[apple/ipsec.git] / ipsec-tools / racoon / isakmp_cfg.h

/*	$NetBSD: isakmp_cfg.h,v 1.6 2006/09/09 16:22:09 manu Exp $	*/

/*	$KAME$ */

/*
 * Copyright (C) 2004 Emmanuel Dreyfus
 * All rights reserved.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 * 
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#ifdef HAVE_LIBPAM
#include <security/pam_appl.h>
#endif

/* 
 * XXX don't forget to update 
 * src/racoon/handler.c:exclude_cfg_addr()
 * if you add IPv6 capability
 */

/* Attribute types */
#define INTERNAL_IP4_ADDRESS        1
#define INTERNAL_IP4_NETMASK        2
#define INTERNAL_IP4_DNS            3
#define INTERNAL_IP4_NBNS           4
#define INTERNAL_ADDRESS_EXPIRY     5
#define INTERNAL_IP4_DHCP           6
#define APPLICATION_VERSION         7
#define INTERNAL_IP6_ADDRESS        8
#define INTERNAL_IP6_NETMASK        9
#define INTERNAL_IP6_DNS           10
#define INTERNAL_IP6_NBNS          11
#define INTERNAL_IP6_DHCP          12
#define INTERNAL_IP4_SUBNET        13
#define SUPPORTED_ATTRIBUTES       14
#define INTERNAL_IP6_SUBNET        15

/* For APPLICATION_VERSION */
#define ISAKMP_CFG_RACOON_VERSION "racoon / IPsec-tools"

/* For the wins servers -- XXX find the value somewhere ? */
#define MAXWINS 4

/* 
 * Global configuration for ISAKMP mode confiration address allocation 
 * Read from the mode_cfg section of racoon.conf
 */
struct isakmp_cfg_port {
	char	used;
#ifdef HAVE_LIBPAM
	pam_handle_t *pam;
#endif
};

struct isakmp_cfg_config {
	in_addr_t		network4;
	in_addr_t		netmask4;
	in_addr_t		dns4[MAXNS];
	int			dns4_index;
	in_addr_t		nbns4[MAXWINS];
	int			nbns4_index;
	struct isakmp_cfg_port 	*port_pool;
	int			authsource;
	int			groupsource;
	char			**grouplist;
	int			groupcount;
	int			confsource;
	int			accounting;
	size_t			pool_size;
	int			auth_throttle;
	/* XXX move this to a unity specific sub-structure */
	char			default_domain[MAXPATHLEN + 1];
	char			motd[MAXPATHLEN + 1];
	struct unity_netentry	*splitnet_list;
	int			splitnet_count;
	int			splitnet_type;
	char 			*splitdns_list;
	int			splitdns_len;
	int			pfs_group;
	int			save_passwd;
};

/* For utmp updating */
#define TERMSPEC	"vpn%d"

/* For authsource */
#define ISAKMP_CFG_AUTH_SYSTEM	0
#define ISAKMP_CFG_AUTH_RADIUS	1
#define ISAKMP_CFG_AUTH_PAM	2
#define ISAKMP_CFG_AUTH_LDAP	4

/* For groupsource */
#define ISAKMP_CFG_GROUP_SYSTEM	0
#define ISAKMP_CFG_GROUP_LDAP	1

/* For confsource */
#define ISAKMP_CFG_CONF_LOCAL	0
#define ISAKMP_CFG_CONF_RADIUS	1
#define ISAKMP_CFG_CONF_LDAP	2

/* For accounting */
#define ISAKMP_CFG_ACCT_NONE	0
#define ISAKMP_CFG_ACCT_RADIUS	1
#define ISAKMP_CFG_ACCT_PAM	2
#define ISAKMP_CFG_ACCT_LDAP	3
#define ISAKMP_CFG_ACCT_SYSTEM	4

/* For pool_size */
#define ISAKMP_CFG_MAX_CNX	255

/* For motd */
#define ISAKMP_CFG_MOTD	"/etc/motd"

/* For default domain */
#define ISAKMP_CFG_DEFAULT_DOMAIN ""

extern struct isakmp_cfg_config isakmp_cfg_config;

