1 /*        $NetBSD: isakmp_cfg.h,v 1.8 2025/03/08 16:39:08 christos Exp $        */
2 
3 /*        $KAME$ */
4 
5 /*
6  * Copyright (C) 2004 Emmanuel Dreyfus
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  * 3. Neither the name of the project nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #ifdef HAVE_LIBPAM
35 #include <security/pam_appl.h>
36 #endif
37 
38 /*
39  * XXX don't forget to update
40  * src/racoon/handler.c:exclude_cfg_addr()
41  * if you add IPv6 capability
42  */
43 
/*
 * Attribute types.
 *
 * These are the on-the-wire type codes of ISAKMP mode-config attributes,
 * so they are protocol constants and must not be renumbered.  They are
 * presumably compared against the type field of attributes received from
 * the peer, i.e. that field is untrusted input and unknown values must be
 * tolerated.  The IPv6 codes are defined here for completeness even though
 * the XXX note above says IPv6 capability is not implemented (confirm).
 */
#define INTERNAL_IP4_ADDRESS        1
#define INTERNAL_IP4_NETMASK        2
#define INTERNAL_IP4_DNS            3
#define INTERNAL_IP4_NBNS           4
#define INTERNAL_ADDRESS_EXPIRY     5
#define INTERNAL_IP4_DHCP           6
#define APPLICATION_VERSION         7
#define INTERNAL_IP6_ADDRESS        8
#define INTERNAL_IP6_NETMASK        9
#define INTERNAL_IP6_DNS           10
#define INTERNAL_IP6_NBNS          11
#define INTERNAL_IP6_DHCP          12
#define INTERNAL_IP4_SUBNET        13
#define SUPPORTED_ATTRIBUTES       14
#define INTERNAL_IP6_SUBNET        15
60 
/*
 * For APPLICATION_VERSION: the string placed in the application-version
 * attribute.  Deliberately generic (no exact version number), which keeps
 * the implementation fingerprint handed to a peer coarse.
 */
#define ISAKMP_CFG_RACOON_VERSION "racoon / IPsec-tools"

