1 /*	$OpenBSD: ipsecctl.h,v 1.77 2023/10/09 15:32:14 tobhe Exp $	*/
2 /*
3  * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 
18 #ifndef _IPSECCTL_H_
19 #define _IPSECCTL_H_
20 
/*
 * Command-line option bits.  Each value is a distinct bit so several can
 * be OR'd together; 0x0008 is unused.  Where they are stored is not stated
 * in this header -- presumably the opts member of struct ipsecctl below
 * (confirm in ipsecctl.c).
 */
#define IPSECCTL_OPT_DISABLE		0x0001
#define IPSECCTL_OPT_ENABLE		0x0002
#define IPSECCTL_OPT_NOACTION		0x0004
#define IPSECCTL_OPT_VERBOSE		0x0010
#define IPSECCTL_OPT_VERBOSE2		0x0020
#define IPSECCTL_OPT_SHOW		0x0040
#define IPSECCTL_OPT_SHOWALL		0x0080
#define IPSECCTL_OPT_FLUSH		0x0100
#define IPSECCTL_OPT_DELETE		0x0200
#define IPSECCTL_OPT_MONITOR		0x0400
/*
 * NOTE(review): output selected by SHOWKEY presumably includes SA key
 * material; treat that output as sensitive -- confirm in the printer.
 */
#define IPSECCTL_OPT_SHOWKEY		0x0800
#define IPSECCTL_OPT_COLLAPSE		0x1000
#define IPSECCTL_OPT_SHOWFLOWS		0x2000
#define IPSECCTL_OPT_SHOWSAS		0x4000
35 
/*
 * Rule operation selector.  The enum is anonymous, so the values travel
 * as plain int (presumably the first argument of ike_ipsec_establish()
 * below -- confirm).
 */
enum {
	ACTION_ADD, ACTION_DELETE
};
39 
/*
 * Rule kinds.  The values are single bits, so they can be combined or
 * tested as a mask.  Presumably held in ipsec_rule.type (a u_int8_t,
 * wide enough for all four bits) -- confirm.
 */
#define RULE_FLOW	0x01
#define RULE_SA		0x02
#define RULE_IKE	0x04
#define RULE_BUNDLE	0x08
44 
/*
 * Traffic direction of a rule.  DIRECTION_UNKNOWN is 0, so a zeroed
 * structure reads as "not set".
 */
enum {
	DIRECTION_UNKNOWN, IPSEC_IN, IPSEC_OUT, IPSEC_INOUT
};
/*
 * Security protocol selected by a rule.  PROTO_UNKNOWN is 0 ("not set").
 * Judging by the names, IPSEC_TCPMD5 offers only MD5-based authentication
 * (weak by current standards) and IPSEC_IPIP is bare encapsulation with no
 * cryptographic protection -- confirm against the parser before relying on
 * either for confidentiality or integrity.
 */
enum {
	PROTO_UNKNOWN, IPSEC_ESP, IPSEC_AH, IPSEC_IPCOMP, IPSEC_TCPMD5,
	IPSEC_IPIP
};
/* Encapsulation mode.  MODE_UNKNOWN is 0 ("not set"). */
enum {
	MODE_UNKNOWN, IPSEC_TRANSPORT, IPSEC_TUNNEL
};
/*
 * Identity encodings.  Presumably the values stored in
 * ipsec_auth.srcid_type / dstid_type below -- confirm.
 */
enum {
	ID_UNKNOWN, ID_PREFIX, ID_IPV4, ID_IPV6, ID_FQDN, ID_UFQDN
};
/*
 * Flow policy types.  Presumably stored in ipsec_rule.flowtype -- confirm.
 * From the names, TYPE_BYPASS lets matching traffic pass without IPsec
 * processing and TYPE_DENY drops it; review flows of those types with care.
