]>
Commit | Line | Data |
---|---|---|
1 | /* $Id: vpn_control.h,v 1.10 2004/12/30 13:45:49 manubsd Exp $ */ | |
2 | ||
3 | /* | |
4 | * Copyright (c) 2006 Apple Computer, Inc. All rights reserved. | |
5 | * | |
6 | * @APPLE_LICENSE_HEADER_START@ | |
7 | * | |
8 | * The contents of this file constitute Original Code as defined in and | |
9 | * are subject to the Apple Public Source License Version 1.1 (the | |
10 | * "License"). You may not use this file except in compliance with the | |
11 | * License. Please obtain a copy of the License at | |
12 | * http://www.apple.com/publicsource and read it before using this file. | |
13 | * | |
14 | * This Original Code and all software distributed under the License are | |
15 | * distributed on an "AS IS" basis, WITHOUT WARRANTY OF ANY KIND, EITHER | |
16 | * EXPRESS OR IMPLIED, AND APPLE HEREBY DISCLAIMS ALL SUCH WARRANTIES, | |
17 | * INCLUDING WITHOUT LIMITATION, ANY WARRANTIES OF MERCHANTABILITY, | |
18 | * FITNESS FOR A PARTICULAR PURPOSE OR NON-INFRINGEMENT. Please see the | |
19 | * License for the specific language governing rights and limitations | |
20 | * under the License. | |
21 | * | |
22 | * @APPLE_LICENSE_HEADER_END@ | |
23 | */ | |
24 | ||
25 | /* | |
26 | * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. | |
27 | * All rights reserved. | |
28 | * | |
29 | * Redistribution and use in source and binary forms, with or without | |
30 | * modification, are permitted provided that the following conditions | |
31 | * are met: | |
32 | * 1. Redistributions of source code must retain the above copyright | |
33 | * notice, this list of conditions and the following disclaimer. | |
34 | * 2. Redistributions in binary form must reproduce the above copyright | |
35 | * notice, this list of conditions and the following disclaimer in the | |
36 | * documentation and/or other materials provided with the distribution. | |
37 | * 3. Neither the name of the project nor the names of its contributors | |
38 | * may be used to endorse or promote products derived from this software | |
39 | * without specific prior written permission. | |
40 | * | |
41 | * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND | |
42 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
43 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
44 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE | |
45 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
46 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
47 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
49 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
50 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
51 | * SUCH DAMAGE. | |
52 | */ | |
53 | ||
54 | #ifndef _VPN_CONTROL_H | |
55 | #define _VPN_CONTROL_H | |
56 | ||
57 | #include "algorithm_types.h" | |
58 | #include <net/if.h> | |
59 | #if __has_include(<nw/private.h>) | |
60 | #include <nw/private.h> | |
