
IABSD.fr/src/sbin/ipsecctl/ipsecctl.h



    Commit

  • Author : tb
    Date : 2025-04-30 03:54:09
    Hash : 63effc54
    Message : mop up P-192/Group 25 remnants based on an initial diff by markus

  • sbin/ipsecctl/ipsecctl.h
  • /*	$OpenBSD: ipsecctl.h,v 1.78 2025/04/30 03:54:09 tb Exp $	*/
    /*
     * Copyright (c) 2004, 2005 Hans-Joerg Hoexer <hshoexer@openbsd.org>
     *
     * Permission to use, copy, modify, and distribute this software for any
     * purpose with or without fee is hereby granted, provided that the above
     * copyright notice and this permission notice appear in all copies.
     *
     * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
     * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
     * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
     * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
     * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
     * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
     * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
     */
    
    #ifndef _IPSECCTL_H_
    #define _IPSECCTL_H_
    
    /*
     * Command-line option bits.  Presumably OR'ed together into
     * struct ipsecctl.opts (an int, declared below) and handed on as the
     * plain "int" argument of ipsecctl_print_rule() -- confirm in
     * ipsecctl.c.  Bit 0x0008 is unassigned; keep the gap when adding
     * options so existing values stay stable.
     */
    #define IPSECCTL_OPT_DISABLE		0x0001
    #define IPSECCTL_OPT_ENABLE		0x0002
    #define IPSECCTL_OPT_NOACTION		0x0004
    #define IPSECCTL_OPT_VERBOSE		0x0010
    #define IPSECCTL_OPT_VERBOSE2		0x0020
    #define IPSECCTL_OPT_SHOW		0x0040
    #define IPSECCTL_OPT_SHOWALL		0x0080
    #define IPSECCTL_OPT_FLUSH		0x0100
    #define IPSECCTL_OPT_DELETE		0x0200
    #define IPSECCTL_OPT_MONITOR		0x0400
    #define IPSECCTL_OPT_SHOWKEY		0x0800	/* presumably: include key material in output -- confirm */
    #define IPSECCTL_OPT_COLLAPSE		0x1000
    #define IPSECCTL_OPT_SHOWFLOWS		0x2000
    #define IPSECCTL_OPT_SHOWSAS		0x4000
    
    /*
     * Operation to apply to a rule.  No "unknown" sentinel: a zero value
     * already means ACTION_ADD, so callers must set it explicitly.
     * Presumably the "int" passed to ike_ipsec_establish() -- confirm.
     */
    enum {
    	ACTION_ADD, ACTION_DELETE
    };
    
    /*
     * Rule kinds.  Defined as bit values rather than an enum; presumably
     * stored in struct ipsec_rule.type (a u_int8_t, see below) -- confirm
     * whether they are ever combined or always used one at a time.
     */
    #define RULE_FLOW	0x01
    #define RULE_SA		0x02
    #define RULE_IKE	0x04
    #define RULE_BUNDLE	0x08
    
