1 /*	$OpenBSD: ipsecctl.h,v 1.69 2015/12/09 21:41:50 naddy Exp $	*/
2 /*
3  * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 
18 #ifndef _IPSECCTL_H_
19 #define _IPSECCTL_H_
20 
/*
 * Command-line option flags.  Each value is a single distinct bit so that
 * several options can be OR'd into one word; the 0x0008 bit is currently
 * unused.  Presumably these are what struct ipsecctl.opts holds — confirm
 * against the option parser, which is not visible here.
 */
#define IPSECCTL_OPT_DISABLE		0x0001
#define IPSECCTL_OPT_ENABLE		0x0002
#define IPSECCTL_OPT_NOACTION		0x0004
#define IPSECCTL_OPT_VERBOSE		0x0010
#define IPSECCTL_OPT_VERBOSE2		0x0020
#define IPSECCTL_OPT_SHOW		0x0040
#define IPSECCTL_OPT_SHOWALL		0x0080
#define IPSECCTL_OPT_FLUSH		0x0100
#define IPSECCTL_OPT_DELETE		0x0200
#define IPSECCTL_OPT_MONITOR		0x0400
#define IPSECCTL_OPT_SHOWKEY		0x0800	/* NOTE(review): presumably reveals key material in output; check who may run with it */
31 #define IPSECCTL_OPT_SHOWKEY		0x0800
32 
/* What to do with a parsed rule: install it or remove it. */
enum {
	ACTION_ADD	= 0,
	ACTION_DELETE	= 1
};
36 
/*
 * Rule kinds.  Each is a distinct bit, so a mask of several kinds can be
 * formed; presumably the value stored in struct ipsec_rule.type — verify at
 * the use sites.
 */
#define RULE_FLOW	0x01
#define RULE_SA		0x02
#define RULE_IKE	0x04
#define RULE_GROUP	0x08
41 
/* Traffic direction of a flow; 0 is the "not yet set" marker. */
enum {
	DIRECTION_UNKNOWN	= 0,
	IPSEC_IN		= 1,
	IPSEC_OUT		= 2,
	IPSEC_INOUT		= 3
};
/* Encapsulating (security) protocol of an SA; 0 is the "not yet set" marker. */
enum {
	PROTO_UNKNOWN	= 0,
	IPSEC_ESP	= 1,
	IPSEC_AH	= 2,
	IPSEC_IPCOMP	= 3,
	IPSEC_TCPMD5	= 4,
	IPSEC_IPIP	= 5
};
/* IPsec encapsulation mode; 0 is the "not yet set" marker. */
enum {
	MODE_UNKNOWN	= 0,
	IPSEC_TRANSPORT	= 1,
	IPSEC_TUNNEL	= 2
};
/* Identity types (presumably for struct ipsec_auth.srcid_type/dstid_type). */
enum {
	ID_UNKNOWN	= 0,
	ID_PREFIX	= 1,
	ID_IPV4		= 2,
	ID_IPV6		= 3,
	ID_FQDN		= 4,
	ID_UFQDN	= 5
};
/* Flow types; 0 is the "not yet set" marker. */
enum {
	TYPE_UNKNOWN	= 0,
	TYPE_USE	= 1,
	TYPE_ACQUIRE	= 2,
	TYPE_REQUIRE	= 3,
	TYPE_DENY	= 4,
	TYPE_BYPASS	= 5,
	TYPE_DONTACQ	= 6
};
/*
 * Authentication transform identifiers.  HMAC-MD5 and HMAC-RIPEMD160 are
 * legacy algorithms kept for interoperability; whether the parser still
 * accepts them is not visible in this header.
 */
enum {
	AUTHXF_UNKNOWN		= 0,
	AUTHXF_NONE		= 1,
	AUTHXF_HMAC_MD5		= 2,
	AUTHXF_HMAC_RIPEMD160	= 3,
	AUTHXF_HMAC_SHA1	= 4,
	AUTHXF_HMAC_SHA2_256	= 5,
	AUTHXF_HMAC_SHA2_384	= 6,
	AUTHXF_HMAC_SHA2_512	= 7
};
/*
 * Encryption transform identifiers.  The _GCM and _GMAC variants and
 * CHACHA20_POLY1305 are presumably the ones flagged noauth in encxfs[];
 * ENCXF_NULL is the null cipher (no confidentiality).  How ENCXF_NONE
 * differs from ENCXF_NULL is not visible here.
