1 /*	$NetBSD: proposal.h,v 1.6 2006/12/09 05:52:57 manu Exp $	*/
2 
3 /* Id: proposal.h,v 1.5 2004/06/11 16:00:17 ludvigm Exp */
4 
5 /*
6  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  * 3. Neither the name of the project nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #ifndef _PROPOSAL_H
35 #define _PROPOSAL_H
36 
37 #include <sys/queue.h>
38 
39 /*
40  *   A. chained list of transform, only for single proto_id
41  *      (this is same as set of transforms in single proposal payload)
42  *   B. proposal.  this will point to multiple (A) items (order is important
43  *      here so pointer to (A) must be ordered array, or chained list).
44  *      this covers multiple proposal on a packet if proposal # is the same.
45  *   C. finally, (B) needs to be connected as chained list.
46  *
47  * 	head ---> prop[.......] ---> prop[...] ---> prop[...] ---> ...
48  * 	               | | | |
49  * 	               | | | +- proto4  <== must preserve order here
50  * 	               | | +--- proto3
51  * 	               | +----- proto2
52  * 	               +------- proto1[trans1, trans2, trans3, ...]
53  *
54  *   incoming packets needs to be parsed to construct the same structure
55  *   (check "prop_pair" too).
56  */
57 /* SA proposal specification */
58 struct saprop {
59 	int prop_no;
60 	time_t lifetime;
61 	int lifebyte;
62 	int pfs_group;			/* pfs group */
63 	int claim;			/* flag to send RESPONDER-LIFETIME. */
64 					/* XXX assumed DOI values are 1 or 2. */
65 #ifdef HAVE_SECCTX
66 	struct security_ctx sctx;       /* security context structure */
67 #endif
68 	struct saproto *head;
69 	struct saprop *next;
70 };
71 
72 /* SA protocol specification */
73 struct saproto {
74 	int proto_id;
75 	size_t spisize;			/* spi size */
76 	int encmode;			/* encryption mode */
77 
78 	int udp_encap;			/* UDP encapsulation */
79 
80 	/* XXX should be vchar_t * */
81 	/* these are network byte order */
82 	u_int32_t spi;			/* inbound. i.e. --SA-> me */
83 	u_int32_t spi_p;		/* outbound. i.e. me -SA-> */
84 
85 	vchar_t *keymat;		/* KEYMAT */
86 	vchar_t *keymat_p;		/* peer's KEYMAT */
87 
88 	int reqid_out;			/* request id (outbound) */
89 	int reqid_in;			/* request id (inbound) */
90 
91 	int ok;				/* if 1, success to set SA in kenrel */
92 
93 	struct satrns *head;		/* header of transform */
94 	struct saproto *next;		/* next protocol */
95 };
96 
97 /* SA algorithm specification */
98 struct satrns {
99 	int trns_no;
100 	int trns_id;			/* transform id */
101 	int encklen;			/* key length of encryption algorithm */
102 	int authtype;			/* authentication algorithm if ESP */
103 
104 	struct satrns *next;		/* next transform */
105 };
106 
107 /*
108  * prop_pair: (proposal number, transform number)
109  *
110  *	(SA (P1 (T1 T2)) (P1' (T1' T2')) (P2 (T1" T2")))
111  *
112  *              p[1]      p[2]
113  *      top     (P1,T1)   (P2",T1")
114  *		 |  |tnext     |tnext
115  *		 |  v          v
116  *		 | (P1, T2)   (P2", T2")
117  *		 v next
118  *		(P1', T1')
119  *		    |tnext
120  *		    v
121  *		   (P1', T2')
122  *
123  * when we convert it to saprop in prop2saprop(), it should become like:
124  *
125  * 		 (next)
126  * 	saprop --------------------> saprop
127  * 	 | (head)                     | (head)
128  * 	 +-> saproto                  +-> saproto
129  * 	      | | (head)                     | (head)
130  * 	      | +-> satrns(P1 T1)            +-> satrns(P2" T1")
131  * 	      |      | (next)                     | (next)
132  * 	      |      v                            v
133  * 	      |     satrns(P1, T2)               satrns(P2", T2")
134  * 	      v (next)
135  * 	     saproto
136  * 		| (head)
137  * 		+-> satrns(P1' T1')
138  * 		     | (next)
139  * 		     v
140  * 		    satrns(P1', T2')
141  */
142 struct prop_pair {
143 	struct isakmp_pl_p *prop;
144 	struct isakmp_pl_t *trns;
145 	struct prop_pair *next;	/* next prop_pair with same proposal # */
146 				/* (bundle case) */
147 	struct prop_pair *tnext; /* next prop_pair in same proposal payload */
148 				/* (multiple tranform case) */
149 };
150 #define MAXPROPPAIRLEN	256	/* It's enough because field size is 1 octet. */
151 
152 /*
153  * Lifetime length selection refered to the section 4.5.4 of RFC2407.  It does
154  * not completely conform to the description of RFC.  There are four types of
155  * the behavior.  If the value of "proposal_check" in "remote" directive is;
156  *     "obey"
157  *         the responder obey the initiator anytime.
