| /* $NetBSD: remoteconf.h,v 1.16 2011/03/14 15:50:36 vanhu Exp $ */ |
| |
| /* Id: remoteconf.h,v 1.26 2006/05/06 15:52:44 manubsd Exp */ |
| |
| /* |
| * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. |
| * All rights reserved. |
| * |
| * Redistribution and use in source and binary forms, with or without |
| * modification, are permitted provided that the following conditions |
| * are met: |
| * 1. Redistributions of source code must retain the above copyright |
| * notice, this list of conditions and the following disclaimer. |
| * 2. Redistributions in binary form must reproduce the above copyright |
| * notice, this list of conditions and the following disclaimer in the |
| * documentation and/or other materials provided with the distribution. |
| * 3. Neither the name of the project nor the names of its contributors |
| * may be used to endorse or promote products derived from this software |
| * without specific prior written permission. |
| * |
| * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND |
| * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE |
| * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
| * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
| * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
| * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| * SUCH DAMAGE. |
| */ |
| |
| #ifndef _REMOTECONF_H |
| #define _REMOTECONF_H |
| |
| /* remote configuration */ |
| |
| #include <sys/queue.h> |
| #include "genlist.h" |
| #ifdef ENABLE_HYBRID |
| #include "isakmp_var.h" |
| #include "isakmp_xauth.h" |
| #endif |
| |
| struct ph1handle; |
| struct secprotospec; |
| |
| struct etypes { |
| int type; |
| struct etypes *next; |
| }; |
| |
| /* ISAKMP SA specification */ |
| struct isakmpsa { |
| int prop_no; |
| int trns_no; |
| time_t lifetime; |
| size_t lifebyte; |
| int enctype; |
| int encklen; |
| int authmethod; |
| int hashtype; |
| int vendorid; |
| #ifdef HAVE_GSSAPI |
| vchar_t *gssid; |
| #endif |
| int dh_group; /* don't use it if aggressive mode */ |
| struct dhgroup *dhgrp; /* don't use it if aggressive mode */ |
| |
| struct isakmpsa *next; /* next transform */ |
| }; |
| |
| /* Certificate information */ |
| struct rmconf_cert { |
| vchar_t *data; /* certificate payload */ |
| char *filename; /* name of local file */ |
| }; |
| |
| /* Script hooks */ |
| #define SCRIPT_PHASE1_UP 0 |
| #define SCRIPT_PHASE1_DOWN 1 |
| #define SCRIPT_PHASE1_DEAD 2 |
| #define SCRIPT_MAX 2 |
| extern char *script_names[SCRIPT_MAX + 1]; |
| |
| struct remoteconf { |
| char *name; /* remote configuration name */ |
| struct sockaddr *remote; /* remote IP address */ |
| /* if family is AF_UNSPEC, that is |
| * for anonymous configuration. */ |
| |
| struct etypes *etypes; /* exchange type list. the head |
| * is a type to be sent first. */ |
| int doitype; /* doi type */ |
| int sittype; /* situation type */ |
| |
| int idvtype; /* my identifier type */ |
| vchar_t *idv; /* my identifier */ |
| vchar_t *key; /* my pre-shared key */ |
| struct genlist *idvl_p; /* peer's identifiers list */ |
| |
| char *myprivfile; /* file name of my private key file */ |
| char *mycertfile; /* file name of my certificate */ |
| vchar_t *mycert; /* my certificate */ |
| char *peerscertfile; /* file name of peer's certifcate */ |
| vchar_t *peerscert; /* peer's certificate */ |
| char *cacertfile; /* file name of CA */ |
| vchar_t *cacert; /* CA certificate */ |
| |
| int send_cert; /* send to CERT or not */ |
| int send_cr; /* send to CR or not */ |
| int match_empty_cr; /* does this match if CR is empty */ |
| int verify_cert; /* verify a CERT strictly */ |
| int verify_identifier; /* vefify the peer's identifier */ |
| int nonce_size; /* the number of bytes of nonce */ |
| int passive; /* never initiate */ |
| int ike_frag; /* IKE fragmentation */ |
| int esp_frag; /* ESP fragmentation */ |
| int mode_cfg; /* Gets config through mode config */ |
| int support_proxy; /* support mip6/proxy */ |
| #define GENERATE_POLICY_NONE 0 |
| #define GENERATE_POLICY_REQUIRE 1 |
| #define GENERATE_POLICY_UNIQUE 2 |
| int gen_policy; /* generate policy if no policy found */ |
