]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/remoteconf.h
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-146.2.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / remoteconf.h
1 /* $NetBSD: remoteconf.h,v 1.7 2006/10/03 08:01:56 vanhu Exp $ */
2
3 /* Id: remoteconf.h,v 1.26 2006/05/06 15:52:44 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #ifndef _REMOTECONF_H
35 #define _REMOTECONF_H
36
37 /* remote configuration */
38
39 #include <sys/queue.h>
40 #include "genlist.h"
41 #ifdef ENABLE_HYBRID
42 #include "isakmp_var.h"
43 #include "isakmp_xauth.h"
44 #endif
45 #include <CoreFoundation/CFData.h>
46 #include "algorithm.h"
47
48
49 struct proposalspec {
50 time_t lifetime; /* for isakmp/ipsec */
51 int lifebyte; /* for isakmp/ipsec */
52 struct secprotospec *spspec; /* the head is always current spec. */
53 struct proposalspec *next; /* the tail is the most prefered. */
54 struct proposalspec *prev;
55 };
56
57 struct secprotospec {
58 int prop_no;
59 int trns_no;
60 int strength; /* for isakmp/ipsec */
61 int encklen; /* for isakmp/ipsec */
62 time_t lifetime; /* for isakmp */
63 int lifebyte; /* for isakmp */
64 int proto_id; /* for ipsec (isakmp?) */
65 int ipsec_level; /* for ipsec */
66 int encmode; /* for ipsec */
67 int vendorid; /* for isakmp */
68 char *gssid;
69 struct sockaddr *remote;
70 int algclass[MAXALGCLASS];
71
72 struct secprotospec *next; /* the tail is the most prefiered. */
73 struct secprotospec *prev;
74 struct proposalspec *back;
75 };
76
77
78 struct etypes {
79 int type;
80 struct etypes *next;
81 };
82
83 enum {
84 DPD_ALGO_DEFAULT = 0,
85 DPD_ALGO_INBOUND_DETECT,
86 DPD_ALGO_BLACKHOLE_DETECT,
87 DPD_ALGO_MAX,
88 };
89
90 /* Script hooks */
91 #define SCRIPT_PHASE1_UP 0
92 #define SCRIPT_PHASE1_DOWN 1
93 #define SCRIPT_MAX 1
94 extern char *script_names[SCRIPT_MAX + 1];
95
96 struct remoteconf {
97 struct sockaddr *remote; /* remote IP address */
98 /* if family is AF_UNSPEC, that is
99 * for anonymous configuration. */
100
101 struct etypes *etypes; /* exchange type list. the head
102 * is a type to be sent first. */
103 int doitype; /* doi type */
104 int sittype; /* situation type */
105
106 int idvtype; /* my identifier type */
107 vchar_t *idv; /* my identifier */
108 vchar_t *key; /* my pre-shared key */
109 struct genlist *idvl_p; /* peer's identifiers list */
110
111 int identity_in_keychain; /* cert and private key is in the keychain */
112 vchar_t *keychainCertRef; /* peristant keychain ref for cert */
113 int secrettype; /* type of secret [use, key, keychain] */
114 vchar_t *shared_secret; /* shared secret */
115 vchar_t *open_dir_auth_group; /* group to be used to authorize user */
116
117 int certtype; /* certificate type if need */
118 char *mycertfile; /* file name of my certificate */
119 char *myprivfile; /* file name of my private key file */
120 char *peerscertfile; /* file name of peer's certifcate */
121 int getcert_method; /* the way to get peer's certificate */
122 int cacerttype; /* CA type is needed */
123 char *cacertfile; /* file name of CA */
124 int getcacert_method; /* the way to get the CA */
125 int send_cert; /* send to CERT or not */
126 int send_cr; /* send to CR or not */
127 int verify_cert; /* verify a CERT strictly */
128 int cert_verification; /* openssl or security framework */
129 int cert_verification_option; /* nothing, peers identifier, or open_dir */
130 int verify_identifier; /* vefify the peer's identifier */
131 int nonce_size; /* the number of bytes of nonce */
132 int passive; /* never initiate */
133 int ike_frag; /* IKE fragmentation */
134 int esp_frag; /* ESP fragmentation */
135 int mode_cfg; /* Gets config through mode config */
136 int support_proxy; /* support mip6/proxy */
137 #define GENERATE_POLICY_NONE 0
138 #define GENERATE_POLICY_REQUIRE 1
139 #define GENERATE_POLICY_UNIQUE 2
140 int gen_policy; /* generate policy if no policy found */
