src/whack/whack.h

   1 /* Structure of messages from whack to Pluto proper.
   2  * Copyright (C) 1998-2001  D. Hugh Redelmeier.
   3  *
   4  * This program is free software; you can redistribute it and/or modify it
   5  * under the terms of the GNU General Public License as published by the
   6  * Free Software Foundation; either version 2 of the License, or (at your
   7  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
   8  *
   9  * This program is distributed in the hope that it will be useful, but
  10  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  11  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  12  * for more details.
  13  *
  14  * RCSID $Id: whack.h,v 1.16 2006/04/17 10:39:14 as Exp $
  15  */
  16
  17 #ifndef _WHACK_H
  18 #define _WHACK_H
  19
  20 #include <freeswan.h>
  21
  22 /* Since the message remains on one host, native representation is used.
  23  * Think of this as horizontal microcode: all selected operations are
  24  * to be done (in the order declared here).
  25  *
  26  * MAGIC is used to help detect version mismatches between whack and Pluto.
  27  * Whenever the interface (i.e. this struct) changes in form or
  28  * meaning, change this value (probably by changing the last number).
  29  *
  30  * If the command only requires basic actions (status or shutdown),
  31  * it is likely that the relevant part of the message changes less frequently.
  32  * Whack uses WHACK_BASIC_MAGIC in those cases.
  33  *
  34  * NOTE: no value of WHACK_BASIC_MAGIC may equal any value of WHACK_MAGIC.
  35  * Otherwise certain version mismatches will not be detected.
  36  */
  37
  38 #define WHACK_BASIC_MAGIC (((((('w' << 8) + 'h') << 8) + 'k') << 8) + 24)
  39 #define WHACK_MAGIC (((((('w' << 8) + 'h') << 8) + 'k') << 8) + 26)
  40
  41 typedef struct whack_end whack_end_t;
  42
  43 /* struct whack_end is a lot like connection.h's struct end
  44  * It differs because it is going to be shipped down a socket
  45  * and because whack is a separate program from pluto.
  46  */
  47 struct whack_end {
  48     char *id;           /* id string (if any) -- decoded by pluto */
  49     char *cert;         /* path string (if any) -- loaded by pluto  */
  50     char *ca;           /* distinguished name string (if any) -- parsed by pluto */
  51     char *groups;       /* access control groups (if any) -- parsed by pluto */
  52     ip_address
  53         host_addr,
  54         host_nexthop,
  55         host_srcip;
  56     ip_subnet client;
  57
  58     bool key_from_DNS_on_demand;
  59     bool has_client;
  60     bool has_client_wildcard;
  61     bool has_port_wildcard;
  62     bool has_srcip;
  63     bool modecfg;
  64     bool hostaccess;
  65     certpolicy_t sendcert;
  66     char *updown;               /* string */
  67     u_int16_t host_port;        /* host order */
  68     u_int16_t port;             /* host order */
  69     u_int8_t protocol;
  70 #ifdef VIRTUAL_IP
  71     char *virt;
  72 #endif
  73  };
  74
  75 typedef struct whack_message whack_message_t;
  76
  77 struct whack_message {
  78     unsigned int magic;
  79
  80     /* for WHACK_STATUS: */
  81     bool whack_status;
  82     bool whack_statusall;
  83
  84
  85     /* for WHACK_SHUTDOWN */
  86     bool whack_shutdown;
  87
  88     /* END OF BASIC COMMANDS
  89      * If you change anything earlier in this struct, update WHACK_BASIC_MAGIC.