/*
 * For the wins servers -- XXX find the value somewhere ?
 * Unlike MAXNS (used for dns4[] below), this is a local constant rather
 * than one taken from a system header.  It bounds nbns4[] in
 * struct isakmp_cfg_config and wins4[] in struct isakmp_cfg_state, so
 * the matching *_index counters must never exceed it.
 */
#define MAXWINS 4
66 
/*
 * Global configuration for ISAKMP mode configuration address allocation
 * Read from the mode_cfg section of racoon.conf
 */
/*
 * One slot ("port") of the mode-config address pool.  The pool itself is
 * isakmp_cfg_config.port_pool (pool_size entries) and
 * isakmp_cfg_state.port appears to be an index into it.
 *
 * NOTE: the size of this struct depends on HAVE_LIBPAM.  Every translation
 * unit that indexes port_pool must therefore see the same definition of
 * HAVE_LIBPAM, or slot arithmetic will silently disagree.
 */
struct isakmp_cfg_port {
	char	used;		/* non-zero when the slot is taken -- presumably; see isakmp_cfg_getport()/isakmp_cfg_putport() */
#ifdef HAVE_LIBPAM
	pam_handle_t *pam;	/* PAM session handle tied to this slot; released by cleanup_pam() -- presumably */
#endif
};
77 
/*
 * Global mode-config configuration.  The single instance is
 * isakmp_cfg_config, declared extern below.
 *
 * The fixed-size char arrays are expected to hold NUL-terminated strings;
 * whatever fills them (the racoon.conf parser, presumably) must bound the
 * copy to the array size.  The *_index counters give the number of valid
 * entries in the array they accompany and must never exceed its length.
 */
struct isakmp_cfg_config {
	in_addr_t	network4;		/* IPv4 network the local pool is taken from -- presumably; confirm byte order in the parser */
	in_addr_t	netmask4;		/* IPv4 netmask handed out with a pool address */
	in_addr_t	dns4[MAXNS];		/* IPv4 DNS servers to offer */
	int		dns4_index;		/* entries of dns4[] in use; <= MAXNS */
	in_addr_t	nbns4[MAXWINS];		/* IPv4 WINS/NBNS servers to offer */
	int		nbns4_index;		/* entries of nbns4[] in use; <= MAXWINS */
	struct isakmp_cfg_port	*port_pool;	/* pool_size slots; see isakmp_cfg_resize_pool() */
	int		authsource;		/* one of ISAKMP_CFG_AUTH_* */
	int		groupsource;		/* one of ISAKMP_CFG_GROUP_* */
	char		**grouplist;		/* groupcount group names -- presumably */
	int		groupcount;		/* number of entries in grouplist */
	int		confsource;		/* one of ISAKMP_CFG_CONF_* */
	int		accounting;		/* one of ISAKMP_CFG_ACCT_* */
	size_t		pool_size;		/* number of port_pool entries; see ISAKMP_CFG_MAX_CNX */
	int		auth_throttle;		/* NOTE(review): looks like an authentication rate-limit/delay knob; confirm units in the parser */
	/* XXX move this to a unity specific sub-structure */
	char		default_domain[MAXPATHLEN + 1];	/* default domain pushed to clients; NUL-terminated (see ISAKMP_CFG_DEFAULT_DOMAIN) */
	char		motd[MAXPATHLEN + 1];	/* path of the message-of-the-day file (see ISAKMP_CFG_MOTD) */
	struct unity_netentry	*splitnet_list;	/* split-network entries; splitnet_count of them */
	int		splitnet_count;
	int		splitnet_type;		/* presumably selects split-include vs. local-LAN; confirm */
	char		*splitdns_list;		/* split-DNS data, splitdns_len bytes; not necessarily NUL-terminated -- verify before using as a C string */
	int		splitdns_len;
	int		pfs_group;		/* PFS group -- name only; confirm use */
	int		save_passwd;		/* non-zero to keep the Xauth password -- name only; confirm where it is stored, since a retained credential widens exposure */
};
105 
/*
 * For utmp updating: printf-style template for the utmp line name.  The
 * %d is presumably the pool slot index (isakmp_cfg_state.port); the
 * expansion must be bounded to the utmp line field -- confirm in
 * isakmp_cfg_accounting_system().
 */
#define TERMSPEC    "vpn%d"
108 
/*
 * For authsource (isakmp_cfg_config.authsource).
 * Note the values are not contiguous (LDAP is 4, there is no 3); do not
 * renumber, the parser and any switch statements depend on them.
 */
#define ISAKMP_CFG_AUTH_SYSTEM          0
#define ISAKMP_CFG_AUTH_RADIUS          1
#define ISAKMP_CFG_AUTH_PAM   2
#define ISAKMP_CFG_AUTH_LDAP  4

/* For groupsource (isakmp_cfg_config.groupsource) */
#define ISAKMP_CFG_GROUP_SYSTEM         0
#define ISAKMP_CFG_GROUP_LDAP 1

/* For confsource (isakmp_cfg_config.confsource): where per-client config comes from */
#define ISAKMP_CFG_CONF_LOCAL 0
#define ISAKMP_CFG_CONF_RADIUS          1
#define ISAKMP_CFG_CONF_LDAP  2

/*
 * For accounting (isakmp_cfg_config.accounting).  Each backend has its
 * own prototype below (isakmp_cfg_radius_common, isakmp_cfg_accounting_pam,
 * isakmp_cfg_accounting_system); the RADIUS/PAM ones exist only when the
 * matching HAVE_LIB* is defined, so a config selecting them on a build
 * without that support must be rejected by the parser -- confirm.
 */
#define ISAKMP_CFG_ACCT_NONE  0
#define ISAKMP_CFG_ACCT_RADIUS          1
#define ISAKMP_CFG_ACCT_PAM   2
#define ISAKMP_CFG_ACCT_LDAP  3
#define ISAKMP_CFG_ACCT_SYSTEM          4
130 
/*
 * For pool_size: upper bound on the number of pool slots (and hence
 * simultaneous mode-config clients) -- presumably enforced by
 * isakmp_cfg_resize_pool(); confirm.
 */
#define ISAKMP_CFG_MAX_CNX    255

/* For motd: default message-of-the-day file */
#define ISAKMP_CFG_MOTD       "/etc/motd"

/* For default domain: empty string means none is pushed -- presumably */
#define ISAKMP_CFG_DEFAULT_DOMAIN ""

