#ifndef _IPSEC_POLICY_H
* policy interface file between pluto and applications
* Copyright (C) 2003 Michael Richardson <mcr@freeswan.org>
* This library is free software; you can redistribute it and/or modify it
* under the terms of the GNU Library General Public License as published by
* the Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/lgpl.txt>.
* This library is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU Library General Public
* License for more details.
* RCSID $Id: ipsec_policy.h,v 1.6 2004/12/09 18:16:53 mcr Exp $
#define _IPSEC_POLICY_H /* seen it, no need to see it again */
* this file defines an interface between an application (or rather an
* application library) and a key/policy daemon. It provides for inquiries
* as to the current state of a connected socket, as well as for general
* In general, the interface is defined as a series of functional interfaces,
* and the policy messages should be internal. However, because this is in
* fact an ABI between pieces of the system that may get compiled and revised
* separately, this ABI must be public and revision controlled.
* It is expected that the daemon will always support previous versions.
#define IPSEC_POLICY_MSG_REVISION (unsigned)200305061
enum ipsec_policy_command {
IPSEC_CMD_QUERY_FD = 1,
IPSEC_CMD_QUERY_HOSTPAIR = 2,
IPSEC_CMD_QUERY_DSTONLY = 3,
struct ipsec_policy_msg_head {
u_int32_t ipm_version;
u_int32_t ipm_msg_len;
u_int32_t ipm_msg_type;
u_int32_t ipm_msg_seq;
enum ipsec_privacy_quality {
IPSEC_PRIVACY_NONE = 0,
IPSEC_PRIVACY_INTEGRAL = 4, /* not private at all. AH-like */
IPSEC_PRIVACY_UNKNOWN = 8, /* something is claimed, but details unavail */
IPSEC_PRIVACY_ROT13 = 12, /* trivially breakable, i.e. 1DES */
IPSEC_PRIVACY_GAK = 16, /* known eavesdroppers */
IPSEC_PRIVACY_PRIVATE = 32, /* secure for at least a decade */
IPSEC_PRIVACY_STRONG = 64, /* ridiculously secure */
IPSEC_PRIVACY_TORTOISE = 192, /* even stronger, but very slow */
IPSEC_PRIVACY_OTP = 224, /* some kind of *true* one time pad */
enum ipsec_bandwidth_quality {
IPSEC_QOS_UNKNOWN = 0, /* unknown bandwidth */
IPSEC_QOS_INTERACTIVE = 16, /* reasonably moderate jitter, moderate fast.
Good enough for telnet/ssh. */
IPSEC_QOS_VOIP = 32, /* faster crypto, predicable jitter */
IPSEC_QOS_FTP = 64, /* higher throughput crypto, perhaps hardware
offloaded, but latency/jitter may be bad */
IPSEC_QOS_WIRESPEED = 128, /* expect to be able to fill your pipe */
/* moved from programs/pluto/constants.h */
/* IPsec AH transform values
* RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.3
* and in http://www.iana.org/assignments/isakmp-registry
enum ipsec_authentication_algo {
/* IPsec ESP transform values
* RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.4
* and from http://www.iana.org/assignments/isakmp-registry
enum ipsec_cipher_algo {
ESP_AES=12, /* 128 bit AES */
/* IPCOMP transform values
* RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.5
enum ipsec_comp_algo {
/* Identification type values
* RFC 2407 The Internet IP security Domain of Interpretation for ISAKMP 4.6.2.1
ID_IMPOSSIBLE= (-2), /* private to Pluto */
ID_MYID= (-1), /* private to Pluto */
ID_NONE= 0, /* private to Pluto */
ID_IPV4_ADDR_SUBNET= 4,
ID_IPV6_ADDR_SUBNET= 6,
ID_IPV4_ADDR_RANGE= 7,
ID_IPV6_ADDR_RANGE= 8,
/* Certificate type values
* RFC 2408 ISAKMP, chapter 3.9
enum ipsec_cert_type {
CERT_NONE= 0, /* none, or guess from file contents */
CERT_PKCS7_WRAPPED_X509= 1, /* self-signed certificate from disk */
CERT_DNS_SIGNED_KEY= 3, /* KEY RR from DNS */
CERT_X509_SIGNATURE= 4,
CERT_X509_KEY_EXCHANGE= 5,
CERT_KERBEROS_TOKENS= 6,
CERT_X509_ATTRIBUTE= 10,
CERT_RAW_RSA= 11, /* raw RSA from config file */
/* a SIG record in ASCII */
struct ipsec_dns_sig {
char dns_sig[768]; /* empty string if not signed */
struct ipsec_raw_key {
struct ipsec_identity {
enum ipsec_id_type ii_type;
enum ipsec_cert_type ii_format;
struct ipsec_dns_sig ipsec_dns_signed;
/* some thing for PGP */
/* some thing for PKIX */
struct ipsec_raw_key ipsec_raw_key;
#define IPSEC_MAX_CREDENTIALS 32
struct ipsec_policy_cmd_query {
struct ipsec_policy_msg_head head;
ip_address query_local; /* us */
ip_address query_remote; /* them */
u_short src_port, dst_port;
enum ipsec_privacy_quality strength;
enum ipsec_bandwidth_quality bandwidth;
enum ipsec_authentication_algo auth_detail;
enum ipsec_cipher_algo esp_detail;
enum ipsec_comp_algo comp_detail;
int credential_count;
struct ipsec_identity credentials[IPSEC_MAX_CREDENTIALS];
#define IPSEC_POLICY_SOCKET "/var/run/pluto.info"
extern err_t ipsec_policy_lookup(int fd, struct ipsec_policy_cmd_query *result);
extern err_t ipsec_policy_init(void);
extern err_t ipsec_policy_final(void);
extern err_t ipsec_policy_readmsg(int policysock,
unsigned char *buf, size_t buflen);
extern err_t ipsec_policy_sendrecv(unsigned char *buf, size_t buflen);
extern err_t ipsec_policy_cgilookup(struct ipsec_policy_cmd_query *result);
extern const char *ipsec_policy_version_code(void);
extern const char *ipsec_policy_version_string(void);
#endif /* _IPSEC_POLICY_H */