  90      */
  91
  92     /* name is used in connection, ca and initiate */
  93     size_t name_len;    /* string 1 */
  94     char *name;
  95
  96     /* for WHACK_OPTIONS: */
  97
  98     bool whack_options;
  99
 100     lset_t debugging;   /* only used #ifdef DEBUG, but don't want layout to change */
 101
 102     /* for WHACK_CONNECTION */
 103
 104     bool whack_connection;
 105     bool whack_async;
 106
 107     lset_t policy;
 108     time_t sa_ike_life_seconds;
 109     time_t sa_ipsec_life_seconds;
 110     time_t sa_rekey_margin;
 111     unsigned long sa_rekey_fuzz;
 112     unsigned long sa_keying_tries;
 113
 114     /* For DPD 3706 - Dead Peer Detection */
 115     time_t dpd_delay;
 116     time_t dpd_timeout;
 117     dpd_action_t dpd_action;
 118
 119     /*  note that each end contains string 2/5.id, string 3/6 cert,
 120      *  and string 4/7 updown
 121      */
 122     whack_end_t left;
 123     whack_end_t right;
 124
 125     /* note: if the client is the gateway, the following must be equal */
 126     sa_family_t addr_family;    /* between gateways */
 127     sa_family_t tunnel_addr_family;     /* between clients */
 128
 129     char *ike;          /* ike algo string (separated by commas) */
 130     char *pfsgroup;     /* pfsgroup will be "encapsulated" in esp string for pluto */
 131     char *esp;          /* esp algo string (separated by commas) */
 132
 133     /* for WHACK_KEY: */
 134     bool whack_key;
 135     bool whack_addkey;
 136     char *keyid;        /* string 8 */
 137     enum pubkey_alg pubkey_alg;
 138     chunk_t keyval;     /* chunk */
 139
 140     /* for WHACK_MYID: */
 141     bool whack_myid;
 142     char *myid; /* string 7 */
 143
 144     /* for WHACK_ROUTE: */
 145     bool whack_route;
 146
 147     /* for WHACK_UNROUTE: */
 148     bool whack_unroute;
 149
 150     /* for WHACK_INITIATE: */
 151     bool whack_initiate;
 152
 153     /* for WHACK_OPINITIATE */
 154     bool whack_oppo_initiate;
 155     ip_address oppo_my_client, oppo_peer_client;
 156
 157     /* for WHACK_TERMINATE: */
 158     bool whack_terminate;
 159
 160     /* for WHACK_DELETE: */
 161     bool whack_delete;
 162
 163     /* for WHACK_DELETESTATE: */
 164     bool whack_deletestate;
 165     so_serial_t whack_deletestateno;
 166
 167     /* for WHACK_LISTEN: */
 168     bool whack_listen, whack_unlisten;
 169
 170     /* for WHACK_CRASH - note if a remote peer is known to have rebooted */
 171     bool whack_crash;
 172     ip_address whack_crash_peer;
 173
 174     /* for WHACK_LIST */
 175     bool whack_utc;
 176     lset_t whack_list;
 177
 178     /* for WHACK_PURGEOCSP */
 179     bool whack_purgeocsp;
 180
 181     /* for WHACK_REREAD */
 182     u_char whack_reread;
 183
 184     /* for WHACK_CA */
 185     bool whack_ca;
 186     bool whack_strict;
 187
 188     char *cacert;
 189     char *ldaphost;
 190     char *ldapbase;
 191     char *crluri;
 192     char *crluri2;
 193     char *ocspuri;
 194
 195     /* for WHACK_SC_OP */
 196     sc_op_t whack_sc_op;
 197     int inbase, outbase;
 198     char *sc_data;
 199
 200     /* space for strings (hope there is enough room):
 201      * Note that pointers don't travel on wire.
 202      *  1 connection name [name_len]
 203      *  2 left's name [left.host.name.len]
 204      *  3 left's cert
 205      *  4 left's ca
 206      *  5 left's groups
 207      *  6 left's updown
 208      *  7 right's name [left.host.name.len]
 209      *  8 right's cert
 210      *  9 right's ca
 211      * 10 right's groups
 212      * 11 right's updown
 213      * 12 keyid
 214      * 13 myid
 215      * 14 cacert
 216      * 15 ldaphost
 217      * 16 ldapbase
 218      * 17 crluri
 219      * 18 crluri2
 220      * 19 ocspuri
 221      * 20 ike
 222      " 21 esp
 223      * 22 rsa_data
 224      * plus keyval (limit: 8K bits + overhead), a chunk.
 225      */
 226     size_t str_size;
 227     char string[2048];
 228 };
 229
 230 /* Codes for status messages returned to whack.
 231  * These are 3 digit decimal numerals.  The structure
 232  * is inspired by section 4.2 of RFC959 (FTP).
 233  * Since these will end up as the exit status of whack, they
 234  * must be less than 256.
 235  * NOTE: ipsec_auto(8) knows about some of these numbers -- change carefully.
