]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/remoteconf.h
projects / apple / ipsec.git / blob
? search:


f1b556af246291b66d864d82ed253d3d24bda230
[apple/ipsec.git] / ipsec-tools / racoon / remoteconf.h
1 /* $NetBSD: remoteconf.h,v 1.7 2006/10/03 08:01:56 vanhu Exp $ */
2
3 /* Id: remoteconf.h,v 1.26 2006/05/06 15:52:44 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #ifndef _REMOTECONF_H
35 #define _REMOTECONF_H
36
37 /* remote configuration */
38
39 #include <sys/queue.h>
40 #include "genlist.h"
41 #ifdef ENABLE_HYBRID
42 #include "isakmp_var.h"
43 #include "isakmp_xauth.h"
44 #endif
45 #include <CoreFoundation/CFData.h>
46 #include "algorithm.h"
47
48
49 struct proposalspec {
50 time_t lifetime; /* for isakmp/ipsec */
51 int lifebyte; /* for isakmp/ipsec */
52 struct secprotospec *spspec; /* the head is always current spec. */
53 struct proposalspec *next; /* the tail is the most prefered. */
54 struct proposalspec *prev;
55 };
56
57 struct secprotospec {
58 int prop_no;
59 int trns_no;
60 int strength; /* for isakmp/ipsec */
61 int encklen; /* for isakmp/ipsec */
62 time_t lifetime; /* for isakmp */
63 int lifebyte; /* for isakmp */
64 int proto_id; /* for ipsec (isakmp?) */
65 int ipsec_level; /* for ipsec */
66 int encmode; /* for ipsec */
67 int vendorid; /* for isakmp */
68 char *gssid;
69 struct sockaddr_storage *remote;
70 int algclass[MAXALGCLASS];
71
72 struct secprotospec *next; /* the tail is the most prefiered. */
73 struct secprotospec *prev;
74 struct proposalspec *back;
75 };
76
77
78 struct etypes {
79 int type;
80 struct etypes *next;
81 };
82
83 enum {
84 DPD_ALGO_DEFAULT = 0,
85 DPD_ALGO_INBOUND_DETECT,
86 DPD_ALGO_BLACKHOLE_DETECT,
87 DPD_ALGO_MAX,
88 };
89
90 /* Script hooks */
91 #define SCRIPT_PHASE1_UP 0
92 #define SCRIPT_PHASE1_DOWN 1
93 #define SCRIPT_MAX 1
94 extern char *script_names[SCRIPT_MAX + 1];
95
96 struct remoteconf {
97 struct sockaddr_storage *remote; /* remote IP address */
98 int remote_prefix; /* allows subnet for remote address */
99 /* if family is AF_UNSPEC, that is
100 * for anonymous configuration. */
101
102 struct etypes *etypes; /* exchange type list. the head
103 * is a type to be sent first. */
104 int doitype; /* doi type */
105 int sittype; /* situation type */
106
107 int idvtype; /* my identifier type */
108 vchar_t *idv; /* my identifier */
109 vchar_t *key; /* my pre-shared key */
110 struct genlist *idvl_p; /* peer's identifiers list */
111
112 int identity_in_keychain; /* cert and private key is in the keychain */
113 vchar_t *keychainCertRef; /* peristant keychain ref for cert */
114 int secrettype; /* type of secret [use, key, keychain] */
115 vchar_t *shared_secret; /* shared secret */
116 vchar_t *open_dir_auth_group; /* group to be used to authorize user */
117
118 int certtype; /* certificate type if need */
119 char *mycertfile; /* file name of my certificate */
120 char *myprivfile; /* file name of my private key file */
121 char *peerscertfile; /* file name of peer's certifcate */
122 int getcert_method; /* the way to get peer's certificate */
123 int cacerttype; /* CA type is needed */
124 char *cacertfile; /* file name of CA */
125 int getcacert_method; /* the way to get the CA */
126 int send_cert; /* send to CERT or not */
127 int send_cr; /* send to CR or not */
128 int verify_cert; /* verify a CERT strictly */
129 int cert_verification; /* openssl or security framework */
130 int cert_verification_option; /* nothing, peers identifier, or open_dir */
131 int verify_identifier; /* vefify the peer's identifier */
132 int nonce_size; /* the number of bytes of nonce */
133 int passive; /* never initiate */
134 int ike_frag; /* IKE fragmentation */
135 int esp_frag; /* ESP fragmentation */
136 int mode_cfg; /* Gets config through mode config */
137 int support_proxy; /* support mip6/proxy */
138 #define GENERATE_POLICY_NONE 0
139 #define GENERATE_POLICY_REQUIRE 1