 */
enum {
	ENCXF_UNKNOWN		= 0,
	ENCXF_NONE		= 1,
	ENCXF_3DES_CBC		= 2,
	ENCXF_AES		= 3,
	ENCXF_AES_128		= 4,
	ENCXF_AES_192		= 5,
	ENCXF_AES_256		= 6,
	ENCXF_AESCTR		= 7,
	ENCXF_AES_128_CTR	= 8,
	ENCXF_AES_192_CTR	= 9,
	ENCXF_AES_256_CTR	= 10,
	ENCXF_AES_128_GCM	= 11,
	ENCXF_AES_192_GCM	= 12,
	ENCXF_AES_256_GCM	= 13,
	ENCXF_AES_128_GMAC	= 14,
	ENCXF_AES_192_GMAC	= 15,
	ENCXF_AES_256_GMAC	= 16,
	ENCXF_BLOWFISH		= 17,
	ENCXF_CAST128		= 18,
	ENCXF_CHACHA20_POLY1305	= 19,
	ENCXF_NULL		= 20
};
/* IPComp compression transform identifiers. */
enum {
	COMPXF_UNKNOWN	= 0,
	COMPXF_DEFLATE	= 1,
	COMPXF_LZS	= 2
};
/*
 * Diffie-Hellman group identifiers; the numbers are presumably MODP
 * modulus sizes in bits.
 */
enum {
	GROUPXF_UNKNOWN	= 0,
	GROUPXF_NONE	= 1,
	GROUPXF_768	= 2,
	GROUPXF_1024	= 3,
	GROUPXF_1536	= 4,
	GROUPXF_2048	= 5,
	GROUPXF_3072	= 6,
	GROUPXF_4096	= 7,
	GROUPXF_6144	= 8,
	GROUPXF_8192	= 9,
};
/* IKE connection mode (presumably struct ipsec_rule.ikemode). */
enum {
	IKE_ACTIVE	= 0,
	IKE_PASSIVE	= 1,
	IKE_DYNAMIC	= 2
};
/* IKE peer authentication method (presumably struct ike_auth.type). */
enum {
	IKE_AUTH_RSA	= 0,
	IKE_AUTH_PSK	= 1
};
/* IKE exchange kinds: main mode, aggressive mode, quick mode. */
enum {
	IKE_MM	= 0,
	IKE_AM	= 1,
	IKE_QM	= 2
};
88 
89 
/*
 * One IPv4 or IPv6 address, held in a 16-byte union so it can also be
 * viewed as raw bytes, halfwords or words (e.g. for mask arithmetic).
 * Which view is meaningful is presumably decided by the af member of the
 * enclosing struct ipsec_addr_wrap; for an IPv4 address only the first
 * four bytes of the union are significant.
 */
struct ipsec_addr {
	union {
		struct in_addr		v4;
		struct in6_addr		v6;
		u_int8_t		addr8[16];
		u_int16_t		addr16[8];
		u_int32_t		addr32[4];
	} ipa;
/*
 * Shorthand so code can write a->v4 instead of a->ipa.v4.  These are
 * ordinary object-like macros, not struct-scoped: from this point on the
 * preprocessor rewrites every identifier spelled v4, v6, addr8, addr16 or
 * addr32 in any file that includes this header, so those names must not be
 * reused for locals or other struct members.
 */
#define v4	ipa.v4
#define v6	ipa.v6
#define addr8	ipa.addr8
#define addr16	ipa.addr16
#define addr32	ipa.addr32
};
104 
/*
 * An address (or network) together with list linkage, so that one rule
 * endpoint can expand to several addresses.  The list discipline lives in
 * the implementation, not here.
 */
struct ipsec_addr_wrap {
	struct ipsec_addr	 address;
	struct ipsec_addr	 mask;		/* presumably only meaningful when netaddress is set */
	int			 netaddress;	/* nonzero: address/mask is a network, not a host — presumably */
	sa_family_t		 af;		/* AF_INET or AF_INET6; selects the address view */
	char			*name;		/* textual form as given in the rule — presumably; owner not visible here */
	struct ipsec_addr_wrap	*next;		/* singly linked list of expanded addresses */
	struct ipsec_addr_wrap	*tail;		/* last element; presumably maintained on the head only */
	struct ipsec_addr_wrap	*srcnat;	/* NOTE(review): source-NAT address? confirm against the parser */
};
115 
/*
 * Source/destination endpoint pair of a flow.  The byte order of the
 * ports is not established in this header; check the parser.