    /*
     * Flow direction.  DIRECTION_UNKNOWN is 0, so a zero-initialised
     * rule carries no direction until the parser sets one.
     */
    enum {
    	DIRECTION_UNKNOWN, IPSEC_IN, IPSEC_OUT, IPSEC_INOUT
    };
    /*
     * Encapsulating (SA) protocol.  PROTO_UNKNOWN is 0.  Presumably the
     * value kept in struct ipsec_rule.satype -- confirm.
     */
    enum {
    	PROTO_UNKNOWN, IPSEC_ESP, IPSEC_AH, IPSEC_IPCOMP, IPSEC_TCPMD5,
    	IPSEC_IPIP
    };
    /*
     * Encapsulation mode.  MODE_UNKNOWN is 0.  Presumably the value kept
     * in struct ipsec_rule.tmode -- confirm.
     */
    enum {
    	MODE_UNKNOWN, IPSEC_TRANSPORT, IPSEC_TUNNEL
    };
    /*
     * Identity type of an srcid/dstid string.  ID_UNKNOWN is 0.
     * Presumably stored in struct ipsec_auth.srcid_type/dstid_type
     * (u_int8_t) -- confirm.
     */
    enum {
    	ID_UNKNOWN, ID_PREFIX, ID_IPV4, ID_IPV6, ID_FQDN, ID_UFQDN
    };
    /*
     * Flow policy type.  TYPE_UNKNOWN is 0.  Presumably stored in
     * struct ipsec_rule.flowtype -- confirm.  Note that TYPE_DENY and
     * TYPE_BYPASS are distinct policies and must not be conflated when
     * printing or comparing rules.
     */
    enum {
    	TYPE_UNKNOWN, TYPE_USE, TYPE_ACQUIRE, TYPE_REQUIRE, TYPE_DENY,
    	TYPE_BYPASS, TYPE_DONTACQ
    };
    /*
     * Authentication transform identifiers.  AUTHXF_UNKNOWN (0) means
     * "not set"; AUTHXF_NONE is an explicit choice of no authentication.
     * These are names only: which transforms can actually be configured,
     * and their key-length bounds, is decided by the authxfs[] table
     * declared below, not by this enum.
     */
    enum {
    	AUTHXF_UNKNOWN, AUTHXF_NONE, AUTHXF_HMAC_MD5, AUTHXF_HMAC_RIPEMD160,
    	AUTHXF_HMAC_SHA1, AUTHXF_HMAC_SHA2_256, AUTHXF_HMAC_SHA2_384,
    	AUTHXF_HMAC_SHA2_512
    };
    /*
     * Encryption transform identifiers.  Three distinct "no cipher"
     * values exist and must not be confused: ENCXF_UNKNOWN (0, not set),
     * ENCXF_NONE (explicitly none) and ENCXF_NULL (the null transform).
     * ENCXF_AES/ENCXF_AESCTR are the key-size-unspecified forms next to
     * the explicit 128/192/256 variants.  Legacy ciphers (3DES, Blowfish,
     * CAST128) still have enumerators here; whether they remain
     * configurable is determined by the encxfs[] table, not by this enum.
     */
    enum {
    	ENCXF_UNKNOWN, ENCXF_NONE, ENCXF_3DES_CBC, ENCXF_AES,
    	ENCXF_AES_128, ENCXF_AES_192, ENCXF_AES_256, ENCXF_AESCTR,
    	ENCXF_AES_128_CTR, ENCXF_AES_192_CTR, ENCXF_AES_256_CTR,
    	ENCXF_AES_128_GCM, ENCXF_AES_192_GCM, ENCXF_AES_256_GCM,
    	ENCXF_AES_128_GMAC, ENCXF_AES_192_GMAC, ENCXF_AES_256_GMAC,
    	ENCXF_BLOWFISH, ENCXF_CAST128, ENCXF_CHACHA20_POLY1305, ENCXF_NULL
    };
    /* Compression transform identifiers; COMPXF_UNKNOWN is 0. */
    enum {
    	COMPXF_UNKNOWN, COMPXF_DEFLATE
    };
    /*
     * Diffie-Hellman group identifiers.  The numeric suffix is only part
     * of the name (presumably the IANA IKE group number); the enumerator
     * values themselves are dense (GROUPXF_14 == 5) and must never be
     * passed anywhere a real group number is expected.  Group 25 (P-192)
     * deliberately has no entry (see the commit message); groups 22-24
     * have none either.  Unlike the other transform families, no extern
     * groupxfs[] table is declared in this header even though
     * struct ipsec_transforms has a groupxf member -- look in ipsecctl.c.
     */
    enum {
    	GROUPXF_UNKNOWN, GROUPXF_NONE, GROUPXF_1, GROUPXF_2, GROUPXF_5,
    	GROUPXF_14, GROUPXF_15, GROUPXF_16, GROUPXF_17, GROUPXF_18,
    	GROUPXF_19, GROUPXF_20, GROUPXF_21, GROUPXF_26,
    	GROUPXF_27, GROUPXF_28, GROUPXF_29, GROUPXF_30
    };
    /*
     * IKE negotiation role.  There is no "unknown" sentinel: a
     * zero-initialised rule reads as IKE_ACTIVE.  Presumably stored in
     * struct ipsec_rule.ikemode -- confirm.
     */
    enum {
    	IKE_ACTIVE, IKE_PASSIVE, IKE_DYNAMIC
    };
    /*
     * IKE authentication method.  No "unknown" sentinel: zero means
     * IKE_AUTH_RSA.  Presumably stored in struct ike_auth.type -- confirm.
     */
    enum {
    	IKE_AUTH_RSA, IKE_AUTH_PSK
    };
    /*
     * IKE exchange type; presumably main, aggressive and quick mode.
     * IKE_MM is pinned to 0 explicitly.  Presumably stored in
     * struct ike_mode.ike_exch -- confirm.
     */
    enum {
    	IKE_MM=0, IKE_AM, IKE_QM
    };
    
