1 /*	$OpenBSD: ipsecctl.h,v 1.74 2020/02/07 13:01:34 bluhm Exp $	*/
2 /*
3  * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 
18 #ifndef _IPSECCTL_H_
19 #define _IPSECCTL_H_
20 
/*
 * Command-line option bits.  Every value is a distinct single bit, so
 * they can be combined (presumably OR'ed into the `opts` member of
 * struct ipsecctl below); bit 0x0008 is currently unassigned.
 */
#define IPSECCTL_OPT_DISABLE		0x0001
#define IPSECCTL_OPT_ENABLE		0x0002
#define IPSECCTL_OPT_NOACTION		0x0004
#define IPSECCTL_OPT_VERBOSE		0x0010
#define IPSECCTL_OPT_VERBOSE2		0x0020
#define IPSECCTL_OPT_SHOW		0x0040
#define IPSECCTL_OPT_SHOWALL		0x0080
#define IPSECCTL_OPT_FLUSH		0x0100
#define IPSECCTL_OPT_DELETE		0x0200
#define IPSECCTL_OPT_MONITOR		0x0400
/* NOTE(review): name suggests SA key material is printed when set; confirm the caller restricts it. */
#define IPSECCTL_OPT_SHOWKEY		0x0800
#define IPSECCTL_OPT_COLLAPSE		0x1000
33 
/* Operation requested for a rule: install it or remove it. */
enum {
	ACTION_ADD = 0,
	ACTION_DELETE = 1
};
37 
/*
 * Rule kinds.  These are distinct bits (0x01..0x08) rather than a
 * sequence, so a rule's type can be tested with a bitwise AND;
 * presumably stored in ipsec_rule.type (a u_int8_t, see below).
 */
#define RULE_FLOW	0x01
#define RULE_SA		0x02
#define RULE_IKE	0x04
#define RULE_BUNDLE	0x08
42 
/*
 * Flow direction.  The "unknown" member is deliberately the zero value,
 * so a zero-initialised field reads as unset.
 */
enum {
	DIRECTION_UNKNOWN = 0,
	IPSEC_IN = 1,
	IPSEC_OUT = 2,
	IPSEC_INOUT = 3
};
/* Security protocol of an SA; zero means "not set". */
enum {
	PROTO_UNKNOWN = 0,
	IPSEC_ESP = 1,
	IPSEC_AH = 2,
	IPSEC_IPCOMP = 3,
	IPSEC_TCPMD5 = 4,
	IPSEC_IPIP = 5
};
/* Encapsulation mode; zero means "not set". */
enum {
	MODE_UNKNOWN = 0,
	IPSEC_TRANSPORT = 1,
	IPSEC_TUNNEL = 2
};
/* Identity types (see ipsec_auth.srcid_type / dstid_type); zero means "not set". */
enum {
	ID_UNKNOWN = 0,
	ID_PREFIX = 1,
	ID_IPV4 = 2,
	ID_IPV6 = 3,
	ID_FQDN = 4,
	ID_UFQDN = 5
};
/* Flow types; zero means "not set". */
enum {
	TYPE_UNKNOWN = 0,
	TYPE_USE = 1,
	TYPE_ACQUIRE = 2,
	TYPE_REQUIRE = 3,
	TYPE_DENY = 4,
	TYPE_BYPASS = 5,
	TYPE_DONTACQ = 6
};
/*
 * Authentication transforms.  Zero is "not set"; AUTHXF_NONE is an
 * explicit "no authentication".
 * NOTE(review): HMAC-MD5 is presumably kept for interoperability with
 * old configurations; prefer the SHA-2 members for anything new.
 */
enum {
	AUTHXF_UNKNOWN = 0,
	AUTHXF_NONE = 1,
	AUTHXF_HMAC_MD5 = 2,
	AUTHXF_HMAC_RIPEMD160 = 3,
	AUTHXF_HMAC_SHA1 = 4,
	AUTHXF_HMAC_SHA2_256 = 5,
	AUTHXF_HMAC_SHA2_384 = 6,
	AUTHXF_HMAC_SHA2_512 = 7
};
/*
 * Encryption transforms.  Zero is "not set"; ENCXF_NONE and ENCXF_NULL
 * are both explicit choices (confirm the distinction in ipsecctl.c).
 * The unsuffixed ENCXF_AES / ENCXF_AESCTR presumably stand for the
 * keysize-agnostic spellings, the _128/_192/_256 ones for a fixed key.
 * NOTE(review): 3DES, Blowfish and CAST128 are presumably kept only for
 * compatibility with existing peers; prefer the AES-GCM or
 * ChaCha20-Poly1305 members for new SAs.