141 int ini_contact; /* initial contact */
142 int pcheck_level; /* level of propocl checking */
143 int nat_traversal; /* NAT-Traversal */
144 int natt_multiple_user; /* special handling of multiple users behind a nat - for VPN server */
145 int natt_keepalive; /* do we need to send natt keep alive */
146 vchar_t *script[SCRIPT_MAX + 1]; /* script hooks paths */
147 int dh_group; /* use it when only aggressive mode */
148 struct dhgroup *dhgrp; /* use it when only aggressive mode */
149 /* above two can't be defined by user*/
150
151 int retry_counter; /* times to retry. */
152 int retry_interval; /* interval each retry. */
153 /* above 2 values are copied from localconf. */
154
155 int dpd; /* Negociate DPD support ? */
156 int dpd_retry; /* in seconds */
157 int dpd_interval; /* in seconds */
158 int dpd_maxfails;
159 int dpd_algo;
160 int idle_timeout; /* in seconds */
161 int idle_timeout_dir; /* direction to check */
162
163 int ph1id; /* ph1id to be matched with sainfo sections */
164
165 int weak_phase1_check; /* act on unencrypted deletions ? */
166
167 struct isakmpsa *proposal; /* proposal list */
168 struct remoteconf *inherited_from; /* the original rmconf
169 from which this one
170 was inherited */
171 struct proposalspec *prhead;
172 #ifdef HAVE_OPENSSL
173 struct genlist *rsa_private, /* lists of PlainRSA keys to use */
174 *rsa_public;
175 #endif
176
177 #ifdef ENABLE_HYBRID
178 struct xauth_rmconf *xauth;
179 #endif
180 int initiate_ph1rekey;
181 int to_remove;
182 int to_delete;
183 int linked_to_ph1;
184
185 TAILQ_ENTRY(remoteconf) chain; /* next remote conf */
186 };
187
188 struct dhgroup;
189
190 /* ISAKMP SA specification */
191 struct isakmpsa {
192 int prop_no;
193 int trns_no;
194 time_t lifetime;
195 size_t lifebyte;
196 int enctype;
197 int encklen;
198 int authmethod;
199 int hashtype;
200 int vendorid;
201 #ifdef HAVE_GSSAPI
202 vchar_t *gssid;
203 #endif
204 int dh_group; /* don't use it if aggressive mode */
205 struct dhgroup *dhgrp; /* don't use it if aggressive mode */
206
207 struct isakmpsa *next; /* next transform */
208 struct remoteconf *rmconf; /* backpointer to remoteconf */
209 };
210
211 struct idspec {
212 int idtype; /* identifier type */
213 vchar_t *id; /* identifier */
214 };
215
216 typedef struct remoteconf * (rmconf_func_t)(struct remoteconf *rmconf, void *data);
217
218 extern struct remoteconf *getrmconf __P((struct sockaddr *));
219 extern struct remoteconf *getrmconf_strict
220 __P((struct sockaddr *remote, int allow_anon));
221
222 extern int link_rmconf_to_ph1 __P((struct remoteconf *));
223 extern int unlink_rmconf_from_ph1 __P((struct remoteconf *));
224 extern int no_remote_configs __P((int));
225 extern struct remoteconf *copyrmconf __P((struct sockaddr *));
226 extern struct remoteconf *newrmconf __P((void));
227 extern struct remoteconf *duprmconf __P((struct remoteconf *));
228 extern void delrmconf __P((struct remoteconf *));
229 extern void delisakmpsa __P((struct isakmpsa *));
230 extern void deletypes __P((struct etypes *));
231 extern struct etypes * dupetypes __P((struct etypes *));
232 extern void insrmconf __P((struct remoteconf *));
233 extern void remrmconf __P((struct remoteconf *));
234 extern void flushrmconf __P((void));
235 extern void initrmconf __P((void));
236 extern struct etypes *check_etypeok
237 __P((struct remoteconf *, u_int8_t));
238 extern struct remoteconf *foreachrmconf __P((rmconf_func_t rmconf_func,
239 void *data));
240
241 extern struct isakmpsa *newisakmpsa __P((void));
242 extern struct isakmpsa *dupisakmpsa __P((struct isakmpsa *));
243
244 extern void insisakmpsa __P((struct isakmpsa *, struct remoteconf *));
245
246 extern void dumprmconf __P((void));
247
248 extern struct idspec *newidspec __P((void));
249
250 extern vchar_t *script_path_add __P((vchar_t *));
251
252 extern void rsa_key_free __P((void *entry));
253
254 #endif /* _REMOTECONF_H */
mirror of ipsec