 */
enum {
	TYPE_UNKNOWN, TYPE_USE, TYPE_ACQUIRE, TYPE_REQUIRE, TYPE_DENY,
	TYPE_BYPASS, TYPE_DONTACQ
};
/*
 * Authentication (integrity) transforms.  Names and key-size limits are
 * presumably looked up in the authxfs[] table declared later in this file
 * -- confirm.  AUTHXF_NONE means no separate integrity transform;
 * AUTHXF_HMAC_MD5 is a legacy algorithm that should not be chosen for new
 * configurations.
 */
enum {
	AUTHXF_UNKNOWN, AUTHXF_NONE, AUTHXF_HMAC_MD5, AUTHXF_HMAC_RIPEMD160,
	AUTHXF_HMAC_SHA1, AUTHXF_HMAC_SHA2_256, AUTHXF_HMAC_SHA2_384,
	AUTHXF_HMAC_SHA2_512
};
/*
 * Encryption transforms.  Names and key-size limits are presumably looked
 * up in the encxfs[] table declared later in this file -- confirm.  The
 * list includes legacy ciphers (3DES, Blowfish, CAST128) and ENCXF_NULL,
 * which by name provides no confidentiality; the *_GMAC entries are
 * presumably authentication-only variants of AES-GCM -- confirm.
 */
enum {
	ENCXF_UNKNOWN, ENCXF_NONE, ENCXF_3DES_CBC, ENCXF_AES,
	ENCXF_AES_128, ENCXF_AES_192, ENCXF_AES_256, ENCXF_AESCTR,
	ENCXF_AES_128_CTR, ENCXF_AES_192_CTR, ENCXF_AES_256_CTR,
	ENCXF_AES_128_GCM, ENCXF_AES_192_GCM, ENCXF_AES_256_GCM,
	ENCXF_AES_128_GMAC, ENCXF_AES_192_GMAC, ENCXF_AES_256_GMAC,
	ENCXF_BLOWFISH, ENCXF_CAST128, ENCXF_CHACHA20_POLY1305, ENCXF_NULL
};
/*
 * Compression transforms.  Presumably looked up in the compxfs[] table
 * declared later in this file -- confirm.
 */
enum {
	COMPXF_UNKNOWN, COMPXF_DEFLATE
};
/*
 * Diffie-Hellman groups.  The numbers appear to follow the IANA IKE group
 * identifiers (confirm against the group table in ipsecctl.c); if so,
 * GROUPXF_1 and GROUPXF_2 are the 768- and 1024-bit MODP groups, which are
 * too small for current use.  Note that the enumerator values are
 * sequential and do not equal the group numbers in their names.
 */
enum {
	GROUPXF_UNKNOWN, GROUPXF_NONE, GROUPXF_1, GROUPXF_2, GROUPXF_5,
	GROUPXF_14, GROUPXF_15, GROUPXF_16, GROUPXF_17, GROUPXF_18,
	GROUPXF_19, GROUPXF_20, GROUPXF_21, GROUPXF_25, GROUPXF_26,
	GROUPXF_27, GROUPXF_28, GROUPXF_29, GROUPXF_30
};
/* IKE initiation behaviour.  Presumably stored in ipsec_rule.ikemode -- confirm. */
enum {
	IKE_ACTIVE, IKE_PASSIVE, IKE_DYNAMIC
};
/*
 * IKE peer authentication method.  Presumably the value of ike_auth.type
 * below; for IKE_AUTH_PSK the secret itself is then held in
 * ike_auth.string -- confirm.
 */
enum {
	IKE_AUTH_RSA, IKE_AUTH_PSK
};
/*
 * IKE exchange selector, presumably IKEv1 main, aggressive and quick mode
 * (stored in ike_mode.ike_exch / ipsec_rule.p1ie, p2ie -- confirm).
 * IKE_MM is pinned to 0 explicitly.  General guidance, not enforced here:
 * aggressive mode combined with PSK exposes the identity hash to offline
 * guessing and is best avoided.
 */
enum {
	IKE_MM=0, IKE_AM, IKE_QM
};
93 
94 
/*
 * An IPv4 or IPv6 address, viewable as raw bytes, 16-bit or 32-bit words.
