/* $OpenBSD: ipsecctl.h,v 1.77 2023/10/09 15:32:14 tobhe Exp $ */
/*
 * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#ifndef _IPSECCTL_H_
#define _IPSECCTL_H_

/*
 * Shared declarations for ipsecctl(8): command-line option bits, the
 * enumerations the rule parser produces, and the in-memory rule
 * representation passed between the parser, the printer and the
 * back ends.
 *
 * This header includes nothing itself.  The including file must already
 * have pulled in <sys/types.h> (u_int*_t), <sys/queue.h> (TAILQ_*) and
 * <netinet/in.h> (struct in_addr, struct in6_addr, sa_family_t).
 */

/*
 * Option bits stored in struct ipsecctl.opts.  They are combined with
 * bitwise OR; note that 0x0008 is currently unassigned.
 *
 * NOTE(review): the meanings below are inferred from the names only.
 * SHOWKEY in particular presumably makes SA key material appear in the
 * output; anything that logs or captures ipsecctl output with that bit
 * set should be treated as handling secrets -- confirm against the
 * option parsing in ipsecctl.c.
 */
#define IPSECCTL_OPT_DISABLE		0x0001
#define IPSECCTL_OPT_ENABLE		0x0002
#define IPSECCTL_OPT_NOACTION		0x0004
#define IPSECCTL_OPT_VERBOSE		0x0010
#define IPSECCTL_OPT_VERBOSE2		0x0020
#define IPSECCTL_OPT_SHOW		0x0040
#define IPSECCTL_OPT_SHOWALL		0x0080
#define IPSECCTL_OPT_FLUSH		0x0100
#define IPSECCTL_OPT_DELETE		0x0200
#define IPSECCTL_OPT_MONITOR		0x0400
#define IPSECCTL_OPT_SHOWKEY		0x0800
#define IPSECCTL_OPT_COLLAPSE		0x1000
#define IPSECCTL_OPT_SHOWFLOWS		0x2000
#define IPSECCTL_OPT_SHOWSAS		0x4000

/* Whether a rule is being installed or removed. */
enum {
	ACTION_ADD, ACTION_DELETE
};

/*
 * Rule kinds, stored in struct ipsec_rule.type.  Defined as bits rather
 * than an enum, so a rule type can be tested with a mask.
 */
#define RULE_FLOW	0x01
#define RULE_SA		0x02
#define RULE_IKE	0x04
#define RULE_BUNDLE	0x08

/*
 * Parser enumerations.  Each list starts with an *_UNKNOWN sentinel at
 * value 0, so a zero-initialized rule field reads as "not specified".
 */

/* Traffic direction a flow or SA applies to. */
enum {
	DIRECTION_UNKNOWN, IPSEC_IN, IPSEC_OUT, IPSEC_INOUT
};
/* Encapsulating (security) protocol. */
enum {
	PROTO_UNKNOWN, IPSEC_ESP, IPSEC_AH, IPSEC_IPCOMP, IPSEC_TCPMD5,
	IPSEC_IPIP
};
/* Encapsulation mode. */
enum {
	MODE_UNKNOWN, IPSEC_TRANSPORT, IPSEC_TUNNEL
};
/* Identity types used in struct ipsec_auth.{src,dst}id_type. */
enum {
	ID_UNKNOWN, ID_PREFIX, ID_IPV4, ID_IPV6, ID_FQDN, ID_UFQDN
};
/* Flow types (struct ipsec_rule.flowtype). */
enum {
	TYPE_UNKNOWN, TYPE_USE, TYPE_ACQUIRE, TYPE_REQUIRE, TYPE_DENY,
	TYPE_BYPASS, TYPE_DONTACQ
};
/* Authentication transforms; index into authxfs[] (see below). */
enum {
	AUTHXF_UNKNOWN, AUTHXF_NONE, AUTHXF_HMAC_MD5, AUTHXF_HMAC_RIPEMD160,
	AUTHXF_HMAC_SHA1, AUTHXF_HMAC_SHA2_256, AUTHXF_HMAC_SHA2_384,
	AUTHXF_HMAC_SHA2_512
};
/* Encryption transforms; index into encxfs[] (see below). */
enum {
	ENCXF_UNKNOWN, ENCXF_NONE, ENCXF_3DES_CBC, ENCXF_AES,
	ENCXF_AES_128, ENCXF_AES_192, ENCXF_AES_256, ENCXF_AESCTR,
	ENCXF_AES_128_CTR, ENCXF_AES_192_CTR, ENCXF_AES_256_CTR,
	ENCXF_AES_128_GCM, ENCXF_AES_192_GCM, ENCXF_AES_256_GCM,
	ENCXF_AES_128_GMAC, ENCXF_AES_192_GMAC, ENCXF_AES_256_GMAC,
	ENCXF_BLOWFISH, ENCXF_CAST128, ENCXF_CHACHA20_POLY1305, ENCXF_NULL
};
/* Compression transforms; index into compxfs[] (see below). */
enum {
	COMPXF_UNKNOWN, COMPXF_DEFLATE
};
/* Diffie-Hellman groups for IKE.  The numbers are the IANA group ids. */
enum {
	GROUPXF_UNKNOWN, GROUPXF_NONE, GROUPXF_1, GROUPXF_2, GROUPXF_5,
	GROUPXF_14, GROUPXF_15, GROUPXF_16, GROUPXF_17, GROUPXF_18,
	GROUPXF_19, GROUPXF_20, GROUPXF_21, GROUPXF_25, GROUPXF_26,
	GROUPXF_27, GROUPXF_28, GROUPXF_29, GROUPXF_30
};
/* IKE negotiation role (struct ipsec_rule.ikemode). */
enum {
	IKE_ACTIVE, IKE_PASSIVE, IKE_DYNAMIC
};
/* IKE authentication method (struct ike_auth.type). */
enum {
	IKE_AUTH_RSA, IKE_AUTH_PSK
};
/* IKE exchange types (struct ike_mode.ike_exch): main, aggressive, quick. */
enum {
	IKE_MM=0, IKE_AM, IKE_QM
};


