Diffstat (limited to 'ipsec-tools/src/racoon/remoteconf.h')
-rw-r--r-- | ipsec-tools/src/racoon/remoteconf.h | 243 |
1 files changed, 243 insertions, 0 deletions
diff --git a/ipsec-tools/src/racoon/remoteconf.h b/ipsec-tools/src/racoon/remoteconf.h
new file mode 100644
index 00000000..3ebe004e
--- /dev/null
+++ b/ipsec-tools/src/racoon/remoteconf.h
@@ -0,0 +1,243 @@
+/* $NetBSD: remoteconf.h,v 1.16 2011/03/14 15:50:36 vanhu Exp $ */
+
+/* Id: remoteconf.h,v 1.26 2006/05/06 15:52:44 manubsd Exp */
+
+/*
+ * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
+ * All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ * notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ * notice, this list of conditions and the following disclaimer in the
+ * documentation and/or other materials provided with the distribution.
+ * 3. Neither the name of the project nor the names of its contributors
+ * may be used to endorse or promote products derived from this software
+ * without specific prior written permission.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
+ * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
+ * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
+ * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
+ * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
+ * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
+ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
+ * SUCH DAMAGE.
+ */
+
+#ifndef _REMOTECONF_H
+#define _REMOTECONF_H
+
+/* remote configuration */
+
+#include <sys/queue.h>
+#include "genlist.h"
+#ifdef ENABLE_HYBRID
+#include "isakmp_var.h"
+#include "isakmp_xauth.h"
+#endif
+
+struct ph1handle;
+struct secprotospec;
+
+struct etypes {
+ int type;
+ struct etypes *next;
+};
+
+/* ISAKMP SA specification */
+struct isakmpsa {
+ int prop_no;
+ int trns_no;
+ time_t lifetime;
+ size_t lifebyte;
+ int enctype;
+ int encklen;
+ int authmethod;
+ int hashtype;
+ int vendorid;
+#ifdef HAVE_GSSAPI
+ vchar_t *gssid;
+#endif
+ int dh_group; /* don't use it if aggressive mode */
+ struct dhgroup *dhgrp; /* don't use it if aggressive mode */
+
+ struct isakmpsa *next; /* next transform */
+};
+
+/* Certificate information */
+struct rmconf_cert {
+ vchar_t *data; /* certificate payload */
+ char *filename; /* name of local file */
+};
+
+/* Script hooks */
+#define SCRIPT_PHASE1_UP 0
+#define SCRIPT_PHASE1_DOWN 1
+#define SCRIPT_PHASE1_DEAD 2
+#define SCRIPT_MAX 2
+extern char *script_names[SCRIPT_MAX + 1];
+
+struct remoteconf {
+ char *name; /* remote configuration name */
+ struct sockaddr *remote; /* remote IP address */
+ /* if family is AF_UNSPEC, that is
+ * for anonymous configuration. */
+
+ struct etypes *etypes; /* exchange type list. the head
+ * is a type to be sent first. */
+ int doitype; /* doi type */
+ int sittype; /* situation type */
+
+ int idvtype; /* my identifier type */
+ vchar_t *idv; /* my identifier */
+ vchar_t *key; /* my pre-shared key */
+ struct genlist *idvl_p; /* peer's identifiers list */
+
+ char *myprivfile; /* file name of my private key file */
+ char *mycertfile; /* file name of my certificate */
+ vchar_t *mycert; /* my certificate */
+ char *peerscertfile; /* file name of peer's certifcate */
+ vchar_t *peerscert; /* peer's certificate */
+ char *cacertfile; /* file name of CA */
+ vchar_t *cacert; /* CA certificate */
+
+ int send_cert; /* send to CERT or not */
+ int send_cr; /* send to CR or not */
+ int match_empty_cr; /* does this match if CR is empty */
+ int verify_cert; /* verify a CERT strictly */
+ int verify_identifier; /* vefify the peer's identifier */
+ int nonce_size; /* the number of bytes of nonce */
+ int passive; /* never initiate */
+ int ike_frag; /* IKE fragmentation */
+ int esp_frag; /* ESP fragmentation */
+ int mode_cfg; /* Gets config through mode config */
+ int support_proxy; /* support mip6/proxy */
+#define GENERATE_POLICY_NONE 0
+#define GENERATE_POLICY_REQUIRE 1
+#define GENERATE_POLICY_UNIQUE 2
+ int gen_policy; /* generate policy if no policy found */
+ int ini_contact; /* initial contact */
+ int pcheck_level; /* level of propocl checking */
+ int nat_traversal; /* NAT-Traversal */
+ vchar_t *script[SCRIPT_MAX + 1];/* script hooks paths */
+ int dh_group; /* use it when only aggressive mode */
+ struct dhgroup *dhgrp; /* use it when only aggressive mode */
+ /* above two can't be defined by user*/
+
+ int dpd; /* Negociate DPD support ? */
+ int dpd_retry; /* in seconds */
+ int dpd_interval; /* in seconds */
+ int dpd_maxfails;
+
+ int rekey; /* rekey ph1 when active ph2s? */
+#define REKEY_OFF FALSE
+#define REKEY_ON TRUE
+#define REKEY_FORCE 2
+
+ uint32_t ph1id; /* ph1id to be matched with sainfo sections */
+
+ int weak_phase1_check; /* act on unencrypted deletions ? */
+
+ struct isakmpsa *proposal; /* proposal list */
+ struct remoteconf *inherited_from; /* the original rmconf
+ from which this one
+ was inherited */
+
+ time_t lifetime; /* for isakmp/ipsec */
+ int lifebyte; /* for isakmp/ipsec */
+ struct secprotospec *spspec; /* the head is always current spec. */
+
+ struct genlist *rsa_private, /* lists of PlainRSA keys to use */
+ *rsa_public;
+
+#ifdef ENABLE_HYBRID
+ struct xauth_rmconf *xauth;
+#endif
+
+ TAILQ_ENTRY(remoteconf) chain; /* next remote conf */
+};
+
+#define RMCONF_NONCE_SIZE(rmconf) \
+ (rmconf != NULL ? rmconf->nonce_size : DEFAULT_NONCE_SIZE)
+
+struct dhgroup;
+
+struct idspec {
+ int idtype; /* identifier type */
+ vchar_t *id; /* identifier */
+};
+
+struct rmconfselector {
+ int flags;
+ struct sockaddr *remote;
+ int etype;
+ struct isakmpsa *approval;
+ vchar_t *identity;
+ vchar_t *certificate_request;
+};
+
+extern void rmconf_selector_from_ph1 __P((struct rmconfselector *rmsel,
+ struct ph1handle *iph1));
+extern int enumrmconf __P((struct rmconfselector *rmsel,
+ int (* enum_func)(struct remoteconf *rmconf, void *arg),
+ void *enum_arg));
+
+#define GETRMCONF_F_NO_ANONYMOUS 0x0001
+#define GETRMCONF_F_NO_PASSIVE 0x0002
+
+#define RMCONF_ERR_MULTIPLE ((struct remoteconf *) -1)
+
+extern int rmconf_match_identity __P((struct remoteconf *rmconf,
+ vchar_t *id_p));
+extern struct remoteconf *getrmconf __P((struct sockaddr *remote, int flags));
+extern struct remoteconf *getrmconf_by_ph1 __P((struct ph1handle *iph1));
+extern struct remoteconf *getrmconf_by_name __P((const char *name));
+
+extern struct remoteconf *newrmconf __P((void));
+extern struct remoteconf *duprmconf_shallow __P((struct remoteconf *));
+extern int duprmconf_finish __P((struct remoteconf *));
+extern void delrmconf __P((struct remoteconf *));
+extern void deletypes __P((struct etypes *));
+extern struct etypes * dupetypes __P((struct etypes *));
+extern void insrmconf __P((struct remoteconf *));
+extern void remrmconf __P((struct remoteconf *));
+extern void flushrmconf __P((void));
+extern void dupspspec_list __P((struct remoteconf *, struct remoteconf *));
+extern void flushspspec __P((struct remoteconf *));
+extern void initrmconf __P((void));
+extern void rmconf_start_reload __P((void));
+extern void rmconf_finish_reload __P((void));
+
+extern int check_etypeok __P((struct remoteconf *, void *));
+
+extern struct isakmpsa *newisakmpsa __P((void));
+extern struct isakmpsa *dupisakmpsa __P((struct isakmpsa *));
+extern void delisakmpsa __P((struct isakmpsa *));
+extern void insisakmpsa __P((struct isakmpsa *, struct remoteconf *));
+#ifdef ENABLE_HYBRID
+extern int isakmpsa_switch_authmethod __P((int authmethod));
+#else
+static inline int isakmpsa_switch_authmethod(int authmethod)
+{
+ return authmethod;
+}
+#endif
+extern struct isakmpsa * checkisakmpsa __P((int pcheck,
+ struct isakmpsa *proposal,
+ struct isakmpsa *acceptable));
+
+
+extern void dumprmconf __P((void));
+
+extern struct idspec *newidspec __P((void));
+
+extern vchar_t *script_path_add __P((vchar_t *));
+
+#endif /* _REMOTECONF_H */
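Review bot: `RMCONF_ERR_MULTIPLE` is an in-band sentinel, `((struct remoteconf *) -1)`, defined with no comment saying which lookup returns it or that callers must test for it separately from NULL; a caller that only checks `!= NULL` will dereference an invalid pointer. I would document it at the definition, e.g. `/* Returned in place of a config when more than one remote section matches; callers must test for this value as well as NULL before dereferencing. */`, and name which of getrmconf()/getrmconf_by_ph1() can return it (presumably the selector-driven lookups — confirm against remoteconf.c). In the same hunk `RMCONF_NONCE_SIZE` evaluates its argument twice without parentheses; `#define RMCONF_NONCE_SIZE(rmconf) ((rmconf) != NULL ? (rmconf)->nonce_size : DEFAULT_NONCE_SIZE)` is the usual hygiene, and `DEFAULT_NONCE_SIZE` is not declared in this header, so the macro only works if the includer has pulled it in first. Also `lifebyte` is `size_t` in struct isakmpsa but `int` in struct remoteconf, so a negative configured value would silently become a huge unsigned limit if copied across; worth unifying the types or documenting the accepted range.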