/* The one global instance (same name as its type); defined in a .c file elsewhere. */
extern struct isakmp_cfg_config isakmp_cfg_config;
141 
142 /*
143  * ISAKMP mode config state
144  */
/* Maximum login name length stored in isakmp_cfg_state.login[]; the array is LOGINLEN + 1 to leave room for the terminating NUL. */
#define LOGINLEN 31
/*
 * Per-phase-1 mode-config state (created by isakmp_cfg_mkstate(), freed
 * by isakmp_cfg_rmstate()).  login[] and default_domain[] are fixed-size
 * and must be NUL-terminated by whoever fills them -- both are at least
 * partly peer-influenced, so copies must be bounded.  The *_index counts
 * must stay within the bounds of their arrays.
 */
struct isakmp_cfg_state {
	int flags;				/* ISAKMP_CFG_* bits, see below */
	unsigned int port;			/* address index into isakmp_cfg_config.port_pool; meaningful only with ISAKMP_CFG_PORT_ALLOCATED -- presumably */
	char login[LOGINLEN + 1];		/* login; at most LOGINLEN chars plus NUL */
	struct in_addr addr4;			/* IPv4 address */
	struct in_addr mask4;			/* IPv4 netmask */
	struct in_addr dns4[MAXNS];		/* IPv4 DNS (when client only) */
	int dns4_index;				/* Number of IPv4 DNS (client only); <= MAXNS */
	struct in_addr wins4[MAXWINS];		/* IPv4 WINS (when client only) */
	int wins4_index;			/* Number of IPv4 WINS (client only); <= MAXWINS */
	char default_domain[MAXPATHLEN + 1];	/* Default domain received from the peer; NUL-terminated */
	struct unity_netentry
	    *split_include;			/* UNITY_SPLIT_INCLUDE */
	int include_count;			/* Number of SPLIT_INCLUDES */
	struct unity_netentry
	    *split_local;			/* UNITY_LOCAL_LAN */
	int local_count;			/* Number of SPLIT_LOCAL */
	struct xauth_state xauth;		/* Xauth state, if relevant */
	struct isakmp_ivm *ivm;			/* XXX Use iph1's ivm? */
	uint32_t last_msgid;			/* Last message-ID; presumably used to match replies to the outstanding exchange -- confirm */
};
167 
/*
 * flags: independent bit values for isakmp_cfg_state.flags, OR'ed together.
 * The ADDR4/MASK4 *_EXTERN and *_LOCAL bits record where a value came from
 * (external config vs. local pool); the GOT_* bits record what the client
 * side has received.  0x800 (DELETE_PH1) sits between the GOT_* groups --
 * keep that in mind when adding bits.
 */
#define ISAKMP_CFG_VENDORID_XAUTH       0x01      /* Supports Xauth */
#define ISAKMP_CFG_VENDORID_UNITY       0x02      /* Cisco Unity compliant */
#define ISAKMP_CFG_PORT_ALLOCATED       0x04      /* Port allocated */
#define ISAKMP_CFG_ADDR4_EXTERN         0x08      /* Address from external config  */
#define ISAKMP_CFG_MASK4_EXTERN         0x10      /* Netmask from external config */
#define ISAKMP_CFG_ADDR4_LOCAL          0x20      /* Address from local pool */
#define ISAKMP_CFG_MASK4_LOCAL          0x40      /* Netmask from local pool */
#define ISAKMP_CFG_GOT_ADDR4            0x80      /* Client got address */
#define ISAKMP_CFG_GOT_MASK4            0x100     /* Client got mask */
#define ISAKMP_CFG_GOT_DNS4             0x200     /* Client got DNS */
#define ISAKMP_CFG_GOT_WINS4            0x400     /* Client got WINS */
#define ISAKMP_CFG_DELETE_PH1           0x800     /* phase 1 should be deleted */
#define ISAKMP_CFG_GOT_DEFAULT_DOMAIN   0x1000    /* Client got default domain */
#define ISAKMP_CFG_GOT_SPLIT_INCLUDE    0x2000    /* Client got a split network config */
#define ISAKMP_CFG_GOT_SPLIT_LOCAL      0x4000    /* Client got a split LAN config */
184 
/* Opaque types used by the prototypes below; defined in other headers. */
struct isakmp_pl_attr;
struct ph1handle;
struct isakmp_ivm;