61 | #else | |
62 | #include <network/nat64.h> | |
63 | #endif | |
64 | ||
65 | #define VPNCONTROLSOCK_PATH ADMINPORTDIR "/vpncontrol.sock" | |
66 | ||
67 | #define FROM_LOCAL 0 | |
68 | #define FROM_REMOTE 1 | |
69 | ||
70 | ||
71 | extern char *vpncontrolsock_path; | |
72 | extern uid_t vpncontrolsock_owner; | |
73 | extern gid_t vpncontrolsock_group; | |
74 | extern mode_t vpncontrolsock_mode; | |
75 | ||
76 | ||
77 | /* | |
78 | * message types | |
79 | */ | |
80 | #define VPNCTL_CMD_BIND 0x0001 | |
81 | #define VPNCTL_CMD_UNBIND 0x0002 | |
82 | #define VPNCTL_CMD_REDIRECT 0x0003 | |
83 | #define VPNCTL_CMD_PING 0x0004 | |
84 | #define VPNCTL_CMD_CONNECT 0x0011 | |
85 | #define VPNCTL_CMD_DISCONNECT 0x0012 | |
86 | #define VPNCTL_CMD_START_PH2 0x0013 | |
87 | #define VPNCTL_CMD_XAUTH_INFO 0x0014 | |
88 | #define VPNCTL_CMD_START_DPD 0x0015 | |
89 | #define VPNCTL_CMD_ASSERT 0x0016 | |
90 | #define VPNCTL_CMD_RECONNECT 0x0017 | |
91 | #define VPNCTL_CMD_SET_NAT64_PREFIX 0x0018 | |
92 | #define VPNCTL_STATUS_IKE_FAILED 0x8001 | |
93 | #define VPNCTL_STATUS_PH1_START_US 0x8011 | |
94 | #define VPNCTL_STATUS_PH1_START_PEER 0x8012 | |
95 | #define VPNCTL_STATUS_PH1_ESTABLISHED 0x8013 | |
96 | #define VPNCTL_STATUS_PH2_START 0x8021 | |
97 | #define VPNCTL_STATUS_PH2_ESTABLISHED 0x8022 | |
98 | #define VPNCTL_STATUS_NEED_AUTHINFO 0x8101 | |
99 | #define VPNCTL_STATUS_NEED_REAUTHINFO 0x8102 | |
100 | #define VPNCTL_STATUS_PEER_RESP 0x8103 | |
101 | ||
102 | /* | |
103 | * Flags | |
104 | */ | |
105 | #define VPNCTL_FLAG_MODECFG_USED 0x0001 | |
106 | #define VPNCTL_FLAG_IKE_VERSION 0x0002 | |
107 | #define VPNCTL_FLAG_IKEV2 VPNCTL_FLAG_IKE_VERSION | |
108 | ||
109 | /* | |
110 | * XAUTH Attribute Types | |
111 | */ | |
112 | #ifndef __IPSEC_BUILD__ | |
113 | #define XAUTH_TYPE 16520 | |
114 | #define XAUTH_USER_NAME 16521 | |
115 | #define XAUTH_USER_PASSWORD 16522 | |
116 | #define XAUTH_PASSCODE 16523 | |
117 | #define XAUTH_MESSAGE 16524 | |
118 | #define XAUTH_CHALLENGE 16525 | |
119 | #define XAUTH_DOMAIN 16526 | |
120 | #define XAUTH_STATUS 16527 | |
121 | #define XAUTH_NEXT_PIN 16528 | |
122 | #define XAUTH_ANSWER 16529 | |
123 | ||
124 | ||
125 | /* Types for XAUTH_TYPE */ | |
126 | #define XAUTH_TYPE_GENERIC 0 | |
127 | #define XAUTH_TYPE_CHAP 1 | |
128 | #define XAUTH_TYPE_OTP 2 | |
129 | #define XAUTH_TYPE_SKEY 3 | |
130 | ||
131 | ||
132 | /* Mode cfg Attribute types */ | |
133 | #define INTERNAL_IP4_ADDRESS 1 | |
134 | #define INTERNAL_IP4_NETMASK 2 | |
135 | #define INTERNAL_IP4_DNS 3 | |
136 | #define INTERNAL_IP4_NBNS 4 | |
137 | #define INTERNAL_ADDRESS_EXPIRY 5 | |
138 | #define INTERNAL_IP4_DHCP 6 | |
139 | #define APPLICATION_VERSION 7 | |
140 | #define INTERNAL_IP6_ADDRESS 8 | |
141 | #define INTERNAL_IP6_NETMASK 9 | |
142 | #define INTERNAL_IP6_DNS 10 | |
143 | #define INTERNAL_IP6_NBNS 11 | |
144 | #define INTERNAL_IP6_DHCP 12 | |