/*
 * An IPv4 or IPv6 address, stored in a 16-byte union so it can be
 * addressed as a whole, per byte, per 16-bit word or per 32-bit word
 * (the mask arithmetic in set_ipmask() uses the narrower views).
 */
struct ipsec_addr {
	union {
		struct in_addr		v4;
		struct in6_addr		v6;
		u_int8_t		addr8[16];
		u_int16_t		addr16[8];
		u_int32_t		addr32[4];
	} ipa;
/*
 * Shorthand so callers can write a.v4 instead of a.ipa.v4.  These macros
 * are never #undef'd and therefore leak into every translation unit that
 * includes this header: do not use v4, v6, addr8, addr16 or addr32 as
 * identifiers anywhere in ipsecctl.
 */
#define v4	ipa.v4
#define v6	ipa.v6
#define addr8	ipa.addr8
#define addr16	ipa.addr16
#define addr32	ipa.addr32
};

/*
 * An address with its netmask and family, chained into a singly linked
 * list (next/tail) so one rule endpoint can expand to several addresses.
 */
struct ipsec_addr_wrap {
	struct ipsec_addr	 address;
	struct ipsec_addr	 mask;
	int			 netaddress;	/* non-zero: a network, not a host -- confirm in parse.y */
	sa_family_t		 af;
	char			*name;		/* heap string; presumably the textual form -- freed by ipsecctl_free_rule()? */
	struct ipsec_addr_wrap	*next;
	struct ipsec_addr_wrap	*tail;		/* last element of the list headed here */
	struct ipsec_addr_wrap	*srcnat;	/* optional source-NAT address */
};

/* Source/destination endpoints and ports of a flow. */
struct ipsec_hosts {
	struct ipsec_addr_wrap	*src;
	struct ipsec_addr_wrap	*dst;
	u_int16_t		 sport;
	u_int16_t		 dport;
};

/* Identities for a flow; *_type holds an ID_* value. */
struct ipsec_auth {
	char		*srcid;
	char		*dstid;
	u_int8_t	 srcid_type;
	u_int8_t	 dstid_type;
	u_int16_t	 type;
};

/*
 * Raw key material for an SA: len bytes at data.
 *
 * NOTE(review): this is secret material.  The owner of the buffer is
 * expected to clear it before freeing (e.g. explicit_bzero()) rather
 * than relying on plain free(); confirm ipsecctl_free_rule() does so.
 */
struct ipsec_key {
	size_t		 len;
	u_int8_t	*data;
};

/* IKE authentication: type is IKE_AUTH_*, string the PSK or key name. */
struct ike_auth {
	u_int8_t	 type;
	char		*string;	/* NOTE(review): for IKE_AUTH_PSK this is the shared secret -- same clearing concern as ipsec_key */
};

/*
 * Description of one transform, as found in the authxfs[]/encxfs[]/
 * compxfs[] tables.  keymin/keymax bound the accepted key length in
 * bytes; noauth and nostatic are flags whose exact meaning is defined
 * where the tables are filled in (ipsecctl.c) -- not visible here.
 */
struct ipsec_xf {
	char		*name;
	u_int16_t	 id;
	size_t		 keymin;
	size_t		 keymax;
	u_int8_t	 noauth;
	u_int8_t	 nostatic;
};

/* The transform set selected for a rule; NULL means "not specified". */
struct ipsec_transforms {
	const struct ipsec_xf	*authxf;
	const struct ipsec_xf	*encxf;
	const struct ipsec_xf	*compxf;
	const struct ipsec_xf	*groupxf;
};

