ipsec-34.0.2.tar.gz

[apple/ipsec.git] / ipsec-tools / racoon / remoteconf.h

/* $Id: remoteconf.h,v 1.19.2.1 2005/05/20 00:37:42 manubsd Exp $ */

/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 * 
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#ifndef _REMOTECONF_H
#define _REMOTECONF_H

/* remote configuration */

#include <sys/queue.h>
#include "genlist.h"
#ifdef __APPLE__
#include <CoreFoundation/CFData.h>
#endif
#include "algorithm.h"

struct proposalspec {
        time_t lifetime;                /* for isakmp/ipsec */
        int lifebyte;                   /* for isakmp/ipsec */
        struct secprotospec *spspec;    /* the head is always current spec. */
        struct proposalspec *next;      /* the tail is the most prefered. */
        struct proposalspec *prev;
};

struct secprotospec {
        int prop_no;
        int trns_no;
        int strength;           /* for isakmp/ipsec */
        int encklen;            /* for isakmp/ipsec */
        time_t lifetime;        /* for isakmp */
        int lifebyte;           /* for isakmp */
        int proto_id;           /* for ipsec (isakmp?) */
        int ipsec_level;        /* for ipsec */
        int encmode;            /* for ipsec */
        int vendorid;           /* for isakmp */
        char *gssid;
        struct sockaddr *remote;
        int algclass[MAXALGCLASS];

        struct secprotospec *next;      /* the tail is the most prefiered. */
        struct secprotospec *prev;
        struct proposalspec *back;
};


struct etypes {
        int type;
        struct etypes *next;
};

/* Script hooks */
#define SCRIPT_PHASE1_UP        0
#define SCRIPT_PHASE1_DOWN      1
#define SCRIPT_MAX              1
extern char *script_names[SCRIPT_MAX + 1];
extern vchar_t *script_paths;

struct remoteconf {
        struct sockaddr *remote;        /* remote IP address */
                                        /* if family is AF_UNSPEC, that is
                                         * for anonymous configuration. */

        struct etypes *etypes;          /* exchange type list. the head
                                         * is a type to be sent first. */
        int doitype;                    /* doi type */
        int sittype;                    /* situation type */

        int idvtype;                    /* my identifier type */
        vchar_t *idv;                   /* my identifier */
        vchar_t *key;                   /* my pre-shared key */
        struct genlist *idvl_p;         /* peer's identifiers list */

#ifdef __APPLE__
        int     identity_in_keychain;   /* cert and private key is in the keychain */
        vchar_t *keychainCertRef;       /* peristant keychain ref for cert */
        int secrettype;                 /* type of secret [use, key, keychain] */
        vchar_t *shared_secret; /* shared secret */
        vchar_t *open_dir_auth_group;   /* group to be used to authorize user */
#endif

        int certtype;                   /* certificate type if need */
        char *mycertfile;               /* file name of my certificate */
        char *myprivfile;               /* file name of my private key file */
        char *peerscertfile;            /* file name of peer's certifcate */
        int getcert_method;             /* the way to get peer's certificate */
        int cacerttype;                 /* CA type is needed */
        char *cacertfile;               /* file name of CA */
        int getcacert_method;           /* the way to get the CA */
        int send_cert;                  /* send to CERT or not */
        int send_cr;                    /* send to CR or not */
        int verify_cert;                /* verify a CERT strictly */
#ifdef __APPLE__
        int cert_verification;  /* openssl or security framework */
        int cert_verification_option;   /* nothing, peers identifier, or open_dir */
#endif
        int verify_identifier;          /* vefify the peer's identifier */
        int nonce_size;                 /* the number of bytes of nonce */
        int passive;                    /* never initiate */
        int ike_frag;                   /* IKE fragmentation */
        int esp_frag;                   /* ESP fragmentation */
        int mode_cfg;                   /* Gets config through mode config */
        int support_proxy;              /* support mip6/proxy */
        int gen_policy;                 /* generate policy if no policy found */
        int ini_contact;                /* initial contact */
        int pcheck_level;               /* level of propocl checking */
        int nat_traversal;              /* NAT-Traversal */
#ifdef __APPLE__
        int natt_multiple_user; /* special handling of multiple users behind a nat - for VPN server */
#endif
        int script[SCRIPT_MAX + 1];     /* script hooks index in script_paths */
        int dh_group;                   /* use it when only aggressive mode */
        struct dhgroup *dhgrp;          /* use it when only aggressive mode */
                                        /* above two can't be defined by user*/

        int retry_counter;              /* times to retry. */
        int retry_interval;             /* interval each retry. */
                                /* above 2 values are copied from localconf. */

        int dpd;                                /* Negociate DPD support ? */
        int dpd_retry;                  /* in seconds */
        int dpd_interval;               /* in seconds */
        int dpd_maxfails; 

        struct isakmpsa *proposal;      /* proposal list */
        struct remoteconf *inherited_from;      /* the original rmconf 
                                                   from which this one 
                                                   was inherited */
        struct proposalspec *prhead;

        struct genlist  *rsa_private,   /* lists of PlainRSA keys to use */
                        *rsa_public;
        TAILQ_ENTRY(remoteconf) chain;  /* next remote conf */
};

struct dhgroup;

/* ISAKMP SA specification */
struct isakmpsa {
        int prop_no;
        int trns_no;
        time_t lifetime;
        size_t lifebyte;
        int enctype;
        int encklen;
        int authmethod;
        int hashtype;
        int vendorid;
#ifdef HAVE_GSSAPI
        vchar_t *gssid;
#endif
        int dh_group;                   /* don't use it if aggressive mode */
        struct dhgroup *dhgrp;          /* don't use it if aggressive mode */

        struct isakmpsa *next;          /* next transform */
        struct remoteconf *rmconf;      /* backpointer to remoteconf */
};

struct idspec {
        int idtype;                     /* identifier type */
        vchar_t *id;                    /* identifier */
};

typedef struct remoteconf * (rmconf_func_t)(struct remoteconf *rmconf, void *data);

extern struct remoteconf *getrmconf __P((struct sockaddr *));
extern struct remoteconf *getrmconf_strict
        __P((struct sockaddr *remote, int allow_anon));
extern struct remoteconf *copyrmconf __P((struct sockaddr *));
extern struct remoteconf *newrmconf __P((void));
extern struct remoteconf *duprmconf __P((struct remoteconf *));
extern void delrmconf __P((struct remoteconf *));
extern void delisakmpsa __P((struct isakmpsa *));
extern void deletypes __P((struct etypes *));
extern struct etypes * dupetypes __P((struct etypes *));
extern void insrmconf __P((struct remoteconf *));
extern void remrmconf __P((struct remoteconf *));
extern void flushrmconf __P((void));
extern void initrmconf __P((void));
extern struct etypes *check_etypeok
        __P((struct remoteconf *, u_int8_t));
extern struct remoteconf *foreachrmconf __P((rmconf_func_t rmconf_func,
                                             void *data));

extern struct isakmpsa *newisakmpsa __P((void));
extern struct isakmpsa *dupisakmpsa __P((struct isakmpsa *));

extern void insisakmpsa __P((struct isakmpsa *, struct remoteconf *));

extern void dumprmconf __P((void));

extern struct idspec *newidspec __P((void));

extern int script_path_add __P((vchar_t *));

extern void rsa_key_free __P((void *entry));

#endif /* _REMOTECONF_H */