/*
 * ISAKMP mode config state 
 */
#define LOGINLEN 31
struct isakmp_cfg_state {
	int flags;			/* See below */
	unsigned int port;		/* address index */
	char login[LOGINLEN + 1];	/* login */
	struct in_addr addr4;		/* IPv4 address */
	struct in_addr mask4;		/* IPv4 netmask */
	struct in_addr dns4[MAXNS];	/* IPv4 DNS (when client only) */
	int dns4_index;			/* Number of IPv4 DNS (client only) */
	struct in_addr wins4[MAXWINS];	/* IPv4 WINS (when client only) */
	int wins4_index;		/* Number of IPv4 WINS (client only) */
	char default_domain[MAXPATHLEN + 1];	/* Default domain recieved */
	struct unity_netentry 
	    *split_include; 		/* UNITY_SPLIT_INCLUDE */
	int include_count;		/* Number of SPLIT_INCLUDES */
	struct unity_netentry 
	    *split_local;		/* UNITY_LOCAL_LAN */
	int local_count;		/* Number of SPLIT_LOCAL */
	struct xauth_state xauth;	/* Xauth state, if revelant */		
	struct isakmp_ivm *ivm;		/* XXX Use iph1's ivm? */
	u_int32_t last_msgid;           /* Last message-ID */
	vchar_t	*attr_list;			/* list of mode config attributes - used when started by api */
};

/* flags */
#define ISAKMP_CFG_VENDORID_XAUTH	0x01	/* Supports Xauth */
#define ISAKMP_CFG_VENDORID_UNITY	0x02	/* Cisco Unity compliant */
#define ISAKMP_CFG_PORT_ALLOCATED	0x04	/* Port allocated */
#define ISAKMP_CFG_ADDR4_EXTERN		0x08	/* Address from external config  */
#define ISAKMP_CFG_MASK4_EXTERN		0x10	/* Netmask from external config */
#define ISAKMP_CFG_ADDR4_LOCAL		0x20	/* Address from local pool */
#define ISAKMP_CFG_MASK4_LOCAL		0x40	/* Netmask from local pool */
#define ISAKMP_CFG_GOT_ADDR4		0x80	/* Client got address */
#define ISAKMP_CFG_GOT_MASK4		0x100	/* Client got mask */
#define ISAKMP_CFG_GOT_DNS4		0x200	/* Client got DNS */
#define ISAKMP_CFG_GOT_WINS4		0x400	/* Client got WINS */
#define ISAKMP_CFG_DELETE_PH1		0x800	/* phase 1 should be deleted */
#define ISAKMP_CFG_GOT_DEFAULT_DOMAIN	0x1000	/* Client got default domain */
#define ISAKMP_CFG_GOT_SPLIT_INCLUDE	0x2000	/* Client got a split network config */
#define ISAKMP_CFG_GOT_SPLIT_LOCAL	0x4000	/* Client got a split LAN config */
#define ISAKMP_CFG_GOT_REPLY		0x8000	/* got config data from reply - don't process again */

struct isakmp_pl_attr;
struct ph1handle;
struct isakmp_ivm;
void isakmp_cfg_r(struct ph1handle *, vchar_t *);
int isakmp_cfg_attr_r(struct ph1handle *, u_int32_t, struct isakmp_pl_attr *, vchar_t *);
int isakmp_cfg_reply(struct ph1handle *, struct isakmp_pl_attr *);
int isakmp_cfg_request(struct ph1handle *, struct isakmp_pl_attr *, vchar_t *);
int isakmp_cfg_set(struct ph1handle *, struct isakmp_pl_attr *, vchar_t *);
int isakmp_cfg_send(struct ph1handle *, vchar_t *, u_int32_t, int, int, int, vchar_t *);
struct isakmp_ivm *isakmp_cfg_newiv(struct ph1handle *, u_int32_t);
void isakmp_cfg_rmstate(struct ph1handle *);
struct isakmp_cfg_state *isakmp_cfg_mkstate(void);
vchar_t *isakmp_cfg_copy(struct ph1handle *, struct isakmp_data *);
vchar_t *isakmp_cfg_short(struct ph1handle *, struct isakmp_data *, int);
vchar_t *isakmp_cfg_varlen(struct ph1handle *, struct isakmp_data *, char *, size_t);
vchar_t *isakmp_cfg_string(struct ph1handle *, struct isakmp_data *, char *);
int isakmp_cfg_getconfig(struct ph1handle *);
int isakmp_cfg_setenv(struct ph1handle *, char ***, int *);

int isakmp_cfg_resize_pool(int);
int isakmp_cfg_getport(struct ph1handle *);
int isakmp_cfg_putport(struct ph1handle *, unsigned int);
int isakmp_cfg_init(int);
#define ISAKMP_CFG_INIT_COLD	1
#define ISAKMP_CFG_INIT_WARM	0