/*
 * SA lifetime limits.
 *
 * NOTE(review): both fields are plain int; check in the parser that
 * byte lifetimes larger than INT_MAX are rejected rather than wrapped.
 */
struct ipsec_lifetime {
	int		lt_bytes;
	int		lt_seconds;
};

/* Phase 1 / phase 2 IKE parameters for one rule. */
struct ike_mode {
	struct ipsec_transforms	*xfs;
	struct ipsec_lifetime	*life;
	u_int8_t		 ike_exch;	/* IKE_MM, IKE_AM or IKE_QM */
};

/* Transform tables, terminated as defined in ipsecctl.c. */
extern const struct ipsec_xf authxfs[];
extern const struct ipsec_xf encxfs[];
extern const struct ipsec_xf compxfs[];

TAILQ_HEAD(dst_bundle_queue, ipsec_rule);

/*
 * Complete state of one rule.
 *
 * Pointer members are owned by the rule and released by
 * ipsecctl_free_rule(); the u_int8_t fields hold the enum values declared
 * above (direction, tmode, flowtype, ikemode, ...).
 */
struct ipsec_rule {
	u_int8_t	 type;		/* RULE_* bit */

	unsigned int	 flags;
#define IPSEC_RULE_F_IFACE	(1 << 0)	/* iface is valid */

	struct ipsec_addr_wrap *src;
	struct ipsec_addr_wrap *dst;
	struct ipsec_addr_wrap *dst2;
	struct ipsec_addr_wrap *local;
	struct ipsec_addr_wrap *peer;
	struct ipsec_auth *auth;
	struct ike_auth *ikeauth;
	struct ipsec_transforms *xfs;
	struct ipsec_transforms *p1xfs;
	struct ipsec_lifetime *p1life;
	struct ipsec_transforms *p2xfs;
	struct ipsec_lifetime *p2life;
	struct ipsec_key *authkey;	/* secret; see struct ipsec_key */
	struct ipsec_key *enckey;	/* secret; see struct ipsec_key */

	char		*tag;		/* pf tag for SAs */
	char		*p1name;	/* Phase 1 Name */
	char		*p2name;	/* Phase 2 Name (IPsec-XX) */
	char		*p2lid;		/* Phase 2 source ID */
	char		*p2rid;		/* Phase 2 destination ID */
	char		*p2nid;		/* Phase 2 source NAT-ID */
	u_int8_t	 satype;	/* encapsulating protocol */
	u_int8_t	 proto;		/* encapsulated protocol */
	u_int8_t	 proto2;
	u_int8_t	 tmode;
	u_int8_t	 direction;
	u_int8_t	 flowtype;
	u_int8_t	 ikemode;
	u_int8_t	 p1ie;
	u_int8_t	 p2ie;
	u_int8_t	 udpencap;
	u_int16_t	 udpdport;
	u_int16_t	 sport;
	u_int16_t	 dport;
	u_int32_t	 spi;
	u_int32_t	 spi2;
	u_int32_t	 nr;		/* rule number, assigned from ipsecctl.rule_nr */
	unsigned int	 iface;		/* only valid when IPSEC_RULE_F_IFACE is set */

	TAILQ_ENTRY(ipsec_rule) rule_entry;
	TAILQ_ENTRY(ipsec_rule) bundle_entry;
	TAILQ_ENTRY(ipsec_rule) dst_bundle_entry;

	TAILQ_HEAD(, ipsec_rule) collapsed_rules;

	struct dst_bundle_queue dst_bundle_queue;
	char		*bundle;
};

TAILQ_HEAD(ipsec_rule_queue, ipsec_rule);
TAILQ_HEAD(ipsec_bundle_queue, ipsec_rule);

/* Top-level state: option bits plus the parsed rules and bundles. */
struct ipsecctl {
	u_int32_t	rule_nr;	/* next rule number to hand out */
	int		opts;		/* IPSECCTL_OPT_* bits */
	struct ipsec_rule_queue rule_queue;
	struct ipsec_bundle_queue bundle_queue;
};

/*
 * Entry points shared between the parser (parse.y), the printer and the
 * IKE back end.  Integer-returning functions follow the usual 0 = success
 * convention; confirm the exact error values in the definitions.
 */
int	parse_rules(const char *, struct ipsecctl *);	/* parse a rules file into the given ipsecctl */
int	cmdline_symset(char *);				/* define a "name=value" symbol from the command line */
int	ipsecctl_add_rule(struct ipsecctl *, struct ipsec_rule *);
void	ipsecctl_free_rule(struct ipsec_rule *);	/* release a rule and everything it owns */
void	ipsecctl_print_rule(struct ipsec_rule *, int);	/* second argument: option bits controlling output */
int	ike_print_config(struct ipsec_rule *, int);
int	ike_ipsec_establish(int, struct ipsec_rule *, const char *);
void	set_ipmask(struct ipsec_addr_wrap *, u_int8_t);	/* build the mask for a prefix length */

#endif /* _IPSECCTL_H_ */