diff options
Diffstat (limited to 'ipsec-tools/src/racoon/proposal.h')
-rw-r--r-- | ipsec-tools/src/racoon/proposal.h | 214 |
1 files changed, 214 insertions, 0 deletions
diff --git a/ipsec-tools/src/racoon/proposal.h b/ipsec-tools/src/racoon/proposal.h new file mode 100644 index 00000000..11fbab8b --- /dev/null +++ b/ipsec-tools/src/racoon/proposal.h @@ -0,0 +1,214 @@ +/* $NetBSD: proposal.h,v 1.7 2010/02/09 23:05:16 wiz Exp $ */ + +/* Id: proposal.h,v 1.5 2004/06/11 16:00:17 ludvigm Exp */ + +/* + * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * 3. Neither the name of the project nor the names of its contributors + * may be used to endorse or promote products derived from this software + * without specific prior written permission. + * + * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#ifndef _PROPOSAL_H +#define _PROPOSAL_H + +#include <sys/queue.h> + +/* + * A. chained list of transform, only for single proto_id + * (this is same as set of transforms in single proposal payload) + * B. proposal. this will point to multiple (A) items (order is important + * here so pointer to (A) must be ordered array, or chained list). + * this covers multiple proposal on a packet if proposal # is the same. + * C. finally, (B) needs to be connected as chained list. + * + * head ---> prop[.......] ---> prop[...] ---> prop[...] ---> ... + * | | | | + * | | | +- proto4 <== must preserve order here + * | | +--- proto3 + * | +----- proto2 + * +------- proto1[trans1, trans2, trans3, ...] + * + * incoming packets needs to be parsed to construct the same structure + * (check "prop_pair" too). + */ +/* SA proposal specification */ +struct saprop { + int prop_no; + time_t lifetime; + int lifebyte; + int pfs_group; /* pfs group */ + int claim; /* flag to send RESPONDER-LIFETIME. */ + /* XXX assumed DOI values are 1 or 2. */ +#ifdef HAVE_SECCTX + struct security_ctx sctx; /* security context structure */ +#endif + struct saproto *head; + struct saprop *next; +}; + +/* SA protocol specification */ +struct saproto { + int proto_id; + size_t spisize; /* spi size */ + int encmode; /* encryption mode */ + + int udp_encap; /* UDP encapsulation */ + + /* XXX should be vchar_t * */ + /* these are network byte order */ + u_int32_t spi; /* inbound. i.e. --SA-> me */ + u_int32_t spi_p; /* outbound. i.e. me -SA-> */ + + vchar_t *keymat; /* KEYMAT */ + vchar_t *keymat_p; /* peer's KEYMAT */ + + int reqid_out; /* request id (outbound) */ + int reqid_in; /* request id (inbound) */ + + int ok; /* if 1, success to set SA in kernel */ + + struct satrns *head; /* header of transform */ + struct saproto *next; /* next protocol */ +}; + +/* SA algorithm specification */ +struct satrns { + int trns_no; + int trns_id; /* transform id */ + int encklen; /* key length of encryption algorithm */ + int authtype; /* authentication algorithm if ESP */ + + struct satrns *next; /* next transform */ +}; + +/* + * prop_pair: (proposal number, transform number) + * + * (SA (P1 (T1 T2)) (P1' (T1' T2')) (P2 (T1" T2"))) + * + * p[1] p[2] + * top (P1,T1) (P2",T1") + * | |tnext |tnext + * | v v + * | (P1, T2) (P2", T2") + * v next + * (P1', T1') + * |tnext + * v + * (P1', T2') + * + * when we convert it to saprop in prop2saprop(), it should become like: + * + * (next) + * saprop --------------------> saprop + * | (head) | (head) + * +-> saproto +-> saproto + * | | (head) | (head) + * | +-> satrns(P1 T1) +-> satrns(P2" T1") + * | | (next) | (next) + * | v v + * | satrns(P1, T2) satrns(P2", T2") + * v (next) + * saproto + * | (head) + * +-> satrns(P1' T1') + * | (next) + * v + * satrns(P1', T2') + */ +struct prop_pair { + struct isakmp_pl_p *prop; + struct isakmp_pl_t *trns; + struct prop_pair *next; /* next prop_pair with same proposal # */ + /* (bundle case) */ + struct prop_pair *tnext; /* next prop_pair in same proposal payload */ + /* (multiple tranform case) */ +}; +#define MAXPROPPAIRLEN 256 /* It's enough because field size is 1 octet. */ + +/* + * Lifetime length selection refered to the section 4.5.4 of RFC2407. It does + * not completely conform to the description of RFC. There are four types of + * the behavior. If the value of "proposal_check" in "remote" directive is; + * "obey" + * the responder obey the initiator anytime. + * "strict" + * If the responder's length is longer than the initiator's one, the + * responder uses the intitiator's one. Otherwise rejects the proposal. + * If PFS is not required by the responder, the responder obeys the + * proposal. If PFS is required by both sides and if the responder's + * group is not equal to the initiator's one, then the responder reject + * the proposal. + * "claim" + * If the responder's length is longer than the initiator's one, the + * responder use the intitiator's one. If the responder's length is + * shorter than the initiator's one, the responder uses own length + * AND send RESPONDER-LIFETIME notify message to a initiator in the + * case of lifetime. + * About PFS, this directive is same as "strict". + * "exact" + * If the initiator's length is not equal to the responder's one, the + * responder rejects the proposal. + * If PFS is required and if the responder's group is not equal to + * the initiator's one, then the responder reject the proposal. + * XXX should be defined the behavior of key length. + */ +#define PROP_CHECK_OBEY 1 +#define PROP_CHECK_STRICT 2 +#define PROP_CHECK_CLAIM 3 +#define PROP_CHECK_EXACT 4 + +struct sainfo; +struct ph1handle; +struct secpolicy; +extern struct saprop *newsaprop __P((void)); +extern struct saproto *newsaproto __P((void)); +extern void inssaprop __P((struct saprop **, struct saprop *)); +extern void inssaproto __P((struct saprop *, struct saproto *)); +extern void inssaprotorev __P((struct saprop *, struct saproto *)); +extern struct satrns *newsatrns __P((void)); +extern void inssatrns __P((struct saproto *, struct satrns *)); +extern struct saprop *cmpsaprop_alloc __P((struct ph1handle *, + const struct saprop *, const struct saprop *, int)); +extern int cmpsaprop __P((const struct saprop *, const struct saprop *)); +extern int cmpsatrns __P((int, const struct satrns *, const struct satrns *, int)); +extern int set_satrnsbysainfo __P((struct saproto *, struct sainfo *)); +extern struct saprop *aproppair2saprop __P((struct prop_pair *)); +extern void free_proppair __P((struct prop_pair **)); +extern void flushsaprop __P((struct saprop *)); +extern void flushsaproto __P((struct saproto *)); +extern void flushsatrns __P((struct satrns *)); +extern void printsaprop __P((const int, const struct saprop *)); +extern void printsaprop0 __P((const int, const struct saprop *)); +extern void printsaproto __P((const int, const struct saproto *)); +extern void printsatrns __P((const int, const int, const struct satrns *)); +extern void print_proppair0 __P((int, struct prop_pair *, int)); +extern void print_proppair __P((int, struct prop_pair *)); +extern int set_proposal_from_policy __P((struct ph2handle *, + struct secpolicy *, struct secpolicy *)); +extern int set_proposal_from_proposal __P((struct ph2handle *)); + +#endif /* _PROPOSAL_H */ |