Home | History | Annotate | Download | only in racoon
      1 /*	$NetBSD: remoteconf.h,v 1.16 2011/03/14 15:50:36 vanhu Exp $	*/
      2 
      3 /* Id: remoteconf.h,v 1.26 2006/05/06 15:52:44 manubsd Exp */
      4 
      5 /*
      6  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
      7  * All rights reserved.
      8  *
      9  * Redistribution and use in source and binary forms, with or without
     10  * modification, are permitted provided that the following conditions
     11  * are met:
     12  * 1. Redistributions of source code must retain the above copyright
     13  *    notice, this list of conditions and the following disclaimer.
     14  * 2. Redistributions in binary form must reproduce the above copyright
     15  *    notice, this list of conditions and the following disclaimer in the
     16  *    documentation and/or other materials provided with the distribution.
     17  * 3. Neither the name of the project nor the names of its contributors
     18  *    may be used to endorse or promote products derived from this software
     19  *    without specific prior written permission.
     20  *
     21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
     22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
     25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     31  * SUCH DAMAGE.
     32  */
     33 
     34 #ifndef _REMOTECONF_H
     35 #define _REMOTECONF_H
     36 
     37 /* remote configuration */
     38 
     39 #include <sys/queue.h>
     40 #include "genlist.h"
     41 #ifdef ENABLE_HYBRID
     42 #include "isakmp_var.h"
     43 #include "isakmp_xauth.h"
     44 #endif
     45 
     46 struct ph1handle;
     47 struct secprotospec;
     48 
     49 struct etypes {
     50 	int type;
     51 	struct etypes *next;
     52 };
     53 
     54 /* ISAKMP SA specification */
     55 struct isakmpsa {
     56 	int prop_no;
     57 	int trns_no;
     58 	time_t lifetime;
     59 	size_t lifebyte;
     60 	int enctype;
     61 	int encklen;
     62 	int authmethod;
     63 	int hashtype;
     64 	int vendorid;
     65 #ifdef HAVE_GSSAPI
     66 	vchar_t *gssid;
     67 #endif
     68 	int dh_group;			/* don't use it if aggressive mode */
     69 	struct dhgroup *dhgrp;		/* don't use it if aggressive mode */
     70 
     71 	struct isakmpsa *next;		/* next transform */
     72 };
     73 
     74 /* Certificate information */
     75 struct rmconf_cert {
     76 	vchar_t *data;			/* certificate payload */
     77 	char *filename;			/* name of local file */
     78 };
     79 
     80 /* Script hooks */
     81 #define SCRIPT_PHASE1_UP	0
     82 #define SCRIPT_PHASE1_DOWN	1
     83 #define SCRIPT_PHASE1_DEAD	2
     84 #define SCRIPT_MAX		2
     85 extern char *script_names[SCRIPT_MAX + 1];
     86 
     87 struct remoteconf {
     88 	char *name;			/* remote configuration name */
     89 	struct sockaddr *remote;	/* remote IP address */
     90 					/* if family is AF_UNSPEC, that is
     91 					 * for anonymous configuration. */
     92 
     93 	struct etypes *etypes;		/* exchange type list. the head
     94 					 * is a type to be sent first. */
     95 	int doitype;			/* doi type */
     96 	int sittype;			/* situation type */
     97 
     98 	int idvtype;			/* my identifier type */
     99 	vchar_t *idv;			/* my identifier */
    100 	vchar_t *key;			/* my pre-shared key */
    101 	struct genlist *idvl_p;         /* peer's identifiers list */
    102 
    103 	char *myprivfile;		/* file name of my private key file */
    104 	char *mycertfile;		/* file name of my certificate */
    105 	vchar_t *mycert;		/* my certificate */
    106 	char *peerscertfile;		/* file name of peer's certifcate */
    107 	vchar_t *peerscert;		/* peer's certificate */
    108 	char *cacertfile;		/* file name of CA */
    109 	vchar_t *cacert;		/* CA certificate */
    110 
    111 	int send_cert;			/* send to CERT or not */
    112 	int send_cr;			/* send to CR or not */
    113 	int match_empty_cr;		/* does this match if CR is empty */
    114 	int verify_cert;		/* verify a CERT strictly */
    115 	int verify_identifier;		/* vefify the peer's identifier */
    116 	int nonce_size;			/* the number of bytes of nonce */
    117 	int passive;			/* never initiate */
    118 	int ike_frag;			/* IKE fragmentation */
    119 	int esp_frag;			/* ESP fragmentation */
    120 	int mode_cfg;			/* Gets config through mode config */
    121 	int support_proxy;		/* support mip6/proxy */
    122 #define GENERATE_POLICY_NONE	0
    123 #define GENERATE_POLICY_REQUIRE	1
    124 #define GENERATE_POLICY_UNIQUE	2
    125 	int gen_policy;			/* generate policy if no policy found */
    126 	int ini_contact;		/* initial contact */
