1/* $NetBSD: remoteconf.h,v 1.7 2006/10/03 08:01:56 vanhu Exp $ */ 2 3/* Id: remoteconf.h,v 1.26 2006/05/06 15:52:44 manubsd Exp */ 4 5/* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34#ifndef _REMOTECONF_H 35#define _REMOTECONF_H 36 37/* remote configuration */ 38 39#include <sys/queue.h> 40#include "genlist.h" 41#ifdef ENABLE_HYBRID 42#include "isakmp_var.h" 43#include "isakmp_xauth.h" 44#endif 45#include <CoreFoundation/CFData.h> 46#include "algorithm.h" 47 48 49 50struct proposalspec { 51 time_t lifetime; /* for isakmp/ipsec */ 52 int lifebyte; /* for isakmp/ipsec */ 53 struct secprotospec *spspec; /* the head is always current spec. */ 54 struct proposalspec *next; /* the tail is the most prefered. */ 55 struct proposalspec *prev; 56}; 57 58struct secprotospec { 59 int prop_no; 60 int trns_no; 61 int strength; /* for isakmp/ipsec */ 62 int encklen; /* for isakmp/ipsec */ 63 time_t lifetime; /* for isakmp */ 64 int lifebyte; /* for isakmp */ 65 int proto_id; /* for ipsec (isakmp?) */ 66 int ipsec_level; /* for ipsec */ 67 int encmode; /* for ipsec */ 68 int vendorid; /* for isakmp */ 69 char *gssid; 70 struct sockaddr_storage *remote; 71 int algclass[MAXALGCLASS]; 72 73 struct secprotospec *next; /* the tail is the most prefiered. */ 74 struct secprotospec *prev; 75 struct proposalspec *back; 76}; 77 78 79struct etypes { 80 int type; 81 struct etypes *next; 82}; 83 84enum { 85 DPD_ALGO_DEFAULT = 0, 86 DPD_ALGO_INBOUND_DETECT, 87 DPD_ALGO_BLACKHOLE_DETECT, 88 DPD_ALGO_MAX, 89}; 90 91 92struct remoteconf { 93 struct sockaddr_storage *remote; /* remote IP address */ 94 int remote_prefix; /* allows subnet for remote address */ 95 /* if family is AF_UNSPEC, that is 96 * for anonymous configuration. */ 97 98 struct etypes *etypes; /* exchange type list. the head 99 * is a type to be sent first. */ 100 int doitype; /* doi type */ 101 int sittype; /* situation type */ 102 103 int idvtype; /* my identifier type */ 104 vchar_t *idv; /* my identifier */ 105 vchar_t *key; /* my pre-shared key */ 106 struct genlist *idvl_p; /* peer's identifiers list */ 107 108 int identity_in_keychain; /* cert and private key is in the keychain */ 109 vchar_t *keychainCertRef; /* peristant keychain ref for cert */ 110 int secrettype; /* type of secret [use, key, keychain] */ 111 vchar_t *shared_secret; /* shared secret */ 112 vchar_t *open_dir_auth_group; /* group to be used to authorize user */ 113 114 int certtype; /* certificate type if need */ 115 int getcert_method; /* the way to get peer's certificate */ 116 int cacerttype; /* CA type is needed */ 117 int send_cert; /* send to CERT or not */ 118 int send_cr; /* send to CR or not */ 119 int verify_cert; /* verify a CERT strictly */ 120 int cert_verification; /* openssl or security framework */ 121 int cert_verification_option; /* nothing, peers identifier, or open_dir */ 122 int verify_identifier; /* vefify the peer's identifier */ 123 int nonce_size; /* the number of bytes of nonce */ 124 int passive; /* never initiate */ 125 int ike_frag; /* IKE fragmentation */ 126 int esp_frag; /* ESP fragmentation */ 127 int mode_cfg; /* Gets config through mode config */ 128 int support_proxy; /* support mip6/proxy */ 129#define GENERATE_POLICY_NONE 0 130#define GENERATE_POLICY_REQUIRE 1 131#define GENERATE_POLICY_UNIQUE 2 132 int gen_policy; /* generate policy if no policy found */ 133 int ini_contact; /* initial contact */ 134 int pcheck_level; /* level of propocl checking */ 135 int nat_traversal; /* NAT-Traversal */ 136 int