#ifdef HAVE_LIBRADIUS
struct rad_handle;
extern struct rad_handle *radius_acct_state;
int isakmp_cfg_radius_common(struct rad_handle *, int); 
#endif

#ifdef HAVE_LIBPAM
int isakmp_cfg_accounting_pam(int, int);
void cleanup_pam(int);
#endif

int isakmp_cfg_accounting_system(int, struct sockaddr *, char *, int);
Commit	Line	Data
d1e348cf A	1	/* $NetBSD: isakmp_cfg.h,v 1.6 2006/09/09 16:22:09 manu Exp $ */
d1e348cf A	2
52b7d2ce A	3	/* $KAME$ */
	4
	5	/*
	6	* Copyright (C) 2004 Emmanuel Dreyfus
	7	* All rights reserved.
	8	*
	9	* Redistribution and use in source and binary forms, with or without
	10	* modification, are permitted provided that the following conditions
	11	* are met:
	12	* 1. Redistributions of source code must retain the above copyright
	13	* notice, this list of conditions and the following disclaimer.
	14	* 2. Redistributions in binary form must reproduce the above copyright
	15	* notice, this list of conditions and the following disclaimer in the
	16	* documentation and/or other materials provided with the distribution.
	17	* 3. Neither the name of the project nor the names of its contributors
	18	* may be used to endorse or promote products derived from this software
	19	* without specific prior written permission.
	20	*
	21	* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
	22	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	23	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	24	* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
	25	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	26	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	27	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	28	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	29	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	30	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	31	* SUCH DAMAGE.
	32	*/
	33
	34	#ifdef HAVE_LIBPAM
52b7d2ce A	35	#include <security/pam_appl.h>
52b7d2ce A	36	#endif
52b7d2ce A	37
	38	/*
	39	* XXX don't forget to update
	40	* src/racoon/handler.c:exclude_cfg_addr()
	41	* if you add IPv6 capability
	42	*/
	43
	44	/* Attribute types */
	45	#define INTERNAL_IP4_ADDRESS 1
	46	#define INTERNAL_IP4_NETMASK 2
	47	#define INTERNAL_IP4_DNS 3
	48	#define INTERNAL_IP4_NBNS 4
	49	#define INTERNAL_ADDRESS_EXPIRY 5
	50	#define INTERNAL_IP4_DHCP 6
	51	#define APPLICATION_VERSION 7
	52	#define INTERNAL_IP6_ADDRESS 8
	53	#define INTERNAL_IP6_NETMASK 9
	54	#define INTERNAL_IP6_DNS 10
	55	#define INTERNAL_IP6_NBNS 11
	56	#define INTERNAL_IP6_DHCP 12
	57	#define INTERNAL_IP4_SUBNET 13
	58	#define SUPPORTED_ATTRIBUTES 14
	59	#define INTERNAL_IP6_SUBNET 15
	60
	61	/* For APPLICATION_VERSION */
d1e348cf A	62	#define ISAKMP_CFG_RACOON_VERSION "racoon / IPsec-tools"
	63
	64	/* For the wins servers -- XXX find the value somewhere ? */
	65	#define MAXWINS 4
52b7d2ce A	66
	67	/*
	68	* Global configuration for ISAKMP mode confiration address allocation
d1e348cf	69	* Read from the mode_cfg section of racoon.conf
52b7d2ce A	70	*/
	71	struct isakmp_cfg_port {
	72	char used;
	73	#ifdef HAVE_LIBPAM
	74	pam_handle_t *pam;
