1/*	$NetBSD: remoteconf.h,v 1.7 2006/10/03 08:01:56 vanhu Exp $	*/
2
3/* Id: remoteconf.h,v 1.26 2006/05/06 15:52:44 manubsd Exp */
4
5/*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 *    notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 *    notice, this list of conditions and the following disclaimer in the
16 *    documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 *    may be used to endorse or promote products derived from this software
19 *    without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34#ifndef _REMOTECONF_H
35#define _REMOTECONF_H
36
37/* remote configuration */
38
39#include <sys/queue.h>
40#include "genlist.h"
41#ifdef ENABLE_HYBRID
42#include "isakmp_var.h"
43#include "isakmp_xauth.h"
44#endif
45#include <CoreFoundation/CFData.h>
46#include "algorithm.h"
47
48
49
/*
 * One entry of a proposal list for an ISAKMP or IPsec SA.  Entries form a
 * doubly linked list through next/prev; the head is the proposal currently
 * in use and the tail is the most preferred one.  Each proposal carries its
 * own chain of transforms (spspec, see struct secprotospec below).
 */
struct proposalspec {
	time_t lifetime;		/* SA lifetime, for isakmp/ipsec
					 * (time_t; presumably seconds) */
	int lifebyte;			/* SA byte-count lifetime, for isakmp/ipsec */
	struct secprotospec *spspec;	/* the head is always the current spec. */
	struct proposalspec *next;	/* the tail is the most preferred. */
	struct proposalspec *prev;
};
57
/*
 * One transform (protocol/algorithm set) belonging to a proposalspec.
 * Transforms are doubly linked through next/prev and point back to the
 * owning proposal through `back'.
 */
struct secprotospec {
	int prop_no;		/* proposal number */
	int trns_no;		/* transform number */
	int strength;		/* for isakmp/ipsec */
	int encklen;		/* encryption key length, for isakmp/ipsec */
	time_t lifetime;	/* for isakmp */
	int lifebyte;		/* for isakmp */
	int proto_id;		/* for ipsec (isakmp?) */
	int ipsec_level;	/* for ipsec */
	int encmode;		/* encapsulation mode, for ipsec */
	int vendorid;		/* for isakmp */
	char *gssid;		/* GSS-API identity string; NUL-terminated,
				 * ownership/free path not visible here */
	struct sockaddr_storage *remote;
	int algclass[MAXALGCLASS];	/* one slot per algorithm class;
					 * MAXALGCLASS comes from algorithm.h */

	struct secprotospec *next;	/* the tail is the most preferred. */
	struct secprotospec *prev;
	struct proposalspec *back;	/* owning proposal */
};
77
78
/*
 * Singly linked list of integer "types".  Used for the ordered list of
 * exchange types a remote may use (remoteconf.etypes) and, for IKEv2,
 * the list of EAP types (remoteconf.eap_types).
 */
struct etypes {
	int type;		/* exchange (or EAP) type value */
	struct etypes *next;	/* NULL-terminated chain */
};
83
/*
 * Dead Peer Detection algorithm selector (remoteconf.dpd_algo).
 * DPD_ALGO_MAX is a sentinel/count, not a valid algorithm: any value read
 * from configuration should be checked to be < DPD_ALGO_MAX before use.
 */
enum {
    DPD_ALGO_DEFAULT = 0,
    DPD_ALGO_INBOUND_DETECT,	/* detect liveness from inbound traffic */
    DPD_ALGO_BLACKHOLE_DETECT,	/* detect a blackholed path */
    DPD_ALGO_MAX,		/* sentinel - one past the last valid value */
};
90
91
/*
 * Per-peer ("remote") configuration.  Instances are reference counted and
 * kept on a TAILQ (see `refcount', `in_list' and `chain' at the bottom and
 * the retain_rmconf/release_rmconf/insrmconf/remrmconf prototypes below).
 * Several fields hold secret material or security-sensitive switches;
 * those are called out in their comments.
 */
struct remoteconf {
	struct sockaddr_storage *remote;	/* remote IP address.
					 * if family is AF_UNSPEC, that is
					 * for anonymous configuration,
					 * i.e. it matches any peer. */
    int remote_prefix;                  /* prefix length; allows a subnet
					 * for the remote address */

	struct etypes *etypes;		/* exchange type list. the head
					 * is a type to be sent first. */
	int doitype;			/* doi type */
	int sittype;			/* situation type */

	int idvtype;			/* my identifier type */
	vchar_t *idv;			/* my identifier */
	vchar_t *key;			/* my pre-shared key.  SECRET:
					 * NOTE(review): confirm the release
					 * path wipes it before freeing */
	struct genlist *idvl_p;         /* peer's identifiers list */

