1 /*        $NetBSD: remoteconf.h,v 1.18 2025/03/08 16:39:08 christos Exp $       */
2 
3 /* Id: remoteconf.h,v 1.26 2006/05/06 15:52:44 manubsd Exp */
4 
5 /*
6  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  * 3. Neither the name of the project nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #ifndef _REMOTECONF_H
35 #define _REMOTECONF_H
36 
37 /* remote configuration */
38 
39 #include <sys/queue.h>
40 #include "genlist.h"
41 #ifdef ENABLE_HYBRID
42 #include "isakmp_var.h"
43 #include "isakmp_xauth.h"
44 #endif
45 
46 struct ph1handle;
47 struct secprotospec;
48 
/*
 * Singly linked list of ISAKMP exchange types.  remoteconf.etypes keeps
 * them in the order they are to be tried (head first).
 */
struct etypes {
	int type;			/* exchange type */
	struct etypes *next;		/* following entry */
};
53 
54 /* ISAKMP SA specification */
/*
 * ISAKMP SA specification: one proposed phase 1 transform.  A proposal is a
 * chain of these hanging off remoteconf.proposal, linked through `next`.
 */
struct isakmpsa {
	int prop_no;				/* proposal number */
	int trns_no;				/* transform number */
	time_t lifetime;			/* lifetime limit (time_t; presumably seconds) */
	size_t lifebyte;			/* lifetime limit in bytes */
	int enctype;				/* encryption algorithm */
	int encklen;				/* encryption key length */
	int authmethod;				/* authentication method */
	int hashtype;				/* hash algorithm */
	int vendorid;				/* vendor id */
#ifdef HAVE_GSSAPI
	vchar_t *gssid;				/* GSS-API identity */
#endif
	int dh_group;				/* don't use it if aggressive mode */
	struct dhgroup *dhgrp;			/* don't use it if aggressive mode
						 * (aggressive mode takes the group
						 * from struct remoteconf instead) */

	struct isakmpsa *next;			/* next transform */
};
73 
74 /* Certificate information */
/* Certificate information: the certificate bytes plus the file they came from. */
struct rmconf_cert {
	vchar_t *data;				/* certificate payload */
	char *filename;				/* name of local file */
};
79 
/*
 * Script hooks.  The SCRIPT_* values index remoteconf.script[] and
 * script_names[]; SCRIPT_MAX is the highest index, hence SCRIPT_MAX + 1
 * elements.
 */
#define SCRIPT_PHASE1_UP	0
#define SCRIPT_PHASE1_DOWN	1
#define SCRIPT_PHASE1_DEAD	2
#define SCRIPT_MAX		2
extern const char *script_names[SCRIPT_MAX + 1];	/* printable hook names, defined elsewhere */
86 
/*
 * One "remote" configuration: everything needed to negotiate phase 1 with a
 * given peer, or with any peer for the anonymous entry (remote family
 * AF_UNSPEC).  Entries are kept on a global list via `chain` and may point
 * back at the entry they were inherited from.
 */
struct remoteconf {
	char *name;				/* remote configuration name */
	struct sockaddr *remote;		/* remote IP address */
						/* if family is AF_UNSPEC, that is
						 * for anonymous configuration. */

	struct etypes *etypes;			/* exchange type list. the head
						 * is a type to be sent first. */
	int doitype;				/* doi type */
	int sittype;				/* situation type */

	int idvtype;				/* my identifier type */
	vchar_t *idv;				/* my identifier */
	vchar_t *key;				/* my pre-shared key (secret
						 * material; whoever frees the entry
						 * owns its lifetime — TODO confirm
						 * it is cleared on release) */
	struct genlist *idvl_p;			/* peer's identifiers list */

	char *myprivfile;			/* file name of my private key file */
	char *mycertfile;			/* file name of my certificate */
	vchar_t *mycert;			/* my certificate */
	char *peerscertfile;			/* file name of peer's certificate */
	vchar_t *peerscert;			/* peer's certificate */
	char *cacertfile;			/* file name of CA */
	vchar_t *cacert;			/* CA certificate */

	int send_cert;				/* send to CERT or not */
	int send_cr;				/* send to CR or not */
	int match_empty_cr;			/* does this match if CR is empty */
	int verify_cert;			/* verify a CERT strictly */
	int verify_identifier;			/* verify the peer's identifier */
	int nonce_size;				/* the number of bytes of nonce
						 * (see RMCONF_NONCE_SIZE) */
	int passive;				/* never initiate */
	int ike_frag;				/* IKE fragmentation */
	int esp_frag;				/* ESP fragmentation */
	int mode_cfg;				/* Gets config through mode config */
	int support_proxy;			/* support mip6/proxy */
#define GENERATE_POLICY_NONE	0
#define GENERATE_POLICY_REQUIRE		1
#define GENERATE_POLICY_UNIQUE		2
	int gen_policy;				/* generate policy if no policy found;
						 * one of GENERATE_POLICY_* */
	int ini_contact;			/* initial contact */
	int pcheck_level;			/* level of proposal checking */
	int nat_traversal;			/* NAT-Traversal */
	vchar_t *script[SCRIPT_MAX + 1];	/* script hooks paths, indexed by SCRIPT_* */
	int dh_group;				/* use it when only aggressive mode */
	struct dhgroup *dhgrp;			/* use it when only aggressive mode */
						/* above two can't be defined by user*/

	int dpd;				/* Negotiate DPD support ? */
	int dpd_retry;				/* in seconds */
	int dpd_interval;			/* in seconds */
	int dpd_maxfails;			/* presumably the DPD failure limit;
						 * verify against the DPD code */

	int rekey;				/* rekey ph1 when active ph2s?
						 * one of REKEY_* */
#define REKEY_OFF		FALSE
#define REKEY_ON		TRUE
#define REKEY_FORCE		2

	uint32_t ph1id;	/* ph1id to be matched with sainfo sections */

	int weak_phase1_check;			/* act on unencrypted deletions ?
						 * NOTE(review): when set, a delete
						 * that did not arrive under the
						 * phase 1 SA can still tear state
						 * down; keep off unless a peer
						 * requires it */

	struct isakmpsa *proposal;		/* proposal list */
	struct remoteconf *inherited_from;	/* the original rmconf
						   from which this one
						   was inherited */

	time_t lifetime;			/* for isakmp/ipsec */
	int lifebyte;				/* for isakmp/ipsec */
	struct secprotospec *spspec;		/* the head is always current spec. */

	struct genlist	*rsa_private,		/* lists of PlainRSA keys to use */
			*rsa_public;

#ifdef ENABLE_HYBRID
	struct xauth_rmconf *xauth;		/* hybrid/xauth settings */
#endif

	TAILQ_ENTRY(remoteconf) chain;		/* next remote conf */
};
166 
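/*
 * Nonce length to use for phase 1: the per-peer nonce_size when a remote
 * configuration was selected, otherwise DEFAULT_NONCE_SIZE.
 * The argument is parenthesized so that an expression (e.g. a conditional)
 * can be passed; it is still evaluated twice, so avoid side effects in it.
 */
#define RMCONF_NONCE_SIZE(rmconf) \
	((rmconf) != NULL ? (rmconf)->nonce_size : DEFAULT_NONCE_SIZE)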
169 
170 struct dhgroup;
171 
/*
 * One peer identifier: type plus value.  Presumably the element type of
 * remoteconf.idvl_p (allocated by newidspec()).
 */
struct idspec {
	int idtype;			/* identifier type */
	vchar_t *id;			/* identifier */
};
176 
/*
 * What is known about a peer when looking up its remote configuration.
 * Filled by rmconf_selector_from_ph1() and consumed by enumrmconf().
 */
struct rmconfselector {
	int flags;				/* GETRMCONF_F_* */
	struct sockaddr *remote;		/* peer address */
	int etype;				/* exchange type in use */
	struct isakmpsa *approval;		/* transform agreed so far, if any */
	vchar_t *identity;			/* peer identifier, if known */
	vchar_t *certificate_request;		/* CR payload received, if any */
};
185 
/*
 * Lookup by selector: rmconf_selector_from_ph1() fills rmsel from a phase 1
 * handle; enumrmconf() calls enum_func(rmconf, enum_arg) for each remote
 * configuration rmsel matches (the stop/continue convention of enum_func is
 * defined by the implementation, not here).
 */
extern void rmconf_selector_from_ph1(struct rmconfselector *rmsel,
    struct ph1handle *iph1);
extern int enumrmconf(struct rmconfselector *rmsel,
    int (* enum_func)(struct remoteconf *rmconf, void *arg), void *enum_arg);

/* getrmconf() flags: skip the anonymous (AF_UNSPEC) entry / skip passive entries. */
#define GETRMCONF_F_NO_ANONYMOUS	0x0001
#define GETRMCONF_F_NO_PASSIVE		0x0002

/*
 * Sentinel the getrmconf*() lookups hand back when the match is ambiguous
 * (presumably more than one candidate).  It is not a valid pointer: a caller
 * must test for it, as well as for NULL, before dereferencing the result.
 */
#define RMCONF_ERR_MULTIPLE		((struct remoteconf *) -1)

/* Does id_p match rmconf's peer identifier list?  Return convention: see the implementation. */
extern int rmconf_match_identity(struct remoteconf *rmconf, vchar_t *id_p);
/* Lookups by peer address (subject to GETRMCONF_F_* flags), phase 1 handle, or section name. */
extern struct remoteconf *getrmconf(struct sockaddr *remote, int flags);
extern struct remoteconf *getrmconf_by_ph1(struct ph1handle *iph1);
extern struct remoteconf *getrmconf_by_name(const char *name);

/*
 * Entry lifetime: newrmconf() allocates an empty entry; duprmconf_shallow()
 * copies one and duprmconf_finish() completes the copy (which members are
 * shared vs. duplicated is decided by the implementation); delrmconf() frees
 * an entry.  insrmconf()/remrmconf() link and unlink an entry on the global
 * list; flushrmconf() drops the whole list.  The exchange-type list and the
 * spspec list have their own dup/free helpers below.
 */
extern struct remoteconf *newrmconf(void);
extern struct remoteconf *duprmconf_shallow(struct remoteconf *);
extern int duprmconf_finish(struct remoteconf *);
extern void delrmconf(struct remoteconf *);
extern void deletypes(struct etypes *);
extern struct etypes * dupetypes(struct etypes *);
extern void insrmconf(struct remoteconf *);
extern void remrmconf(struct remoteconf *);
extern void flushrmconf(void);
extern void dupspspec_list(struct remoteconf *, struct remoteconf *);
extern void flushspspec(struct remoteconf *);
extern void initrmconf(void);
/* Configuration reload is two-phase: start, re-read, finish. */
extern void rmconf_start_reload(void);
extern void rmconf_finish_reload(void);

/* Check that an exchange type is allowed for a remote configuration (enumrmconf callback shape). */
extern int check_etypeok(struct remoteconf *, void *);

/* ISAKMP SA transform lifetime: allocate, duplicate, free, append to a remote configuration. */
extern struct isakmpsa *newisakmpsa(void);
extern struct isakmpsa *dupisakmpsa(struct isakmpsa *);
extern void delisakmpsa(struct isakmpsa *);
extern void insisakmpsa(struct isakmpsa *, struct remoteconf *);
/* With hybrid auth the method mapping lives in the implementation; otherwise it is the identity. */
#ifdef ENABLE_HYBRID
extern int isakmpsa_switch_authmethod(int authmethod);
#else
/*
 * Non-hybrid build: there is no alternate (xauth/hybrid) authentication
 * method to map to, so the method is handed back unchanged.
 */
static inline int isakmpsa_switch_authmethod(int authmethod)
{
	const int unchanged = authmethod;

	return unchanged;
}
229 #endif
/*
 * Select which transform of `proposal` to accept against `acceptable`,
 * subject to checking level `pcheck` (remoteconf.pcheck_level).  The value
 * returned when nothing is acceptable is defined by the implementation.
 */
extern struct isakmpsa * checkisakmpsa(int pcheck, struct isakmpsa *proposal,
    struct isakmpsa *acceptable);


/* Presumably logs every remote configuration (debugging aid). */
extern void dumprmconf(void);

/* Allocate an empty peer identifier entry. */
extern struct idspec *newidspec(void);

/* Register a script hook path; what is returned (the same or an adjusted path) is up to the implementation. */
extern vchar_t *script_path_add(vchar_t *);
239 
240 #endif /* _REMOTECONF_H */
241