 */
struct ipsec_hosts {
	struct ipsec_addr_wrap	*src;
	struct ipsec_addr_wrap	*dst;
	u_int16_t		 sport;
	u_int16_t		 dport;
};
122 
/*
 * Identities used for a flow.  srcid_type/dstid_type are presumably ID_*
 * values; the meaning of type (a 16-bit value here, unlike the 8-bit
 * ike_auth.type) is not visible in this header.
 */
struct ipsec_auth {
	char		*srcid;
	char		*dstid;
	u_int8_t	 srcid_type;
	u_int8_t	 dstid_type;
	u_int16_t	 type;
};
130 
/*
 * Raw key material: len bytes at data.  NOTE(review): this is secret
 * material; whoever releases data (presumably ipsecctl_free_rule) should
 * clear it with explicit_bzero() before free() — confirm in the
 * implementation.
 */
struct ipsec_key {
	size_t		 len;
	u_int8_t	*data;
};
135 
/*
 * IKE peer authentication: type is presumably IKE_AUTH_RSA or
 * IKE_AUTH_PSK; string is the associated value (for PSK presumably the
 * secret itself, so treat it as sensitive — confirm in the parser).
 */
struct ike_auth {
	u_int8_t	 type;
	char		*string;
};
140 
/*
 * One entry of a transform table (authxfs[], encxfs[], compxfs[]): the
 * keyword accepted in rules, its numeric id, and the accepted key-length
 * range.  The unit of keymin/keymax (bits vs. bytes) is not established
 * here — check the table definitions before using them as buffer sizes.
 */
struct ipsec_xf {
	char		*name;
	u_int16_t	 id;
	size_t		 keymin;
	size_t		 keymax;
	u_int8_t	 noauth;	/* nonzero: transform carries its own authentication — presumably */
	u_int8_t	 nostatic;	/* nonzero: not usable with manually keyed SAs — presumably */
};
149 
/*
 * The transforms selected for a rule; each pointer presumably references
 * an entry in the corresponding table.  Note that only authxfs, encxfs and
 * compxfs are declared extern in this header; the table groupxf points
 * into is not visible here.
 */
struct ipsec_transforms {
	const struct ipsec_xf *authxf;
	const struct ipsec_xf *encxf;
	const struct ipsec_xf *compxf;
	const struct ipsec_xf *groupxf;
};
156 
/*
 * SA lifetime limits.  Both are signed int, so values beyond INT_MAX
 * cannot be represented; whether 0 or a negative value means "unlimited"
 * is decided by the parser and is not visible here.
 */
struct ipsec_lifetime {
	int		 lt_bytes;
	int		 lt_seconds;
};
161 
/*
 * Settings for one IKE phase: transforms, lifetime and the exchange kind
 * (ike_exch is presumably one of IKE_MM/IKE_AM/IKE_QM).
 */
struct ike_mode {
	struct ipsec_transforms	*xfs;
	struct ipsec_lifetime	*life;
	u_int8_t		 ike_exch;
};
167 
/*
 * Transform tables, defined in the implementation.  They are presumably
 * terminated by a sentinel entry rather than sized here, so iterate until
 * the terminator — check the definitions before indexing by enum value.
 */
extern const struct ipsec_xf authxfs[];
extern const struct ipsec_xf encxfs[];
extern const struct ipsec_xf compxfs[];

/* Queue of rules sharing a destination; embedded in struct ipsec_rule below. */
TAILQ_HEAD(dst_group_queue, ipsec_rule);
173 
/*
 * Complete state of one rule.  Pointer members are presumably owned by the
 * rule and released by ipsecctl_free_rule(); confirm there before sharing
 * any of them between rules.  The IPsec-specific members (SPIs, ports) and
 * their byte order are not established in this header.