 */
enum {
	ENCXF_UNKNOWN = 0,
	ENCXF_NONE = 1,
	ENCXF_3DES_CBC = 2,
	ENCXF_AES = 3,
	ENCXF_AES_128 = 4,
	ENCXF_AES_192 = 5,
	ENCXF_AES_256 = 6,
	ENCXF_AESCTR = 7,
	ENCXF_AES_128_CTR = 8,
	ENCXF_AES_192_CTR = 9,
	ENCXF_AES_256_CTR = 10,
	ENCXF_AES_128_GCM = 11,
	ENCXF_AES_192_GCM = 12,
	ENCXF_AES_256_GCM = 13,
	ENCXF_AES_128_GMAC = 14,
	ENCXF_AES_192_GMAC = 15,
	ENCXF_AES_256_GMAC = 16,
	ENCXF_BLOWFISH = 17,
	ENCXF_CAST128 = 18,
	ENCXF_CHACHA20_POLY1305 = 19,
	ENCXF_NULL = 20
};
/* IPcomp compression transforms; zero means "not set". */
enum {
	COMPXF_UNKNOWN = 0,
	COMPXF_DEFLATE = 1,
	COMPXF_LZS = 2
};
/*
 * Diffie-Hellman group transforms.  GROUPXF_<n> presumably names IKE
 * group <n> as written in the configuration; note the enum value is
 * NOT the group number (e.g. GROUPXF_14 == 5), so never pass these
 * to anything expecting a group id.
 */
enum {
	GROUPXF_UNKNOWN = 0,
	GROUPXF_NONE = 1,
	GROUPXF_1 = 2,
	GROUPXF_2 = 3,
	GROUPXF_5 = 4,
	GROUPXF_14 = 5,
	GROUPXF_15 = 6,
	GROUPXF_16 = 7,
	GROUPXF_17 = 8,
	GROUPXF_18 = 9,
	GROUPXF_19 = 10,
	GROUPXF_20 = 11,
	GROUPXF_21 = 12,
	GROUPXF_25 = 13,
	GROUPXF_26 = 14,
	GROUPXF_27 = 15,
	GROUPXF_28 = 16,
	GROUPXF_29 = 17,
	GROUPXF_30 = 18
};
/* IKE negotiation role of a rule. */
enum {
	IKE_ACTIVE = 0,
	IKE_PASSIVE = 1,
	IKE_DYNAMIC = 2
};
/* IKE peer authentication method (see ike_auth.type). */
enum {
	IKE_AUTH_RSA = 0,
	IKE_AUTH_PSK = 1
};
/* IKE exchange types (see ike_mode.ike_exch, ipsec_rule.p1ie/p2ie). */
enum {
	IKE_MM = 0,
	IKE_AM = 1,
	IKE_QM = 2
};
91 
92 
/*
 * Family-agnostic address storage: a 16-byte union that can be viewed
 * as a native in_addr / in6_addr or as raw 8/16/32-bit words, so the
 * same storage can be masked and compared without caring which family
 * it holds.
 */
struct ipsec_addr {
	union {
		struct in_addr		v4;
		struct in6_addr		v6;
		u_int8_t		addr8[16];
		u_int16_t		addr16[8];
		u_int32_t		addr32[4];
	} ipa;
/*
 * Shorthands so callers can write a.v4 instead of a.ipa.v4.
 * NOTE(review): these are plain file-scope macros, not struct members --
 * from here on, every identifier spelled v4, v6, addr8, addr16 or addr32
 * in any translation unit including this header is rewritten.  Do not
 * reuse those names for locals or other struct members.
 */
#define v4	ipa.v4
#define v6	ipa.v6
#define addr8	ipa.addr8
#define addr16	ipa.addr16
#define addr32	ipa.addr32
};
107 
/*
 * One address (or network) as it appears in a rule, as a node of a
 * singly linked list.  `af` says which union view of `address` and
 * `mask` is valid.  The remaining fields are documented from their
 * names only -- confirm against the parser: `netaddress` looks like a
 * "this is a prefix, not a host" flag, `name` the text the user wrote,
 * `tail` a cached pointer to the last node for O(1) appends, and
 * `srcnat` an optional source-NAT address attached to this entry.
 */
struct ipsec_addr_wrap {
	struct ipsec_addr	 address;
	struct ipsec_addr	 mask;
	int			 netaddress;
	sa_family_t		 af;
	char			*name;
	struct ipsec_addr_wrap	*next;
	struct ipsec_addr_wrap	*tail;
	struct ipsec_addr_wrap	*srcnat;
};
118 
/*
 * Endpoint pair of a rule: source and destination address lists plus
 * the port on each side.  Byte order of sport/dport is not fixed by
 * this header -- check the parser before comparing with wire values.
