6 * Copyright (C) 2004 Emmanuel Dreyfus
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
35 #include <security/pam_appl.h>
39 * XXX don't forget to update
40 * src/racoon/handler.c:exclude_cfg_addr()
41 * if you add IPv6 capability
45 #define INTERNAL_IP4_ADDRESS 1
46 #define INTERNAL_IP4_NETMASK 2
47 #define INTERNAL_IP4_DNS 3
48 #define INTERNAL_IP4_NBNS 4
49 #define INTERNAL_ADDRESS_EXPIRY 5
50 #define INTERNAL_IP4_DHCP 6
51 #define APPLICATION_VERSION 7
52 #define INTERNAL_IP6_ADDRESS 8
53 #define INTERNAL_IP6_NETMASK 9
54 #define INTERNAL_IP6_DNS 10
55 #define INTERNAL_IP6_NBNS 11
56 #define INTERNAL_IP6_DHCP 12
57 #define INTERNAL_IP4_SUBNET 13
58 #define SUPPORTED_ATTRIBUTES 14
59 #define INTERNAL_IP6_SUBNET 15
61 /* For APPLICATION_VERSION */
62 #define ISAKMP_CFG_RACOON_VERSION "racoon / IPsec-tools"
64 /* For the wins servers -- XXX find the value somewhere ? */
68 * Global configuration for ISAKMP mode config address allocation
69 * Read from the mode_cfg section of racoon.conf
71 struct isakmp_cfg_port
{
78 struct isakmp_cfg_config
{
81 in_addr_t dns4
[MAXNS
];
83 in_addr_t nbns4
[MAXWINS
];
85 struct isakmp_cfg_port
*port_pool
;
94 /* XXX move this to a unity specific sub-structure */
95 char default_domain
[MAXPATHLEN
+ 1];
96 char motd
[MAXPATHLEN
+ 1];
97 struct unity_netentry
*splitnet_list
;
106 /* For utmp updating */
107 #define TERMSPEC "vpn%d"
110 #define ISAKMP_CFG_AUTH_SYSTEM 0
111 #define ISAKMP_CFG_AUTH_RADIUS 1
112 #define ISAKMP_CFG_AUTH_PAM 2
113 #define ISAKMP_CFG_AUTH_LDAP 4
115 /* For groupsource */
116 #define ISAKMP_CFG_GROUP_SYSTEM 0
117 #define ISAKMP_CFG_GROUP_LDAP 1
120 #define ISAKMP_CFG_CONF_LOCAL 0
121 #define ISAKMP_CFG_CONF_RADIUS 1
122 #define ISAKMP_CFG_CONF_LDAP 2
125 #define ISAKMP_CFG_ACCT_NONE 0
126 #define ISAKMP_CFG_ACCT_RADIUS 1
127 #define ISAKMP_CFG_ACCT_PAM 2
128 #define ISAKMP_CFG_ACCT_LDAP 3
129 #define ISAKMP_CFG_ACCT_SYSTEM 4
132 #define ISAKMP_CFG_MAX_CNX 255
135 #define ISAKMP_CFG_MOTD "/etc/motd"
137 /* For default domain */
138 #define ISAKMP_CFG_DEFAULT_DOMAIN ""
140 extern struct isakmp_cfg_config isakmp_cfg_config
;
143 * ISAKMP mode config state
/*
 * ISAKMP mode config state.
 * Allocated by isakmp_cfg_mkstate() (declared below); the ph1handle-based
 * API further down is what reads and updates it.  Several of the fixed-size
 * members are filled from attributes received from the peer (see the
 * ISAKMP_CFG_GOT_* flags below), so every writer must bound its copy to
 * the member's size — NOTE(review): verify this in the implementation.
