1 /* Structure of messages from whack to Pluto proper.
2 * Copyright (C) 1998-2001 D. Hugh Redelmeier.
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * RCSID $Id: whack.h,v 1.16 2006/04/17 10:39:14 as Exp $
22 /* Since the message remains on one host, native representation is used.
23 * Think of this as horizontal microcode: all selected operations are
24 * to be done (in the order declared here).
26 * MAGIC is used to help detect version mismatches between whack and Pluto.
27 * Whenever the interface (i.e. this struct) changes in form or
28 * meaning, change this value (probably by changing the last number).
30 * If the command only requires basic actions (status or shutdown),
31 * it is likely that the relevant part of the message changes less frequently.
32 * Whack uses WHACK_BASIC_MAGIC in those cases.
34 * NOTE: no value of WHACK_BASIC_MAGIC may equal any value of WHACK_MAGIC.
35 * Otherwise certain version mismatches will not be detected.
38 #define WHACK_BASIC_MAGIC (((((('w' << 8) + 'h') << 8) + 'k') << 8) + 24)
39 #define WHACK_MAGIC (((((('w' << 8) + 'h') << 8) + 'k') << 8) + 26)
41 typedef struct whack_end whack_end_t
;
43 /* struct whack_end is a lot like connection.h's struct end
44 * It differs because it is going to be shipped down a socket
45 * and because whack is a separate program from pluto.
48 char *id
; /* id string (if any) -- decoded by pluto */
49 char *cert
; /* path string (if any) -- loaded by pluto */
50 char *ca
; /* distinguished name string (if any) -- parsed by pluto */
51 char *groups
; /* access control groups (if any) -- parsed by pluto */
58 bool key_from_DNS_on_demand
;
60 bool has_client_wildcard
;
61 bool has_port_wildcard
;
65 certpolicy_t sendcert
;
66 char *updown
; /* string */
67 u_int16_t host_port
; /* host order */
68 u_int16_t port
; /* host order */
75 typedef struct whack_message whack_message_t
;
77 struct whack_message
{
80 /* for WHACK_STATUS: */
85 /* for WHACK_SHUTDOWN */
88 /* END OF BASIC COMMANDS
89 * If you change anything earlier in this struct, update WHACK_BASIC_MAGIC.
92 /* name is used in connection, ca and initiate */
93 size_t name_len
; /* string 1 */
96 /* for WHACK_OPTIONS: */
100 lset_t debugging
; /* only used #ifdef DEBUG, but don't want layout to change */
102 /* for WHACK_CONNECTION */
104 bool whack_connection
;
108 time_t sa_ike_life_seconds
;
109 time_t sa_ipsec_life_seconds
;
110 time_t sa_rekey_margin
;
111 unsigned long sa_rekey_fuzz
;
112 unsigned long sa_keying_tries
;
114 /* For DPD 3706 - Dead Peer Detection */
117 dpd_action_t dpd_action
;
119 /* note that each end contains string 2/5.id, string 3/6 cert,
120 * and string 4/7 updown
125 /* note: if the client is the gateway, the following must be equal */
126 sa_family_t addr_family
; /* between gateways */
127 sa_family_t tunnel_addr_family
; /* between clients */
129 char *ike
; /* ike algo string (separated by commas) */
130 char *pfsgroup
; /* pfsgroup will be "encapsulated" in esp string for pluto */
131 char *esp
; /* esp algo string (separated by commas) */
136 char *keyid
; /* string 8 */
137 enum pubkey_alg pubkey_alg
;
138 chunk_t keyval
; /* chunk */
140 /* for WHACK_MYID: */
142 char *myid
; /* string 7 */
144 /* for WHACK_ROUTE: */
147 /* for WHACK_UNROUTE: */
150 /* for WHACK_INITIATE: */
153 /* for WHACK_OPINITIATE */
154 bool whack_oppo_initiate
;
155 ip_address oppo_my_client
, oppo_peer_client
;
157 /* for WHACK_TERMINATE: */
158 bool whack_terminate
;
160 /* for WHACK_DELETE: */
163 /* for WHACK_DELETESTATE: */
164 bool whack_deletestate
;
165 so_serial_t whack_deletestateno
;
167 /* for WHACK_LISTEN: */
168 bool whack_listen
, whack_unlisten
;
170 /* for WHACK_CRASH - note if a remote peer is known to have rebooted */
172 ip_address whack_crash_peer
;
178 /* for WHACK_PURGEOCSP */
179 bool whack_purgeocsp
;
181 /* for WHACK_REREAD */
195 /* for WHACK_SC_OP */
200 /* space for strings (hope there is enough room):
201 * Note that pointers don't travel on wire.