    
    /*
     * Raw IPv4 or IPv6 address, overlaid with 8/16/32-bit views of the
     * same 16 bytes.  The address family is not recorded here; it lives
     * in the enclosing struct ipsec_addr_wrap.af.
     *
     * NOTE: the accessor macros below (v4, v6, addr8, addr16, addr32) are
     * short, unprefixed names that stay defined for every translation unit
     * including this header -- nothing #undef's them here.  Any other
     * identifier spelled "v4" or "addr8" in an including file will be
     * silently rewritten.
     */
    struct ipsec_addr {
    	union {
    		struct in_addr		v4;
    		struct in6_addr		v6;
    		u_int8_t		addr8[16];
    		u_int16_t		addr16[8];
    		u_int32_t		addr32[4];
    	} ipa;
    #define v4	ipa.v4
    #define v6	ipa.v6
    #define addr8	ipa.addr8
    #define addr16	ipa.addr16
    #define addr32	ipa.addr32
    };
    
    /*
     * One address (or network) entry in a singly linked list of addresses.
     * next/tail link the list; tail is presumably only meaningful on the
     * list head -- confirm.  name holds a textual form; ownership of the
     * string is not documented here (see ipsecctl_free_rule()).
     */
    struct ipsec_addr_wrap {
    	struct ipsec_addr	 address;
    	struct ipsec_addr	 mask;		/* see set_ipmask() */
    	int			 netaddress;	/* presumably: nonzero if a network, not a host -- confirm */
    	sa_family_t		 af;		/* family of address/mask */
    	char			*name;
    	struct ipsec_addr_wrap	*next;
    	struct ipsec_addr_wrap	*tail;
    	struct ipsec_addr_wrap	*srcnat;	/* presumably source-NAT address for this entry -- confirm */
    };
    
    /*
     * Source/destination address lists plus ports.  The byte order of
     * sport/dport (host vs network) is not fixed by this header -- confirm
     * at the point of use before comparing with wire values.
     */
    struct ipsec_hosts {
    	struct ipsec_addr_wrap	*src;
    	struct ipsec_addr_wrap	*dst;
    	u_int16_t		 sport;
    	u_int16_t		 dport;
    };
    
    /*
     * Identity pair for a flow.  srcid_type/dstid_type presumably take
     * the ID_* values; type is a separate u_int16_t whose meaning is not
     * visible in this header -- confirm in the parser.
     */
    struct ipsec_auth {
    	char		*srcid;
    	char		*dstid;
    	u_int8_t	 srcid_type;
    	u_int8_t	 dstid_type;
    	u_int16_t	 type;
    };
    
    /*
     * Raw key material: len bytes at data.  This is secret material held
     * in ordinary heap memory; ipsecctl_free_rule() is the release point,
     * and whether it zeroises data before freeing is not visible from this
     * header -- confirm.  IPSECCTL_OPT_SHOWKEY presumably controls whether
     * it is ever printed.
     */
    struct ipsec_key {
    	size_t		 len;
    	u_int8_t	*data;
    };
    
    /*
     * IKE authentication setting.  type presumably takes the IKE_AUTH_*
     * values; for IKE_AUTH_PSK the string presumably holds the shared
     * secret and should be treated like struct ipsec_key.data -- confirm.
     */
    struct ike_auth {
    	u_int8_t	 type;
    	char		*string;
    };
    