 * The family is not recorded here; it lives in the enclosing
 * ipsec_addr_wrap.af.  struct in_addr/in6_addr and the u_int*_t types come
 * from system headers this file does not include itself, so the including
 * file must pull them in first.
 */
struct ipsec_addr {
	union {
		struct in_addr		v4;
		struct in6_addr		v6;
		u_int8_t		addr8[16];
		u_int16_t		addr16[8];
		u_int32_t		addr32[4];
	} ipa;
/*
 * Shorthands for the union members.  They are ordinary macros and are
 * never #undef'd, so any identifier named v4, v6, addr8, addr16 or addr32
 * anywhere after this point in an including file is rewritten too.
 */
#define v4	ipa.v4
#define v6	ipa.v6
#define addr8	ipa.addr8
#define addr16	ipa.addr16
#define addr32	ipa.addr32
};
109 
/*
 * An address (or network, when mask is meaningful) together with its
 * family and textual form.  Elements chain through next; tail is present
 * on the list head.  Ownership of name and of the chained elements is not
 * stated in this header -- confirm at the allocation and free sites.
 */
struct ipsec_addr_wrap {
	struct ipsec_addr	 address;
	struct ipsec_addr	 mask;		/* set via set_ipmask() below, presumably */
	int			 netaddress;	/* non-zero when the entry is a network rather than a host -- presumably */
	sa_family_t		 af;		/* family of address/mask; sa_family_t needs <sys/socket.h> from the includer */
	char			*name;		/* textual form of the address */
	struct ipsec_addr_wrap	*next;		/* next element of the list */
	struct ipsec_addr_wrap	*tail;		/* last element of the list */
	struct ipsec_addr_wrap	*srcnat;	/* source NAT address, by name -- confirm */
};
120 
/*
 * Source/destination endpoints of a flow with optional ports.  Byte order
 * of sport/dport is not stated here; a zero port presumably means "any"
 * -- confirm in the parser.
 */
struct ipsec_hosts {
	struct ipsec_addr_wrap	*src;
	struct ipsec_addr_wrap	*dst;
	u_int16_t		 sport;
	u_int16_t		 dport;
};
127 
/*
 * Identity information for authentication.  srcid_type/dstid_type
 * presumably take ID_* values from the enum above; which enum type draws
 * from is not stated in this header -- confirm.
 */
struct ipsec_auth {
	char		*srcid;
	char		*dstid;
	u_int8_t	 srcid_type;
	u_int8_t	 dstid_type;
	u_int16_t	 type;
};
135 
/*
 * Raw keying material: len is the number of data bytes (inferred from the
 * u_int8_t element type -- confirm).  NOTE(review): this is secret
 * material; whoever frees it should clear the buffer first (e.g. with
 * explicit_bzero) and avoid copying or logging it -- confirm in
 * ipsecctl_free_rule() and the printing code.
 */
struct ipsec_key {
	size_t		 len;
	u_int8_t	*data;
};
140 
/*
 * IKE peer authentication: type presumably holds an IKE_AUTH_* value and
 * string the associated secret (for PSK) or key reference -- confirm.
 * Treat string as sensitive when type is IKE_AUTH_PSK.
 */
struct ike_auth {
	u_int8_t	 type;
	char		*string;
};
145 
/*
 * One entry of a transform table (authxfs[], encxfs[], compxfs[] below).
 * keymin/keymax bound the accepted key length; the unit (bits or bytes)
 * is not stated here -- confirm against the table definitions before
 * using them to validate an ipsec_key.len.  noauth presumably marks
 * transforms that carry their own integrity protection so no separate
 * auth transform is required, and nostatic those not usable with static
 * keys -- confirm.
 */
struct ipsec_xf {
	char		*name;
	u_int16_t	 id;		/* transform id handed to the kernel, presumably */
	size_t		 keymin;
	size_t		 keymax;
	u_int8_t	 noauth;
	u_int8_t	 nostatic;
};
154 
/*
 * The transform set chosen for a rule or IKE phase.  The pointers are
 * const and presumably refer into the extern tables declared below, so
 * nothing here is owned or freed -- confirm.  NULL presumably means
 * "not specified".
