1 /* $NetBSD: proposal.h,v 1.8 2025/03/07 15:55:29 christos Exp $ */ 2 3 /* Id: proposal.h,v 1.5 2004/06/11 16:00:17 ludvigm Exp */ 4 5 /* 6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 7 * All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 3. Neither the name of the project nor the names of its contributors 18 * may be used to endorse or promote products derived from this software 19 * without specific prior written permission. 20 * 21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 31 * SUCH DAMAGE. 32 */ 33 34 #ifndef _PROPOSAL_H 35 #define _PROPOSAL_H 36 37 #include <sys/queue.h> 38 39 /* 40 * A. chained list of transform, only for single proto_id 41 * (this is same as set of transforms in single proposal payload) 42 * B. proposal. this will point to multiple (A) items (order is important 43 * here so pointer to (A) must be ordered array, or chained list). 44 * this covers multiple proposal on a packet if proposal # is the same. 45 * C. finally, (B) needs to be connected as chained list. 46 * 47 * head ---> prop[.......] ---> prop[...] ---> prop[...] ---> ... 48 * | | | | 49 * | | | +- proto4 <== must preserve order here 50 * | | +--- proto3 51 * | +----- proto2 52 * +------- proto1[trans1, trans2, trans3, ...] 53 * 54 * incoming packets needs to be parsed to construct the same structure 55 * (check "prop_pair" too). 56 */ 57 /* SA proposal specification */ 58 struct saprop { 59 int prop_no; 60 time_t lifetime; 61 int lifebyte; 62 int pfs_group; /* pfs group */ 63 int claim; /* flag to send RESPONDER-LIFETIME. */ 64 /* XXX assumed DOI values are 1 or 2. */ 65 #ifdef HAVE_SECCTX 66 struct security_ctx sctx; /* security context structure */ 67 #endif 68 struct saproto *head; 69 struct saprop *next; 70 }; 71 72 /* SA protocol specification */ 73 struct saproto { 74 int proto_id; 75 size_t spisize; /* spi size */ 76 int encmode; /* encryption mode */ 77 78 int udp_encap; /* UDP encapsulation */ 79 80 /* XXX should be vchar_t * */ 81 /* these are network byte order */ 82 uint32_t spi; /* inbound. i.e. --SA-> me */ 83 uint32_t spi_p; /* outbound. i.e. me -SA-> */ 84 85 vchar_t *keymat; /* KEYMAT */ 86 vchar_t *keymat_p; /* peer's KEYMAT */ 87 88 int reqid_out; /* request id (outbound) */ 89 int reqid_in; /* request id (inbound) */ 90 91 int ok; /* if 1, success to set SA in kernel */ 92 93 struct satrns *head; /* header of transform */ 94 struct saproto *next; /* next protocol */ 95 }; 96 97 /* SA algorithm specification */ 98 struct satrns { 99 int trns_no; 100 int trns_id; /* transform id */ 101 int encklen; /* key length of encryption algorithm */ 102 int authtype; /* authentication algorithm if ESP */ 103 104 struct satrns *next; /* next transform */ 105 }; 106 107 /* 108 * prop_pair: (proposal number, transform number) 109 * 110 * (SA (P1 (T1 T2)) (P1' (T1' T2')) (P2 (T1" T2"))) 111 * 112 * p[1] p[2] 113 * top (P1,T1) (P2",T1") 114 * | |tnext |tnext 115 * | v v 116 * | (P1, T2) (P2", T2") 117 * v next 118 * (P1', T1') 119 * |tnext 120 * v 121 * (P1', T2') 122 * 123 * when we convert it to saprop in prop2saprop(), it should become like: 124 * 125 * (next) 126 * saprop --------------------> saprop 127 * | (head) | (head) 128 * +-> saproto +-> saproto 129 * | | (head) | (head) 130 * | +-> satrns(P1 T1) +-> satrns(P2" T1") 131 * | | (next) | (next) 132 * | v v 133 * | satrns(P1, T2) satrns(P2", T2") 134 * v (next) 135 * saproto 136 * | (head) 137 * +-> satrns(P1' T1') 138 * | (next) 139 * v 140 * satrns(P1', T2') 141 */ 142 struct prop_pair { 