 236  */
 237 enum rc_type {
 238     RC_COMMENT,         /* non-commital utterance (does not affect exit status) */
 239     RC_WHACK_PROBLEM,   /* whack-detected problem */
 240     RC_LOG,             /* message aimed at log (does not affect exit status) */
 241     RC_LOG_SERIOUS,     /* serious message aimed at log (does not affect exit status) */
 242     RC_SUCCESS,         /* success (exit status 0) */
 243
 244     /* failure, but not definitive */
 245
 246     RC_RETRANSMISSION = 10,
 247
 248     /* improper request */
 249
 250     RC_DUPNAME = 20,    /* attempt to reuse a connection name */
 251     RC_UNKNOWN_NAME,    /* connection name unknown or state number */
 252     RC_ORIENT,          /* cannot orient connection: neither end is us */
 253     RC_CLASH,           /* clash between two Road Warrior connections OVERLOADED */
 254     RC_DEAF,            /* need --listen before --initiate */
 255     RC_ROUTE,           /* cannot route */
 256     RC_RTBUSY,          /* cannot unroute: route busy */
 257     RC_BADID,           /* malformed --id */
 258     RC_NOKEY,           /* no key found through DNS */
 259     RC_NOPEERIP,        /* cannot initiate when peer IP is unknown */
 260     RC_INITSHUNT,       /* cannot initiate a shunt-oly connection */
 261     RC_WILDCARD,        /* cannot initiate when ID has wildcards */
 262     RC_NOVALIDPIN,      /* cannot initiate without valid PIN */
 263
 264     /* permanent failure */
 265
 266     RC_BADWHACKMESSAGE = 30,
 267     RC_NORETRANSMISSION,
 268     RC_INTERNALERR,
 269     RC_OPPOFAILURE,     /* Opportunism failed */
 270
 271     /* entry of secrets */
 272     RC_ENTERSECRET = 40,
 273
 274     /* progress: start of range for successful state transition.
 275      * Actual value is RC_NEW_STATE plus the new state code.
 276      */
 277     RC_NEW_STATE = 100,
 278
 279     /* start of range for notification.
 280      * Actual value is RC_NOTIFICATION plus code for notification
 281      * that should be generated by this Pluto.
 282      */
 283     RC_NOTIFICATION = 200       /* as per IKE notification messages */
 284 };
 285
 286 /* options of whack --list*** command */
 287
 288 #define LIST_NONE       0x0000  /* don't list anything */
 289 #define LIST_ALGS       0x0001  /* list all registered IKE algorithms */
 290 #define LIST_PUBKEYS    0x0002  /* list all public keys */
 291 #define LIST_CERTS      0x0004  /* list all host/user certs */
 292 #define LIST_CACERTS    0x0008  /* list all ca certs */
 293 #define LIST_ACERTS     0x0010  /* list all attribute certs */
 294 #define LIST_AACERTS    0x0020  /* list all aa certs */
 295 #define LIST_OCSPCERTS  0x0040  /* list all ocsp certs */
 296 #define LIST_GROUPS     0x0080  /* list all access control groups */
 297 #define LIST_CAINFOS    0x0100  /* list all ca information records */
 298 #define LIST_CRLS       0x0200  /* list all crls */
 299 #define LIST_OCSP       0x0400  /* list all ocsp cache entries */
 300 #define LIST_CARDS      0x0800  /* list all smartcard records */
 301
 302 #define LIST_ALL        LRANGES(LIST_ALGS, LIST_CARDS)  /* all list options */
 303
 304 /* options of whack --reread*** command */
 305
 306 #define REREAD_NONE       0x00  /* don't reread anything */
 307 #define REREAD_SECRETS    0x01  /* reread /etc/ipsec.secrets */
 308 #define REREAD_CACERTS    0x02  /* reread certs in /etc/ipsec.d/cacerts */
 309 #define REREAD_AACERTS    0x04  /* reread certs in /etc/ipsec.d/aacerts */
 310 #define REREAD_OCSPCERTS  0x08  /* reread certs in /etc/ipsec.d/ocspcerts */
 311 #define REREAD_ACERTS     0x10  /* reread certs in /etc/ipsec.d/acerts */
 312 #define REREAD_CRLS       0x20  /* reread crls in /etc/ipsec.d/crls */
 313
 314 #define REREAD_ALL      LRANGES(REREAD_SECRETS, REREAD_CRLS)  /* all reread options */
 315
 316 #endif /* _WHACK_H */