	int	identity_in_keychain;	/* cert and private key is in the keychain */
	vchar_t *keychainCertRef;	/* persistent keychain ref for cert */
	int secrettype;			/* type of secret [use, key, keychain] */
	vchar_t *shared_secret;	/* shared secret.  SECRET: same wiping
					 * caveat as `key' above */
	vchar_t *open_dir_auth_group;	/* group to be used to authorize user */

	int certtype;			/* certificate type if need */
	int getcert_method;		/* the way to get peer's certificate */
	int cacerttype;			/* CA type is needed */
	int send_cert;			/* send to CERT or not */
	int send_cr;			/* send to CR or not */
	int verify_cert;		/* verify a CERT strictly.
					 * security-sensitive: when off the
					 * peer's certificate is not strictly
					 * verified */
	int cert_verification;	/* openssl or security framework */
	int cert_verification_option;	/* nothing, peers identifier, or open_dir */
	int verify_identifier;		/* verify the peer's identifier.
					 * security-sensitive: when off the
					 * peer's ID payload is not checked
					 * against idvl_p (presumably) */
	int nonce_size;			/* the number of bytes of nonce.
					 * NOTE(review): range presumably
					 * validated by the config parser -
					 * confirm */
	int passive;			/* never initiate */
	int ike_frag;			/* IKE fragmentation */
	int esp_frag;			/* ESP fragmentation */
	int mode_cfg;			/* Gets config through mode config */
	int support_proxy;		/* support mip6/proxy */
#define GENERATE_POLICY_NONE   0
#define GENERATE_POLICY_REQUIRE        1
#define GENERATE_POLICY_UNIQUE 2
	int gen_policy;			/* generate policy if no policy found
					 * (one of GENERATE_POLICY_*).
					 * NOTE(review): with REQUIRE/UNIQUE
					 * the peer's proposal presumably
					 * drives the installed policy -
					 * confirm before enabling for
					 * untrusted peers */
	int ini_contact;		/* initial contact */
	int pcheck_level;		/* level of proposal checking */
	int nat_traversal;		/* NAT-Traversal */
	int natt_multiple_user; /* special handling of multiple users behind a nat - for VPN server */
	int natt_keepalive;		/* do we need to send natt keep alive */
	int dh_group;			/* used only in aggressive mode */
	struct dhgroup *dhgrp;		/* used only in aggressive mode */
					/* above two can't be defined by user*/

	int retry_counter;		/* times to retry. */
	int retry_interval;		/* interval each retry. */
				/* above 2 values are copied from localconf. */

	int dpd;				/* Negotiate DPD support ? */
	int dpd_retry;			/* in seconds */
	int dpd_interval;		/* in seconds */
	int dpd_maxfails;		/* failures tolerated before the peer
					 * is declared dead */
    int dpd_algo;           /* one of DPD_ALGO_* (must be < DPD_ALGO_MAX) */
    int idle_timeout;       /* in seconds */
    int idle_timeout_dir;   /* direction to check */

	int ph1id; /* ph1id to be matched with sainfo sections */

	int weak_phase1_check;		/* act on unencrypted deletions ?
					 * security-sensitive: honouring
					 * unauthenticated delete payloads
					 * lets an on-path sender tear down
					 * SAs; presumably off by default -
					 * confirm */

	struct isakmpsa *proposal;	/* proposal list */
	struct remoteconf *inherited_from;	/* the original rmconf
						   from which this one
						   was inherited */
	struct proposalspec *prhead;	/* head of the proposalspec list */

#ifdef ENABLE_HYBRID
	struct xauth_rmconf *xauth;	/* XAUTH settings (isakmp_xauth.h) */
#endif
    int initiate_ph1rekey;
    int in_list;            // in the linked list (chain below)
    int refcount;           // ref count - in use; see retain_rmconf/release_rmconf
    int ike_version;

	// IKEV2 configs
    struct etypes *eap_types;		// list of EAP types
    CFDictionaryRef eap_options;	// CF objects: retain/release
    CFDictionaryRef ikev2_cfg_request;	// ownership not visible here

