/*	$NetBSD: proposal.h,v 1.7 2010/02/09 23:05:16 wiz Exp $	*/

/* Id: proposal.h,v 1.5 2004/06/11 16:00:17 ludvigm Exp */

/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 * 
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#ifndef _PROPOSAL_H
#define _PROPOSAL_H

#include <sys/queue.h>

/*
 *   A. chained list of transforms, only for a single proto_id
 *      (this is the same as the set of transforms in a single proposal payload)
 *   B. proposal.  this will point to multiple (A) items (order is important
 *      here so the pointers to (A) must be an ordered array, or a chained list).
 *      this covers multiple proposals in a packet if the proposal # is the same.
 *   C. finally, (B) needs to be connected as a chained list.
 * 
 * 	head ---> prop[.......] ---> prop[...] ---> prop[...] ---> ...
 * 	               | | | |
 * 	               | | | +- proto4  <== must preserve order here
 * 	               | | +--- proto3
 * 	               | +----- proto2
 * 	               +------- proto1[trans1, trans2, trans3, ...]
 *
 *   incoming packets need to be parsed to construct the same structure
 *   (check "prop_pair" too).
 */
/*
 * SA proposal specification (item B in the diagram above): one proposal
 * number together with the ordered chain of protocols (struct saproto)
 * it bundles, the lifetime/PFS parameters negotiated for it, and a link
 * to the next proposal in the list.
 */
struct saprop {
	int prop_no;			/* proposal number */
	time_t lifetime;		/* negotiated lifetime (time-based) */
	int lifebyte;			/* negotiated lifetime (byte-based) --
					 * see the lifetime selection notes below */
	int pfs_group;			/* pfs group */
	int claim;			/* flag to send RESPONDER-LIFETIME;
					 * set under the "claim" proposal_check
					 * mode described below. */
					/* XXX assumed DOI values are 1 or 2. */
#ifdef HAVE_SECCTX
	struct security_ctx sctx;       /* security context structure */
#endif
	struct saproto *head;		/* first protocol of this proposal;
					 * order of the chain is significant */
	struct saprop *next;		/* next proposal in the chain */
};

/*
 * SA protocol specification: one proto_id inside a proposal, carrying the
 * SPIs and keying material for both directions plus the ordered chain of
 * transforms (struct satrns) offered for this protocol.
 */
struct saproto {
	int proto_id;			/* protocol id */
	size_t spisize;			/* spi size */
	int encmode;			/* encryption mode */

	int udp_encap;			/* UDP encapsulation */

	/* XXX should be vchar_t * */
	/* these are network byte order */
	u_int32_t spi;			/* inbound. i.e. --SA-> me */
	u_int32_t spi_p;		/* outbound. i.e. me -SA-> */

	/*
	 * Keying material for this SA.  NOTE(review): KEYMAT is secret key
	 * material; confirm that the release path (flushsaproto, not visible
	 * in this header) clears these buffers before freeing them.
	 */
	vchar_t *keymat;		/* KEYMAT */
	vchar_t *keymat_p;		/* peer's KEYMAT */

	int reqid_out;			/* request id (outbound) */
	int reqid_in;			/* request id (inbound) */

	int ok;				/* if 1, success to set SA in kernel */

	struct satrns *head;		/* head of the transform chain */
	struct saproto *next;		/* next protocol in this proposal */
};

/*
 * SA algorithm specification: a single transform (item A in the diagram
 * above) within a protocol's transform chain.
 */
struct satrns {
	int trns_no;			/* transform number */
	int trns_id;			/* transform id */
	int encklen;			/* key length of encryption algorithm */
	int authtype;			/* authentication algorithm if ESP */

	struct satrns *next;		/* next transform */
};

/*
 * prop_pair: (proposal number, transform number)
 *
 *	(SA (P1 (T1 T2)) (P1' (T1' T2')) (P2 (T1" T2")))
 *
 *              p[1]      p[2]
 *      top     (P1,T1)   (P2",T1")
 *		 |  |tnext     |tnext
 *		 |  v          v
 *		 | (P1, T2)   (P2", T2")
 *		 v next
 *		(P1', T1')
 *		    |tnext
 *		    v
 *		   (P1', T2')
 *
 * when we convert it to saprop in prop2saprop(), it should become like:
 * 
 * 		 (next)
 * 	saprop --------------------> saprop	
 * 	 | (head)                     | (head)
 * 	 +-> saproto                  +-> saproto
 * 	      | | (head)                     | (head)
 * 	      | +-> satrns(P1 T1)            +-> satrns(P2" T1")
 * 	      |      | (next)                     | (next)
 * 	      |      v                            v
 * 	      |     satrns(P1, T2)               satrns(P2", T2")
 * 	      v (next)
 * 	     saproto
 * 		| (head)
 * 		+-> satrns(P1' T1')
 * 		     | (next)
 * 		     v
 * 		    satrns(P1', T2')
 */
/*
 * One (proposal, transform) pair of a parsed SA payload; see the diagram
 * above for how the next/tnext links are laid out.  Both payload pointers
 * presumably refer into the received ISAKMP payload (types defined
 * elsewhere) -- TODO confirm ownership.
 */
struct prop_pair {
	struct isakmp_pl_p *prop;	/* proposal payload (the "P" of the pair) */
	struct isakmp_pl_t *trns;	/* transform payload (the "T" of the pair) */
	struct prop_pair *next;	/* next prop_pair with same proposal # */
				/* (bundle case) */
	struct prop_pair *tnext; /* next prop_pair in same proposal payload */
				/* (multiple transform case) */
};
/*
 * Upper bound for arrays indexed by proposal number: the field is a single
 * octet, so at most 256 distinct values (0..255) can occur.
 */
#define MAXPROPPAIRLEN	256	/* It's enough because field size is 1 octet. */

/*
 * Lifetime length selection refers to section 4.5.4 of RFC2407.  It does
 * not completely conform to the description in the RFC.  There are four types
 * of behavior, selected by the value of "proposal_check" in the "remote" directive:
 *     "obey"
 *         the responder always obeys the initiator.
 *     "strict"
 *         If the responder's length is longer than the initiator's one, the
 *         responder uses the initiator's one.  Otherwise it rejects the proposal.
 *         If PFS is not required by the responder, the responder obeys the
 *         proposal.  If PFS is required by both sides and the responder's
 *         group is not equal to the initiator's one, then the responder rejects
 *         the proposal.
 *     "claim"
 *         If the responder's length is longer than the initiator's one, the
 *         responder uses the initiator's one.  If the responder's length is
 *         shorter than the initiator's one, the responder uses its own length
 *         AND sends a RESPONDER-LIFETIME notify message to the initiator in the
 *         case of lifetime.
 *         Regarding PFS, this directive is the same as "strict".
 *     "exact"
 *         If the initiator's length is not equal to the responder's one, the
 *         responder rejects the proposal.
 *         If PFS is required and the responder's group is not equal to
 *         the initiator's one, then the responder rejects the proposal.
 * XXX the behavior for key length should be defined.
 */
/* Values of the "proposal_check" setting described above. */
#define PROP_CHECK_OBEY		1	/* "obey": always follow the initiator */
#define PROP_CHECK_STRICT	2	/* "strict": use initiator's if shorter, else reject */
#define PROP_CHECK_CLAIM	3	/* "claim": use initiator's if shorter, else own
					 * length plus RESPONDER-LIFETIME notify */
#define PROP_CHECK_EXACT	4	/* "exact": reject unless lengths are equal */

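/*
 * Opaque handle types from other headers.  Only pointers to them appear in
 * the prototypes below, so forward declarations are sufficient here.
 *
 * struct ph2handle is declared explicitly: without a file-scope declaration,
 * the "struct ph2handle *" parameters of set_proposal_from_policy() and
 * set_proposal_from_proposal() would introduce a distinct prototype-scope
 * struct type whenever proposal.h is included before the real definition,
 * making those prototypes incompatible with the definitions (compilers warn
 * that the struct is "declared inside parameter list").
 */
struct sainfo;
struct ph1handle;
struct ph2handle;
struct secpolicy;

/* Node allocation and list insertion for the saprop/saproto/satrns chains. */
extern struct saprop *newsaprop __P((void));
extern struct saproto *newsaproto __P((void));
extern void inssaprop __P((struct saprop **, struct saprop *));
extern void inssaproto __P((struct saprop *, struct saproto *));
extern void inssaprotorev __P((struct saprop *, struct saproto *));
extern struct satrns *newsatrns __P((void));
extern void inssatrns __P((struct saproto *, struct satrns *));

/*
 * Proposal comparison/selection.  NOTE(review): the trailing int of
 * cmpsaprop_alloc() and cmpsatrns() is presumably the PROP_CHECK_* level
 * -- confirm against the definitions.
 */
extern struct saprop *cmpsaprop_alloc __P((struct ph1handle *,
	const struct saprop *, const struct saprop *, int));
extern int cmpsaprop __P((const struct saprop *, const struct saprop *));
extern int cmpsatrns __P((int, const struct satrns *, const struct satrns *, int));
extern int set_satrnsbysainfo __P((struct saproto *, struct sainfo *));

/* prop_pair conversion (see the diagram above) and release. */
extern struct saprop *aproppair2saprop __P((struct prop_pair *));
extern void free_proppair __P((struct prop_pair **));

/* Release of whole chains. */
extern void flushsaprop __P((struct saprop *));
extern void flushsaproto __P((struct saproto *));
extern void flushsatrns __P((struct satrns *));

/* Debug dumps; the leading int is presumably a log level -- TODO confirm. */
extern void printsaprop __P((const int, const struct saprop *));
extern void printsaprop0 __P((const int, const struct saprop *));
extern void printsaproto __P((const int, const struct saproto *));
extern void printsatrns __P((const int, const int, const struct satrns *));
extern void print_proppair0 __P((int, struct prop_pair *, int));
extern void print_proppair __P((int, struct prop_pair *));

/* Phase-2 proposal construction from local policy or from the peer's proposal. */
extern int set_proposal_from_policy __P((struct ph2handle *,
	struct secpolicy *, struct secpolicy *));
extern int set_proposal_from_proposal __P((struct ph2handle *));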

#endif /* _PROPOSAL_H */