 */
struct ipsec_hosts {
	struct ipsec_addr_wrap	*src;
	struct ipsec_addr_wrap	*dst;
	u_int16_t		 sport;
	u_int16_t		 dport;
};
125 
/*
 * Identity information for a flow: the local and remote IDs as strings,
 * each tagged with one of the ID_* values above.  `type` is presumably
 * the flow TYPE_* value (it is a u_int16_t here while the enum fits in
 * a byte -- harmless, but worth knowing when comparing).
 */
struct ipsec_auth {
	char		*srcid;
	char		*dstid;
	u_int8_t	 srcid_type;
	u_int8_t	 dstid_type;
	u_int16_t	 type;
};
133 
/*
 * Raw key material for a manually keyed SA: `len` bytes at `data`.
 * NOTE(review): this is secret material.  Whoever frees it
 * (presumably ipsecctl_free_rule()) should explicit_bzero() `data`
 * before free() -- confirm in ipsecctl.c.
 */
struct ipsec_key {
	size_t		 len;
	u_int8_t	*data;
};
138 
/*
 * IKE authentication for a rule: `type` is IKE_AUTH_RSA or IKE_AUTH_PSK,
 * `string` the associated text.  NOTE(review): when type is
 * IKE_AUTH_PSK the string is presumably the pre-shared key itself, i.e.
 * a secret -- it should be wiped before being freed and must not be
 * printed unless the caller explicitly asked for keys.
 */
struct ike_auth {
	u_int8_t	 type;
	char		*string;
};
143 
/*
 * One entry of the transform tables (authxfs/encxfs/compxfs below):
 * the configuration keyword, its numeric id, and the accepted key
 * length range.  Whether keymin/keymax are bits or bytes is not fixed
 * here -- check the table definitions.  `noauth` and `nostatic` are
 * flags; from their names they presumably mark transforms that need no
 * separate authentication transform (AEAD) and transforms that cannot
 * be used with static keys, respectively -- confirm in ipsecctl.c.
 */
struct ipsec_xf {
	char		*name;
	u_int16_t	 id;
	size_t		 keymin;
	size_t		 keymax;
	u_int8_t	 noauth;
	u_int8_t	 nostatic;
};
152 
/*
 * The set of transforms selected for a rule or IKE phase.  Each pointer
 * refers into one of the const tables declared below (or is NULL when
 * that kind of transform was not chosen); nothing here is owned.
 */
struct ipsec_transforms {
	const struct ipsec_xf *authxf;
	const struct ipsec_xf *encxf;
	const struct ipsec_xf *compxf;
	const struct ipsec_xf *groupxf;
};
159 
/*
 * SA lifetime limits.  Both are plain `int`, so a byte limit above
 * INT_MAX (about 2 GiB) cannot be represented here -- the parser must
 * reject or clamp larger values rather than let them wrap negative.
 */
struct ipsec_lifetime {
	int		 lt_bytes;
	int		 lt_seconds;
};
164 
/*
 * Parameters of one IKE phase: its transforms, lifetime and exchange
 * type (one of IKE_MM / IKE_AM / IKE_QM).
 */
struct ike_mode {
	struct ipsec_transforms	*xfs;
	struct ipsec_lifetime	*life;
	u_int8_t		 ike_exch;
};
170 
/*
 * Tables of the known authentication, encryption and compression
 * transforms (name, id, key-length bounds); defined elsewhere.  No
 * group table is declared here even though ipsec_transforms has a
 * groupxf member.
 */
extern const struct ipsec_xf authxfs[];
extern const struct ipsec_xf encxfs[];
extern const struct ipsec_xf compxfs[];
174 
/* Queue of rules sharing a destination bundle (linked via dst_bundle_entry). */
TAILQ_HEAD(dst_bundle_queue, ipsec_rule);
176 
/*
 * Complete state of one rule.  Most pointer members are optional and
 * depend on the rule kind; the u_int8_t fields below presumably hold
 * the matching enum values from the top of this file (confirm in the
 * parser):
 *   type      - RULE_* bits
 *   tmode     - MODE_*,   direction - DIRECTION_*,  flowtype - TYPE_*
 *   ikemode   - IKE_ACTIVE/PASSIVE/DYNAMIC,  p1ie/p2ie - IKE_MM/AM/QM
 *   satype    - PROTO_* (the IPsec protocol), proto/proto2 - IP protocol
 * Rules are stored in up to three TAILQs at once (rule_entry,
 * bundle_entry, dst_bundle_entry), so a rule must be removed from every
 * queue it sits on before it is freed.
