPTIONS: */

	bool whack_options;

	lset_t debugging;	/* only used #ifdef DEBUG, but don't want layout to change */

	/* for WHACK_CONNECTION */

	bool whack_connection;
	bool whack_async;
	bool ikev1;

	lset_t policy;
	time_t sa_ike_life_seconds;
	time_t sa_ipsec_life_seconds;
	time_t sa_rekey_margin;
	unsigned long sa_rekey_fuzz;
	unsigned long sa_keying_tries;

	/* For DPD 3706 - Dead Peer Detection */
	time_t dpd_delay;
	time_t dpd_timeout;
	dpd_action_t dpd_action;


	/* Assign optional fixed reqid and xfrm marks to IPsec SA */
	u_int32_t reqid;
	struct {
		u_int32_t value;
		u_int32_t mask;
	} mark_in, mark_out;

	/* note that each end contains string 2/5.id, string 3/6 cert,
	 * and string 4/7 updown
	 * (stale numbering -- the list at the end of the struct gives
	 * 2..8 for left and 9..15 for right)
	 */
	whack_end_t left;
	whack_end_t right;

	/* note: if the client is the gateway, the following must be equal */
	sa_family_t addr_family;		/* between gateways */
	sa_family_t tunnel_addr_family;	/* between clients */

	char *ike;		/* ike algo string (separated by commas) */
	char *pfsgroup;	/* pfsgroup will be "encapsulated" in esp string for pluto */
	char *esp;		/* esp algo string (separated by commas) */

	/* for WHACK_KEY: */
	bool whack_key;
	bool whack_addkey;
	char *keyid;		/* string 8 (16 in the list at the end of the struct) */
	enum pubkey_alg pubkey_alg;
	chunk_t keyval;		/* chunk; the string-area comment below limits it to 8K bits + overhead */

	/* for WHACK_MYID: */
	bool whack_myid;
	char *myid;		/* string 7 (17 in the list at the end of the struct) */

	/* for WHACK_ROUTE: */
	bool whack_route;

	/* for WHACK_UNROUTE: */
	bool whack_unroute;

	/* for WHACK_INITIATE: */
	bool whack_initiate;

	/* for WHACK_OPINITIATE */
	bool whack_oppo_initiate;
	ip_address oppo_my_client, oppo_peer_client;

	/* for WHACK_TERMINATE: */
	bool whack_terminate;

	/* for WHACK_DELETE: */
	bool whack_delete;

	/* for WHACK_DELETESTATE: */
	bool whack_deletestate;
	so_serial_t whack_deletestateno;

	/* for WHACK_LEASES: */
	bool whack_leases;
	char *whack_lease_ip, *whack_lease_id;

	/* for WHACK_LISTEN: */
	bool whack_listen, whack_unlisten;

	/* for WHACK_CRASH - note if a remote peer is known to have rebooted */
	bool whack_crash;
	ip_address whack_crash_peer;

	/* for WHACK_LIST */
	bool whack_utc;
	lset_t whack_list;	/* LIST_* bits, see below */

	/* for WHACK_PURGEOCSP */
	bool whack_purgeocsp;

	/* for WHACK_REREAD */
	u_char whack_reread;	/* REREAD_* bits, see below */

	/* for WHACK_CA */
	bool whack_ca;
	bool whack_strict;

	char *cacert;
	char *ldaphost;
	char *ldapbase;
	char *crluri;
	char *crluri2;
	char *ocspuri;

	/* for WHACK_SC_OP */
	sc_op_t whack_sc_op;
	int inbase, outbase;	/* NOTE(review): presumably the encodings of sc_data in and of the result out -- confirm in whack.c */
	char *sc_data;

	/* XAUTH user identity */
	char *xauth_identity;

	/* space for strings (hope there is enough room):
	 * Note that pointers don't travel on wire.
	 * 1 connection name
	 * 2 left's id
	 * 3 left's cert
	 * 4 left's ca
	 * 5 left's groups
	 * 6 left's updown
	 * 7 left's source ip
	 * 8 left's virtual ip ranges
	 * 9 right's id
	 * 10 right's cert
	 * 11 right's ca
	 * 12 right's groups
	 * 13 right's updown
	 * 14 right's source ip
	 * 15 right's virtual ip ranges
	 * 16 keyid
	 * 17 myid
	 * 18 cacert
	 * 19 ldaphost
	 * 20 ldapbase
	 * 21 crluri
	 * 22 crluri2
	 * 23 ocspuri
	 * 24 ike
	 * 25 esp
	 * 26 smartcard data
	 * 27 whack leases ip argument
	 * 28 whack leases id argument
	 * 29 xauth identity
	 * plus keyval (limit: 8K bits + overhead), a chunk.
	 *
	 * The 2048-byte area bounds the combined length of everything listed;
	 * a sender whose strings do not fit must presumably reject the message
	 * rather than truncate, and the receiver must not trust str_size beyond
	 * sizeof string -- confirm both in the pack/unpack code.
	 */
	size_t str_size;	/* bytes of string[] actually in use */
	char string[2048];
};
264
/* Codes for status messages returned to whack.
 * They follow the three-digit decimal scheme of RFC 959 (FTP) section 4.2,
 * but since they end up as the exit status of whack they are kept below 256.
 * NOTE: ipsec_auto(8) knows about some of these numbers -- change carefully.
 *
 * Every value is written out explicitly so that the numbering, and in
 * particular the overlap noted under "permanent failure", is visible here.
 */
enum rc_type {
	RC_COMMENT = 0,			/* non-committal utterance (does not affect exit status) */
	RC_WHACK_PROBLEM = 1,	/* whack-detected problem */
	RC_LOG = 2,				/* message aimed at log (does not affect exit status) */
	RC_LOG_SERIOUS = 3,		/* serious message aimed at log (does not affect exit status) */
	RC_SUCCESS = 4,			/* success (exit status 0) */