143 struct isakmp_pl_p *prop; 144 struct isakmp_pl_t *trns; 145 struct prop_pair *next; /* next prop_pair with same proposal # */ 146 /* (bundle case) */ 147 struct prop_pair *tnext; /* next prop_pair in same proposal payload */ 148 /* (multiple tranform case) */ 149 }; 150 #define MAXPROPPAIRLEN 256 /* It's enough because field size is 1 octet. */ 151 152 /* 153 * Lifetime length selection refered to the section 4.5.4 of RFC2407. It does 154 * not completely conform to the description of RFC. There are four types of 155 * the behavior. If the value of "proposal_check" in "remote" directive is; 156 * "obey" 157 * the responder obey the initiator anytime. 158 * "strict" 159 * If the responder's length is longer than the initiator's one, the 160 * responder uses the intitiator's one. Otherwise rejects the proposal. 161 * If PFS is not required by the responder, the responder obeys the 162 * proposal. If PFS is required by both sides and if the responder's 163 * group is not equal to the initiator's one, then the responder reject 164 * the proposal. 165 * "claim" 166 * If the responder's length is longer than the initiator's one, the 167 * responder use the intitiator's one. If the responder's length is 168 * shorter than the initiator's one, the responder uses own length 169 * AND send RESPONDER-LIFETIME notify message to a initiator in the 170 * case of lifetime. 171 * About PFS, this directive is same as "strict". 172 * "exact" 173 * If the initiator's length is not equal to the responder's one, the 174 * responder rejects the proposal. 175 * If PFS is required and if the responder's group is not equal to 176 * the initiator's one, then the responder reject the proposal. 177 * XXX should be defined the behavior of key length. 178 */ 179 #define PROP_CHECK_OBEY 1 180 #define PROP_CHECK_STRICT 2 181 #define PROP_CHECK_CLAIM 3 182 #define PROP_CHECK_EXACT 4 183 184 struct sainfo; 185 struct ph1handle; 186 struct secpolicy; 187 extern struct saprop *newsaprop(void); 188 extern struct saproto *newsaproto(void); 189 extern void inssaprop(struct saprop **, struct saprop *); 190 extern void inssaproto(struct saprop *, struct saproto *); 191 extern void inssaprotorev(struct saprop *, struct saproto *); 192 extern struct satrns *newsatrns(void); 193 extern void inssatrns(struct saproto *, struct satrns *); 194 extern struct saprop *cmpsaprop_alloc(struct ph1handle *, 195 const struct saprop *, const struct saprop *, int); 196 extern int cmpsaprop(const struct saprop *, const struct saprop *); 197 extern int cmpsatrns(int, const struct satrns *, const struct satrns *, int); 198 extern int set_satrnsbysainfo(struct saproto *, struct sainfo *); 199 extern struct saprop *aproppair2saprop(struct prop_pair *); 200 extern void free_proppair(struct prop_pair **); 201 extern void flushsaprop(struct saprop *); 202 extern void flushsaproto(struct saproto *); 203 extern void flushsatrns(struct satrns *); 204 extern void printsaprop(const int, const struct saprop *); 205 extern void printsaprop0(const int, const struct saprop *); 206 extern void printsaproto(const int, const struct saproto *); 207 extern void printsatrns(const int, const int, const struct satrns *); 208 extern void print_proppair0(int, struct prop_pair *, int); 209 extern void print_proppair(int, struct prop_pair *); 210 extern int set_proposal_from_policy(struct ph2handle *, 211 struct secpolicy *, struct secpolicy *); 212 extern int set_proposal_from_proposal(struct ph2handle *); 213 214 #endif /* _PROPOSAL_H */ 215