1 /*	$NetBSD: isakmp_xauth.h,v 1.6 2008/09/19 11:01:08 tteras Exp $	*/
2 
3 /*	$KAME$ */
4 
5 /*
6  * Copyright (C) 2004 Emmanuel Dreyfus
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  * 3. Neither the name of the project nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #ifndef _ISAKMP_XAUTH_H
35 #define _ISAKMP_XAUTH_H
36 
37 #include "schedule.h"
38 
39 /* ISAKMP mode config attribute types specific to the Xauth vendor ID */
40 #define	XAUTH_TYPE                16520
41 #define	XAUTH_USER_NAME           16521
42 #define	XAUTH_USER_PASSWORD       16522
43 #define	XAUTH_PASSCODE            16523
44 #define	XAUTH_MESSAGE             16524
45 #define	XAUTH_CHALLENGE           16525
46 #define	XAUTH_DOMAIN              16526
47 #define	XAUTH_STATUS              16527
48 #define	XAUTH_NEXT_PIN            16528
49 #define	XAUTH_ANSWER              16529
50 
51 /* Types for XAUTH_TYPE */
52 #define	XAUTH_TYPE_GENERIC 	0
53 #define	XAUTH_TYPE_CHAP    	1
54 #define	XAUTH_TYPE_OTP     	2
55 #define	XAUTH_TYPE_SKEY    	3
56 
57 /* Values for XAUTH_STATUS */
58 #define	XAUTH_STATUS_FAIL       0
59 #define	XAUTH_STATUS_OK         1
60 
61 /* For phase 1 Xauth status */
62 struct xauth_state {
63 	int status; /* authentication status, used only on server side */
64 	int vendorid;
65 	int authtype;
66 	union {
67 		struct authgeneric {
68 			char *usr;
69 			char *pwd;
70 		} generic;
71 	} authdata;
72 #ifdef HAVE_LIBLDAP
73 	char *udn; /* ldap user dn */
74 #endif
75 };
76 
77 /* What's been sent */
78 #define XAUTH_SENT_USERNAME 1
79 #define XAUTH_SENT_PASSWORD 2
80 #define XAUTH_SENT_EVERYTHING (XAUTH_SENT_USERNAME | XAUTH_SENT_PASSWORD)
81 
82 /* For rmconf Xauth data */
83 struct xauth_rmconf {
84 	vchar_t *login;	/* xauth login */
85 	vchar_t *pass;	/* xauth password */
86 	int state;      /* what's been sent */
87 };
88 
89 /* status */
90 #define XAUTHST_NOTYET	0
91 #define XAUTHST_REQSENT	1
92 #define XAUTHST_OK	2
93 
94 struct xauth_reply_arg {
95 	struct sched sc;
96 	isakmp_index index;
97 	int port;
98 	int id;
99 	int res;
100 };
101 
102 struct ph1handle;
103 struct isakmp_data;
104 void xauth_sendreq(struct ph1handle *);
105 int xauth_attr_reply(struct ph1handle *, struct isakmp_data *, int);
106 int xauth_login_system(char *, char *);
107 void xauth_sendstatus(struct ph1handle *, int, int);
108 int xauth_check(struct ph1handle *);
109 int group_check(struct ph1handle *, char **, int);
110 vchar_t *isakmp_xauth_req(struct ph1handle *, struct isakmp_data *);
111 vchar_t *isakmp_xauth_set(struct ph1handle *, struct isakmp_data *);
112 void xauth_rmstate(struct xauth_state *);
113 void xauth_reply_stub(struct sched *);
114 int xauth_reply(struct ph1handle *, int, int, int);
115 int xauth_rmconf_used(struct xauth_rmconf **);
116 void xauth_rmconf_delete(struct xauth_rmconf **);
117 
118 #ifdef HAVE_LIBPAM
119 int xauth_login_pam(int, struct sockaddr *, char *, char *);
120 #endif
121 
122 #ifdef HAVE_LIBRADIUS
123 
124 #define RADIUS_MAX_SERVERS 5
125 
126 struct rad_serv {
127 	vchar_t		*host;
128 	int		port;
129 	vchar_t		*secret;
130 };
131 
132 struct xauth_rad_config {
133 	struct rad_serv	auth_server_list[RADIUS_MAX_SERVERS];
134 	int		auth_server_count;
135 	struct rad_serv	acct_server_list[RADIUS_MAX_SERVERS];
136 	int		acct_server_count;
137 	int		timeout;
138 	int		retries;
139 };
140 
141 extern struct xauth_rad_config xauth_rad_config;
142 
143 int xauth_radius_init_conf(int free);
144 int xauth_radius_init(void);
145 int xauth_login_radius(struct ph1handle *, char *, char *);
146 
147 #endif
148 
149 #ifdef HAVE_LIBLDAP
150 
151 #define LDAP_DFLT_HOST		"localhost"
152 #define LDAP_DFLT_USER		"cn"
153 #define LDAP_DFLT_ADDR		"racoon-address"
154 #define LDAP_DFLT_MASK		"racoon-netmask"
155 #define LDAP_DFLT_GROUP		"cn"
156 #define LDAP_DFLT_MEMBER	"member"
157 
158 struct xauth_ldap_config {
159 	int		pver;
160 	vchar_t 	*host;
161 	int		port;
162 	vchar_t		*base;
163 	int		subtree;
164 	vchar_t		*bind_dn;
165 	vchar_t		*bind_pw;
166 	int		auth_type;
167 	vchar_t		*attr_user;
168 	vchar_t		*attr_addr;
169 	vchar_t		*attr_mask;
170 	vchar_t		*attr_group;
171 	vchar_t		*attr_member;
172 };
173 
174 extern struct xauth_ldap_config xauth_ldap_config;
175 
176 int xauth_ldap_init_conf(void);
177 int xauth_login_ldap(struct ph1handle *, char *, char *);
178 
179 #endif
180 
181 #endif /* _ISAKMP_XAUTH_H */
182