natt_multiple_user; /* special handling of multiple users behind a nat - for VPN server */ 137 int natt_keepalive; /* do we need to send natt keep alive */ 138 int dh_group; /* use it when only aggressive mode */ 139 struct dhgroup *dhgrp; /* use it when only aggressive mode */ 140 /* above two can't be defined by user*/ 141 142 int retry_counter; /* times to retry. */ 143 int retry_interval; /* interval each retry. */ 144 /* above 2 values are copied from localconf. */ 145 146 int dpd; /* Negociate DPD support ? */ 147 int dpd_retry; /* in seconds */ 148 int dpd_interval; /* in seconds */ 149 int dpd_maxfails; 150 int dpd_algo; 151 int idle_timeout; /* in seconds */ 152 int idle_timeout_dir; /* direction to check */ 153 154 int ph1id; /* ph1id to be matched with sainfo sections */ 155 156 int weak_phase1_check; /* act on unencrypted deletions ? */ 157 158 struct isakmpsa *proposal; /* proposal list */ 159 struct remoteconf *inherited_from; /* the original rmconf 160 from which this one 161 was inherited */ 162 struct proposalspec *prhead; 163 164#ifdef ENABLE_HYBRID 165 struct xauth_rmconf *xauth; 166#endif 167 int initiate_ph1rekey; 168 int in_list; // in the linked list 169 int refcount; // ref count - in use 170 int ike_version; 171 172 // IKEV2 configs 173 struct etypes *eap_types; 174 CFDictionaryRef eap_options; 175 CFDictionaryRef ikev2_cfg_request; 176 177 TAILQ_ENTRY(remoteconf) chain; /* next remote conf */ 178}; 179 180struct dhgroup; 181 182/* ISAKMP SA specification */ 183struct isakmpsa { 184 int version; 185 int prop_no; 186 int trns_no; 187 time_t lifetime; 188 time_t lifetimegap; 189 size_t lifebyte; 190 int enctype; 191 int encklen; 192 int authmethod; 193 int hashtype; 194 int vendorid; 195 int dh_group; /* don't use it if aggressive mode */ 196 struct dhgroup *dhgrp; /* don't use it if aggressive mode */ 197 int prf; 198 int prfklen; 199 200 struct isakmpsa *next; /* next transform */ 201 struct remoteconf *rmconf; /* backpointer to remoteconf */ 202}; 203 204struct idspec { 205 int idtype; /* identifier type */ 206 vchar_t *id; /* identifier */ 207}; 208 209typedef struct remoteconf *(rmconf_func_t) (struct remoteconf *rmconf, void *data); 210 211extern struct remoteconf *getrmconf (struct sockaddr_storage *); 212extern struct remoteconf *getrmconf_strict 213 (struct sockaddr_storage *remote, int allow_anon); 214 215extern int no_remote_configs (int); 216extern struct remoteconf *copyrmconf (struct sockaddr_storage *); 217extern struct remoteconf *create_rmconf (void); 218extern void retain_rmconf(struct remoteconf *); 219extern void release_rmconf(struct remoteconf *); 220extern struct remoteconf *duprmconf (struct remoteconf *); 221extern void delrmconf (struct remoteconf *); 222extern void delisakmpsa (struct isakmpsa *); 223extern void deletypes (struct etypes *); 224extern struct etypes * dupetypes (struct etypes *); 225extern void insrmconf (struct remoteconf *); 226extern void remrmconf (struct remoteconf *); 227extern void flushrmconf (void); 228extern void initrmconf (void); 229extern struct etypes *check_etypeok 230 (struct remoteconf *, u_int8_t); 231extern struct remoteconf *foreachrmconf (rmconf_func_t rmconf_func, 232 void *data); 233 234extern struct isakmpsa *newisakmpsa (void); 235extern struct isakmpsa *dupisakmpsa (struct isakmpsa *); 236 237extern void insisakmpsa (struct isakmpsa *, struct remoteconf *); 238 239extern void dumprmconf (void); 240 241extern struct idspec *newidspec (void); 242 243#endif /* _REMOTECONF_H */ 244