145 | #define INTERNAL_IP4_SUBNET 13 | |
146 | #define SUPPORTED_ATTRIBUTES 14 | |
147 | #define INTERNAL_IP6_SUBNET 15 | |
148 | ||
149 | #define UNITY_BANNER 28672 | |
150 | #define UNITY_SAVE_PASSWD 28673 | |
151 | #define UNITY_DEF_DOMAIN 28674 | |
152 | #define UNITY_SPLITDNS_NAME 28675 | |
153 | #define UNITY_SPLIT_INCLUDE 28676 | |
154 | #define UNITY_NATT_PORT 28677 | |
155 | #define UNITY_LOCAL_LAN 28678 | |
156 | #define UNITY_PFS 28679 | |
157 | #define UNITY_FW_TYPE 28680 | |
158 | #define UNITY_BACKUP_SERVERS 28681 | |
159 | #define UNITY_DDNS_HOSTNAME 28682 | |
160 | ||
161 | /* 3.3 Data Attributes | |
162 | 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 | |
163 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
164 | !A! Attribute Type ! AF=0 Attribute Length ! | |
165 | !F! ! AF=1 Attribute Value ! | |
166 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
167 | . AF=0 Attribute Value . | |
168 | . AF=1 Not Transmitted . | |
169 | +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ | |
170 | */ | |
171 | struct isakmp_data { | |
172 | u_int16_t type; /* defined by DOI-spec, and Attribute Format */ | |
173 | u_int16_t lorv; /* if f equal 1, Attribute Length */ | |
174 | /* if f equal 0, Attribute Value */ | |
175 | /* if f equal 1, Attribute Value */ | |
176 | }; | |
177 | #endif | |
178 | ||
179 | /* commands and status for vpn control. */ | |
180 | /* network byte order. */ | |
181 | ||
182 | /* Packet header */ | |
183 | struct vpnctl_hdr { | |
184 | u_int16_t msg_type; | |
185 | u_int16_t flags; | |
186 | u_int32_t cookie; | |
187 | u_int32_t reserved; | |
188 | u_int16_t result; | |
189 | u_int16_t len; /* payload length */ | |
190 | }; | |
191 | ||
192 | /* Packet formats for commands */ | |
193 | ||
194 | /* bind to receive status for specified address */ | |
195 | struct vpnctl_cmd_bind { | |
196 | struct vpnctl_hdr hdr; | |
197 | u_int32_t address; /* 0xFFFFFFFF = all */ | |
198 | u_int16_t vers_len; /* if zero - no version provided */ | |
199 | /* name/version string of length vers_len */ | |
200 | }; | |
201 | ||
202 | /* unbind to stop receiving status for specified address */ | |
203 | struct vpnctl_cmd_unbind { | |
204 | struct vpnctl_hdr hdr; | |
205 | u_int32_t address; /* 0xFFFFFFFF = all */ | |
206 | }; | |
207 | ||
208 | ||
209 | /* connect to specified address */ | |
210 | struct vpnctl_cmd_connect { | |
211 | struct vpnctl_hdr hdr; | |
212 | u_int32_t address; | |
213 | }; | |
214 | ||
215 | struct vpnctl_cmd_set_nat64_prefix { | |
216 | struct vpnctl_hdr hdr; | |
217 | nw_nat64_prefix_t nat64_prefix; | |
218 | }; | |
219 | ||
220 | struct vpnctl_sa_selector { | |
221 | u_int32_t src_tunnel_address; | |
222 | u_int32_t src_tunnel_mask; | |
223 | u_int32_t dst_tunnel_address; | |
224 | u_int32_t dst_tunnel_mask; | |
225 | u_int16_t src_tunnel_port; | |
226 | u_int16_t dst_tunnel_port; | |