 */
struct ipsec_rule {
	u_int8_t	 type;

	struct ipsec_addr_wrap *src;
	struct ipsec_addr_wrap *dst;
	struct ipsec_addr_wrap *dst2;
	struct ipsec_addr_wrap *local;
	struct ipsec_addr_wrap *peer;
	struct ipsec_auth *auth;
	struct ike_auth *ikeauth;
	struct ipsec_transforms *xfs;
	struct ipsec_transforms *p1xfs;
	struct ipsec_lifetime *p1life;
	struct ipsec_transforms *p2xfs;
	struct ipsec_lifetime *p2life;
	/* NOTE(review): secret material -- wipe before free, never log. */
	struct ipsec_key  *authkey;
	struct ipsec_key  *enckey;

	char		*tag;		/* pf tag for SAs */
	char		*p1name;	/* Phase 1 Name */
	char		*p2name;	/* Phase 2 Name (IPsec-XX) */
	char		*p2lid;		/* Phase 2 source ID */
	char		*p2rid;		/* Phase 2 destination ID */
	char		*p2nid;		/* Phase 2 source NAT-ID */
	u_int8_t	 satype;	/* encapsulating protocol */
	u_int8_t	 proto;		/* encapsulated protocol */
	u_int8_t	 proto2;	/* second encapsulated protocol (pairs with dst2/spi2) */
	u_int8_t	 tmode;
	u_int8_t	 direction;
	u_int8_t	 flowtype;
	u_int8_t	 ikemode;
	u_int8_t	 p1ie;
	u_int8_t	 p2ie;
	u_int8_t	 udpencap;	/* non-zero: UDP-encapsulate (NAT-T); port in udpdport */
	u_int16_t	 udpdport;
	u_int16_t	 sport;
	u_int16_t	 dport;
	u_int32_t	 spi;		/* SPI of the SA; spi2 for the second SA */
	u_int32_t	 spi2;
	u_int32_t	 nr;		/* rule number (see ipsecctl.rule_nr) */

	TAILQ_ENTRY(ipsec_rule) rule_entry;
	TAILQ_ENTRY(ipsec_rule) bundle_entry;
	TAILQ_ENTRY(ipsec_rule) dst_bundle_entry;

	/* Rules folded into this one (IPSECCTL_OPT_COLLAPSE, presumably). */
	TAILQ_HEAD(, ipsec_rule) collapsed_rules;

	struct dst_bundle_queue	dst_bundle_queue;
	char			*bundle;	/* bundle name, NULL when not bundled */
};
228 
/*
 * The two top-level queues held by struct ipsecctl: all rules (linked
 * via rule_entry) and the bundle rules (linked via bundle_entry).
 */
TAILQ_HEAD(ipsec_rule_queue, ipsec_rule);
TAILQ_HEAD(ipsec_bundle_queue, ipsec_rule);
231 
/*
 * Per-invocation state: `rule_nr` is presumably the next rule number to
 * hand out (ipsec_rule.nr), `opts` the IPSECCTL_OPT_* bits in effect,
 * and the two queues own the parsed rules.
 */
struct ipsecctl {
	u_int32_t	rule_nr;
	int		opts;
	struct ipsec_rule_queue rule_queue;
	struct ipsec_bundle_queue bundle_queue;
};
238 
/*
 * Entry points implemented in the other translation units.  Return
 * conventions are not stated here; the int-returning functions
 * presumably follow the usual 0 / non-zero (or -1) on error pattern --
 * confirm at the definitions before relying on it.
 */
/* Read rules from the named input into the ipsecctl state. */
int	parse_rules(const char *, struct ipsecctl *);
/* Define a parser macro from a "name=value" command-line argument (the string is modified in place, judging by the non-const parameter). */
int	cmdline_symset(char *);
/* Append a parsed rule to the state's queues. */
int	ipsecctl_add_rule(struct ipsecctl *, struct ipsec_rule *);
/* Release a rule and everything it owns; NOTE(review): should wipe authkey/enckey (and a PSK in ikeauth) before freeing. */
void	ipsecctl_free_rule(struct ipsec_rule *);
/* Fetch the rules currently installed in the kernel into the state. */
void	ipsecctl_get_rules(struct ipsecctl *);
/* Print one rule; the int is presumably the option bits (e.g. VERBOSE/SHOWKEY). */
void	ipsecctl_print_rule(struct ipsec_rule *, int);
/* Emit the IKE configuration for a rule; the int is presumably the option bits. */
int	ike_print_config(struct ipsec_rule *, int);
/* Establish or tear down the rule's IKE SA over the given descriptor; the string is an opaque name/argument -- see the definition. */
int	ike_ipsec_establish(int, struct ipsec_rule *, const char *);
/* Fill in the wrap's mask for the given prefix length (in bits, presumably); the length must already be validated against the family. */
void	set_ipmask(struct ipsec_addr_wrap *, u_int8_t);
248 
249 #endif /* _IPSECCTL_H_ */
250