]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/remoteconf.h
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-93.13.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / remoteconf.h
1 /* $NetBSD: remoteconf.h,v 1.7 2006/10/03 08:01:56 vanhu Exp $ */
2
3 /* Id: remoteconf.h,v 1.26 2006/05/06 15:52:44 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #ifndef _REMOTECONF_H
35 #define _REMOTECONF_H
36
37 /* remote configuration */
38
39 #include <sys/queue.h>
40 #include "genlist.h"
41 #ifdef ENABLE_HYBRID
42 #include "isakmp_var.h"
43 #include "isakmp_xauth.h"
44 #endif
45 #ifdef __APPLE__
46 #include <CoreFoundation/CFData.h>
47 #endif
48 #include "algorithm.h"
49
50
51 struct proposalspec {
52 time_t lifetime; /* for isakmp/ipsec */
53 int lifebyte; /* for isakmp/ipsec */
54 struct secprotospec *spspec; /* the head is always current spec. */
55 struct proposalspec *next; /* the tail is the most prefered. */
56 struct proposalspec *prev;
57 };
58
59 struct secprotospec {
60 int prop_no;
61 int trns_no;
62 int strength; /* for isakmp/ipsec */
63 int encklen; /* for isakmp/ipsec */
64 time_t lifetime; /* for isakmp */
65 int lifebyte; /* for isakmp */
66 int proto_id; /* for ipsec (isakmp?) */
67 int ipsec_level; /* for ipsec */
68 int encmode; /* for ipsec */
69 int vendorid; /* for isakmp */
70 char *gssid;
71 struct sockaddr *remote;
72 int algclass[MAXALGCLASS];
73
74 struct secprotospec *next; /* the tail is the most prefiered. */
75 struct secprotospec *prev;
76 struct proposalspec *back;
77 };
78
79
80 struct etypes {
81 int type;
82 struct etypes *next;
83 };
84
85 enum {
86 DPD_ALGO_DEFAULT = 0,
87 DPD_ALGO_INBOUND_DETECT,
88 DPD_ALGO_BLACKHOLE_DETECT,
89 DPD_ALGO_MAX,
90 };
91
92 /* Script hooks */
93 #define SCRIPT_PHASE1_UP 0
94 #define SCRIPT_PHASE1_DOWN 1
95 #define SCRIPT_MAX 1
96 extern char *script_names[SCRIPT_MAX + 1];
97
98 struct remoteconf {
99 struct sockaddr *remote; /* remote IP address */
100 /* if family is AF_UNSPEC, that is
101 * for anonymous configuration. */
102
103 struct etypes *etypes; /* exchange type list. the head
104 * is a type to be sent first. */
105 int doitype; /* doi type */
106 int sittype; /* situation type */
107
108 int idvtype; /* my identifier type */
109 vchar_t *idv; /* my identifier */
110 vchar_t *key; /* my pre-shared key */
111 struct genlist *idvl_p; /* peer's identifiers list */
112
113 #ifdef __APPLE__
114 int identity_in_keychain; /* cert and private key is in the keychain */
115 vchar_t *keychainCertRef; /* peristant keychain ref for cert */
116 int secrettype; /* type of secret [use, key, keychain] */
117 vchar_t *shared_secret; /* shared secret */
118 vchar_t *open_dir_auth_group; /* group to be used to authorize user */
119 #endif
120
121 int certtype; /* certificate type if need */
122 char *mycertfile; /* file name of my certificate */
123 char *myprivfile; /* file name of my private key file */
124 char *peerscertfile; /* file name of peer's certifcate */
125 int getcert_method; /* the way to get peer's certificate */
126 int cacerttype; /* CA type is needed */
127 char *cacertfile; /* file name of CA */
128 int getcacert_method; /* the way to get the CA */
129 int send_cert; /* send to CERT or not */
130 int send_cr; /* send to CR or not */
131 int verify_cert; /* verify a CERT strictly */
132 #ifdef __APPLE__
133 int cert_verification; /* openssl or security framework */
134 int cert_verification_option; /* nothing, peers identifier, or open_dir */
135 #endif
136 int verify_identifier; /* vefify the peer's identifier */
137 int nonce_size; /* the number of bytes of nonce */
138 int passive; /* never initiate */
139 int ike_frag; /* IKE fragmentation */
140 int esp_frag; /* ESP fragmentation */
141 int mode_cfg; /* Gets config through mode config */
142 int support_proxy; /* support mip6/proxy */
143 #define GENERATE_POLICY_NONE 0
144 #define GENERATE_POLICY_REQUIRE 1
145 #define GENERATE_POLICY_UNIQUE 2
146 int gen_policy; /* generate policy if no policy found */