    127 	int pcheck_level;		/* level of propocl checking */
    128 	int nat_traversal;		/* NAT-Traversal */
    129 	vchar_t *script[SCRIPT_MAX + 1];/* script hooks paths */
    130 	int dh_group;			/* use it when only aggressive mode */
    131 	struct dhgroup *dhgrp;		/* use it when only aggressive mode */
    132 					/* above two can't be defined by user*/
    133 
    134 	int dpd;				/* Negociate DPD support ? */
    135 	int dpd_retry;			/* in seconds */
    136 	int dpd_interval;		/* in seconds */
    137 	int dpd_maxfails;
    138 
    139 	int rekey;			/* rekey ph1 when active ph2s? */
    140 #define REKEY_OFF		FALSE
    141 #define REKEY_ON		TRUE
    142 #define REKEY_FORCE		2
    143 
    144 	uint32_t ph1id; /* ph1id to be matched with sainfo sections */
    145 
    146 	int weak_phase1_check;		/* act on unencrypted deletions ? */
    147 
    148 	struct isakmpsa *proposal;	/* proposal list */
    149 	struct remoteconf *inherited_from;	/* the original rmconf
    150 						   from which this one
    151 						   was inherited */
    152 
    153 	time_t lifetime;		/* for isakmp/ipsec */
    154 	int lifebyte;			/* for isakmp/ipsec */
    155 	struct secprotospec *spspec;	/* the head is always current spec. */
    156 
    157 	struct genlist	*rsa_private,	/* lists of PlainRSA keys to use */
    158 			*rsa_public;
    159 
    160 #ifdef ENABLE_HYBRID
    161 	struct xauth_rmconf *xauth;
    162 #endif
    163 
    164 	TAILQ_ENTRY(remoteconf) chain;	/* next remote conf */
    165 };
    166 
    167 #define RMCONF_NONCE_SIZE(rmconf) \
    168 	(rmconf != NULL ? rmconf->nonce_size : DEFAULT_NONCE_SIZE)
    169 
    170 struct dhgroup;
    171 
    172 struct idspec {
    173 	int idtype;                     /* identifier type */
    174 	vchar_t *id;                    /* identifier */
    175 };
    176 
    177 struct rmconfselector {
    178 	int flags;
    179 	struct sockaddr *remote;
    180 	int etype;
    181 	struct isakmpsa *approval;
    182 	vchar_t *identity;
    183 	vchar_t *certificate_request;
    184 };
    185 
    186 extern void rmconf_selector_from_ph1 __P((struct rmconfselector *rmsel,
    187 					  struct ph1handle *iph1));
    188 extern int enumrmconf __P((struct rmconfselector *rmsel,
    189 			   int (* enum_func)(struct remoteconf *rmconf, void *arg),
    190 			   void *enum_arg));
    191 
    192 #define GETRMCONF_F_NO_ANONYMOUS	0x0001
    193 #define GETRMCONF_F_NO_PASSIVE		0x0002
    194 
    195 #define RMCONF_ERR_MULTIPLE		((struct remoteconf *) -1)
    196 
    197 extern int rmconf_match_identity __P((struct remoteconf *rmconf,
    198 				      vchar_t *id_p));
    199 extern struct remoteconf *getrmconf __P((struct sockaddr *remote, int flags));
    200 extern struct remoteconf *getrmconf_by_ph1 __P((struct ph1handle *iph1));
    201 extern struct remoteconf *getrmconf_by_name __P((const char *name));
    202 
    203 extern struct remoteconf *newrmconf __P((void));
    204 extern struct remoteconf *duprmconf_shallow __P((struct remoteconf *));
    205 extern int duprmconf_finish __P((struct remoteconf *));
    206 extern void delrmconf __P((struct remoteconf *));
    207 extern void deletypes __P((struct etypes *));
    208 extern struct etypes * dupetypes __P((struct etypes *));
    209 extern void insrmconf __P((struct remoteconf *));
    210 extern void remrmconf __P((struct remoteconf *));
    211 extern void flushrmconf __P((void));
    212 extern void dupspspec_list __P((struct remoteconf *, struct remoteconf *));
    213 extern void flushspspec __P((struct remoteconf *));
    214 extern void initrmconf __P((void));
    215 extern void rmconf_start_reload __P((void));
    216 extern void rmconf_finish_reload __P((void));
    217 
    218 extern int check_etypeok __P((struct remoteconf *, void *));
    219 
    220 extern struct isakmpsa *newisakmpsa __P((void));
    221 extern struct isakmpsa *dupisakmpsa __P((struct isakmpsa *));
    222 extern void delisakmpsa __P((struct isakmpsa *));
    223 extern void insisakmpsa __P((struct isakmpsa *, struct remoteconf *));
    224 #ifdef ENABLE_HYBRID
    225 extern int isakmpsa_switch_authmethod __P((int authmethod));
    226 #else
    227 static inline int isakmpsa_switch_authmethod(int authmethod)
    228 {
    229 	return authmethod;
    230 }
    231 #endif
    232 extern struct isakmpsa * checkisakmpsa __P((int pcheck,
    233 					    struct isakmpsa *proposal,
    234 					    struct isakmpsa *acceptable));
    235 
    236 
    237 extern void dumprmconf __P((void));
    238 
    239 extern struct idspec *newidspec __P((void));
    240 
    241 extern vchar_t *script_path_add __P((vchar_t *));
    242 
    243 #endif /* _REMOTECONF_H */
    244