
    1: /*	$NetBSD: remoteconf.h,v 1.16 2011/03/14 15:50:36 vanhu Exp $	*/
    2: 
    3: /* Id: remoteconf.h,v 1.26 2006/05/06 15:52:44 manubsd Exp */
    4: 
    5: /*
    6:  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
    7:  * All rights reserved.
    8:  * 
    9:  * Redistribution and use in source and binary forms, with or without
   10:  * modification, are permitted provided that the following conditions
   11:  * are met:
   12:  * 1. Redistributions of source code must retain the above copyright
   13:  *    notice, this list of conditions and the following disclaimer.
   14:  * 2. Redistributions in binary form must reproduce the above copyright
   15:  *    notice, this list of conditions and the following disclaimer in the
   16:  *    documentation and/or other materials provided with the distribution.
   17:  * 3. Neither the name of the project nor the names of its contributors
   18:  *    may be used to endorse or promote products derived from this software
   19:  *    without specific prior written permission.
   20:  * 
   21:  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
   22:  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   23:  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   24:  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
   25:  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   26:  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   27:  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   28:  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   29:  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   30:  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   31:  * SUCH DAMAGE.
   32:  */
   33: 
   34: #ifndef _REMOTECONF_H
   35: #define _REMOTECONF_H
   36: 
   37: /* remote configuration */
   38: 
   39: #include <sys/queue.h>
   40: #include "genlist.h"
   41: #ifdef ENABLE_HYBRID
   42: #include "isakmp_var.h"
   43: #include "isakmp_xauth.h"
   44: #endif
   45: 
   46: struct ph1handle;
   47: struct secprotospec;
   48: 
/*
 * One node of a remote configuration's exchange-type list
 * (see remoteconf.etypes): a singly linked list of ISAKMP exchange
 * types, the head being the type to be sent first.
 */
struct etypes {
	int type;			/* exchange type value */
	struct etypes *next;		/* following entry in the list */
};
   53: 
   54: /* ISAKMP SA specification */
/*
 * ISAKMP SA specification: one transform of a phase 1 proposal.
 * Entries are chained through `next' to form the proposal list hung off
 * remoteconf.proposal.
 */
struct isakmpsa {
	int prop_no;			/* proposal number */
	int trns_no;			/* transform number */
	time_t lifetime;		/* SA lifetime (units not fixed here) */
	size_t lifebyte;		/* SA lifetime in bytes
					 * (NOTE(review): remoteconf.lifebyte
					 * is an int -- confirm conversions) */
	int enctype;			/* encryption algorithm */
	int encklen;			/* encryption key length */
	int authmethod;			/* authentication method */
	int hashtype;			/* hash algorithm */
	int vendorid;			/* vendor id */
#ifdef HAVE_GSSAPI
	vchar_t *gssid;			/* GSS-API identity */
#endif
	int dh_group;			/* don't use it if aggressive mode */
	struct dhgroup *dhgrp;		/* don't use it if aggressive mode */

	struct isakmpsa *next;		/* next transform */
};
   73: 
   74: /* Certificate information */
/*
 * Certificate information: the certificate payload together with the
 * local file it was loaded from.
 */
struct rmconf_cert {
	vchar_t *data;			/* certificate payload */
	char *filename;			/* name of local file */
};
   79: 
   80: /* Script hooks */
/*
 * Script hooks.  The values are indices into remoteconf.script[] and
 * script_names[]; SCRIPT_MAX is the highest index, hence the
 * SCRIPT_MAX + 1 array sizes.
 */
#define SCRIPT_PHASE1_UP	0
#define SCRIPT_PHASE1_DOWN	1
#define SCRIPT_PHASE1_DEAD	2
#define SCRIPT_MAX		2
extern char *script_names[SCRIPT_MAX + 1];	/* hook names, indexed as above */
   86: 
/*
 * Remote configuration: everything racoon knows about how to negotiate
 * with one peer (or with any peer, for the anonymous entry).  Entries are
 * linked through `chain'.  Member order is part of the in-memory layout
 * shared with remoteconf.c and the parser; do not reorder.
 */
struct remoteconf {
	char *name;			/* remote configuration name */
	struct sockaddr *remote;	/* remote IP address */
					/* if family is AF_UNSPEC, that is
					 * for anonymous configuration. */

	struct etypes *etypes;		/* exchange type list. the head
					 * is a type to be sent first. */
	int doitype;			/* doi type */
	int sittype;			/* situation type */

	int idvtype;			/* my identifier type */
	vchar_t *idv;			/* my identifier */
	vchar_t *key;			/* my pre-shared key (secret
					 * material; see delrmconf()) */
	struct genlist *idvl_p;         /* peer's identifiers list */

	char *myprivfile;		/* file name of my private key file */
	char *mycertfile;		/* file name of my certificate */
	vchar_t *mycert;		/* my certificate */
	char *peerscertfile;		/* file name of peer's certificate */
	vchar_t *peerscert;		/* peer's certificate */
	char *cacertfile;		/* file name of CA */
	vchar_t *cacert;		/* CA certificate */

	int send_cert;			/* send CERT payload or not */
	int send_cr;			/* send CR payload or not */
	int match_empty_cr;		/* does this match if CR is empty */
	int verify_cert;		/* verify a CERT strictly; when off,
					 * the peer's cert is not strictly
					 * verified */
	int verify_identifier;		/* verify the peer's identifier */
	int nonce_size;			/* the number of bytes of nonce
					 * (see RMCONF_NONCE_SIZE) */
	int passive;			/* never initiate */
	int ike_frag;			/* IKE fragmentation */
	int esp_frag;			/* ESP fragmentation */
	int mode_cfg;			/* Gets config through mode config */
	int support_proxy;		/* support mip6/proxy */
/* values for gen_policy */
#define GENERATE_POLICY_NONE	0
#define GENERATE_POLICY_REQUIRE	1
#define GENERATE_POLICY_UNIQUE	2
	int gen_policy;			/* generate policy if no policy found
					 * (GENERATE_POLICY_*) */
	int ini_contact;		/* initial contact */
	int pcheck_level;		/* level of proposal checking
					 * (the `pcheck' of checkisakmpsa) */
	int nat_traversal;		/* NAT-Traversal */
	vchar_t *script[SCRIPT_MAX + 1];/* script hooks paths, indexed
					 * by SCRIPT_PHASE1_* */
	int dh_group;			/* use it when only aggressive mode */
	struct dhgroup *dhgrp;		/* use it when only aggressive mode */
					/* above two can't be defined by user*/

	int dpd;				/* Negotiate DPD support ? */
	int dpd_retry;			/* in seconds */
	int dpd_interval;		/* in seconds */
	int dpd_maxfails;		/* DPD failures tolerated */

	int rekey;			/* rekey ph1 when active ph2s?
					 * (REKEY_*) */
/* values for rekey; FALSE/TRUE are defined elsewhere */
#define REKEY_OFF		FALSE
#define REKEY_ON		TRUE
#define REKEY_FORCE		2

	uint32_t ph1id; /* ph1id to be matched with sainfo sections */

	int weak_phase1_check;		/* act on unencrypted deletions ? */

	struct isakmpsa *proposal;	/* proposal list */
	struct remoteconf *inherited_from;	/* the original rmconf 
						   from which this one 
						   was inherited */

	time_t lifetime;		/* for isakmp/ipsec */
	int lifebyte;			/* for isakmp/ipsec
					 * (NOTE(review): isakmpsa.lifebyte
					 * is size_t -- confirm conversions) */
	struct secprotospec *spspec;	/* the head is always current spec. */

	struct genlist	*rsa_private,	/* lists of PlainRSA keys to use */
			*rsa_public;

#ifdef ENABLE_HYBRID
	struct xauth_rmconf *xauth;	/* XAuth settings (hybrid auth) */
#endif

	TAILQ_ENTRY(remoteconf) chain;	/* next remote conf */
};
  166: 
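/*
 * Number of nonce bytes to use: the per-remote setting when a
 * configuration is available, otherwise DEFAULT_NONCE_SIZE (defined
 * elsewhere).  Every use of the argument is parenthesized so that an
 * expression such as `&rc' or `a ? b : c' expands correctly; the
 * unparenthesized form mis-parsed those as `&rc->nonce_size'.
 */
#define RMCONF_NONCE_SIZE(rmconf) \
	((rmconf) != NULL ? (rmconf)->nonce_size : DEFAULT_NONCE_SIZE)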
  169: 
  170: struct dhgroup;
  171: 
/* Identifier specification: an identifier together with its type. */
struct idspec {
	int idtype;                     /* identifier type */
	vchar_t *id;                    /* identifier */
};
  176: 
/*
 * Selection criteria for looking up a remote configuration (see
 * rmconf_selector_from_ph1 and enumrmconf).  Which members are compared,
 * and how, is defined in remoteconf.c.
 */
struct rmconfselector {
	int flags;			/* presumably GETRMCONF_F_* bits */
	struct sockaddr *remote;	/* peer address to match */
	int etype;			/* exchange type */
	struct isakmpsa *approval;	/* transform to match */
	vchar_t *identity;		/* peer identity */
	vchar_t *certificate_request;	/* received CR payload, if any */
};
  185: 
/*
 * Populate *rmsel from a phase 1 handle (presumably its peer address,
 * exchange type and identity; see remoteconf.c).
 */
extern void rmconf_selector_from_ph1 __P((struct rmconfselector *rmsel,
					  struct ph1handle *iph1));
/*
 * Call enum_func(rmconf, enum_arg) for each configuration matching *rmsel.
 * The meaning of the return value and of a non-zero return from enum_func
 * is not visible here -- see remoteconf.c.
 */
extern int enumrmconf __P((struct rmconfselector *rmsel,
			   int (* enum_func)(struct remoteconf *rmconf, void *arg),
			   void *enum_arg));

/* flag bits for getrmconf() */
#define GETRMCONF_F_NO_ANONYMOUS	0x0001	/* presumably skips the AF_UNSPEC entry */
#define GETRMCONF_F_NO_PASSIVE		0x0002	/* presumably skips passive entries */

/*
 * Error sentinel: non-NULL but not dereferenceable.  Callers of the lookup
 * functions below must compare against it as well as against NULL before
 * using the result (which of them return it is defined in remoteconf.c).
 */
#define RMCONF_ERR_MULTIPLE		((struct remoteconf *) -1)

/* Non-zero presumably means id_p matches rmconf's peer identifiers. */
extern int rmconf_match_identity __P((struct remoteconf *rmconf,
				      vchar_t *id_p));
/* lookups; see RMCONF_ERR_MULTIPLE above */
extern struct remoteconf *getrmconf __P((struct sockaddr *remote, int flags));
extern struct remoteconf *getrmconf_by_ph1 __P((struct ph1handle *iph1));
extern struct remoteconf *getrmconf_by_name __P((const char *name));
  202: 
/* Allocation, duplication and teardown of remote configurations. */
extern struct remoteconf *newrmconf __P((void));
/* Two-step copy: a shallow duplicate, then duprmconf_finish() to complete
 * it.  Which members each step copies is defined in remoteconf.c. */
extern struct remoteconf *duprmconf_shallow __P((struct remoteconf *));
extern int duprmconf_finish __P((struct remoteconf *));
/* NOTE(review): remoteconf.key holds a pre-shared key; confirm that this
 * path clears it before the memory is released. */
extern void delrmconf __P((struct remoteconf *));
extern void deletypes __P((struct etypes *));
extern struct etypes * dupetypes __P((struct etypes *));
/* Insert into / remove from the global list chained via remoteconf.chain. */
extern void insrmconf __P((struct remoteconf *));
extern void remrmconf __P((struct remoteconf *));
extern void flushrmconf __P((void));
/* Copy / release the secprotospec list hung off remoteconf.spspec. */
extern void dupspspec_list __P((struct remoteconf *, struct remoteconf *));
extern void flushspspec __P((struct remoteconf *));
extern void initrmconf __P((void));
/* Bracket a configuration reload; the semantics of the two phases are
 * defined in remoteconf.c. */
extern void rmconf_start_reload __P((void));
extern void rmconf_finish_reload __P((void));

/* Presumably an enumrmconf() callback checking the exchange type. */
extern int check_etypeok __P((struct remoteconf *, void *));
  219: 
/* ISAKMP SA proposal entries (struct isakmpsa). */
extern struct isakmpsa *newisakmpsa __P((void));
extern struct isakmpsa *dupisakmpsa __P((struct isakmpsa *));
extern void delisakmpsa __P((struct isakmpsa *));
/* Attach a transform to the remote configuration's proposal list. */
extern void insisakmpsa __P((struct isakmpsa *, struct remoteconf *));
#ifdef ENABLE_HYBRID
extern int isakmpsa_switch_authmethod __P((int authmethod));
#else
/*
 * Without hybrid/XAuth support there is no alternate authentication
 * method to map to, so the requested method is handed back unchanged.
 */
static inline int isakmpsa_switch_authmethod(int authmethod)
{
	int mapped = authmethod;

	return mapped;
}
#endif
/*
 * Compare a received proposal against the acceptable one under the given
 * proposal-check level (pcheck; cf. remoteconf.pcheck_level) and return the
 * matching entry.  What is returned when nothing matches is defined in
 * remoteconf.c.
 */
extern struct isakmpsa * checkisakmpsa __P((int pcheck,
					    struct isakmpsa *proposal,
					    struct isakmpsa *acceptable));


/* Presumably logs the configured remote entries. */
extern void dumprmconf __P((void));

extern struct idspec *newidspec __P((void));

/* Builds a script path from the given name; ownership of the argument and
 * of the result is defined in remoteconf.c. */
extern vchar_t *script_path_add __P((vchar_t *));
  242: 
  243: #endif /* _REMOTECONF_H */