140 #define GENERATE_POLICY_UNIQUE 2
141 int gen_policy; /* generate policy if no policy found */
142 int ini_contact; /* initial contact */
143 int pcheck_level; /* level of propocl checking */
144 int nat_traversal; /* NAT-Traversal */
145 int natt_multiple_user; /* special handling of multiple users behind a nat - for VPN server */
146 int natt_keepalive; /* do we need to send natt keep alive */
147 vchar_t *script[SCRIPT_MAX + 1]; /* script hooks paths */
148 int dh_group; /* use it when only aggressive mode */
149 struct dhgroup *dhgrp; /* use it when only aggressive mode */
150 /* above two can't be defined by user*/
151
152 int retry_counter; /* times to retry. */
153 int retry_interval; /* interval each retry. */
154 /* above 2 values are copied from localconf. */
155
156 int dpd; /* Negociate DPD support ? */
157 int dpd_retry; /* in seconds */
158 int dpd_interval; /* in seconds */
159 int dpd_maxfails;
160 int dpd_algo;
161 int idle_timeout; /* in seconds */
162 int idle_timeout_dir; /* direction to check */
163
164 int ph1id; /* ph1id to be matched with sainfo sections */
165
166 int weak_phase1_check; /* act on unencrypted deletions ? */
167
168 struct isakmpsa *proposal; /* proposal list */
169 struct remoteconf *inherited_from; /* the original rmconf
170 from which this one
171 was inherited */
172 struct proposalspec *prhead;
173
174 #ifdef ENABLE_HYBRID
175 struct xauth_rmconf *xauth;
176 #endif
177 int initiate_ph1rekey;
178 int to_remove;
179 int to_delete;
180 int linked_to_ph1;
181
182 TAILQ_ENTRY(remoteconf) chain; /* next remote conf */
183 };
184
185 struct dhgroup;
186
187 /* ISAKMP SA specification */
188 struct isakmpsa {
189 int prop_no;
190 int trns_no;
191 time_t lifetime;
192 size_t lifebyte;
193 int enctype;
194 int encklen;
195 int authmethod;
196 int hashtype;
197 int vendorid;
198 #ifdef HAVE_GSSAPI
199 vchar_t *gssid;
200 #endif
201 int dh_group; /* don't use it if aggressive mode */
202 struct dhgroup *dhgrp; /* don't use it if aggressive mode */
203
204 struct isakmpsa *next; /* next transform */
205 struct remoteconf *rmconf; /* backpointer to remoteconf */
206 };
207
208 struct idspec {
209 int idtype; /* identifier type */
210 vchar_t *id; /* identifier */
211 };
212
213 typedef struct remoteconf * (rmconf_func_t)(struct remoteconf *rmconf, void *data);
214
215 extern struct remoteconf *getrmconf __P((struct sockaddr_storage *));
216 extern struct remoteconf *getrmconf_strict
217 __P((struct sockaddr_storage *remote, int allow_anon));
218
219 extern int link_rmconf_to_ph1 __P((struct remoteconf *));
220 extern int unlink_rmconf_from_ph1 __P((struct remoteconf *));
221 extern int no_remote_configs __P((int));
222 extern struct remoteconf *copyrmconf __P((struct sockaddr_storage *));
223 extern struct remoteconf *newrmconf __P((void));
224 extern struct remoteconf *duprmconf __P((struct remoteconf *));
225 extern void delrmconf __P((struct remoteconf *));
226 extern void delisakmpsa __P((struct isakmpsa *));
227 extern void deletypes __P((struct etypes *));
228 extern struct etypes * dupetypes __P((struct etypes *));
229 extern void insrmconf __P((struct remoteconf *));
230 extern void remrmconf __P((struct remoteconf *));
231 extern void flushrmconf __P((void));
232 extern void initrmconf __P((void));
233 extern struct etypes *check_etypeok
234 __P((struct remoteconf *, u_int8_t));
235 extern struct remoteconf *foreachrmconf __P((rmconf_func_t rmconf_func,
236 void *data));
237
238 extern struct isakmpsa *newisakmpsa __P((void));
239 extern struct isakmpsa *dupisakmpsa __P((struct isakmpsa *));
240
241 extern void insisakmpsa __P((struct isakmpsa *, struct remoteconf *));
242
243 extern void dumprmconf __P((void));
244
245 extern struct idspec *newidspec __P((void));
246
247 extern vchar_t *script_path_add __P((vchar_t *));
248
249 extern void rsa_key_free __P((void *entry));
250
251 #endif /* _REMOTECONF_H */
mirror of ipsec