/* $NetBSD: proposal.h,v 1.6 2006/12/09 05:52:57 manu Exp $ */ /* Id: proposal.h,v 1.5 2004/06/11 16:00:17 ludvigm Exp */ /* * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. * All rights reserved. * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: * 1. Redistributions of source code must retain the above copyright * notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in the * documentation and/or other materials provided with the distribution. * 3. Neither the name of the project nor the names of its contributors * may be used to endorse or promote products derived from this software * without specific prior written permission. * * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. */ #ifndef _PROPOSAL_H #define _PROPOSAL_H #include <sys/queue.h> /* * A. chained list of transform, only for single proto_id * (this is same as set of transforms in single proposal payload) * B. proposal. this will point to multiple (A) items (order is important * here so pointer to (A) must be ordered array, or chained list). * this covers multiple proposal on a packet if proposal # is the same. * C. finally, (B) needs to be connected as chained list. * * head ---> prop[.......] ---> prop[...] ---> prop[...] ---> ... * | | | | * | | | +- proto4 <== must preserve order here * | | +--- proto3 * | +----- proto2 * +------- proto1[trans1, trans2, trans3, ...] * * incoming packets needs to be parsed to construct the same structure * (check "prop_pair" too). */ /* SA proposal specification */ struct saprop { int prop_no; time_t lifetime; int lifebyte; int pfs_group; /* pfs group */ int claim; /* flag to send RESPONDER-LIFETIME. */ /* XXX assumed DOI values are 1 or 2. */ #ifdef HAVE_SECCTX struct security_ctx sctx; /* security context structure */ #endif struct saproto *head; struct saprop *next; }; /* SA protocol specification */ struct saproto { int proto_id; size_t spisize; /* spi size */ int encmode; /* encryption mode */ int udp_encap; /* UDP encapsulation */ /* XXX should be vchar_t * */ /* these are network byte order */ u_int32_t spi; /* inbound. i.e. --SA-> me */ u_int32_t spi_p; /* outbound. i.e. me -SA-> */ vchar_t *keymat; /* KEYMAT */ vchar_t *keymat_p; /* peer's KEYMAT */ int reqid_out; /* request id (outbound) */ int reqid_in; /* request id (inbound) */ int ok; /* if 1, success to set SA in kenrel */ struct satrns *head; /* header of transform */ struct saproto *next; /* next protocol */ }; /* SA algorithm specification */ struct satrns { int trns_no; int trns_id; /* transform id */ int encklen; /* key length of encryption algorithm */ int authtype; /* authentication algorithm if ESP */ struct satrns *next; /* next transform */ }; /* * prop_pair: (proposal number, transform number) * * (SA (P1 (T1 T2)) (P1' (T1' T2')) (P2 (T1" T2"))) * * p[1] p[2] * top (P1,T1) (P2",T1") * | |tnext |tnext * | v v * | (P1, T2) (P2", T2") * v next * (P1', T1') * |tnext * v * (P1', T2') * * when we convert it to saprop in prop2saprop(), it should become like: * * (next) * saprop --------------------> saprop * | (head) | (head) * +-> saproto +-> saproto * | | (head) | (head) * | +-> satrns(P1 T1) +-> satrns(P2" T1") * | | (next) | (next) * | v v * | satrns(P1, T2) satrns(P2", T2") * v (next) * saproto * | (head) * +-> satrns(P1' T1') * | (next) * v * satrns(P1', T2') */ struct prop_pair { struct isakmp_pl_p *prop; struct isakmp_pl_t *trns; struct prop_pair *next; /* next prop_pair with same proposal # */ /* (bundle case) */ struct prop_pair *tnext; /* next prop_pair in same proposal payload */ /* (multiple tranform case) */ }; #define MAXPROPPAIRLEN 256 /* It's enough because field size is 1 octet. */ /* * Lifetime length selection refered to the section 4.5.4 of RFC2407. It does * not completely conform to the description of RFC. There are four types of * the behavior. If the value of "proposal_check" in "remote" directive is; * "obey" * the responder obey the initiator anytime. * "strict" * If the responder's length is longer than the initiator's one, the * responder uses the intitiator's one. Otherwise rejects the proposal. * If PFS is not required by the responder, the responder obeys the * proposal. If PFS is required by both sides and if the responder's * group is not equal to the initiator's one, then the responder reject * the proposal. * "claim" * If the responder's length is longer than the initiator's one, the * responder use the intitiator's one. If the responder's length is * shorter than the initiator's one, the responder uses own length * AND send RESPONDER-LIFETIME notify message to a initiator in the * case of lifetime. * About PFS, this directive is same as "strict". * "exact" * If the initiator's length is not equal to the responder's one, the * responder rejects the proposal. * If PFS is required and if the responder's group is not equal to * the initiator's one, then the responder reject the proposal. * XXX should be defined the behavior of key length. */ #define PROP_CHECK_OBEY 1 #define PROP_CHECK_STRICT 2 #define PROP_CHECK_CLAIM 3 #define PROP_CHECK_EXACT 4 struct sainfo; struct ph1handle; struct secpolicy; extern struct saprop *newsaprop __P((void)); extern struct saproto *newsaproto __P((void)); extern void inssaprop __P((struct saprop **, struct saprop *)); extern void inssaproto __P((struct saprop *, struct saproto *)); extern void inssaprotorev __P((struct saprop *, struct saproto *)); extern struct satrns *newsatrns __P((void)); extern void inssatrns __P((struct saproto *, struct satrns *)); extern struct saprop *cmpsaprop_alloc __P((struct ph1handle *, const struct saprop *, const struct saprop *, int)); extern int cmpsaprop __P((const struct saprop *, const struct saprop *)); extern int cmpsatrns __P((int, const struct satrns *, const struct satrns *, int)); extern int set_satrnsbysainfo __P((struct saproto *, struct sainfo *)); extern struct saprop *aproppair2saprop __P((struct prop_pair *)); extern void free_proppair __P((struct prop_pair **)); extern void flushsaprop __P((struct saprop *)); extern void flushsaproto __P((struct saproto *)); extern void flushsatrns __P((struct satrns *)); extern void printsaprop __P((const int, const struct saprop *)); extern void printsaprop0 __P((const int, const struct saprop *)); extern void printsaproto __P((const int, const struct saproto *)); extern void printsatrns __P((const int, const int, const struct satrns *)); extern void print_proppair0 __P((int, struct prop_pair *, int)); extern void print_proppair __P((int, struct prop_pair *)); extern int set_proposal_from_policy __P((struct ph2handle *, struct secpolicy *, struct secpolicy *)); extern int set_proposal_from_proposal __P((struct ph2handle *)); #endif /* _PROPOSAL_H */