227 | u_int16_t ul_protocol; | |
228 | u_int16_t reserved; | |
229 | }; | |
230 | ||
231 | struct vpnctl_algo { | |
232 | u_int16_t algo_class; | |
233 | u_int16_t algo; | |
234 | u_int16_t key_len; /* for enc algorithms only */ | |
235 | u_int16_t reserved; | |
236 | }; | |
237 | ||
238 | /* start phase 2 */ | |
239 | struct vpnctl_cmd_start_ph2 { | |
240 | struct vpnctl_hdr hdr; | |
241 | u_int32_t address; | |
242 | u_int32_t lifetime; /* seconds */ | |
243 | u_int16_t pfs_group; /* defined in algorithm_types.h */ | |
244 | u_int16_t selector_count; | |
245 | u_int16_t algo_count; | |
246 | u_int16_t reserved; | |
247 | /* array of struct vpnctl_sa_selector */ | |
248 | /* array of struct vpnctl_algo */ | |
249 | }; | |
250 | ||
251 | /* assert connection (after network change) */ | |
252 | struct vpnctl_cmd_assert { | |
253 | struct vpnctl_hdr hdr; | |
254 | u_int32_t src_address; | |
255 | u_int32_t dst_address; | |
256 | }; | |
257 | ||
258 | /* set xauth info */ | |
259 | struct vpnctl_cmd_xauth_info { | |
260 | struct vpnctl_hdr hdr; | |
261 | u_int32_t address; | |
262 | /* packed array of variable sized struct isakmp_data */ | |
263 | }; | |
264 | ||
265 | /* redirect client to specified address */ | |
266 | struct vpnctl_cmd_redirect { | |
267 | struct vpnctl_hdr hdr; | |
268 | u_int32_t address; | |
269 | u_int32_t redirect_address; | |
270 | u_int16_t force; | |
271 | }; | |
272 | ||
273 | /* start dpd */ | |
274 | struct vpnctl_cmd_start_dpd { | |
275 | struct vpnctl_hdr hdr; | |
276 | u_int32_t address; | |
277 | }; | |
278 | ||
279 | /* | |
280 | * IKE Notify codes - mirrors codes in isakmp.h | |
281 | */ | |
282 | #define VPNCTL_NTYPE_INVALID_PAYLOAD_TYPE 1 | |
283 | #define VPNCTL_NTYPE_DOI_NOT_SUPPORTED 2 | |
284 | #define VPNCTL_NTYPE_SITUATION_NOT_SUPPORTED 3 | |
285 | #define VPNCTL_NTYPE_INVALID_COOKIE 4 | |
286 | #define VPNCTL_NTYPE_INVALID_MAJOR_VERSION 5 | |
287 | #define VPNCTL_NTYPE_INVALID_MINOR_VERSION 6 | |
288 | #define VPNCTL_NTYPE_INVALID_EXCHANGE_TYPE 7 | |
289 | #define VPNCTL_NTYPE_INVALID_FLAGS 8 | |
290 | #define VPNCTL_NTYPE_INVALID_MESSAGE_ID 9 | |
291 | #define VPNCTL_NTYPE_INVALID_PROTOCOL_ID 10 | |
292 | #define VPNCTL_NTYPE_INVALID_SPI 11 | |
293 | #define VPNCTL_NTYPE_INVALID_TRANSFORM_ID 12 | |
294 | #define VPNCTL_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13 | |
295 | #define VPNCTL_NTYPE_NO_PROPOSAL_CHOSEN 14 | |
296 | #define VPNCTL_NTYPE_BAD_PROPOSAL_SYNTAX 15 | |
297 | #define VPNCTL_NTYPE_PAYLOAD_MALFORMED 16 | |
298 | #define VPNCTL_NTYPE_INVALID_KEY_INFORMATION 17 | |
299 | #define VPNCTL_NTYPE_INVALID_ID_INFORMATION 18 | |
300 | #define VPNCTL_NTYPE_INVALID_CERT_ENCODING 19 | |
301 | #define VPNCTL_NTYPE_INVALID_CERTIFICATE 20 | |
302 | #define VPNCTL_NTYPE_BAD_CERT_REQUEST_SYNTAX 21 | |
303 | #define VPNCTL_NTYPE_INVALID_CERT_AUTHORITY 22 | |
304 | #define VPNCTL_NTYPE_INVALID_HASH_INFORMATION 23 | |