    /*
     * One entry of a transform table (authxfs[], encxfs[], compxfs[]).
     * keymin/keymax bound the accepted key length; the unit (bits or
     * bytes) is not stated here -- confirm against the tables before
     * validating a key.  noauth and nostatic are flags whose exact meaning
     * is only visible in ipsecctl.c; presumably "needs no separate auth
     * transform" and "not allowed for static (manual) SAs" -- confirm.
     */
    struct ipsec_xf {
    	char		*name;
    	u_int16_t	 id;
    	size_t		 keymin;
    	size_t		 keymax;
    	u_int8_t	 noauth;
    	u_int8_t	 nostatic;
    };
    
    /*
     * Selected transforms.  Each member points into the corresponding
     * const table (or is NULL when unset); the pointers are borrowed,
     * never owned.
     */
    struct ipsec_transforms {
    	const struct ipsec_xf *authxf;
    	const struct ipsec_xf *encxf;
    	const struct ipsec_xf *compxf;
    	const struct ipsec_xf *groupxf;
    };
    
    /*
     * SA lifetime limits.  Both are signed int, so a byte lifetime larger
     * than INT_MAX cannot be represented; the meaning of 0 (unset vs.
     * unlimited) is not fixed here -- confirm in the parser.
     */
    struct ipsec_lifetime {
    	int		 lt_bytes;
    	int		 lt_seconds;
    };
    
    /*
     * Per-phase IKE settings: transforms, lifetime and exchange type
     * (ike_exch presumably one of IKE_MM/IKE_AM/IKE_QM -- confirm).
     */
    struct ike_mode {
    	struct ipsec_transforms	*xfs;
    	struct ipsec_lifetime	*life;
    	u_int8_t		 ike_exch;
    };
    
    /*
     * Transform tables, defined elsewhere (presumably ipsecctl.c).  Their
     * length and terminator are not visible here -- confirm how iteration
     * ends before walking them.  No group table is declared.
     */
    extern const struct ipsec_xf authxfs[];
    extern const struct ipsec_xf encxfs[];
    extern const struct ipsec_xf compxfs[];
    
    /* Queue of rules sharing a destination bundle; linked via dst_bundle_entry. */
    TAILQ_HEAD(dst_bundle_queue, ipsec_rule);
    
    /*
     * Complete state of one rule.
     *
     * Pointer members are owned by the rule and released by
     * ipsecctl_free_rule().  The *2 members (dst2, proto2, spi2)
     * presumably describe a second SA of a bundle -- confirm.  spi/spi2
     * byte order is not fixed by this header.  A rule may sit on up to
     * three queues at once (rule_entry, bundle_entry, dst_bundle_entry)
     * and may itself head two more (collapsed_rules, dst_bundle_queue).
     */
    struct ipsec_rule {
    	u_int8_t	 type;		/* RULE_* */
    
    	unsigned int	 flags;
    #define IPSEC_RULE_F_IFACE		(1 << 0) /* iface is valid */
    
    	struct ipsec_addr_wrap *src;
    	struct ipsec_addr_wrap *dst;
    	struct ipsec_addr_wrap *dst2;
    	struct ipsec_addr_wrap *local;
    	struct ipsec_addr_wrap *peer;
    	struct ipsec_auth *auth;
    	struct ike_auth *ikeauth;
    	struct ipsec_transforms *xfs;
    	struct ipsec_transforms *p1xfs;	/* IKE phase 1 */
    	struct ipsec_lifetime *p1life;
    	struct ipsec_transforms *p2xfs;	/* IKE phase 2 */
    	struct ipsec_lifetime *p2life;
    	struct ipsec_key  *authkey;	/* secret material */
    	struct ipsec_key  *enckey;	/* secret material */
    
