1 /* Structure of messages from whack to Pluto proper.
2 * Copyright (C) 1998-2001 D. Hugh Redelmeier.
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * RCSID $Id: whack.h,v 1.42 2002/03/09 01:26:30 dhr Exp $
20 * Since the message remains on one host, native representation is used.
21 * Think of this as horizontal microcode: all selected operations are
22 * to be done (in the order declared here).
24 * MAGIC is used to help detect version mismatches between whack and Pluto.
25 * Whenever the interface (i.e. this struct) changes in form or
26 * meaning, change this value (probably by changing the last number).
/* Interface version tag: the bytes 'w', 'a', 'k' followed by the revision
 * number (18).  Bump the last byte whenever struct whack_message changes.
 * This is only a compatibility sanity check between whack and Pluto; a
 * fixed constant cannot authenticate whoever wrote the message.
 */
#define WHACK_MAGIC (('w' << 24) | ('a' << 16) | ('k' << 8) | 18)
30 /* struct whack_end is a lot like connection.h's struct end
31 * It differs because it is going to be shipped down a socket
32 * and because whack is a separate program from pluto.
35 char *id; /* id string (if any) -- decoded by pluto */
36 char *cert; /* path string (if any) -- loaded by pluto */
42 u_int16_t port; /* host order */
46 bool has_client_wildcard;
47 char *updown; /* string */
48 u_int16_t host_port; /* host order */
54 struct whack_message {
57 /* name is used in connection and initiate */
58 size_t name_len; /* string 1 */
62 /* for WHACK_OPTIONS: */
66 unsigned int debugging;
68 /* for WHACK_CONNECTION */
70 bool whack_connection;
74 time_t sa_ike_life_seconds;
75 time_t sa_ipsec_life_seconds;
76 time_t sa_rekey_margin;
77 unsigned long sa_rekey_fuzz;
78 unsigned long sa_keying_tries;
85 /* note that each end contains string 2/5.id, string 3/6 cert,
86 * and string 4/7 updown
88 struct whack_end left;
89 struct whack_end right;
91 /* note: if the client is the gateway, the following must be equal */
92 sa_family_t addr_family; /* between gateways */
93 sa_family_t tunnel_addr_family; /* between clients */
95 char *ike; /* ike algo string (separated by commas) */
96 char *pfsgroup; /* pfsgroup will be "encapsulated" in esp string for pluto */
97 char *esp; /* esp algo string (separated by commas) */
99 int retransmit_trigger;
104 char *keyid; /* string 8 */
105 enum pubkey_alg pubkey_alg;
106 chunk_t keyval; /* chunk */
108 /* for WHACK_ROUTE: */
111 /* for WHACK_UNROUTE: */
114 /* for WHACK_INITIATE: */
117 /* for WHACK_OPINITIATE */
118 bool whack_oppo_initiate;
119 ip_address oppo_my_client, oppo_peer_client;
121 /* for WHACK_TERMINATE: */
122 bool whack_terminate;
124 /* for WHACK_DELETE: */
127 /* for WHACK_DELETESTATE: */
128 bool whack_deletestate;
129 so_serial_t whack_deletestateno;
131 /* for WHACK_LISTEN: */
132 bool whack_listen, whack_unlisten;
138 /* for WHACK_REREAD */
141 /* for WHACK_STATUS: */
144 /* for WHACK_SHUTDOWN */
147 /* space for strings (hope there is enough room):
148 * Note that pointers don't travel on wire.
149 * 1 connection name [name_len]
150 * 2 left's name [left.host.name.len]
153 * 5 right's name [right.host.name.len]
157 * plus keyval (limit: 8K bits + overhead), a chunk.
163 /* Codes for status messages returned to whack.
164 * These are 3 digit decimal numerals. The structure
165 * is inspired by section 4.2 of RFC959 (FTP).
166 * Since these will end up as the exit status of whack, they
167 * must be less than 256.
168 * NOTE: ipsec_auto(8) knows about some of these numbers -- change carefully.
171 RC_COMMENT, /* non-commital utterance (does not affect exit status) */
172 RC_WHACK_PROBLEM, /* whack-detected problem */
173 RC_LOG, /* message aimed at log (does not affect exit status) */
174 RC_LOG_SERIOUS, /* serious message aimed at log (does not affect exit status) */
175 RC_SUCCESS, /* success (exit status 0) */
177 /* failure, but not definitive */
179 RC_RETRANSMISSION = 10,
181 /* improper request */
183 RC_DUPNAME = 20, /* attempt to reuse a connection name */
184 RC_UNKNOWN_NAME, /* connection name unknown or state number */
185 RC_ORIENT, /* cannot orient connection: neither end is us */
186 RC_CLASH, /* clash between two Road Warrior connections OVERLOADED */
187 RC_DEAF, /* need --listen before --initiate */
188 RC_ROUTE, /* cannot route */
189 RC_RTBUSY, /* cannot unroute: route busy */
190 RC_BADID, /* malformed --id */
191 RC_NOKEY, /* no key found through DNS */
192 RC_NOPEERIP, /* cannot initiate when peer IP is unknown */
194 /* permanent failure */
196 RC_BADWHACKMESSAGE = 30,
199 RC_OPPOFAILURE, /* Opportunism failed */
201 /* progress: start of range for successful state transition.
202 * Actual value is RC_NEW_STATE plus the new state code.
206 /* start of range for notification.
207 * Actual value is RC_NOTIFICATION plus code for notification
208 * that should be generated by this Pluto.
210 RC_NOTIFICATION = 200 /* as per IKE notification messages */
213 /* options of whack --list*** command */
/* Bit flags selecting what `whack --list***` reports.
 * Each option occupies its own bit so several may be OR'd together;
 * LIST_ALL covers the whole range via LRANGES().
 */
#define LIST_NONE     0x00        /* don't list anything */
#define LIST_PUBKEYS  (1 << 0)    /* list all public keys */
#define LIST_CERTS    (1 << 1)    /* list all host/user certs */
#define LIST_CACERTS  (1 << 2)    /* list all ca certs */
#define LIST_CRLS     (1 << 3)    /* list all crls */

#define LIST_ALL LRANGES(LIST_PUBKEYS, LIST_CRLS) /* all list options */
223 /* options of whack --reread*** command */
/* Bit flags selecting what `whack --reread***` makes Pluto reload.
 * Each option occupies its own bit so several may be OR'd together;
 * REREAD_ALL covers the whole range via LRANGES().
 */
#define REREAD_NONE     0x00        /* don't reread anything */
#define REREAD_SECRETS  (1 << 0)    /* reread /etc/ipsec.secrets */
#define REREAD_MYCERT   (1 << 1)    /* reread /etc/x509cert.der (deprecated) */
#define REREAD_CACERTS  (1 << 2)    /* reread certs in /etc/ipsec.d/cacerts */
#define REREAD_CRLS     (1 << 3)    /* reread crls in /etc/ipsec.d/crls */

#define REREAD_ALL LRANGES(REREAD_SECRETS, REREAD_CRLS) /* all reread options */