 */
struct ipsec_rule {
	u_int8_t	 type;		/* presumably a RULE_* value */

	struct ipsec_addr_wrap *src;
	struct ipsec_addr_wrap *dst;
	struct ipsec_addr_wrap *dst2;	/* second destination; role not visible here */
	struct ipsec_addr_wrap *local;
	struct ipsec_addr_wrap *peer;
	struct ipsec_auth *auth;
	struct ike_auth *ikeauth;
	struct ipsec_transforms *xfs;
	struct ipsec_transforms *p1xfs;	/* IKE phase 1 transforms */
	struct ipsec_lifetime *p1life;	/* IKE phase 1 lifetime */
	struct ipsec_transforms *p2xfs;	/* IKE phase 2 transforms */
	struct ipsec_lifetime *p2life;	/* IKE phase 2 lifetime */
	struct ipsec_key  *authkey;	/* secret material — see struct ipsec_key */
	struct ipsec_key  *enckey;	/* secret material — see struct ipsec_key */

	char		*tag;		/* pf tag for SAs */
	char		*p1name;	/* Phase 1 Name */
	char		*p2name;	/* Phase 2 Name (IPsec-XX) */
	char		*p2lid;		/* Phase 2 source ID */
	char		*p2rid;		/* Phase 2 destination ID */
	char		*p2nid;		/* Phase 2 source NAT-ID */
	u_int8_t	 satype;	/* encapsulating protocol (presumably IPSEC_ESP/AH/...) */
	u_int8_t	 proto;		/* encapsulated protocol */
	u_int8_t	 proto2;	/* second encapsulated protocol; pairs with dst2/spi2 — presumably */
	u_int8_t	 tmode;		/* presumably IPSEC_TRANSPORT or IPSEC_TUNNEL */
	u_int8_t	 direction;	/* presumably IPSEC_IN/IPSEC_OUT/IPSEC_INOUT */
	u_int8_t	 flowtype;	/* presumably a TYPE_* value */
	u_int8_t	 ikemode;	/* presumably IKE_ACTIVE/IKE_PASSIVE/IKE_DYNAMIC */
	u_int8_t	 p1ie;		/* phase 1 exchange; presumably IKE_MM or IKE_AM */
	u_int8_t	 p2ie;		/* phase 2 exchange; presumably IKE_QM */
	u_int16_t	 sport;
	u_int16_t	 dport;
	u_int32_t	 spi;
	u_int32_t	 spi2;
	u_int32_t	 nr;		/* rule number; presumably assigned from ipsecctl.rule_nr */

	/*
	 * A rule can sit on up to three lists at once.  Whoever frees a rule
	 * must have unlinked it from every list it is on — verify in
	 * ipsecctl_free_rule().
	 */
	TAILQ_ENTRY(ipsec_rule) rule_entry;
	TAILQ_ENTRY(ipsec_rule) group_entry;
	TAILQ_ENTRY(ipsec_rule) dst_group_entry;

	struct dst_group_queue	dst_group_queue;	/* rules grouped under this one by destination — presumably */
};
220 
/*
 * Queue head types for struct ipsecctl; rules are presumably linked through
 * rule_entry and group_entry respectively.
 */
TAILQ_HEAD(ipsec_rule_queue, ipsec_rule);
TAILQ_HEAD(ipsec_group_queue, ipsec_rule);
223 
/* Top-level program state: options and the parsed rule set. */
struct ipsecctl {
	u_int32_t	rule_nr;	/* next rule number to hand out — presumably */
	int		opts;		/* OR of IPSECCTL_OPT_* flags — presumably */
	struct ipsec_rule_queue rule_queue;
	struct ipsec_group_queue group_queue;
};
230 
/*
 * Public interface.  Return-value conventions below are what the
 * signatures suggest; confirm against the definitions, which are not
 * visible here.
 */
/* Parse the rule file named by the first argument into the given context. */
int	parse_rules(const char *, struct ipsecctl *);
/* Define a macro from a "name=value" command-line string; the argument is modified in place — presumably. */
int	cmdline_symset(char *);
/* Append a rule to the context's queues. */
int	ipsecctl_add_rule(struct ipsecctl *, struct ipsec_rule *);
/* Release a rule and everything it owns (see the ownership note on struct ipsec_rule). */
void	ipsecctl_free_rule(struct ipsec_rule *);
/* Load the currently installed rules from the kernel into the context — presumably. */
void	ipsecctl_get_rules(struct ipsecctl *);
/* Print one rule; the int is presumably an opts word controlling verbosity. */
void	ipsecctl_print_rule(struct ipsec_rule *, int);
/* Emit the IKE daemon configuration for a rule; the int is presumably an opts word. */
int	ike_print_config(struct ipsec_rule *, int);
/* Hand a rule to the IKE daemon: action (ACTION_ADD/ACTION_DELETE — presumably), rule, and a path or name string. */
int	ike_ipsec_establish(int, struct ipsec_rule *, const char *);
/* Fill in the mask of an address wrap from a prefix length. */
void	set_ipmask(struct ipsec_addr_wrap *, u_int8_t);
240 
241 #endif /* _IPSECCTL_H_ */