| int ini_contact; /* initial contact */ |
| int pcheck_level; /* level of propocl checking */ |
| int nat_traversal; /* NAT-Traversal */ |
| vchar_t *script[SCRIPT_MAX + 1];/* script hooks paths */ |
| int dh_group; /* use it when only aggressive mode */ |
| struct dhgroup *dhgrp; /* use it when only aggressive mode */ |
| /* above two can't be defined by user*/ |
| |
| int dpd; /* Negociate DPD support ? */ |
| int dpd_retry; /* in seconds */ |
| int dpd_interval; /* in seconds */ |
| int dpd_maxfails; |
| |
| int rekey; /* rekey ph1 when active ph2s? */ |
| #define REKEY_OFF FALSE |
| #define REKEY_ON TRUE |
| #define REKEY_FORCE 2 |
| |
| uint32_t ph1id; /* ph1id to be matched with sainfo sections */ |
| |
| int weak_phase1_check; /* act on unencrypted deletions ? */ |
| |
| struct isakmpsa *proposal; /* proposal list */ |
| struct remoteconf *inherited_from; /* the original rmconf |
| from which this one |
| was inherited */ |
| |
| time_t lifetime; /* for isakmp/ipsec */ |
| int lifebyte; /* for isakmp/ipsec */ |
| struct secprotospec *spspec; /* the head is always current spec. */ |
| |
| struct genlist *rsa_private, /* lists of PlainRSA keys to use */ |
| *rsa_public; |
| |
| #ifdef ENABLE_HYBRID |
| struct xauth_rmconf *xauth; |
| #endif |
| |
| TAILQ_ENTRY(remoteconf) chain; /* next remote conf */ |
| }; |
| |
| #define RMCONF_NONCE_SIZE(rmconf) \ |
| (rmconf != NULL ? rmconf->nonce_size : DEFAULT_NONCE_SIZE) |
| |
| struct dhgroup; |
| |
| struct idspec { |
| int idtype; /* identifier type */ |
| vchar_t *id; /* identifier */ |
| }; |
| |
| struct rmconfselector { |
| int flags; |
| struct sockaddr *remote; |
| int etype; |
| struct isakmpsa *approval; |
| vchar_t *identity; |
| vchar_t *certificate_request; |
| }; |
| |
| extern void rmconf_selector_from_ph1 __P((struct rmconfselector *rmsel, |
| struct ph1handle *iph1)); |
| extern int enumrmconf __P((struct rmconfselector *rmsel, |
| int (* enum_func)(struct remoteconf *rmconf, void *arg), |
| void *enum_arg)); |
| |
| #define GETRMCONF_F_NO_ANONYMOUS 0x0001 |
| #define GETRMCONF_F_NO_PASSIVE 0x0002 |
| |
| #define RMCONF_ERR_MULTIPLE ((struct remoteconf *) -1) |
| |
| extern int rmconf_match_identity __P((struct remoteconf *rmconf, |
| vchar_t *id_p)); |
| extern struct remoteconf *getrmconf __P((struct sockaddr *remote, int flags)); |
| extern struct remoteconf *getrmconf_by_ph1 __P((struct ph1handle *iph1)); |
| extern struct remoteconf *getrmconf_by_name __P((const char *name)); |
| |
| extern struct remoteconf *newrmconf __P((void)); |
| extern struct remoteconf *duprmconf_shallow __P((struct remoteconf *)); |
| extern int duprmconf_finish __P((struct remoteconf *)); |
| extern void delrmconf __P((struct remoteconf *)); |
| extern void deletypes __P((struct etypes *)); |
| extern struct etypes * dupetypes __P((struct etypes *)); |
| extern void insrmconf __P((struct remoteconf *)); |
| extern void remrmconf __P((struct remoteconf *)); |
| extern void flushrmconf __P((void)); |
| extern void dupspspec_list __P((struct remoteconf *, struct remoteconf *)); |
| extern void flushspspec __P((struct remoteconf *)); |
| extern void initrmconf __P((void)); |
| extern void rmconf_start_reload __P((void)); |
| extern void rmconf_finish_reload __P((void)); |
| |
| extern int check_etypeok __P((struct remoteconf *, void *)); |
| |
| extern struct isakmpsa *newisakmpsa __P((void)); |
| extern struct isakmpsa *dupisakmpsa __P((struct isakmpsa *)); |
| extern void delisakmpsa __P((struct isakmpsa *)); |
| extern void insisakmpsa __P((struct isakmpsa *, struct remoteconf *)); |
| #ifdef ENABLE_HYBRID |
| extern int isakmpsa_switch_authmethod __P((int authmethod)); |
| #else |
| static inline int isakmpsa_switch_authmethod(int authmethod) |
| { |
| return authmethod; |
| } |
| #endif |
| extern struct isakmpsa * checkisakmpsa __P((int pcheck, |
| struct isakmpsa *proposal, |
| struct isakmpsa *acceptable)); |
| |
| |
| extern void dumprmconf __P((void)); |
| |
| extern struct idspec *newidspec __P((void)); |
| |
| extern vchar_t *script_path_add __P((vchar_t *)); |
| |
| #endif /* _REMOTECONF_H */ |