	/* failure, but not definitive */
	RC_RETRANSMISSION = 10,

	/* improper request */
	RC_DUPNAME = 20,		/* attempt to reuse a connection name */
	RC_UNKNOWN_NAME = 21,	/* connection name unknown or state number */
	RC_ORIENT = 22,			/* cannot orient connection: neither end is us */
	RC_CLASH = 23,			/* clash between two Road Warrior connections OVERLOADED */
	RC_DEAF = 24,			/* need --listen before --initiate */
	RC_ROUTE = 25,			/* cannot route */
	RC_RTBUSY = 26,			/* cannot unroute: route busy */
	RC_BADID = 27,			/* malformed --id */
	RC_NOKEY = 28,			/* no key found through DNS */
	RC_NOPEERIP = 29,		/* cannot initiate when peer IP is unknown */
	RC_INITSHUNT = 30,		/* cannot initiate a shunt-only connection */
	RC_WILDCARD = 31,		/* cannot initiate when ID has wildcards */
	RC_NOVALIDPIN = 32,		/* cannot initiate without valid PIN */

	/* permanent failure
	 * NOTE: 30, 31 and 32 are also RC_INITSHUNT, RC_WILDCARD and
	 * RC_NOVALIDPIN above, so a whack exit status in that range cannot be
	 * told apart between the two groups.  The values are kept as they are
	 * because ipsec_auto(8) depends on them (see the note at the top).
	 */
	RC_BADWHACKMESSAGE = 30,
	RC_NORETRANSMISSION = 31,
	RC_INTERNALERR = 32,
	RC_OPPOFAILURE = 33,	/* Opportunism failed */

	/* entry of secrets */
	RC_ENTERSECRET = 40,

	/* progress: start of range for successful state transition.
	 * Actual value is RC_NEW_STATE plus the new state code.
	 */
	RC_NEW_STATE = 100,

	/* start of range for notification.
	 * Actual value is RC_NOTIFICATION plus code for notification
	 * that should be generated by this Pluto.
	 */
	RC_NOTIFICATION = 200	/* as per IKE notification messages */
};
320
/* options of whack --list*** command: one bit per category, combined with | */

#define LIST_NONE		0			/* don't list anything */
#define LIST_ALGS		(1 << 0)	/* list all registered IKE algorithms */
#define LIST_PUBKEYS	(1 << 1)	/* list all public keys */
#define LIST_CERTS		(1 << 2)	/* list all host/user certs */
#define LIST_CACERTS	(1 << 3)	/* list all ca certs */
#define LIST_ACERTS		(1 << 4)	/* list all attribute certs */
#define LIST_AACERTS	(1 << 5)	/* list all aa certs */
#define LIST_OCSPCERTS	(1 << 6)	/* list all ocsp certs */
#define LIST_GROUPS		(1 << 7)	/* list all access control groups */
#define LIST_CAINFOS	(1 << 8)	/* list all ca information records */
#define LIST_CRLS		(1 << 9)	/* list all crls */
#define LIST_OCSP		(1 << 10)	/* list all ocsp cache entries */
#define LIST_CARDS		(1 << 11)	/* list all smartcard records */

#define LIST_ALL LRANGES(LIST_ALGS, LIST_CARDS)	/* all list options */
338
/* options of whack --reread*** command: one bit per source, combined with | */

#define REREAD_NONE			0			/* don't reread anything */
#define REREAD_SECRETS		(1 << 0)	/* reread /etc/ipsec.secrets */
#define REREAD_CACERTS		(1 << 1)	/* reread certs in /etc/ipsec.d/cacerts */
#define REREAD_AACERTS		(1 << 2)	/* reread certs in /etc/ipsec.d/aacerts */
#define REREAD_OCSPCERTS	(1 << 3)	/* reread certs in /etc/ipsec.d/ocspcerts */
#define REREAD_ACERTS		(1 << 4)	/* reread certs in /etc/ipsec.d/acerts */
#define REREAD_CRLS			(1 << 5)	/* reread crls in /etc/ipsec.d/crls */

#define REREAD_ALL LRANGES(REREAD_SECRETS, REREAD_CRLS)	/* all reread options */
348
349 #define REREAD_ALL LRANGES(REREAD_SECRETS, REREAD_CRLS) /* all reread options */
350
351 #endif /* _WHACK_H */