202 * 1 connection name [name_len]
203 * 2 left's name [left.host.name.len]
208 * 7 right's name [left.host.name.len]
224 * plus keyval (limit: 8K bits + overhead), a chunk.
230 /* Codes for status messages returned to whack.
231 * These are 3 digit decimal numerals. The structure
232 * is inspired by section 4.2 of RFC959 (FTP).
233 * Since these will end up as the exit status of whack, they
234 * must be less than 256.
235 * NOTE: ipsec_auto(8) knows about some of these numbers -- change carefully.
238 RC_COMMENT
, /* non-commital utterance (does not affect exit status) */
239 RC_WHACK_PROBLEM
, /* whack-detected problem */
240 RC_LOG
, /* message aimed at log (does not affect exit status) */
241 RC_LOG_SERIOUS
, /* serious message aimed at log (does not affect exit status) */
242 RC_SUCCESS
, /* success (exit status 0) */
244 /* failure, but not definitive */
246 RC_RETRANSMISSION
= 10,
248 /* improper request */
250 RC_DUPNAME
= 20, /* attempt to reuse a connection name */
251 RC_UNKNOWN_NAME
, /* connection name unknown or state number */
252 RC_ORIENT
, /* cannot orient connection: neither end is us */
253 RC_CLASH
, /* clash between two Road Warrior connections OVERLOADED */
254 RC_DEAF
, /* need --listen before --initiate */
255 RC_ROUTE
, /* cannot route */
256 RC_RTBUSY
, /* cannot unroute: route busy */
257 RC_BADID
, /* malformed --id */
258 RC_NOKEY
, /* no key found through DNS */
259 RC_NOPEERIP
, /* cannot initiate when peer IP is unknown */
260 RC_INITSHUNT
, /* cannot initiate a shunt-oly connection */
261 RC_WILDCARD
, /* cannot initiate when ID has wildcards */
262 RC_NOVALIDPIN
, /* cannot initiate without valid PIN */
264 /* permanent failure */
266 RC_BADWHACKMESSAGE
= 30,
269 RC_OPPOFAILURE
, /* Opportunism failed */
271 /* entry of secrets */
274 /* progress: start of range for successful state transition.
275 * Actual value is RC_NEW_STATE plus the new state code.
279 /* start of range for notification.
280 * Actual value is RC_NOTIFICATION plus code for notification
281 * that should be generated by this Pluto.
283 RC_NOTIFICATION
= 200 /* as per IKE notification messages */
286 /* options of whack --list*** command */
288 #define LIST_NONE 0x0000 /* don't list anything */
289 #define LIST_ALGS 0x0001 /* list all registered IKE algorithms */
290 #define LIST_PUBKEYS 0x0002 /* list all public keys */
291 #define LIST_CERTS 0x0004 /* list all host/user certs */
292 #define LIST_CACERTS 0x0008 /* list all ca certs */
293 #define LIST_ACERTS 0x0010 /* list all attribute certs */
294 #define LIST_AACERTS 0x0020 /* list all aa certs */
295 #define LIST_OCSPCERTS 0x0040 /* list all ocsp certs */
296 #define LIST_GROUPS 0x0080 /* list all access control groups */
297 #define LIST_CAINFOS 0x0100 /* list all ca information records */
298 #define LIST_CRLS 0x0200 /* list all crls */
299 #define LIST_OCSP 0x0400 /* list all ocsp cache entries */
300 #define LIST_CARDS 0x0800 /* list all smartcard records */
302 #define LIST_ALL LRANGES(LIST_ALGS, LIST_CARDS) /* all list options */
304 /* options of whack --reread*** command */
306 #define REREAD_NONE 0x00 /* don't reread anything */
307 #define REREAD_SECRETS 0x01 /* reread /etc/ipsec.secrets */
308 #define REREAD_CACERTS 0x02 /* reread certs in /etc/ipsec.d/cacerts */
309 #define REREAD_AACERTS 0x04 /* reread certs in /etc/ipsec.d/aacerts */
310 #define REREAD_OCSPCERTS 0x08 /* reread certs in /etc/ipsec.d/ocspcerts */
311 #define REREAD_ACERTS 0x10 /* reread certs in /etc/ipsec.d/acerts */
312 #define REREAD_CRLS 0x20 /* reread crls in /etc/ipsec.d/crls */
314 #define REREAD_ALL LRANGES(REREAD_SECRETS, REREAD_CRLS) /* all reread options */
316 #endif /* _WHACK_H */