305 | #define VPNCTL_NTYPE_AUTHENTICATION_FAILED 24 | |
306 | #define VPNCTL_NTYPE_INVALID_SIGNATURE 25 | |
307 | #define VPNCTL_NTYPE_ADDRESS_NOTIFICATION 26 | |
308 | #define VPNCTL_NTYPE_NOTIFY_SA_LIFETIME 27 | |
309 | #define VPNCTL_NTYPE_CERTIFICATE_UNAVAILABLE 28 | |
310 | #define VPNCTL_NTYPE_UNSUPPORTED_EXCHANGE_TYPE 29 | |
311 | #define VPNCTL_NTYPE_UNEQUAL_PAYLOAD_LENGTHS 30 | |
312 | #define VPNCTL_NTYPE_LOAD_BALANCE 40501 | |
313 | #define VPNCTL_NTYPE_PEER_DEAD 50001 /* detected by DPD */ | |
314 | #define VPNCTL_NTYPE_PH1_DELETE 50002 /* received a delete payload leaving no PH1 SA for the remote address */ | |
315 | #define VPNCTL_NTYPE_IDLE_TIMEOUT 50003 | |
316 | #define VPNCTL_NTYPE_LOCAL_CERT_PREMATURE 50004 /* certificate is premature */ | |
317 | #define VPNCTL_NTYPE_LOCAL_CERT_EXPIRED 50005 /* certificate has expired */ | |
318 | #define VPNCTL_NTYPE_PEER_CERT_PREMATURE 50006 /* peer's certificate is premature */ | |
319 | #define VPNCTL_NTYPE_PEER_CERT_EXPIRED 50007 /* peer's certificate has expired */ | |
320 | #define VPNCTL_NTYPE_PEER_CERT_INVALID_SUBJNAME 50008 /* peer's certificate has an invalid subjname */ | |
321 | #define VPNCTL_NTYPE_PEER_CERT_INVALID_SUBJALTNAME 50009 /* peer's certificate has an invalid subjaltname */ | |
322 | #define VPNCTL_NTYPE_INTERNAL_ERROR -1 | |
323 | ||
324 | ||
325 | /* packet format for phase change status */ | |
326 | struct vpnctl_status_phase_change { | |
327 | struct vpnctl_hdr hdr; | |
328 | u_int32_t address; | |
329 | /* The following is included when VPNCTL_FLAG_MODECFG_USED flag set */ | |
330 | // struct vpnctl_modecfg_params mode_cfg; | |
331 | ||
332 | }; | |
333 | ||
334 | ||
335 | /* packet format for auth needed status */ | |
336 | struct vpnctl_status_need_authinfo { | |
337 | struct vpnctl_hdr hdr; | |
338 | u_int32_t address; | |
339 | /* packed array of variable sized struct isakmp_data */ | |
340 | }; | |
341 | ||
342 | ||
343 | struct split_address { | |
344 | u_int32_t splitaddr; | |
345 | u_int32_t splitmask; | |
346 | }; | |
347 | ||
348 | struct vpnctl_modecfg_params { | |
349 | u_int32_t outer_local_addr; | |
350 | u_int16_t outer_remote_port; | |
351 | u_int16_t outer_local_port; | |
352 | u_int8_t ifname[IFNAMSIZ]; | |
353 | /* | |
354 | * ifname for outer_local_addr (not null terminated) | |
355 | * followed by packed array of attributes (struct isakmp_data) | |
356 | */ | |
357 | }; | |
358 | ||
359 | ||
360 | /* Packet formats for failed status */ | |
361 | struct vpnctl_status_failed { | |
362 | struct vpnctl_hdr hdr; | |
363 | u_int32_t address; | |
364 | u_int16_t ike_code; | |
365 | u_int16_t from; | |
366 | u_int8_t data[0]; | |
367 | }; | |
368 | ||
369 | struct vpnctl_status_peer_resp { | |
370 | struct vpnctl_hdr hdr; | |
371 | u_int32_t address; | |
372 | u_int16_t ike_code; | |
373 | }; | |
374 | ||
375 | #endif /* _VPN_CONTROL_H */ |