 */
struct ipsec_transforms {
	const struct ipsec_xf *authxf;
	const struct ipsec_xf *encxf;
	const struct ipsec_xf *compxf;
	const struct ipsec_xf *groupxf;
};
161 
/*
 * SA lifetime limits.  Both fields are signed int: lt_bytes therefore
 * cannot express more than INT_MAX bytes and a negative value is
 * representable.  NOTE(review): confirm the parser rejects negative and
 * out-of-range values; 0 presumably means "not set" -- confirm.
 */
struct ipsec_lifetime {
	int		 lt_bytes;
	int		 lt_seconds;
};
166 
/*
 * Per-phase IKE settings: transforms, lifetime and the exchange type
 * (ike_exch presumably holds an IKE_MM/IKE_AM/IKE_QM value -- confirm).
 */
struct ike_mode {
	struct ipsec_transforms	*xfs;
	struct ipsec_lifetime	*life;
	u_int8_t		 ike_exch;
};
172 
/*
 * Transform tables, defined in another translation unit.  Their length and
 * termination convention are not visible here -- confirm before iterating.
 */
extern const struct ipsec_xf authxfs[];
extern const struct ipsec_xf encxfs[];
extern const struct ipsec_xf compxfs[];
176 
/*
 * Declares struct dst_bundle_queue ahead of struct ipsec_rule, which embeds
 * one.  TAILQ_* come from <sys/queue.h>, which the includer must provide.
 */
TAILQ_HEAD(dst_bundle_queue, ipsec_rule);
178 
/*
 * Complete state of one rule.  A rule carries three list links, so it can
 * sit on the global rule queue, a bundle queue and a dst_bundle_queue at
 * the same time; it also heads its own collapsed_rules and
 * dst_bundle_queue lists.  Most pointer members may be NULL when the
 * corresponding clause was not given -- confirm in the parser.  Ownership
 * of the pointed-to objects is presumably the rule's (see
 * ipsecctl_free_rule()) -- confirm.
 */
struct ipsec_rule {
	u_int8_t	 type;		/* RULE_* value, presumably */

	unsigned int	 flags;
/* Bit for flags.  Defined inside the struct but, being a macro, global in scope. */
#define IPSEC_RULE_F_IFACE		(1 << 0) /* iface is valid */

	struct ipsec_addr_wrap *src;
	struct ipsec_addr_wrap *dst;
	struct ipsec_addr_wrap *dst2;
	struct ipsec_addr_wrap *local;
	struct ipsec_addr_wrap *peer;
	struct ipsec_auth *auth;
	struct ike_auth *ikeauth;	/* may hold a PSK -- sensitive */
	struct ipsec_transforms *xfs;
	struct ipsec_transforms *p1xfs;
	struct ipsec_lifetime *p1life;
	struct ipsec_transforms *p2xfs;
	struct ipsec_lifetime *p2life;
	struct ipsec_key  *authkey;	/* raw key material -- sensitive */
	struct ipsec_key  *enckey;	/* raw key material -- sensitive */

	char		*tag;		/* pf tag for SAs */
	char		*p1name;	/* Phase 1 Name */
	char		*p2name;	/* Phase 2 Name (IPsec-XX) */
	char		*p2lid;		/* Phase 2 source ID */
	char		*p2rid;		/* Phase 2 destination ID */
	char		*p2nid;		/* Phase 2 source NAT-ID */
	u_int8_t	 satype;	/* encapsulating protocol */
	u_int8_t	 proto;		/* encapsulated protocol */
	u_int8_t	 proto2;
	u_int8_t	 tmode;		/* IPSEC_TRANSPORT/IPSEC_TUNNEL, presumably */
	u_int8_t	 direction;	/* IPSEC_IN/OUT/INOUT, presumably */
	u_int8_t	 flowtype;	/* TYPE_* value, presumably */
	u_int8_t	 ikemode;	/* IKE_ACTIVE/PASSIVE/DYNAMIC, presumably */