 */
struct isakmp_cfg_state {
	int flags;				/* Bit-or of the ISAKMP_CFG_* flag
						   values defined below */
	unsigned int port;			/* address index; presumably the
						   value handed out by
						   isakmp_cfg_getport() and given
						   back to isakmp_cfg_putport() —
						   confirm */
	char login[LOGINLEN + 1];		/* login (+1 for the NUL) */
	struct in_addr addr4;			/* IPv4 address */
	struct in_addr mask4;			/* IPv4 netmask */
	struct in_addr dns4[MAXNS];		/* IPv4 DNS (when client only) */
	int dns4_index;				/* Number of valid entries in
						   dns4[] (client only); must
						   stay <= MAXNS */
	struct in_addr wins4[MAXWINS];		/* IPv4 WINS (when client only) */
	int wins4_index;			/* Number of valid entries in
						   wins4[] (client only); must
						   stay <= MAXWINS */
	char default_domain[MAXPATHLEN + 1];	/* Default domain received from
						   the peer (+1 for the NUL) */
	struct unity_netentry *split_include;	/* UNITY_SPLIT_INCLUDE */
	int include_count;			/* Number of SPLIT_INCLUDES */
	struct unity_netentry *split_local;	/* UNITY_LOCAL_LAN */
	int local_count;			/* Number of SPLIT_LOCAL */
	struct xauth_state xauth;		/* Xauth state, if relevant */
	struct isakmp_ivm *ivm;			/* XXX Use iph1's ivm? */
	u_int32_t last_msgid;			/* Last message-ID */
};
169 #define ISAKMP_CFG_VENDORID_XAUTH 0x01 /* Supports Xauth */
170 #define ISAKMP_CFG_VENDORID_UNITY 0x02 /* Cisco Unity compliant */
171 #define ISAKMP_CFG_PORT_ALLOCATED 0x04 /* Port allocated */
172 #define ISAKMP_CFG_ADDR4_EXTERN 0x08 /* Address from external config */
173 #define ISAKMP_CFG_MASK4_EXTERN 0x10 /* Netmask from external config */
174 #define ISAKMP_CFG_ADDR4_LOCAL 0x20 /* Address from local pool */
175 #define ISAKMP_CFG_MASK4_LOCAL 0x40 /* Netmask from local pool */
176 #define ISAKMP_CFG_GOT_ADDR4 0x80 /* Client got address */
177 #define ISAKMP_CFG_GOT_MASK4 0x100 /* Client got mask */
178 #define ISAKMP_CFG_GOT_DNS4 0x200 /* Client got DNS */
179 #define ISAKMP_CFG_GOT_WINS4 0x400 /* Client got WINS */
180 #define ISAKMP_CFG_DELETE_PH1 0x800 /* phase 1 should be deleted */
181 #define ISAKMP_CFG_GOT_DEFAULT_DOMAIN 0x1000 /* Client got default domain */
182 #define ISAKMP_CFG_GOT_SPLIT_INCLUDE 0x2000 /* Client got a split network config */
183 #define ISAKMP_CFG_GOT_SPLIT_LOCAL 0x4000 /* Client got a split LAN config */
/* Forward declaration only; the payload layout is defined elsewhere. */
struct isakmp_pl_attr;

/*
 * Mode config protocol handling, all keyed on the phase 1 handle.
 * NOTE(review): the vchar_t and isakmp_pl_attr arguments appear to carry
 * peer-supplied payload data; length validation belongs in the
 * implementation and should be checked there, not assumed here.
 */
void isakmp_cfg_r(struct ph1handle *, vchar_t *);
int isakmp_cfg_attr_r(struct ph1handle *, u_int32_t, struct isakmp_pl_attr *);
int isakmp_cfg_reply(struct ph1handle *, struct isakmp_pl_attr *);
int isakmp_cfg_request(struct ph1handle *, struct isakmp_pl_attr *);
int isakmp_cfg_set(struct ph1handle *, struct isakmp_pl_attr *);
int isakmp_cfg_send(struct ph1handle *, vchar_t *, u_int32_t, int, int);
struct isakmp_ivm *isakmp_cfg_newiv(struct ph1handle *, u_int32_t);
void isakmp_cfg_rmstate(struct ph1handle *);
/* Returns a fresh struct isakmp_cfg_state (declared above). */
struct isakmp_cfg_state *isakmp_cfg_mkstate(void);
/*
 * Attribute builders returning a vchar_t.
 * NOTE(review): isakmp_cfg_varlen() takes an explicit size_t bound for its
 * char * argument while isakmp_cfg_string() takes none and so must rely on
 * NUL termination — confirm the implementation bounds that copy.
 */
vchar_t *isakmp_cfg_copy(struct ph1handle *, struct isakmp_data *);
vchar_t *isakmp_cfg_short(struct ph1handle *, struct isakmp_data *, int);
vchar_t *isakmp_cfg_varlen(struct ph1handle *, struct isakmp_data *, char *, size_t);
vchar_t *isakmp_cfg_string(struct ph1handle *, struct isakmp_data *, char *);
int isakmp_cfg_getconfig(struct ph1handle *);
/* Builds an environment array (char ***) and its count (int *) for the caller. */
int isakmp_cfg_setenv(struct ph1handle *, char ***, int *);

/* Address pool management; getport() returns the index putport() takes back. */
int isakmp_cfg_resize_pool(int);
int isakmp_cfg_getport(struct ph1handle *);
int isakmp_cfg_putport(struct ph1handle *, unsigned int);
int isakmp_cfg_init(int);
/*
 * Values for the isakmp_cfg_init() argument — the names suggest a cold
 * start versus a warm re-initialisation; confirm in the implementation.
 */
#define ISAKMP_CFG_INIT_COLD 1
#define ISAKMP_CFG_INIT_WARM 0
211 #ifdef HAVE_LIBRADIUS
213 extern struct rad_handle
*radius_acct_state
;
214 int isakmp_cfg_radius_common(struct rad_handle
*, int);
218 int isakmp_cfg_accounting_pam(int, int);
219 void cleanup_pam(int);
222 int isakmp_cfg_accounting_system(int, struct sockaddr
*, char *, int);