    	char		*tag;		/* pf tag for SAs */
    	char		*p1name;	/* Phase 1 Name */
    	char		*p2name;	/* Phase 2 Name (IPsec-XX) */
    	char		*p2lid;		/* Phase 2 source ID */
    	char		*p2rid;		/* Phase 2 destination ID */
    	char		*p2nid;		/* Phase 2 source NAT-ID */
    	u_int8_t	 satype;	/* encapsulating protocol */
    	u_int8_t	 proto;		/* encapsulated protocol */
    	u_int8_t	 proto2;
    	u_int8_t	 tmode;		/* presumably MODE_* -- confirm */
    	u_int8_t	 direction;	/* presumably DIRECTION_* -- confirm */
    	u_int8_t	 flowtype;	/* presumably TYPE_* -- confirm */
    	u_int8_t	 ikemode;	/* presumably IKE_ACTIVE/PASSIVE/DYNAMIC -- confirm */
    	u_int8_t	 p1ie;
    	u_int8_t	 p2ie;
    	u_int8_t	 udpencap;
    	u_int16_t	 udpdport;
    	u_int16_t	 sport;
    	u_int16_t	 dport;
    	u_int32_t	 spi;
    	u_int32_t	 spi2;
    	u_int32_t	 nr;		/* presumably from ipsecctl.rule_nr -- confirm */
    	unsigned int	 iface;		/* valid only with IPSEC_RULE_F_IFACE */
    
    	TAILQ_ENTRY(ipsec_rule) rule_entry;
    	TAILQ_ENTRY(ipsec_rule) bundle_entry;
    	TAILQ_ENTRY(ipsec_rule) dst_bundle_entry;
    
    	TAILQ_HEAD(, ipsec_rule) collapsed_rules;
    
    	struct dst_bundle_queue	dst_bundle_queue;
    	char			*bundle;
    };
    
    /* Main rule list (rule_entry) and bundle list (bundle_entry). */
    TAILQ_HEAD(ipsec_rule_queue, ipsec_rule);
    TAILQ_HEAD(ipsec_bundle_queue, ipsec_rule);
    
    /*
     * Top-level parser/loader state: the next rule number, the option
     * bits (IPSECCTL_OPT_*) and the two rule queues populated by
     * ipsecctl_add_rule().
     */
    struct ipsecctl {
    	u_int32_t	rule_nr;
    	int		opts;
    	struct ipsec_rule_queue rule_queue;
    	struct ipsec_bundle_queue bundle_queue;
    };
    
    /*
     * Public entry points.  Return conventions are not visible in this
     * header; the int-returning functions presumably use 0 for success and
     * nonzero for failure -- confirm in ipsecctl.c / parse.y.
     *
     * parse_rules:          parse a rule file (first argument presumably the
     *                       path) into the given ipsecctl state.
     * cmdline_symset:       define a parser symbol from a command-line
     *                       string; the string is not const and may be
     *                       modified -- confirm.
     * ipsecctl_add_rule:    queue a rule on the ipsecctl state; ownership of
     *                       the rule presumably passes to the queue.
     * ipsecctl_free_rule:   release a rule and everything it owns, including
     *                       authkey/enckey secret material.
     * ipsecctl_print_rule:  print a rule; the int is presumably the
     *                       IPSECCTL_OPT_* bits.
     * ike_print_config:     emit IKE configuration for a rule; meaning of the
     *                       int is not visible here -- confirm.
     * ike_ipsec_establish:  act on a rule via IKE; the int is presumably
     *                       ACTION_ADD/ACTION_DELETE -- confirm.
     * set_ipmask:           fill the mask of an address entry from a prefix
     *                       length (u_int8_t).
     */
    int	parse_rules(const char *, struct ipsecctl *);
    int	cmdline_symset(char *);
    int	ipsecctl_add_rule(struct ipsecctl *, struct ipsec_rule *);
    void	ipsecctl_free_rule(struct ipsec_rule *);
    void	ipsecctl_print_rule(struct ipsec_rule *, int);
    int	ike_print_config(struct ipsec_rule *, int);
    int	ike_ipsec_establish(int, struct ipsec_rule *, const char *);
    void	set_ipmask(struct ipsec_addr_wrap *, u_int8_t);
    
    #endif /* _IPSECCTL_H_ */