	75	#endif
	76	};
	77
	78	struct isakmp_cfg_config {
d1e348cf A	79	in_addr_t network4;
	80	in_addr_t netmask4;
	81	in_addr_t dns4[MAXNS];
	82	int dns4_index;
	83	in_addr_t nbns4[MAXWINS];
	84	int nbns4_index;
	85	struct isakmp_cfg_port *port_pool;
	86	int authsource;
	87	int groupsource;
	88	char **grouplist;
	89	int groupcount;
	90	int confsource;
	91	int accounting;
	92	size_t pool_size;
	93	int auth_throttle;
	94	/* XXX move this to a unity specific sub-structure */
	95	char default_domain[MAXPATHLEN + 1];
	96	char motd[MAXPATHLEN + 1];
	97	struct unity_netentry *splitnet_list;
	98	int splitnet_count;
	99	int splitnet_type;
	100	char *splitdns_list;
	101	int splitdns_len;
	102	int pfs_group;
	103	int save_passwd;
52b7d2ce A	104	};
52b7d2ce A	105
d1e348cf A	106	/* For utmp updating */
	107	#define TERMSPEC "vpn%d"
	108
52b7d2ce A	109	/* For authsource */
	110	#define ISAKMP_CFG_AUTH_SYSTEM 0
	111	#define ISAKMP_CFG_AUTH_RADIUS 1
	112	#define ISAKMP_CFG_AUTH_PAM 2
d1e348cf A	113	#define ISAKMP_CFG_AUTH_LDAP 4
	114
	115	/* For groupsource */
	116	#define ISAKMP_CFG_GROUP_SYSTEM 0
	117	#define ISAKMP_CFG_GROUP_LDAP 1
52b7d2ce A	118
	119	/* For confsource */
	120	#define ISAKMP_CFG_CONF_LOCAL 0
	121	#define ISAKMP_CFG_CONF_RADIUS 1
d1e348cf	122	#define ISAKMP_CFG_CONF_LDAP 2
52b7d2ce A	123
	124	/* For accounting */
	125	#define ISAKMP_CFG_ACCT_NONE 0
	126	#define ISAKMP_CFG_ACCT_RADIUS 1
	127	#define ISAKMP_CFG_ACCT_PAM 2
d1e348cf A	128	#define ISAKMP_CFG_ACCT_LDAP 3
d1e348cf A	129	#define ISAKMP_CFG_ACCT_SYSTEM 4
52b7d2ce A	130
	131	/* For pool_size */
	132	#define ISAKMP_CFG_MAX_CNX 255
	133
	134	/* For motd */
	135	#define ISAKMP_CFG_MOTD "/etc/motd"
	136
d1e348cf A	137	/* For default domain */
	138	#define ISAKMP_CFG_DEFAULT_DOMAIN ""
	139
52b7d2ce A	140	extern struct isakmp_cfg_config isakmp_cfg_config;
	141
	142	/*
	143	* ISAKMP mode config state
	144	*/
	145	#define LOGINLEN 31
	146	struct isakmp_cfg_state {
	147	int flags; /* See below */
	148	unsigned int port; /* address index */
	149	char login[LOGINLEN + 1]; /* login */
	150	struct in_addr addr4; /* IPv4 address */
	151	struct in_addr mask4; /* IPv4 netmask */
d1e348cf A	152	struct in_addr dns4[MAXNS]; /* IPv4 DNS (when client only) */
	153	int dns4_index; /* Number of IPv4 DNS (client only) */
	154	struct in_addr wins4[MAXWINS]; /* IPv4 WINS (when client only) */
	155	int wins4_index; /* Number of IPv4 WINS (client only) */
	156	char default_domain[MAXPATHLEN + 1]; /* Default domain recieved */
	157	struct unity_netentry
	158	split_include; / UNITY_SPLIT_INCLUDE */
	159	int include_count; /* Number of SPLIT_INCLUDES */
	160	struct unity_netentry
	161	split_local; / UNITY_LOCAL_LAN */
	162	int local_count; /* Number of SPLIT_LOCAL */
52b7d2ce A	163	struct xauth_state xauth; /* Xauth state, if revelant */
52b7d2ce A	164	struct isakmp_ivm ivm; / XXX Use iph1's ivm? */
d1e348cf A	165	u_int32_t last_msgid; /* Last message-ID */
d1e348cf A	166	vchar_t attr_list; / list of mode config attributes - used when started by api */
52b7d2ce A	167	};
	168
	169	/* flags */
