      1 /*	$NetBSD: proposal.h,v 1.6 2006/12/09 05:52:57 manu Exp $	*/
      2 
      3 /* Id: proposal.h,v 1.5 2004/06/11 16:00:17 ludvigm Exp */
      4 
      5 /*
      6  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
      7  * All rights reserved.
      8  *
      9  * Redistribution and use in source and binary forms, with or without
     10  * modification, are permitted provided that the following conditions
     11  * are met:
     12  * 1. Redistributions of source code must retain the above copyright
     13  *    notice, this list of conditions and the following disclaimer.
     14  * 2. Redistributions in binary form must reproduce the above copyright
     15  *    notice, this list of conditions and the following disclaimer in the
     16  *    documentation and/or other materials provided with the distribution.
     17  * 3. Neither the name of the project nor the names of its contributors
     18  *    may be used to endorse or promote products derived from this software
     19  *    without specific prior written permission.
     20  *
     21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
     22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
     23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
     24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
     25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
     26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
     27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
     28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
     30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
     31  * SUCH DAMAGE.
     32  */
     33 
     34 #ifndef _PROPOSAL_H
     35 #define _PROPOSAL_H
     36 
     37 #include <sys/queue.h>
     38 
/*
 *   A. chained list of transforms, only for a single proto_id
 *      (this is the same as the set of transforms in a single proposal payload)
 *   B. proposal.  this will point to multiple (A) items (order is important
 *      here so the pointers to (A) must be an ordered array, or a chained list).
 *      this covers multiple proposals in a packet if the proposal # is the same.
 *   C. finally, (B) needs to be connected as a chained list.
 *
 * 	head ---> prop[.......] ---> prop[...] ---> prop[...] ---> ...
 * 	               | | | |
 * 	               | | | +- proto4  <== must preserve order here
 * 	               | | +--- proto3
 * 	               | +----- proto2
 * 	               +------- proto1[trans1, trans2, trans3, ...]
 *
 *   incoming packets need to be parsed to construct the same structure
 *   (check "prop_pair" too).
 */
/*
 * SA proposal specification: one node of list (C) above.  A proposal
 * bundles an ordered list of protocols (struct saproto, reached via
 * "head"), each of which carries its own transform list.
 */
struct saprop {
	int prop_no;			/* proposal number */
	time_t lifetime;		/* SA lifetime (time_t; presumably seconds) */
	int lifebyte;			/* SA lifetime in bytes (per name); NOTE(review):
					 * int may be narrower than what the parser
					 * accepts -- confirm the range check there */
	int pfs_group;			/* pfs group */
	int claim;			/* flag to send RESPONDER-LIFETIME. */
					/* XXX assumed DOI values are 1 or 2. */
#ifdef HAVE_SECCTX
	struct security_ctx sctx;       /* security context structure */
#endif
	struct saproto *head;		/* first protocol; order is significant (see diagram) */
	struct saprop *next;		/* next proposal in the chain */
};
     71 
/*
 * SA protocol specification: one protocol (proto_id) inside a proposal,
 * carrying the negotiated SPIs, the keying material derived for it, and
 * the list of candidate transforms.
 */
struct saproto {
	int proto_id;			/* protocol id */
	size_t spisize;			/* spi size (length of the SPI on the wire) */
	int encmode;			/* encryption mode */

	int udp_encap;			/* UDP encapsulation */

	/* XXX should be vchar_t * */
	/* these are network byte order */
	/*
	 * NOTE(review): spi/spi_p are fixed 32-bit fields while spisize is
	 * a variable wire length; any copy of spisize bytes into these
	 * fields must be bounded by sizeof spi -- confirm in the payload
	 * parser.
	 */
	u_int32_t spi;			/* inbound. i.e. --SA-> me */
	u_int32_t spi_p;		/* outbound. i.e. me -SA-> */

	/*
	 * Keying material is secret.  NOTE(review): confirm it is wiped
	 * before being released (see flushsaproto()).
	 */
	vchar_t *keymat;		/* KEYMAT */
	vchar_t *keymat_p;		/* peer's KEYMAT */

	int reqid_out;			/* request id (outbound) */
	int reqid_in;			/* request id (inbound) */

	int ok;				/* if 1, success to set SA in kernel */

	struct satrns *head;		/* head of the transform list */
	struct saproto *next;		/* next protocol */
};
     96 
/*
 * SA algorithm specification: one transform (trns_no) of a protocol.
 * A protocol's transforms are chained through "next" in offer order.
 */
struct satrns {
	int trns_no;			/* transform number */
	int trns_id;			/* transform id */
	int encklen;			/* key length of encryption algorithm */
	int authtype;			/* authentication algorithm if ESP */

	struct satrns *next;		/* next transform */
};
    106 
/*
 * prop_pair: (proposal number, transform number)
 *
 *	(SA (P1 (T1 T2)) (P1' (T1' T2')) (P2 (T1" T2")))
 *
 *              p[1]      p[2]
 *      top     (P1,T1)   (P2",T1")
 *		 |  |tnext     |tnext
 *		 |  v          v
 *		 | (P1, T2)   (P2", T2")
 *		 v next
 *		(P1', T1')
 *		    |tnext
 *		    v
 *		   (P1', T2')
 *
 * when we convert it to saprop in prop2saprop(), it should become like:
 *
 * 		 (next)
 * 	saprop --------------------> saprop
 * 	 | (head)                     | (head)
 * 	 +-> saproto                  +-> saproto
 * 	      | | (head)                     | (head)
 * 	      | +-> satrns(P1 T1)            +-> satrns(P2" T1")
 * 	      |      | (next)                     | (next)
 * 	      |      v                            v
 * 	      |     satrns(P1, T2)               satrns(P2", T2")
 * 	      v (next)
 * 	     saproto
 * 		| (head)
 * 		+-> satrns(P1' T1')
 * 		     | (next)
 * 		     v
 * 		    satrns(P1', T2')
 */
/*
 * One (proposal payload, transform payload) pair parsed from a received
 * SA payload.  NOTE(review): "prop" and "trns" presumably point into the
 * received packet buffer rather than owning copies, so a prop_pair must
 * not outlive that buffer -- verify against the parser.
 */
struct prop_pair {
	struct isakmp_pl_p *prop;	/* proposal payload header */
	struct isakmp_pl_t *trns;	/* transform payload header */
	struct prop_pair *next;	/* next prop_pair with same proposal # */
				/* (bundle case) */
	struct prop_pair *tnext; /* next prop_pair in same proposal payload */
				/* (multiple transform case) */
};
/*
 * Size of a table indexed by proposal number.  The proposal # field is
 * 1 octet, so 256 slots cover every possible value 0..255; any index
 * derived from the wire must stay below this bound.
 */
#define MAXPROPPAIRLEN	256	/* It's enough because field size is 1 octet. */
    151 
/*
 * Lifetime length selection referred to section 4.5.4 of RFC2407.  It does
 * not completely conform to the description in the RFC.  There are four
 * types of behavior.  If the value of "proposal_check" in the "remote"
 * directive is:
 *     "obey"
 *         the responder obeys the initiator every time.
 *     "strict"
 *         If the responder's length is longer than the initiator's, the
 *         responder uses the initiator's.  Otherwise it rejects the proposal.
 *         If PFS is not required by the responder, the responder obeys the
 *         proposal.  If PFS is required by both sides and the responder's
 *         group is not equal to the initiator's, then the responder rejects
 *         the proposal.
 *     "claim"
 *         If the responder's length is longer than the initiator's, the
 *         responder uses the initiator's.  If the responder's length is
 *         shorter than the initiator's, the responder uses its own length
 *         AND sends a RESPONDER-LIFETIME notify message to the initiator in
 *         the case of lifetime.
 *         Regarding PFS, this directive behaves the same as "strict".
 *     "exact"
 *         If the initiator's length is not equal to the responder's, the
 *         responder rejects the proposal.
 *         If PFS is required and the responder's group is not equal to
 *         the initiator's, then the responder rejects the proposal.
 *
 * Note that "obey" lets the peer dictate the lifetime (and PFS group);
 * the other three modes bound the result by local policy.
 * XXX the behavior for key length should still be defined.
 */
#define PROP_CHECK_OBEY		1	/* accept whatever the initiator proposes */
#define PROP_CHECK_STRICT	2	/* shorten to the initiator's, else reject */
#define PROP_CHECK_CLAIM	3	/* as strict, but keep own shorter length and notify */
#define PROP_CHECK_EXACT	4	/* lengths (and PFS group) must match exactly */
    183 
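/*
 * Opaque handles defined elsewhere; forward-declared so that the
 * prototypes below name file-scope tags.  ph2handle was missing: a struct
 * tag first seen inside a parameter list has prototype scope only, so
 * set_proposal_from_policy()/set_proposal_from_proposal() would declare a
 * distinct incomplete type if this header were included before the one
 * defining ph2handle.
 */
struct sainfo;
struct ph1handle;
struct ph2handle;
struct secpolicy;

/* constructors: presumably return a fresh node owned by the caller until inserted */
extern struct saprop *newsaprop __P((void));
extern struct saproto *newsaproto __P((void));
/* list insertion; inssaprotorev presumably inserts at the head rather than the tail */
extern void inssaprop __P((struct saprop **, struct saprop *));
extern void inssaproto __P((struct saprop *, struct saproto *));
extern void inssaprotorev __P((struct saprop *, struct saproto *));
extern struct satrns *newsatrns __P((void));
extern void inssatrns __P((struct saproto *, struct satrns *));
/*
 * proposal matching: cmpsaprop_alloc returns a newly allocated result (caller
 * presumably frees with flushsaprop); the int arguments carry the
 * PROP_CHECK_* mode -- confirm in proposal.c.
 */
extern struct saprop *cmpsaprop_alloc __P((struct ph1handle *,
	const struct saprop *, const struct saprop *, int));
extern int cmpsaprop __P((const struct saprop *, const struct saprop *));
extern int cmpsatrns __P((int, const struct satrns *, const struct satrns *, int));
extern int set_satrnsbysainfo __P((struct saproto *, struct sainfo *));
/* conversion of a parsed prop_pair tree into the saprop structure (see diagram above) */
extern struct saprop *aproppair2saprop __P((struct prop_pair *));
/* destructors: release a prop_pair tree / a whole saprop, saproto or satrns chain */
extern void free_proppair __P((struct prop_pair **));
extern void flushsaprop __P((struct saprop *));
extern void flushsaproto __P((struct saproto *));
extern void flushsatrns __P((struct satrns *));
/* debug printers; the first int is presumably a log level */
extern void printsaprop __P((const int, const struct saprop *));
extern void printsaprop0 __P((const int, const struct saprop *));
extern void printsaproto __P((const int, const struct saproto *));
extern void printsatrns __P((const int, const int, const struct satrns *));
extern void print_proppair0 __P((int, struct prop_pair *, int));
extern void print_proppair __P((int, struct prop_pair *));
/* build the phase-2 proposal list from local policy / from the peer's proposal */
extern int set_proposal_from_policy __P((struct ph2handle *,
	struct secpolicy *, struct secpolicy *));
extern int set_proposal_from_proposal __P((struct ph2handle *));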
    213 
    214 #endif /* _PROPOSAL_H */