/* Process a received mode-config message for the phase 1 handle (receive-side entry point, by analogy with isakmp_cfg_attr_r -- confirm). */
void isakmp_cfg_r(struct ph1handle *, vchar_t *);
/* Handle one attribute payload; the uint32_t is presumably the exchange's message-ID. */
int isakmp_cfg_attr_r(struct ph1handle *, uint32_t, struct isakmp_pl_attr *);
/*
 * Per-exchange-type handlers for REPLY / REQUEST / SET attribute payloads.
 * The attribute payload comes from the peer and must be length-checked
 * before its attributes are walked.  int return is a status code --
 * confirm the convention (0 == success?) in isakmp_cfg.c.
 */
int isakmp_cfg_reply(struct ph1handle *, struct isakmp_pl_attr *);
int isakmp_cfg_request(struct ph1handle *, struct isakmp_pl_attr *);
int isakmp_cfg_set(struct ph1handle *, struct isakmp_pl_attr *);
/* Send a mode-config payload; the uint32_t is presumably the message-ID, the two ints a type/flags pair -- confirm. */
int isakmp_cfg_send(struct ph1handle *, vchar_t *, uint32_t, int, int);
/* Allocate an IV for the given message-ID. */
struct isakmp_ivm *isakmp_cfg_newiv(struct ph1handle *, uint32_t);
/* Free the mode-config state attached to the handle. */
void isakmp_cfg_rmstate(struct ph1handle *);
/* Allocate a fresh isakmp_cfg_state; whether it is zeroed is not visible here -- confirm before relying on default field values. */
struct isakmp_cfg_state *isakmp_cfg_mkstate(void);
/*
 * Attribute builders.  Each returns a vchar_t presumably owned by the
 * caller -- confirm who frees it.  isakmp_cfg_varlen takes an explicit
 * byte length; isakmp_cfg_string takes a NUL-terminated string, so callers
 * must guarantee termination (see the fixed-size buffers in the structs
 * above).  isakmp_cfg_short's int is presumably a 16-bit value.
 */
vchar_t *isakmp_cfg_copy(struct ph1handle *, struct isakmp_data *);
vchar_t *isakmp_cfg_short(struct ph1handle *, struct isakmp_data *, int);
vchar_t *isakmp_cfg_varlen(struct ph1handle *, struct isakmp_data *, const char *, size_t);
vchar_t *isakmp_cfg_string(struct ph1handle *, struct isakmp_data *, const char *);
/* Fetch per-client configuration from the selected confsource (ISAKMP_CFG_CONF_*). */
int isakmp_cfg_getconfig(struct ph1handle *);
/*
 * Append mode-config values to an environment vector (char ***) and its
 * element count (int *).  Values that originated with the peer end up in a
 * process environment here, so the consumer must treat them as untrusted
 * -- confirm where the vector is used.
 */
int isakmp_cfg_setenv(struct ph1handle *, char ***, int *);
203 
/* Resize isakmp_cfg_config.port_pool to the given number of slots; presumably capped at ISAKMP_CFG_MAX_CNX and must refuse negative values -- confirm. */
int isakmp_cfg_resize_pool(int);
/* Allocate a pool slot for the handle; the int return is presumably the slot index, negative on failure -- confirm. */
int isakmp_cfg_getport(struct ph1handle *);
/* Release the given slot back to the pool; the index must be < pool_size. */
int isakmp_cfg_putport(struct ph1handle *, unsigned int);
/* Module initialisation; the argument is one of the ISAKMP_CFG_INIT_* values below. */
int isakmp_cfg_init(int);
#define ISAKMP_CFG_INIT_COLD  1	/* first-time initialisation */
#define ISAKMP_CFG_INIT_WARM  0	/* re-initialisation, e.g. on config reload -- presumably */
210 
#ifdef HAVE_LIBRADIUS
struct rad_handle;
/* Shared RADIUS accounting handle; defined in a .c file elsewhere. */
extern struct rad_handle *radius_acct_state;
/* Common RADIUS accounting step; the int is presumably a pool slot index or session selector -- confirm. */
int isakmp_cfg_radius_common(struct rad_handle *, int);
#endif

#ifdef HAVE_LIBPAM
/* PAM accounting; the two ints are presumably a pool slot index and an open/close selector -- confirm the order. */
int isakmp_cfg_accounting_pam(int, int);
/* Tear down the PAM handle kept in isakmp_cfg_port.pam for the given slot -- presumably. */
void cleanup_pam(int);
#endif

/*
 * System accounting (utmp-style, see TERMSPEC).  The char * is not const
 * and the sockaddr is the peer's address; both are session-derived data
 * and must be bounded before being written into fixed-size utmp fields
 * -- confirm in the implementation.
 */
int isakmp_cfg_accounting_system(int, struct sockaddr *, char *, int);
223