147 int ini_contact; /* initial contact */
148 int pcheck_level; /* level of propocl checking */
149 int nat_traversal; /* NAT-Traversal */
150 #ifdef __APPLE__
151 int natt_multiple_user; /* special handling of multiple users behind a nat - for VPN server */
152 int natt_keepalive; /* do we need to send natt keep alive */
153 #endif
154 vchar_t *script[SCRIPT_MAX + 1]; /* script hooks paths */
155 int dh_group; /* use it when only aggressive mode */
156 struct dhgroup *dhgrp; /* use it when only aggressive mode */
157 /* above two can't be defined by user*/
158
159 int retry_counter; /* times to retry. */
160 int retry_interval; /* interval each retry. */
161 /* above 2 values are copied from localconf. */
162
163 int dpd; /* Negociate DPD support ? */
164 int dpd_retry; /* in seconds */
165 int dpd_interval; /* in seconds */
166 int dpd_maxfails;
167 int dpd_algo;
168 int idle_timeout; /* in seconds */
169 int idle_timeout_dir; /* direction to check */
170
171 int ph1id; /* ph1id to be matched with sainfo sections */
172
173 int weak_phase1_check; /* act on unencrypted deletions ? */
174
175 struct isakmpsa *proposal; /* proposal list */
176 struct remoteconf *inherited_from; /* the original rmconf
177 from which this one
178 was inherited */
179 struct proposalspec *prhead;
180
181 struct genlist *rsa_private, /* lists of PlainRSA keys to use */
182 *rsa_public;
183
184 #ifdef ENABLE_HYBRID
185 struct xauth_rmconf *xauth;
186 #endif
187 int initiate_ph1rekey;
188
189 #ifdef __APPLE__
190 int to_remove;
191 int to_delete;
192 int linked_to_ph1;
193 #endif
194
195 TAILQ_ENTRY(remoteconf) chain; /* next remote conf */
196 };
197
198 struct dhgroup;
199
200 /* ISAKMP SA specification */
201 struct isakmpsa {
202 int prop_no;
203 int trns_no;
204 time_t lifetime;
205 size_t lifebyte;
206 int enctype;
207 int encklen;
208 int authmethod;
209 int hashtype;
210 int vendorid;
211 #ifdef HAVE_GSSAPI
212 vchar_t *gssid;
213 #endif
214 int dh_group; /* don't use it if aggressive mode */
215 struct dhgroup *dhgrp; /* don't use it if aggressive mode */
216
217 struct isakmpsa *next; /* next transform */
218 struct remoteconf *rmconf; /* backpointer to remoteconf */
219 };
220
221 struct idspec {
222 int idtype; /* identifier type */
223 vchar_t *id; /* identifier */
224 };
225
226 typedef struct remoteconf * (rmconf_func_t)(struct remoteconf *rmconf, void *data);
227
228 extern struct remoteconf *getrmconf __P((struct sockaddr *));
229 extern struct remoteconf *getrmconf_strict
230 __P((struct sockaddr *remote, int allow_anon));
231
232 #ifdef __APPLE__
233 extern int link_rmconf_to_ph1 __P((struct remoteconf *));
234 extern int unlink_rmconf_from_ph1 __P((struct remoteconf *));
235 #endif
236 extern int no_remote_configs __P((int));
237 extern struct remoteconf *copyrmconf __P((struct sockaddr *));
238 extern struct remoteconf *newrmconf __P((void));
239 extern struct remoteconf *duprmconf __P((struct remoteconf *));
240 extern void delrmconf __P((struct remoteconf *));
241 extern void delisakmpsa __P((struct isakmpsa *));
242 extern void deletypes __P((struct etypes *));
243 extern struct etypes * dupetypes __P((struct etypes *));
244 extern void insrmconf __P((struct remoteconf *));
245 extern void remrmconf __P((struct remoteconf *));
246 extern void flushrmconf __P((void));
247 extern void initrmconf __P((void));
248 extern struct etypes *check_etypeok
249 __P((struct remoteconf *, u_int8_t));
250 extern struct remoteconf *foreachrmconf __P((rmconf_func_t rmconf_func,
251 void *data));
252
253 extern struct isakmpsa *newisakmpsa __P((void));
254 extern struct isakmpsa *dupisakmpsa __P((struct isakmpsa *));
255
256 extern void insisakmpsa __P((struct isakmpsa *, struct remoteconf *));
257
258 extern void dumprmconf __P((void));
259
260 extern struct idspec *newidspec __P((void));
261
262 extern vchar_t *script_path_add __P((vchar_t *));
263
264 extern void rsa_key_free __P((void *entry));
265
266 #endif /* _REMOTECONF_H */
mirror of ipsec