/* $NetBSD: remoteconf.h,v 1.16 2011/03/14 15:50:36 vanhu Exp $ */
/* Id: remoteconf.h,v 1.26 2006/05/06 15:52:44 manubsd Exp */
/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _REMOTECONF_H
#define _REMOTECONF_H
/* remote configuration */
#include <sys/queue.h>
#include "genlist.h"
#ifdef ENABLE_HYBRID
#include "isakmp_var.h"
#include "isakmp_xauth.h"
#endif
struct ph1handle;
struct secprotospec;
struct etypes {
int type;
struct etypes *next;
};
/* ISAKMP SA specification */
struct isakmpsa {
int prop_no;
int trns_no;
time_t lifetime;
size_t lifebyte;
int enctype;
int encklen;
int authmethod;
int hashtype;
int vendorid;
#ifdef HAVE_GSSAPI
vchar_t *gssid;
#endif
int dh_group; /* don't use it if aggressive mode */
struct dhgroup *dhgrp; /* don't use it if aggressive mode */
struct isakmpsa *next; /* next transform */
};
/* Certificate information */
struct rmconf_cert {
vchar_t *data; /* certificate payload */
char *filename; /* name of local file */
};
/* Script hooks */
#define SCRIPT_PHASE1_UP 0
#define SCRIPT_PHASE1_DOWN 1
#define SCRIPT_PHASE1_DEAD 2
#define SCRIPT_MAX 2
extern char *script_names[SCRIPT_MAX + 1];
struct remoteconf {
char *name; /* remote configuration name */
struct sockaddr *remote; /* remote IP address */
/* if family is AF_UNSPEC, that is
* for anonymous configuration. */
struct etypes *etypes; /* exchange type list. the head
* is a type to be sent first. */
int doitype; /* doi type */
int sittype; /* situation type */
int idvtype; /* my identifier type */
vchar_t *idv; /* my identifier */
vchar_t *key; /* my pre-shared key */
struct genlist *idvl_p; /* peer's identifiers list */
char *myprivfile; /* file name of my private key file */
char *mycertfile; /* file name of my certificate */
vchar_t *mycert; /* my certificate */
char *peerscertfile; /* file name of peer's certifcate */
vchar_t *peerscert; /* peer's certificate */
char *cacertfile; /* file name of CA */
vchar_t *cacert; /* CA certificate */
int send_cert; /* send to CERT or not */
int send_cr; /* send to CR or not */
int match_empty_cr; /* does this match if CR is empty */
int verify_cert; /* verify a CERT strictly */
int verify_identifier; /* vefify the peer's identifier */
int nonce_size; /* the number of bytes of nonce */
int passive; /* never initiate */
int ike_frag; /* IKE fragmentation */
int esp_frag; /* ESP fragmentation */
int mode_cfg; /* Gets config through mode config */
int support_proxy; /* support mip6/proxy */
#define GENERATE_POLICY_NONE 0
#define GENERATE_POLICY_REQUIRE 1
#define GENERATE_POLICY_UNIQUE 2
int gen_policy; /* generate policy if no policy found */
int ini_contact; /* initial contact */
int pcheck_level; /* level of propocl checking */
int nat_traversal; /* NAT-Traversal */
vchar_t *script[SCRIPT_MAX + 1];/* script hooks paths */
int dh_group; /* use it when only aggressive mode */
struct dhgroup *dhgrp; /* use it when only aggressive mode */
/* above two can't be defined by user*/
int dpd; /* Negociate DPD support ? */
int dpd_retry; /* in seconds */
int dpd_interval; /* in seconds */
int dpd_maxfails;
int rekey; /* rekey ph1 when active ph2s? */
#define REKEY_OFF FALSE
#define REKEY_ON TRUE
#define REKEY_FORCE 2
uint32_t ph1id; /* ph1id to be matched with sainfo sections */
int weak_phase1_check; /* act on unencrypted deletions ? */
struct isakmpsa *proposal; /* proposal list */
struct remoteconf *inherited_from; /* the original rmconf
from which this one
was inherited */
time_t lifetime; /* for isakmp/ipsec */
int lifebyte; /* for isakmp/ipsec */
struct secprotospec *spspec; /* the head is always current spec. */
struct genlist *rsa_private, /* lists of PlainRSA keys to use */
*rsa_public;
#ifdef ENABLE_HYBRID
struct xauth_rmconf *xauth;
#endif
TAILQ_ENTRY(remoteconf) chain; /* next remote conf */
};
#define RMCONF_NONCE_SIZE(rmconf) \
(rmconf != NULL ? rmconf->nonce_size : DEFAULT_NONCE_SIZE)
struct dhgroup;
struct idspec {
int idtype; /* identifier type */
vchar_t *id; /* identifier */
};
struct rmconfselector {
int flags;
struct sockaddr *remote;
int etype;
struct isakmpsa *approval;
vchar_t *identity;
vchar_t *certificate_request;
};
extern void rmconf_selector_from_ph1 __P((struct rmconfselector *rmsel,
struct ph1handle *iph1));
extern int enumrmconf __P((struct rmconfselector *rmsel,
int (* enum_func)(struct remoteconf *rmconf, void *arg),
void *enum_arg));
#define GETRMCONF_F_NO_ANONYMOUS 0x0001
#define GETRMCONF_F_NO_PASSIVE 0x0002
#define RMCONF_ERR_MULTIPLE ((struct remoteconf *) -1)
extern int rmconf_match_identity __P((struct remoteconf *rmconf,
vchar_t *id_p));
extern struct remoteconf *getrmconf __P((struct sockaddr *remote, int flags));
extern struct remoteconf *getrmconf_by_ph1 __P((struct ph1handle *iph1));
extern struct remoteconf *getrmconf_by_name __P((const char *name));
extern struct remoteconf *newrmconf __P((void));
extern struct remoteconf *duprmconf_shallow __P((struct remoteconf *));
extern int duprmconf_finish __P((struct remoteconf *));
extern void delrmconf __P((struct remoteconf *));
extern void deletypes __P((struct etypes *));
extern struct etypes * dupetypes __P((struct etypes *));
extern void insrmconf __P((struct remoteconf *));
extern void remrmconf __P((struct remoteconf *));
extern void flushrmconf __P((void));
extern void dupspspec_list __P((struct remoteconf *, struct remoteconf *));
extern void flushspspec __P((struct remoteconf *));
extern void initrmconf __P((void));
extern void rmconf_start_reload __P((void));
extern void rmconf_finish_reload __P((void));
extern int check_etypeok __P((struct remoteconf *, void *));
extern struct isakmpsa *newisakmpsa __P((void));
extern struct isakmpsa *dupisakmpsa __P((struct isakmpsa *));
extern void delisakmpsa __P((struct isakmpsa *));
extern void insisakmpsa __P((struct isakmpsa *, struct remoteconf *));
#ifdef ENABLE_HYBRID
extern int isakmpsa_switch_authmethod __P((int authmethod));
#else
static inline int isakmpsa_switch_authmethod(int authmethod)
{
return authmethod;
}
#endif
extern struct isakmpsa * checkisakmpsa __P((int pcheck,
struct isakmpsa *proposal,
struct isakmpsa *acceptable));
extern void dumprmconf __P((void));
extern struct idspec *newidspec __P((void));
extern vchar_t *script_path_add __P((vchar_t *));
#endif /* _REMOTECONF_H */