	u_int8_t	 p1ie;		/* phase 1 exchange (IKE_MM/IKE_AM), presumably */
	u_int8_t	 p2ie;		/* phase 2 exchange (IKE_QM), presumably */
	u_int8_t	 udpencap;	/* UDP encapsulation (NAT-T) enabled, presumably */
	u_int16_t	 udpdport;	/* UDP encapsulation port; byte order not stated here */
	u_int16_t	 sport;		/* byte order not stated here */
	u_int16_t	 dport;		/* byte order not stated here */
	u_int32_t	 spi;
	u_int32_t	 spi2;
	u_int32_t	 nr;		/* rule number, presumably assigned from ipsecctl.rule_nr */
	unsigned int	 iface;		/* only meaningful when IPSEC_RULE_F_IFACE is set in flags */

	TAILQ_ENTRY(ipsec_rule) rule_entry;		/* link on ipsec_rule_queue */
	TAILQ_ENTRY(ipsec_rule) bundle_entry;		/* link on ipsec_bundle_queue */
	TAILQ_ENTRY(ipsec_rule) dst_bundle_entry;	/* link on a dst_bundle_queue */

	TAILQ_HEAD(, ipsec_rule) collapsed_rules;	/* rules merged into this one under IPSECCTL_OPT_COLLAPSE, presumably */

	struct dst_bundle_queue	dst_bundle_queue;
	char			*bundle;
};
234 
/* Queue types for the two global rule lists held in struct ipsecctl. */
TAILQ_HEAD(ipsec_rule_queue, ipsec_rule);
TAILQ_HEAD(ipsec_bundle_queue, ipsec_rule);
237 
/*
 * Top-level parser/program context: the next rule number to hand out
 * (presumably), the option bits in force (presumably IPSECCTL_OPT_*
 * values OR'd together) and the parsed rules and bundles.
 */
struct ipsecctl {
	u_int32_t	rule_nr;
	int		opts;
	struct ipsec_rule_queue rule_queue;
	struct ipsec_bundle_queue bundle_queue;
};
244 
/*
 * Function interface.  The definitions live elsewhere, so the notes below
 * describe only what the prototypes show; return conventions and
 * ownership should be confirmed at each definition.
 */
/* Parse the rule file named by the first argument into the context. */
int	parse_rules(const char *, struct ipsecctl *);
/* Takes a writable string -- presumably a command-line macro definition that is split in place; confirm. */
int	cmdline_symset(char *);
/* Link a rule into the context; the context presumably takes ownership on success -- confirm. */
int	ipsecctl_add_rule(struct ipsecctl *, struct ipsec_rule *);
/*
 * Release a rule and what it points to.  NOTE(review): rules may carry raw
 * keys (authkey/enckey) and IKE secrets (ikeauth); confirm the definition
 * clears those buffers before freeing them.
 */
void	ipsecctl_free_rule(struct ipsec_rule *);
/* Print one rule; the int is presumably an IPSECCTL_OPT_* mask selecting detail (e.g. SHOWKEY) -- confirm. */
void	ipsecctl_print_rule(struct ipsec_rule *, int);
/* Emit the IKE configuration for a rule; the int's meaning is not stated here -- confirm. */
int	ike_print_config(struct ipsec_rule *, int);
/* First argument is presumably an ACTION_* value from the enum above -- confirm. */
int	ike_ipsec_establish(int, struct ipsec_rule *, const char *);
/*
 * Fill in the wrapper's mask; the u_int8_t is presumably a prefix length.
 * Its valid range depends on the address family and is not checked by this
 * header -- confirm the callee bounds it.
 */
void	set_ipmask(struct ipsec_addr_wrap *, u_int8_t);
253 
254 #endif /* _IPSECCTL_H_ */