	TAILQ_ENTRY(remoteconf) chain;	/* next remote conf */
};
179
struct dhgroup;		/* opaque here; only pointers to it are used above */
181
182/* ISAKMP SA specification */
/*
 * One ISAKMP (phase 1) SA transform.  Transforms are chained through
 * `next' in the order they are proposed and point back to the owning
 * remoteconf through `rmconf' (see remoteconf.proposal and insisakmpsa).
 */
struct isakmpsa {
	int version;			/* IKE version this transform is for */
	int prop_no;			/* proposal number */
	int trns_no;			/* transform number */
	time_t lifetime;		/* SA lifetime */
	time_t lifetimegap;		/* grace before lifetime expiry
					 * (semantics not visible here) */
	size_t lifebyte;		/* byte-count lifetime */
	int enctype;			/* encryption algorithm */
	int encklen;			/* encryption key length */
	int authmethod;			/* authentication method (PSK, cert, ...) */
	int hashtype;			/* hash algorithm */
	int vendorid;
	int dh_group;				/* don't use it if aggressive mode */
	struct dhgroup *dhgrp;		/* don't use it if aggressive mode */
	int             prf;		/* PRF algorithm */
	int             prfklen;	/* PRF key length */

	struct isakmpsa *next;		/* next transform */
	struct remoteconf *rmconf;	/* backpointer to remoteconf */
};
203
/*
 * A single peer identifier (type + value); remoteconf.idvl_p holds a list
 * of these.  Allocated by newidspec() below.
 */
struct idspec {
	int idtype;                     /* identifier type */
	vchar_t *id;                    /* identifier */
};
208
/*
 * Callback type for foreachrmconf(): called once per remoteconf with the
 * caller-supplied `data'.  Returning a non-NULL remoteconf presumably stops
 * the iteration and is returned to the caller - confirm in remoteconf.c.
 */
typedef struct remoteconf *(rmconf_func_t) (struct remoteconf *rmconf, void *data);
210
/* Look up the remoteconf for a peer address. */
extern struct remoteconf *getrmconf (struct sockaddr_storage *);
/*
 * Same lookup with explicit control over whether the anonymous
 * (AF_UNSPEC) entry may match.  Security note: a match against the
 * anonymous entry means any peer is accepted by that configuration, so
 * callers that need an exact peer binding should pass allow_anon == 0.
 */
extern struct remoteconf *getrmconf_strict
	(struct sockaddr_storage *remote, int allow_anon);

/* Non-zero when no remote configurations exist (the int argument's
 * meaning is not visible here; presumably an IKE version - confirm). */
extern int no_remote_configs (int);
/* Return a copy of the remoteconf matching the given address. */
extern struct remoteconf *copyrmconf (struct sockaddr_storage *);
/* Allocate a fresh, zeroed/default-initialised remoteconf. */
extern struct remoteconf *create_rmconf (void);
/*
 * Reference counting (remoteconf.refcount).  Every retain must be paired
 * with exactly one release; releasing the last reference presumably frees
 * the object, so callers must not use it afterwards - confirm.
 */
extern void retain_rmconf(struct remoteconf *);
extern void release_rmconf(struct remoteconf *);
/* Deep-copy a remoteconf (used for inheritance, see inherited_from). */
extern struct remoteconf *duprmconf (struct remoteconf *);
/* Free a remoteconf and everything it owns.
 * NOTE(review): this is where `key' and `shared_secret' should be wiped
 * before being freed - confirm in remoteconf.c. */
extern void delrmconf (struct remoteconf *);
/* Free an isakmpsa chain. */
extern void delisakmpsa (struct isakmpsa *);
/* Free / duplicate an etypes list. */
extern void deletypes (struct etypes *);
extern struct etypes * dupetypes (struct etypes *);
/* Insert into / remove from the global remoteconf list (sets in_list). */
extern void insrmconf (struct remoteconf *);
extern void remrmconf (struct remoteconf *);
/* Drop all remoteconfs; initialise the list. */
extern void flushrmconf (void);
extern void initrmconf (void);
/* Return the etypes entry for the given exchange type if the remoteconf
 * allows it, else NULL (presumably; confirm against the implementation). */
extern struct etypes *check_etypeok
	(struct remoteconf *, u_int8_t);
/* Call rmconf_func for each remoteconf; see rmconf_func_t above. */
extern struct remoteconf *foreachrmconf (rmconf_func_t rmconf_func,
					     void *data);

/* Allocate / deep-copy an isakmpsa transform. */
extern struct isakmpsa *newisakmpsa (void);
extern struct isakmpsa *dupisakmpsa (struct isakmpsa *);

/* Append a transform to the remoteconf's proposal list and set its
 * rmconf backpointer. */
extern void insisakmpsa (struct isakmpsa *, struct remoteconf *);

/* Debug dump of all remote configurations.
 * NOTE(review): make sure the dump does not print `key'/`shared_secret'
 * contents into logs. */
extern void dumprmconf (void);

/* Allocate an empty idspec. */
extern struct idspec *newidspec (void);
242
243#endif /* _REMOTECONF_H */
244