	170	#define ISAKMP_CFG_VENDORID_XAUTH 0x01 /* Supports Xauth */
	171	#define ISAKMP_CFG_VENDORID_UNITY 0x02 /* Cisco Unity compliant */
	172	#define ISAKMP_CFG_PORT_ALLOCATED 0x04 /* Port allocated */
d1e348cf A	173	#define ISAKMP_CFG_ADDR4_EXTERN 0x08 /* Address from external config */
d1e348cf A	174	#define ISAKMP_CFG_MASK4_EXTERN 0x10 /* Netmask from external config */
52b7d2ce A	175	#define ISAKMP_CFG_ADDR4_LOCAL 0x20 /* Address from local pool */
	176	#define ISAKMP_CFG_MASK4_LOCAL 0x40 /* Netmask from local pool */
	177	#define ISAKMP_CFG_GOT_ADDR4 0x80 /* Client got address */
	178	#define ISAKMP_CFG_GOT_MASK4 0x100 /* Client got mask */
	179	#define ISAKMP_CFG_GOT_DNS4 0x200 /* Client got DNS */
	180	#define ISAKMP_CFG_GOT_WINS4 0x400 /* Client got WINS */
	181	#define ISAKMP_CFG_DELETE_PH1 0x800 /* phase 1 should be deleted */
d1e348cf A	182	#define ISAKMP_CFG_GOT_DEFAULT_DOMAIN 0x1000 /* Client got default domain */
	183	#define ISAKMP_CFG_GOT_SPLIT_INCLUDE 0x2000 /* Client got a split network config */
	184	#define ISAKMP_CFG_GOT_SPLIT_LOCAL 0x4000 /* Client got a split LAN config */
	185	#define ISAKMP_CFG_GOT_REPLY 0x8000 /* got config data from reply - don't process again */
52b7d2ce A	186
	187	struct isakmp_pl_attr;
	188	struct ph1handle;
	189	struct isakmp_ivm;
	190	void isakmp_cfg_r(struct ph1handle , vchar_t );
d1e348cf	191	int isakmp_cfg_attr_r(struct ph1handle , u_int32_t, struct isakmp_pl_attr , vchar_t *);
52b7d2ce	192	int isakmp_cfg_reply(struct ph1handle , struct isakmp_pl_attr );
d1e348cf A	193	int isakmp_cfg_request(struct ph1handle , struct isakmp_pl_attr , vchar_t *);
	194	int isakmp_cfg_set(struct ph1handle , struct isakmp_pl_attr , vchar_t *);
	195	int isakmp_cfg_send(struct ph1handle , vchar_t , u_int32_t, int, int, int, vchar_t *);
52b7d2ce A	196	struct isakmp_ivm isakmp_cfg_newiv(struct ph1handle , u_int32_t);
	197	void isakmp_cfg_rmstate(struct ph1handle *);
	198	struct isakmp_cfg_state *isakmp_cfg_mkstate(void);
	199	vchar_t isakmp_cfg_copy(struct ph1handle , struct isakmp_data *);
	200	vchar_t isakmp_cfg_short(struct ph1handle , struct isakmp_data *, int);
d1e348cf	201	vchar_t isakmp_cfg_varlen(struct ph1handle , struct isakmp_data , char , size_t);
52b7d2ce A	202	vchar_t isakmp_cfg_string(struct ph1handle , struct isakmp_data , char );
	203	int isakmp_cfg_getconfig(struct ph1handle *);
	204	int isakmp_cfg_setenv(struct ph1handle , char *, int );
	205
d1e348cf A	206	int isakmp_cfg_resize_pool(int);
d1e348cf A	207	int isakmp_cfg_getport(struct ph1handle *);
52b7d2ce	208	int isakmp_cfg_putport(struct ph1handle *, unsigned int);
d1e348cf A	209	int isakmp_cfg_init(int);
	210	#define ISAKMP_CFG_INIT_COLD 1
	211	#define ISAKMP_CFG_INIT_WARM 0
52b7d2ce A	212
	213	#ifdef HAVE_LIBRADIUS
	214	struct rad_handle;
	215	extern struct rad_handle *radius_acct_state;
	216	int isakmp_cfg_radius_common(struct rad_handle *, int);
	217	#endif
	218
	219	#ifdef HAVE_LIBPAM
	220	int isakmp_cfg_accounting_pam(int, int);
	221	void cleanup_pam(int);
	222	#endif
d1e348cf A	223
d1e348cf A	224	int isakmp_cfg_accounting_system(int, struct sockaddr , char , int);