158  *     "strict"
159  *         If the responder's length is longer than the initiator's one, the
160  *         responder uses the intitiator's one.  Otherwise rejects the proposal.
161  *         If PFS is not required by the responder, the responder obeys the
162  *         proposal.  If PFS is required by both sides and if the responder's
163  *         group is not equal to the initiator's one, then the responder reject
164  *         the proposal.
165  *     "claim"
166  *         If the responder's length is longer than the initiator's one, the
167  *         responder use the intitiator's one.  If the responder's length is
168  *         shorter than the initiator's one, the responder uses own length
169  *         AND send RESPONDER-LIFETIME notify message to a initiator in the
170  *         case of lifetime.
171  *         About PFS, this directive is same as "strict".
172  *     "exact"
173  *         If the initiator's length is not equal to the responder's one, the
174  *         responder rejects the proposal.
175  *         If PFS is required and if the responder's group is not equal to
176  *         the initiator's one, then the responder reject the proposal.
177  * XXX should be defined the behavior of key length.
178  */
179 #define PROP_CHECK_OBEY		1
180 #define PROP_CHECK_STRICT	2
181 #define PROP_CHECK_CLAIM	3
182 #define PROP_CHECK_EXACT	4
183 
184 struct sainfo;
185 struct ph1handle;
186 struct secpolicy;
187 extern struct saprop *newsaprop __P((void));
188 extern struct saproto *newsaproto __P((void));
189 extern void inssaprop __P((struct saprop **, struct saprop *));
190 extern void inssaproto __P((struct saprop *, struct saproto *));
191 extern void inssaprotorev __P((struct saprop *, struct saproto *));
192 extern struct satrns *newsatrns __P((void));
193 extern void inssatrns __P((struct saproto *, struct satrns *));
194 extern struct saprop *cmpsaprop_alloc __P((struct ph1handle *,
195 	const struct saprop *, const struct saprop *, int));
196 extern int cmpsaprop __P((const struct saprop *, const struct saprop *));
197 extern int cmpsatrns __P((int, const struct satrns *, const struct satrns *, int));
198 extern int set_satrnsbysainfo __P((struct saproto *, struct sainfo *));
199 extern struct saprop *aproppair2saprop __P((struct prop_pair *));
200 extern void free_proppair __P((struct prop_pair **));
201 extern void flushsaprop __P((struct saprop *));
202 extern void flushsaproto __P((struct saproto *));
203 extern void flushsatrns __P((struct satrns *));
204 extern void printsaprop __P((const int, const struct saprop *));
205 extern void printsaprop0 __P((const int, const struct saprop *));
206 extern void printsaproto __P((const int, const struct saproto *));
207 extern void printsatrns __P((const int, const int, const struct satrns *));
208 extern void print_proppair0 __P((int, struct prop_pair *, int));
209 extern void print_proppair __P((int, struct prop_pair *));
210 extern int set_proposal_from_policy __P((struct ph2handle *,
211 	struct secpolicy *, struct secpolicy *));
212 extern int set_proposal_from_proposal __P((struct ph2handle *));
213 
214 #endif /* _PROPOSAL_H */
215