1 /* manifest constants
2 * Copyright (C) 1997 Angelos D. Keromytis.
3 * Copyright (C) 1998-2002 D. Hugh Redelmeier.
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #ifndef _CONSTANTS_H
17 #define _CONSTANTS_H
18
19 #include <utils.h>
20 #include <utils/identification.h>
21 #include <crypto/hashers/hasher.h>
22
/* Human-readable summary of the interoperability options this build was
 * compiled with; defined elsewhere (presumably in constants.c). */
extern const char compile_time_interop_options[];

/* Initialise the number-to-name tables kept in constants.c. */
extern void init_constants(void);
26
27 /*
28 * NOTE: For debugging purposes, constants.c has tables to map numbers back to names.
29 * Any changes here should be reflected there.
30 */
31
32 /* Many routines return only success or failure, but wish to describe
33 * the failure in a message. We use the convention that they return
34 * a NULL on success and a pointer to constant string on failure.
35 * The fact that the string is a constant is limiting, but it
36 * avoids storage management issues: the recipient is allowed to assume
37 * that the string will live "long enough" (usually forever).
38 * <freeswan.h> defines err_t for this return type.
39 */
40
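#define NULL_FD (-1) /* NULL file descriptor */

/* Duplicate fd, or yield NULL_FD when fd is NULL_FD.
 * NOTE: the argument is evaluated twice -- never pass an expression with
 * side effects. */
#define dup_any(fd) ((fd) == NULL_FD? NULL_FD : dup(fd))

/* Close fd if it is open and reset the variable to NULL_FD, so that a
 * second close_any() on the same variable is a no-op (no double close).
 * Wrapped in do { } while (0) so the macro is a single statement: the
 * former bare { } block followed by the caller's ';' made
 * "if (c) close_any(fd); else ..." a syntax error, because the ';'
 * terminated the if before the else. */
#define close_any(fd) do { if ((fd) != NULL_FD) { close(fd); (fd) = NULL_FD; } } while (0)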
44
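/* set type with room for at least 64 elements for ALG opts (was 32 in stock FS) */

typedef unsigned long long lset_t;
#define LEMPTY 0ULL
#define LELEM(opt) (1ULL << (opt)) /* singleton set {opt}; opt must be < 64 */
#define LRANGE(lwb, upb) LRANGES(LELEM(lwb), LELEM(upb)) /* {lwb .. upb}, inclusive */
/* Set of all bits from single-bit `first` up to single-bit `last`, inclusive:
 * 2*last - first. Both operands must be powers of two with first <= last.
 * Arguments are parenthesised so an unparenthesised expression such as
 * 1ULL << n can be passed without being mis-associated with the + and -. */
#define LRANGES(first, last) ((last) - (first) + (last))
#define LHAS(set, elem) ((LELEM(elem) & (set)) != LEMPTY) /* elem in set? */
#define LIN(subset, set) (((subset) & (set)) == (subset)) /* subset of set? */
#define LDISJOINT(a, b) (((a) & (b)) == LEMPTY) /* no common element? */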
55
/* Control and lock pathnames.
 * Both directory settings can be overridden at build time (-D...). */
#ifndef IPSEC_PIDDIR
# define IPSEC_PIDDIR "/var/run"
#endif
#ifndef DEFAULT_CTLBASE
# define DEFAULT_CTLBASE IPSEC_PIDDIR "/pluto" /* base path; a suffix below is appended */
#endif

#define CTL_SUFFIX ".ctl" /* for UNIX domain socket pathname */
#define LOCK_SUFFIX ".pid" /* for pluto's lock */
#define INFO_SUFFIX ".info" /* for UNIX domain socket for apps */
67
68 /* Routines to check and display values.
69 *
70 * An enum_names describes an enumeration.
71 * enum_name() returns the name of an enum value, or NULL if invalid.
72 * enum_show() is like enum_name, except it formats a numeric representation
73 * for any invalid value (in a static area!)
74 *
75 * bitnames() formats a display of a set of named bits (in a static area)
76 */
77
/* Descriptor of one contiguous range of enumeration values and their names.
 * Non-contiguous enumerations are described by a chain of these linked
 * through en_next_range. */
struct enum_names {
    unsigned long en_first; /* first value in range */
    unsigned long en_last; /* last value in range (inclusive) */
    const char *const *en_names; /* names of the range; presumably indexed by val - en_first -- see enum_name() in constants.c */
    const struct enum_names *en_next_range; /* descriptor of next range (presumably NULL at the end of the chain) */
};
84
typedef const struct enum_names enum_names;

/* Name of val in ed, or NULL if val is not described by ed. */
extern const char *enum_name(enum_names *ed, unsigned long val);
/* Like enum_name(), but renders unknown values numerically into a static
 * buffer -- the result is overwritten by the next call, not reentrant. */
extern const char *enum_show(enum_names *ed, unsigned long val);
/* Reverse lookup of a name; the meaning of the int result is not documented here. */
extern int enum_search(enum_names *ed, const char *string);

/* Bit-set display helpers; table holds one name per bit position. */
extern bool testset(const char *const table[], lset_t val);
extern const char *bitnamesof(const char *const table[], lset_t val); /* static buffer, see comment above */
93
94 /* sparse_names is much like enum_names, except values are
95 * not known to be contiguous or ordered.
96 * The array of names is ended with one with the name sparse_end
97 * (this avoids having to reserve a value to signify the end).
98 * Often appropriate for enums defined by others.
99 */
/* One (value, name) pair of a sparse_names table. */
struct sparse_name {
    unsigned long val;
    const char *const name; /* sparse_end marks the final entry */
};
typedef const struct sparse_name sparse_names[];

/* Name of val in sd, or NULL if absent (presumably, by analogy with enum_name()). */
extern const char *sparse_name(sparse_names sd, unsigned long val);
/* Like sparse_name() but renders unknown values numerically (presumably in a static buffer, like enum_show()). */
extern const char *sparse_val_show(sparse_names sd, unsigned long val);
/* Sentinel name that terminates every sparse_names table. */
extern const char sparse_end[];
109
#define FULL_INET_ADDRESS_SIZE 6

/* limits on nonce sizes. See RFC2409 "The internet key exchange (IKE)" 5.
 * Received nonces outside [MINIMUM_NONCE_SIZE, MAXIMUM_NONCE_SIZE] should be rejected. */
#define MINIMUM_NONCE_SIZE 8 /* bytes */
#define DEFAULT_NONCE_SIZE 16 /* bytes */
#define MAXIMUM_NONCE_SIZE 256 /* bytes */

#define COOKIE_SIZE 8 /* ISAKMP header initiator/responder cookie, bytes */
#define MAX_ISAKMP_SPI_SIZE 16

#define DES_CBC_BLOCK_SIZE (64 / BITS_PER_BYTE) /* BITS_PER_BYTE is provided by an included header */

/* Maximum is required for SHA2_512 */
#define MAX_DIGEST_LEN HASH_SIZE_SHA512 /* HASH_SIZE_* presumably from crypto/hashers/hasher.h (included above) */

/* RFC 2404 "HMAC-SHA-1-96" section 3 */
#define HMAC_SHA1_KEY_LEN HASH_SIZE_SHA1

/* RFC 2403 "HMAC-MD5-96" section 3 */
#define HMAC_MD5_KEY_LEN HASH_SIZE_MD5

#define IKE_UDP_PORT 500
132
133 /* IPsec AH transform values
134 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.3
135 * and in http://www.iana.org/assignments/isakmp-registry
136 */
/* AH transform identifiers as carried on the wire; value 1 is not assigned here. */
enum ipsec_authentication_algo {
    AH_NONE = 0,
    AH_MD5 = 2,
    AH_SHA = 3,
    AH_DES = 4,
    AH_SHA2_256 = 5,
    AH_SHA2_384 = 6,
    AH_SHA2_512 = 7,
    AH_RIPEMD = 8,
    AH_AES_XCBC_MAC = 9,
    AH_RSA = 10
};

/* name table for enum ipsec_authentication_algo (constants.c) */
extern enum_names ah_transformid_names;
151
152 /* IPsec ESP transform values
153 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.4
154 * and from http://www.iana.org/assignments/isakmp-registry
155 */
156
/* ESP transform identifiers as carried on the wire. */
enum ipsec_cipher_algo {
    ESP_NONE = 0,
    ESP_DES_IV64 = 1,
    ESP_DES = 2,
    ESP_3DES = 3,
    ESP_RC5 = 4,
    ESP_IDEA = 5,
    ESP_CAST = 6,
    ESP_BLOWFISH = 7,
    ESP_3IDEA = 8,
    ESP_DES_IV32 = 9,
    ESP_RC4 = 10,
    ESP_NULL = 11, /* no encryption -- integrity only */
    ESP_AES = 12,
    ESP_AES_CTR = 13,
    ESP_AES_CCM_8 = 14,
    ESP_AES_CCM_12 = 15,
    ESP_AES_CCM_16 = 16,
    ESP_UNASSIGNED_17 = 17, /* placeholder keeping the numbering explicit */
    ESP_AES_GCM_8 = 18,
    ESP_AES_GCM_12 = 19,
    ESP_AES_GCM_16 = 20,
    ESP_SEED_CBC = 21,
    ESP_CAMELLIA = 22,
    ESP_SERPENT = 252, /* private-use value */
    ESP_TWOFISH = 253 /* private-use value */
};

/* name table for enum ipsec_cipher_algo (constants.c) */
extern enum_names esp_transformid_names;
186
187 /* IPCOMP transform values
188 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.5
189 */
190
/* IPCOMP transform identifiers as carried on the wire. */
enum ipsec_comp_algo {
    IPSCOMP_NONE = 0, /* sic: "IPSCOMP_" prefix kept for source compatibility */
    IPCOMP_OUI = 1,
    IPCOMP_DEFLATE = 2,
    IPCOMP_LZS = 3,
    IPCOMP_LZJH = 4
};

/* name table for enum ipsec_comp_algo (constants.c) */
extern enum_names ipcomp_transformid_names;
200
201 /* Certificate type values
202 * RFC 2408 ISAKMP, chapter 3.9
203 */
/* Certificate Encoding values of the ISAKMP CERT / CR payloads. */
enum ipsec_cert_type {
    CERT_NONE = 0,
    CERT_PKCS7_WRAPPED_X509 = 1,
    CERT_PGP = 2,
    CERT_DNS_SIGNED_KEY = 3,
    CERT_X509_SIGNATURE = 4,
    CERT_X509_KEY_EXCHANGE = 5,
    CERT_KERBEROS_TOKENS = 6,
    CERT_CRL = 7,
    CERT_ARL = 8,
    CERT_SPKI = 9,
    CERT_X509_ATTRIBUTE = 10,
    CERT_RAW_RSA_KEY = 11
};
218
219 /* RFC 2560 OCSP - certificate status */
220
/* Certificate status as reported by OCSP; CERT_UNDEFINED is a local addition
 * (not an OCSP CertStatus value) for "no status known yet". */
typedef enum {
    CERT_GOOD = 0,
    CERT_REVOKED = 1,
    CERT_UNKNOWN = 2,
    CERT_UNDEFINED = 3
} cert_status_t;
227
228 /* RFC 2459 CRL reason codes */
229
/* name table for crl_reason_t -- note this uses enum_name_t (the libstrongswan
 * table type brought in through utils.h), not pluto's own enum_names */
extern enum_name_t *crl_reason_names;

/* CRLReason values; 7 is deliberately absent, as in the RFC. */
typedef enum {
    REASON_UNSPECIFIED = 0,
    REASON_KEY_COMPROMISE = 1,
    REASON_CA_COMPROMISE = 2,
    REASON_AFFILIATION_CHANGED = 3,
    REASON_SUPERSEDED = 4,
    REASON_CESSATION_OF_OPERATON = 5, /* sic: misspelling of "operation" kept for source compatibility */
    REASON_CERTIFICATE_HOLD = 6,
    REASON_REMOVE_FROM_CRL = 8
} crl_reason_t;
242
243 /* RFC 3706 Dead Peer Detection */
244
/* name table for dpd_action_t (enum_name_t, the libstrongswan table type) */
extern enum_name_t *dpd_action_names;

/* Local policy for what to do with a connection once the peer is declared dead;
 * these values are configuration, not protocol constants. */
typedef enum {
    DPD_ACTION_NONE = 0,
    DPD_ACTION_CLEAR = 1,
    DPD_ACTION_HOLD = 2,
    DPD_ACTION_RESTART = 3,
    DPD_ACTION_UNKNOWN = 4
} dpd_action_t;
254
255 /* Timer events */
256
/* name table for enum event_type (enum_name_t, the libstrongswan table type) */
extern enum_name_t *timer_event_names;

/* Kinds of timer events.
 * NOTE: EVENT_SHUNT_SCAN exists only under KLIPS, so the numeric values of
 * every enumerator after it depend on that build option; timer_event_names
 * must be built under the same configuration. */
enum event_type {
    EVENT_NULL, /* non-event */
    EVENT_REINIT_SECRET, /* Refresh cookie secret */
#ifdef KLIPS
    EVENT_SHUNT_SCAN, /* scan shunt eroutes known to kernel */
#endif
    EVENT_SO_DISCARD, /* discard unfinished state object */
    EVENT_RETRANSMIT, /* Retransmit packet */
    EVENT_SA_REPLACE, /* SA replacement event */
    EVENT_SA_REPLACE_IF_USED, /* SA replacement event */
    EVENT_SA_EXPIRE, /* SA expiration event */
    EVENT_NAT_T_KEEPALIVE, /* NAT Traversal Keepalive */
    EVENT_DPD, /* dead peer detection */
    EVENT_DPD_TIMEOUT, /* dead peer detection timeout */
    EVENT_LOG_DAILY /* reset certain log events/stats */
};
275
/* Timer intervals, in seconds. */
#define EVENT_REINIT_SECRET_DELAY 3600 /* 1 hour */
#define EVENT_RETRANSMIT_DELAY_0 10 /* 10 seconds */

/* Misc. stuff */

#define MAXIMUM_RETRANSMISSIONS 2
#define MAXIMUM_RETRANSMISSIONS_INITIAL 20

/* Upper bounds on a single UDP datagram, in bytes (the IPv4 maximum). */
#define MAX_INPUT_UDP_SIZE 65536
#define MAX_OUTPUT_UDP_SIZE 65536
287 /* Version numbers */
288
#define ISAKMP_MAJOR_VERSION 0x1
#define ISAKMP_MINOR_VERSION 0x0

/* name table for version numbers (constants.c) */
extern enum_names version_names;

/* Domain of Interpretation */

extern enum_names doi_names;

#define ISAKMP_DOI_ISAKMP 0
#define ISAKMP_DOI_IPSEC 1

/* IPsec DOI things */

#define IPSEC_DOI_SITUATION_LENGTH 4
#define IPSEC_DOI_LDI_LENGTH 4
#define IPSEC_DOI_SPI_SIZE 4

/* SPI value 0 is invalid and values 1-255 are reserved to IANA.
 * AH: RFC 2402 2.4; ESP: RFC 2406 2.1
 * (the original comment had the two RFC numbers swapped: 2402 is AH, 2406 is ESP)
 * IPComp RFC 2393 substitutes a CPI in the place of an SPI.
 * see also draft-shacham-ippcp-rfc2393bis-05.txt.
 * We (FreeS/WAN) reserve 0x100 to 0xFFF for manual keying, so
 * Pluto won't generate these values.
 */
#define IPSEC_DOI_SPI_MIN 0x100 /* smallest SPI that is valid at all */
#define IPSEC_DOI_SPI_OUR_MIN 0x1000 /* smallest SPI Pluto itself generates */
316
317 /* debugging settings: a set of selections for reporting
318 * These would be more naturally situated in log.h,
319 * but they are shared with whack.
320 * IMPAIR_* actually change behaviour, usually badly,
321 * to aid in testing. Naturally, these are not included in ALL.
322 *
323 * NOTE: changes here must be done in concert with changes to DBGOPT_*
324 * in whack.c. A change to WHACK_MAGIC in whack.h will be required too.
325 */
#ifdef DEBUG
/* one name per DBG_* / IMPAIR_* bit, for display (constants.c) */
extern const char *const debug_bit_names[];
#endif

#define DBG_RAW LELEM(0) /* raw packet I/O */
#define DBG_CRYPT LELEM(1) /* encryption/decryption of messages */
#define DBG_PARSING LELEM(2) /* show decoding of messages */
#define DBG_EMITTING LELEM(3) /* show encoding of messages */
#define DBG_CONTROL LELEM(4) /* control flow within Pluto */
#define DBG_LIFECYCLE LELEM(5) /* SA lifecycle */
#define DBG_KLIPS LELEM(6) /* messages to KLIPS */
#define DBG_DNS LELEM(7) /* DNS activity */
#define DBG_NATT LELEM(8) /* NAT-T */
#define DBG_OPPO LELEM(9) /* opportunism */
#define DBG_CONTROLMORE LELEM(10) /* more detailed debugging */

/* Logs private information (keying material): DANGER! Deliberately kept out
 * of DBG_ALL below, so it can only be enabled explicitly. */
#define DBG_PRIVATE LELEM(11)

#define IMPAIR0 12 /* first bit for IMPAIR_* */

#define IMPAIR_DELAY_ADNS_KEY_ANSWER LELEM(IMPAIR0+0) /* sleep before answering */
#define IMPAIR_DELAY_ADNS_TXT_ANSWER LELEM(IMPAIR0+1) /* sleep before answering */
#define IMPAIR_BUST_MI2 LELEM(IMPAIR0+2) /* make MI2 really large */
#define IMPAIR_BUST_MR2 LELEM(IMPAIR0+3) /* make MI2 really large (comment copied from IMPAIR_BUST_MI2; presumably MR2 is meant) */

#define DBG_NONE 0 /* no options on, including impairments */
/* bits 0..10 only: excludes DBG_PRIVATE (bit 11) and every IMPAIR_* bit */
#define DBG_ALL LRANGES(DBG_RAW, DBG_CONTROLMORE) /* all logging options on EXCEPT DBG_PRIVATE */
353
354 /* State of exchanges
355 *
356 * The name of the state describes the last message sent, not the
357 * message currently being input or output (except during retry).
358 * In effect, the state represents the last completed action.
359 *
360 * Messages are named [MQ][IR]n where
361 * - M stands for Main Mode (Phase 1);
362 * Q stands for Quick Mode (Phase 2)
363 * - I stands for Initiator;
364 * R stands for Responder
365 * - n, a digit, stands for the number of the message
366 *
367 * It would be more convenient if each state accepted a message
368 * and produced one. This is the case for states at the start
369 * or end of an exchange. To fix this, we pretend that there are
370 * MR0 and QR0 messages before the MI1 and QR1 messages. Similarly,
371 * we pretend that there are MR4 and QR2 messages.
372 *
373 * STATE_MAIN_R0 and STATE_QUICK_R0 are intermediate states (not
374 * retained between messages) representing the state that accepts the
375 * first message of an exchange has been read but not processed.
376 *
377 * state_microcode state_microcode_table in demux.c describes
378 * other important details.
379 */
380
/* name table and one-line description per state (constants.c) */
extern enum_names state_names;
extern const char *const state_story[];

/* Protocol states.
 * The ORDER of the enumerators is significant: IS_PHASE1(), IS_QUICK(),
 * IS_ISAKMP_ENCRYPTED() and STATE_IKE_FLOOR below are range comparisons
 * on these values, and the LELEM()-based state sets require every value
 * to be < 64 (STATE_IKE_ROOF evaluates to 32 here). */
enum state_kind {
    STATE_UNDEFINED, /* 0 -- most likely accident */

    /* Opportunism states: see "Opportunistic Encryption" 2.2 */

    OPPO_ACQUIRE, /* got an ACQUIRE message for this pair */
    OPPO_GW_DISCOVERED, /* got TXT specifying gateway */

    /* IKE states */

    STATE_MAIN_R0,
    STATE_MAIN_I1,
    STATE_MAIN_R1,
    STATE_MAIN_I2,
    STATE_MAIN_R2,
    STATE_MAIN_I3,
    STATE_MAIN_R3,
    STATE_MAIN_I4,

    STATE_QUICK_R0,
    STATE_QUICK_I1,
    STATE_QUICK_R1,
    STATE_QUICK_I2,
    STATE_QUICK_R2,

    STATE_INFO,
    STATE_INFO_PROTECTED,

    /* XAUTH states */

    STATE_XAUTH_I0, /* initiator state (client) */
    STATE_XAUTH_R1, /* responder state (server) */
    STATE_XAUTH_I1,
    STATE_XAUTH_R2,
    STATE_XAUTH_I2,
    STATE_XAUTH_R3,

    /* Mode Config pull states */

    STATE_MODE_CFG_R0, /* responder state (server) */
    STATE_MODE_CFG_I1, /* initiator state (client) */
    STATE_MODE_CFG_R1,
    STATE_MODE_CFG_I2,

    /* Mode Config push states */

    STATE_MODE_CFG_I0, /* initiator state (client) */
    STATE_MODE_CFG_R3, /* responder state (server) */
    STATE_MODE_CFG_I3,
    STATE_MODE_CFG_R4,

    STATE_IKE_ROOF /* one past the last real state */
};
437
#define STATE_IKE_FLOOR STATE_MAIN_R0 /* first IKE state; pairs with STATE_IKE_ROOF */

/* lset_t sets over enum state_kind (so all state values must be < 64). */
#define PHASE1_INITIATOR_STATES (LELEM(STATE_MAIN_I1) | LELEM(STATE_MAIN_I2) \
    | LELEM(STATE_MAIN_I3) | LELEM(STATE_MAIN_I4))
/* NOTE: this set is wider than IS_ISAKMP_SA_ESTABLISHED() below -- it also
 * contains the intermediate XAUTH and Mode Config states. */
#define ISAKMP_SA_ESTABLISHED_STATES ( \
    LELEM(STATE_MAIN_R3) | LELEM(STATE_MAIN_I4) \
    | LELEM(STATE_XAUTH_R1) | LELEM(STATE_XAUTH_R2) | LELEM(STATE_XAUTH_R3) \
    | LELEM(STATE_XAUTH_I1) | LELEM(STATE_XAUTH_I2) \
    | LELEM(STATE_MODE_CFG_I1) | LELEM(STATE_MODE_CFG_R1) | LELEM(STATE_MODE_CFG_I2) \
    | LELEM(STATE_MODE_CFG_R3) | LELEM(STATE_MODE_CFG_I3) | LELEM(STATE_MODE_CFG_R4))

/* Range tests: rely on the enumerator order in enum state_kind.
 * The third range covers both the Mode Config pull and push states. */
#define IS_PHASE1(s) ((STATE_MAIN_R0 <= (s) && (s) <= STATE_MAIN_I4) \
    || (STATE_XAUTH_I0 <= (s) && (s) <= STATE_XAUTH_R3) \
    || (STATE_MODE_CFG_R0 <= (s) && (s) <= STATE_MODE_CFG_R4))

#define IS_QUICK(s) (STATE_QUICK_R0 <= (s) && (s) <= STATE_QUICK_R2)
/* true for every state from STATE_MAIN_I2 upward, i.e. also for all Quick
 * Mode, Informational, XAUTH and Mode Config states (and STATE_IKE_ROOF) */
#define IS_ISAKMP_ENCRYPTED(s) (STATE_MAIN_I2 <= (s))

/* Only the final state of each Phase 1 / XAUTH / Mode Config exchange. */
#define IS_ISAKMP_SA_ESTABLISHED(s) ( \
    (s) == STATE_MAIN_R3 \
    || (s) == STATE_MAIN_I4 \
    || (s) == STATE_XAUTH_I2 \
    || (s) == STATE_XAUTH_R3 \
    || (s) == STATE_MODE_CFG_R1 \
    || (s) == STATE_MODE_CFG_I2 \
    || (s) == STATE_MODE_CFG_I3 \
    || (s) == STATE_MODE_CFG_R4)

#define IS_IPSEC_SA_ESTABLISHED(s) ((s) == STATE_QUICK_I2 || (s) == STATE_QUICK_R2)
#define IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(s) ((s) == STATE_QUICK_R1)
468
469 /* kind of struct connection
470 * Ordered (mostly) by concreteness. Order is exploited.
471 */
472
/* name table for enum connection_kind (constants.c) */
extern enum_names connection_kind_names;

/* Ordered from most abstract to most concrete; see the note above that the
 * order is exploited. */
enum connection_kind {
    CK_GROUP, /* policy group: instantiates to template */
    CK_TEMPLATE, /* abstract connection, with wildcard */
    CK_PERMANENT, /* normal connection */
    CK_INSTANCE, /* instance of template, created for a particular attempt */
    CK_GOING_AWAY /* instance being deleted -- don't delete again */
};
482
483
484 /* routing status.
485 * Note: routing ignores source address, but erouting does not!
486 * Note: a connection can only be routed if it is NEVER_NEGOTIATE
487 * or HAS_IPSEC_POLICY.
488 */
489
/* name table for enum routing_t (constants.c) */
extern enum_names routing_story;

/* note that this is assumed to be ordered! (routed() below is a range test) */
enum routing_t {
    RT_UNROUTED, /* unrouted */
    RT_UNROUTED_HOLD, /* unrouted, but HOLD shunt installed */
    RT_ROUTED_ECLIPSED, /* RT_ROUTED_PROSPECTIVE except bare HOLD or instance has eroute */
    RT_ROUTED_PROSPECTIVE, /* routed, and prospective shunt installed */
    RT_ROUTED_HOLD, /* routed, and HOLD shunt installed */
    RT_ROUTED_FAILURE, /* routed, and failure-context shunt installed */
    RT_ROUTED_TUNNEL, /* routed, and erouted to an IPSEC SA group */
    RT_UNROUTED_KEYED /* keyed, but not routed, on purpose */
};

/* NOTE(review): RT_UNROUTED_KEYED is the highest value, so routed(),
 * erouted() and shunt_erouted() all evaluate true for it despite its name;
 * confirm that is intended wherever these predicates are used. */
#define routed(rs) ((rs) > RT_UNROUTED_HOLD)
#define erouted(rs) ((rs) != RT_UNROUTED)
#define shunt_erouted(rs) (erouted(rs) && (rs) != RT_ROUTED_TUNNEL)
507
508 /* Payload types
509 * RFC2408 Internet Security Association and Key Management Protocol (ISAKMP)
510 * section 3.1
511 *
512 * RESERVED 14-127
513 * Private USE 128-255
514 */
515
/* name table and flat name array for payload types (constants.c) */
extern enum_names payload_names;
extern const char *const payload_name[];

#define ISAKMP_NEXT_NONE 0 /* No other payload following */
#define ISAKMP_NEXT_SA 1 /* Security Association */
#define ISAKMP_NEXT_P 2 /* Proposal */
#define ISAKMP_NEXT_T 3 /* Transform */
#define ISAKMP_NEXT_KE 4 /* Key Exchange */
#define ISAKMP_NEXT_ID 5 /* Identification */
#define ISAKMP_NEXT_CERT 6 /* Certificate */
#define ISAKMP_NEXT_CR 7 /* Certificate Request */
#define ISAKMP_NEXT_HASH 8 /* Hash */
#define ISAKMP_NEXT_SIG 9 /* Signature */
#define ISAKMP_NEXT_NONCE 10 /* Nonce */
#define ISAKMP_NEXT_N 11 /* Notification */
#define ISAKMP_NEXT_D 12 /* Delete */
#define ISAKMP_NEXT_VID 13 /* Vendor ID */
#define ISAKMP_NEXT_ATTR 14 /* Mode config Attribute */

#define ISAKMP_NEXT_NATD_RFC 20 /* NAT-Traversal: NAT-D (rfc) */
#define ISAKMP_NEXT_NATOA_RFC 21 /* NAT-Traversal: NAT-OA (rfc) */
#define ISAKMP_NEXT_ROOF 22 /* roof on payload types */

/* Private-use values from the NAT-T drafts. NOTE: these lie above
 * ISAKMP_NEXT_ROOF, so anything sized or bounded by the roof does not
 * cover them -- presumably handled specially by the parser. */
#define ISAKMP_NEXT_NATD_DRAFTS 130 /* NAT-Traversal: NAT-D (drafts) */
#define ISAKMP_NEXT_NATOA_DRAFTS 131 /* NAT-Traversal: NAT-OA (drafts) */
541
542 /* These values are to be used within the Type field of an Attribute (14)
543 * ISAKMP payload.
544 */
/* Mode Config message types (Type field of the Attribute payload). */
#define ISAKMP_CFG_REQUEST 1
#define ISAKMP_CFG_REPLY 2
#define ISAKMP_CFG_SET 3
#define ISAKMP_CFG_ACK 4

/* name table for the ISAKMP_CFG_* values (constants.c) */
extern enum_names attr_msg_type_names;
551
552 /* Mode Config attribute values */
/* Mode Config attribute types (standard range). */
#define INTERNAL_IP4_ADDRESS 1
#define INTERNAL_IP4_NETMASK 2
#define INTERNAL_IP4_DNS 3
#define INTERNAL_IP4_NBNS 4
#define INTERNAL_ADDRESS_EXPIRY 5
#define INTERNAL_IP4_DHCP 6
#define APPLICATION_VERSION 7
#define INTERNAL_IP6_ADDRESS 8
#define INTERNAL_IP6_NETMASK 9
#define INTERNAL_IP6_DNS 10
#define INTERNAL_IP6_NBNS 11
#define INTERNAL_IP6_DHCP 12
#define INTERNAL_IP4_SUBNET 13
#define SUPPORTED_ATTRIBUTES 14
#define INTERNAL_IP6_SUBNET 15


/* name table for the Mode Config attribute types above (constants.c) */
extern enum_names modecfg_attr_names;
571
572 /* XAUTH attribute values */
/* XAUTH attribute types; a contiguous block starting at XAUTH_BASE. */
#define XAUTH_TYPE 16520
#define XAUTH_USER_NAME 16521
#define XAUTH_USER_PASSWORD 16522 /* carries a credential -- must never be logged */
#define XAUTH_PASSCODE 16523 /* carries a credential -- must never be logged */
#define XAUTH_MESSAGE 16524
#define XAUTH_CHALLENGE 16525
#define XAUTH_DOMAIN 16526
#define XAUTH_STATUS 16527
#define XAUTH_NEXT_PIN 16528
#define XAUTH_ANSWER 16529

#define XAUTH_BASE XAUTH_TYPE /* first value of the block */

/* name table for the XAUTH_* attribute types (constants.c) */
extern enum_names xauth_attr_names;
587
588 /* ISAKMP mode config attributes specific to Microsoft */
/* Vendor-specific Mode Config attribute types (Microsoft). */
#define INTERNAL_IP4_SERVER 23456
#define INTERNAL_IP6_SERVER 23457

/* name table for the Microsoft attribute types (constants.c) */
extern enum_names microsoft_attr_names;
593
594 /* ISAKMP mode config attributes specific to the Unity vendor ID */
/* Vendor-specific Mode Config attribute types (Cisco Unity);
 * a contiguous block starting at UNITY_BASE. */
#define UNITY_BANNER 28672
#define UNITY_SAVE_PASSWD 28673
#define UNITY_DEF_DOMAIN 28674
#define UNITY_SPLITDNS_NAME 28675
#define UNITY_SPLIT_INCLUDE 28676
#define UNITY_NATT_PORT 28677
#define UNITY_LOCAL_LAN 28678
#define UNITY_PFS 28679
#define UNITY_FW_TYPE 28680
#define UNITY_BACKUP_SERVERS 28681
#define UNITY_DDNS_HOSTNAME 28682

#define UNITY_BASE UNITY_BANNER /* first value of the block */

/* name table for the UNITY_* attribute types (constants.c) */
extern enum_names unity_attr_names;
610
611 /* XAUTH authentication types */
/* XAUTH authentication types (values of the XAUTH_TYPE attribute) */
#define XAUTH_TYPE_GENERIC 0
#define XAUTH_TYPE_CHAP 1
#define XAUTH_TYPE_OTP 2
#define XAUTH_TYPE_SKEY 3

/* Values for XAUTH_STATUS */
#define XAUTH_STATUS_FAIL 0
#define XAUTH_STATUS_OK 1

/* name table for the XAUTH_TYPE_* values (constants.c) */
extern enum_names xauth_type_names;
622
623 /* Exchange types
624 * RFC2408 "Internet Security Association and Key Management Protocol (ISAKMP)"
625 * section 3.1
626 *
627 * ISAKMP Future Use 6 - 31
628 * DOI Specific Use 32 - 239
629 * Private Use 240 - 255
630 *
631 * Note: draft-ietf-ipsec-dhless-enc-mode-00.txt Appendix A
632 * defines "DHless RSA Encryption" as 6.
633 */
634
/* name table for the ISAKMP_XCHG_* values (constants.c) */
extern enum_names exchange_names;

/* Exchange Type field of the ISAKMP header. */
#define ISAKMP_XCHG_NONE 0
#define ISAKMP_XCHG_BASE 1
#define ISAKMP_XCHG_IDPROT 2 /* ID Protection */
#define ISAKMP_XCHG_AO 3 /* Authentication Only */
#define ISAKMP_XCHG_AGGR 4 /* Aggressive */
#define ISAKMP_XCHG_INFO 5 /* Informational */
#define ISAKMP_XCHG_MODE_CFG 6 /* Mode Config */

/* Extra exchange types, defined by Oakley
 * RFC2409 "The Internet Key Exchange (IKE)", near end of Appendix A
 * (these fall in the DOI-specific range 32-239 listed above)
 */
#define ISAKMP_XCHG_QUICK 32 /* Oakley Quick Mode */
#define ISAKMP_XCHG_NGRP 33 /* Oakley New Group Mode */
/* added in draft-ietf-ipsec-ike-01.txt, near end of Appendix A */
#define ISAKMP_XCHG_ACK_INFO 34 /* Oakley Acknowledged Informational */
652
653 /* Flag bits */
654
/* one name per ISAKMP header flag bit, for display (constants.c) */
extern const char *const flag_bit_names[];

/* Flags field of the ISAKMP header (bit masks, not bit numbers). */
#define ISAKMP_FLAG_ENCRYPTION 0x1
#define ISAKMP_FLAG_COMMIT 0x2
659
660 /* Situation definition for IPsec DOI */
661
/* one name per situation bit, for display (constants.c) */
extern const char *const sit_bit_names[];

/* Situation bit masks of the IPsec DOI SA payload. */
#define SIT_IDENTITY_ONLY 0x01
#define SIT_SECRECY 0x02
#define SIT_INTEGRITY 0x04
667
668 /* Protocol IDs
669 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.1
670 */
671
/* name table for the PROTO_* values (constants.c) */
extern enum_names protocol_names;

/* Protocol-ID field of the Proposal payload. */
#define PROTO_ISAKMP 1
#define PROTO_IPSEC_AH 2
#define PROTO_IPSEC_ESP 3
#define PROTO_IPCOMP 4

/* Display transform t of protocol p using the matching transform-id table;
 * yields "??" for any other protocol (including PROTO_ISAKMP).
 * warning: trans_show uses enum_show, so same static buffer is used */
#define trans_show(p, t) \
    ((p)==PROTO_IPSEC_AH ? enum_show(&ah_transformid_names, (t)) \
    : (p)==PROTO_IPSEC_ESP ? enum_show(&esp_transformid_names, (t)) \
    : (p)==PROTO_IPCOMP ? enum_show(&ipcomp_transformid_names, (t)) \
    : "??")

/* ISAKMP transform identifier (the only one defined for PROTO_ISAKMP here) */
#define KEY_IKE 1

/* name table for ISAKMP transform identifiers (constants.c) */
extern enum_names isakmp_transformid_names;
689
690 /* the following are from RFC 2393/draft-shacham-ippcp-rfc2393bis-05.txt 3.3 */
/* the following are from RFC 2393/draft-shacham-ippcp-rfc2393bis-05.txt 3.3 */
/* IPComp Compression Parameter Index; u_int16_t is the BSD/glibc spelling of
 * uint16_t (from <sys/types.h>), not a C standard type. */
typedef u_int16_t cpi_t;
#define IPCOMP_CPI_SIZE 2 /* bytes on the wire */
#define IPCOMP_FIRST_NEGOTIATED 256 /* CPIs below this are reserved / well-known */
#define IPCOMP_LAST_NEGOTIATED 61439 /* 0xEFFF; values above are private use */
695
696 /* Identification type values
697 * RFC 2407 The Internet IP security Domain of Interpretation for ISAKMP 4.6.2.1
698 */
699
/* name tables for identification and certificate types (constants.c) */
extern enum_names ident_names;
extern enum_names cert_type_names;

/* name table for certpolicy_t (enum_name_t, the libstrongswan table type) */
extern enum_name_t *cert_policy_names;

/* Local policy: when to send our certificate to the peer. */
typedef enum certpolicy {
    CERT_ALWAYS_SEND = 0,
    CERT_SEND_IF_ASKED = 1,
    CERT_NEVER_SEND = 2,

    CERT_YES_SEND = 3, /* synonym for CERT_ALWAYS_SEND (distinct numeric value, though) */
    CERT_NO_SEND = 4 /* synonym for CERT_NEVER_SEND (distinct numeric value, though) */
} certpolicy_t;
713
714 /* Policies for establishing an SA
715 *
716 * These are used to specify attributes (eg. encryption) and techniques
717 * (eg PFS) for an SA.
718 * Note: certain CD_ definitions in whack.c parallel these -- keep them
719 * in sync!
720 */
721
/* one name per POLICY_* bit, for display (constants.c) */
extern const char *const sa_policy_bit_names[];
/* human-readable rendering of a policy bit set */
extern const char *prettypolicy(lset_t policy);

/* ISAKMP auth techniques (none means never negotiate) */
#define POLICY_PSK LELEM(0)
#define POLICY_PUBKEY LELEM(1)

#define POLICY_ISAKMP_SHIFT 0 /* log2(POLICY_PSK) */
/* POLICY_XAUTH_PSK and POLICY_XAUTH_RSASIG are defined further down in this
 * file; that is fine because object-like macros are expanded where
 * POLICY_ID_AUTH_MASK is used, not where it is defined. */
#define POLICY_ID_AUTH_MASK (POLICY_PSK | POLICY_PUBKEY | POLICY_XAUTH_PSK | POLICY_XAUTH_RSASIG)
#define POLICY_ISAKMP_MASK POLICY_ID_AUTH_MASK /* all so far */
732
733 /* Quick Mode (IPSEC) attributes */
/* Quick Mode (IPSEC) attributes; bits 2..7 */
#define POLICY_ENCRYPT LELEM(2) /* must be first of IPSEC policies */
#define POLICY_AUTHENTICATE LELEM(3) /* must be second */
#define POLICY_COMPRESS LELEM(4) /* must be third */
#define POLICY_TUNNEL LELEM(5)
#define POLICY_PFS LELEM(6)
#define POLICY_DISABLEARRIVALCHECK LELEM(7) /* suppress tunnel egress address checking */

#define POLICY_IPSEC_SHIFT 2 /* log2(POLICY_ENCRYPT) */
#define POLICY_IPSEC_MASK LRANGES(POLICY_ENCRYPT, POLICY_DISABLEARRIVALCHECK) /* bits 2..7 */
743
744 /* shunt attributes: what to do when routed without tunnel (2 bits) */
/* shunt attributes: what to do when routed without tunnel (2 bits) */
#define POLICY_SHUNT_SHIFT 8 /* log2(POLICY_SHUNT_PASS) */
#define POLICY_SHUNT_MASK (03ul << POLICY_SHUNT_SHIFT) /* octal 03 == binary 11: the two-bit field at bits 8..9 */

#define POLICY_SHUNT_TRAP (0ul << POLICY_SHUNT_SHIFT) /* default: negotiate */
#define POLICY_SHUNT_PASS (1ul << POLICY_SHUNT_SHIFT)
#define POLICY_SHUNT_DROP (2ul << POLICY_SHUNT_SHIFT)
#define POLICY_SHUNT_REJECT (3ul << POLICY_SHUNT_SHIFT)

/* fail attributes: what to do with failed negotiation (2 bits) */

#define POLICY_FAIL_SHIFT 10 /* log2(POLICY_FAIL_PASS) */
#define POLICY_FAIL_MASK (03ul << POLICY_FAIL_SHIFT) /* the two-bit field at bits 10..11 */

#define POLICY_FAIL_NONE (0ul << POLICY_FAIL_SHIFT) /* default */
#define POLICY_FAIL_PASS (1ul << POLICY_FAIL_SHIFT)
#define POLICY_FAIL_DROP (2ul << POLICY_FAIL_SHIFT)
#define POLICY_FAIL_REJECT (3ul << POLICY_FAIL_SHIFT)
762
763 /* connection policy
764 * Other policies could vary per state object. These live in connection.
765 */
/* connection policy bits 12..25 (bits 18 and 19 are also part of
 * POLICY_ID_AUTH_MASK above) */
#define POLICY_DONT_REKEY LELEM(12) /* don't rekey state either Phase */
#define POLICY_OPPO LELEM(13) /* is this opportunistic? */
#define POLICY_GROUP LELEM(14) /* is this a group template? */
#define POLICY_GROUTED LELEM(15) /* do we want this group routed? */
#define POLICY_UP LELEM(16) /* do we want this up? */
#define POLICY_MODECFG_PUSH LELEM(17) /* is modecfg pushed by server? */
#define POLICY_XAUTH_PSK LELEM(18) /* do we support XAUTH with a PreShared key? */
#define POLICY_XAUTH_RSASIG LELEM(19) /* do we support XAUTH with an RSA signature? */
#define POLICY_XAUTH_SERVER LELEM(20) /* are we an XAUTH server? */
#define POLICY_DONT_REAUTH LELEM(21) /* don't reauthenticate on rekeying, IKEv2 only */
#define POLICY_BEET LELEM(22) /* bound end2end tunnel, IKEv2 */
#define POLICY_MOBIKE LELEM(23) /* enable MOBIKE for IKEv2 */
#define POLICY_FORCE_ENCAP LELEM(24) /* force UDP encapsulation (IKEv2) */
#define POLICY_PROXY LELEM(25) /* proxy transport mode (MIPv6) */

/* Any IPsec policy? If not, a connection description
 * is only for ISAKMP SA, not IPSEC SA. (A pun, I admit.)
 * Note: a connection can only be routed if it is NEVER_NEGOTIATE
 * or HAS_IPSEC_POLICY.
 */
#define HAS_IPSEC_POLICY(p) (((p) & POLICY_IPSEC_MASK) != 0)

/* Don't allow negotiation? True when none of the authentication-method bits
 * (POLICY_ID_AUTH_MASK) is set. */
#define NEVER_NEGOTIATE(p) (LDISJOINT((p), POLICY_ID_AUTH_MASK))
790
791
792 /* Oakley transform attributes
793 * draft-ietf-ipsec-ike-01.txt appendix A
794 */
795
/* name table for the OAKLEY_* attribute types and a per-bit name array (constants.c) */
extern enum_names oakley_attr_names;
extern const char *const oakley_attr_bit_names[];

/* Oakley (Phase 1) transform attribute types.
 * "B/V" marks attributes that may be encoded either in Basic or in
 * Variable-length form; the others are Basic only. */
#define OAKLEY_ENCRYPTION_ALGORITHM 1
#define OAKLEY_HASH_ALGORITHM 2
#define OAKLEY_AUTHENTICATION_METHOD 3
#define OAKLEY_GROUP_DESCRIPTION 4
#define OAKLEY_GROUP_TYPE 5
#define OAKLEY_GROUP_PRIME 6 /* B/V */
#define OAKLEY_GROUP_GENERATOR_ONE 7 /* B/V */
#define OAKLEY_GROUP_GENERATOR_TWO 8 /* B/V */
#define OAKLEY_GROUP_CURVE_A 9 /* B/V */
#define OAKLEY_GROUP_CURVE_B 10 /* B/V */
#define OAKLEY_LIFE_TYPE 11
#define OAKLEY_LIFE_DURATION 12 /* B/V */
#define OAKLEY_PRF 13
#define OAKLEY_KEY_LENGTH 14
#define OAKLEY_FIELD_SIZE 15
#define OAKLEY_GROUP_ORDER 16 /* B/V */
#define OAKLEY_BLOCK_SIZE 17

/* for each Oakley attribute, which enum_names describes its values?
 * (presumably indexed by the OAKLEY_* attribute type; NULL where none) */
extern enum_names *oakley_attr_val_descs[];
819
820 /* IPsec DOI attributes
821 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.5
822 */
823
/* name table for the IPsec DOI attribute types (constants.c) */
extern enum_names ipsec_attr_names;

/* IPsec DOI (Phase 2) transform attribute types; "B/V" as for the Oakley
 * attributes above. */
#define SA_LIFE_TYPE 1
#define SA_LIFE_DURATION 2 /* B/V */
#define GROUP_DESCRIPTION 3
#define ENCAPSULATION_MODE 4
#define AUTH_ALGORITHM 5
#define KEY_LENGTH 6
#define KEY_ROUNDS 7
#define COMPRESS_DICT_SIZE 8
#define COMPRESS_PRIVATE_ALG 9 /* B/V */

/* for each IPsec attribute, which enum_names describes its values?
 * (presumably indexed by the attribute type; NULL where none) */
extern enum_names *ipsec_attr_val_descs[];
838
839 /* SA Lifetime Type attribute
840 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.5
841 * Default time specified in 4.5
842 *
843 * There are two defaults for IPSEC SA lifetime, SA_LIFE_DURATION_DEFAULT,
844 * and PLUTO_SA_LIFE_DURATION_DEFAULT.
845 * SA_LIFE_DURATION_DEFAULT is specified in RFC2407 "The Internet IP
846 * Security Domain of Interpretation for ISAKMP" 4.5. It applies when
847 * an ISAKMP negotiation does not explicitly specify a life duration.
848 * PLUTO_SA_LIFE_DURATION_DEFAULT is specified in pluto(8). It applies
849 * when a connection description does not specify --ipseclifetime.
850 * The value of SA_LIFE_DURATION_MAXIMUM is our local policy.
851 */
852
/* name table for the SA_LIFE_TYPE_* values (constants.c) */
extern enum_names sa_lifetime_names;

#define SA_LIFE_TYPE_SECONDS 1
#define SA_LIFE_TYPE_KBYTES 2

/* Lifetimes in seconds; see the discussion above for which default applies when. */
#define SA_LIFE_DURATION_DEFAULT 28800 /* eight hours (RFC2407 4.5) */
#define PLUTO_SA_LIFE_DURATION_DEFAULT 3600 /* one hour (pluto(8)) */
#define SA_LIFE_DURATION_MAXIMUM 86400 /* one day; local policy cap */

/* Rekeying: replace an SA this many seconds before expiry, randomised by up
 * to FUZZ percent of the margin, retrying up to RETRIES times. */
#define SA_REPLACEMENT_MARGIN_DEFAULT 540 /* (IPSEC & IKE) nine minutes */
#define SA_REPLACEMENT_FUZZ_DEFAULT 100 /* (IPSEC & IKE) 100% of MARGIN */
#define SA_REPLACEMENT_RETRIES_DEFAULT 3 /* (IPSEC & IKE) */

/* default kilobyte lifetime: the largest 32-bit value */
#define SA_LIFE_DURATION_K_DEFAULT 0xFFFFFFFFlu
867
868 /* Encapsulation Mode attribute */
869
/* name table for the ENCAPSULATION_MODE_* values (constants.c) */
extern enum_names enc_mode_names;

#define ENCAPSULATION_MODE_UNSPECIFIED 0 /* not legal -- used internally */
#define ENCAPSULATION_MODE_TUNNEL 1
#define ENCAPSULATION_MODE_TRANSPORT 2

/* UDP-encapsulated (NAT-T) modes: the values standardised in the RFC ... */
#define ENCAPSULATION_MODE_UDP_TUNNEL_RFC 3
#define ENCAPSULATION_MODE_UDP_TRANSPORT_RFC 4

/* ... and the private-use values the earlier NAT-T drafts used instead. */
#define ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS 61443
#define ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS 61444
881
882 /* Auth Algorithm attribute */
883
/* name tables for the AUTH_ALGORITHM_* values (constants.c) */
extern enum_names auth_alg_names, extended_auth_alg_names;

/* Values of the AUTH_ALGORITHM IPsec DOI attribute. */
#define AUTH_ALGORITHM_NONE 0 /* our private designation */
#define AUTH_ALGORITHM_HMAC_MD5 1
#define AUTH_ALGORITHM_HMAC_SHA1 2
#define AUTH_ALGORITHM_DES_MAC 3
#define AUTH_ALGORITHM_KPDK 4
#define AUTH_ALGORITHM_HMAC_SHA2_256 5
#define AUTH_ALGORITHM_HMAC_SHA2_384 6
#define AUTH_ALGORITHM_HMAC_SHA2_512 7
#define AUTH_ALGORITHM_HMAC_RIPEMD 8
#define AUTH_ALGORITHM_AES_XCBC_MAC 9
#define AUTH_ALGORITHM_SIG_RSA 10
#define AUTH_ALGORITHM_NULL 251 /* private-use value: no integrity protection */
898
899 /* Oakley Lifetime Type attribute
900 * draft-ietf-ipsec-ike-01.txt appendix A
901 * As far as I can see, there is no specification for
902 * OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT. This could lead to interop problems!
903 * For no particular reason, we chose three hours.
904 * The value of OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM is our local policy.
905 */
/* name table for the OAKLEY_LIFE_* values (constants.c) */
extern enum_names oakley_lifetime_names;

#define OAKLEY_LIFE_SECONDS 1
#define OAKLEY_LIFE_KILOBYTES 2

/* ISAKMP (Phase 1) SA lifetimes in seconds; see the note above on the default. */
#define OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT 10800 /* three hours */
#define OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM 86400 /* one day; local policy cap */

/* Oakley PRF attribute (none defined)
 * draft-ietf-ipsec-ike-01.txt appendix A
 */
extern enum_names oakley_prf_names;
918
/* HMAC inner/outer pad bytes (see rfc2104.txt).
 * These are the fixed constants from the HMAC definition; they are XORed
 * with the key to form the inner and outer hash inputs and must not change.
 */

#define HMAC_IPAD 0x36
#define HMAC_OPAD 0x5C
923
/* Oakley Encryption Algorithm attribute
 * draft-ietf-ipsec-ike-01.txt appendix A
 * and from http://www.isi.edu/in-notes/iana/assignments/ipsec-registry
 * oakley_enc_names (constants.c) maps these back to names; mirror changes.
 *
 * Security note (review): OAKLEY_DES_CBC is single DES (56-bit key) and is
 * not an acceptable IKE cipher today; the remaining legacy ciphers should
 * not be offered by default. Enforcement lives in the proposal code, not here.
 */

extern enum_names oakley_enc_names;

#define OAKLEY_DES_CBC 1
#define OAKLEY_IDEA_CBC 2
#define OAKLEY_BLOWFISH_CBC 3
#define OAKLEY_RC5_R16_B64_CBC 4
#define OAKLEY_3DES_CBC 5
#define OAKLEY_CAST_CBC 6
#define OAKLEY_AES_CBC 7
#define OAKLEY_CAMELLIA_CBC 8

/* Values 65001-65005 are above the registered block; presumably private-use
 * assignments for extra ciphers. OAKLEY_ID_65003 is a placeholder for an
 * id with no cipher name attached.
 */
#define OAKLEY_MARS_CBC 65001
#define OAKLEY_RC6_CBC 65002
#define OAKLEY_ID_65003 65003
#define OAKLEY_SERPENT_CBC 65004
#define OAKLEY_TWOFISH_CBC 65005

#define OAKLEY_TWOFISH_CBC_SSH 65289 /* Twofish as numbered by SSH's implementation */

#define OAKLEY_ENCRYPT_MAX 65535 /* pretty useless :) -- just the 16-bit attribute ceiling */
949
/* Oakley Hash Algorithm attribute
 * draft-ietf-ipsec-ike-01.txt appendix A
 * and from http://www.isi.edu/in-notes/iana/assignments/ipsec-registry
 * oakley_hash_names (constants.c) maps these back to names; mirror changes.
 *
 * Security note (review): OAKLEY_MD5 is collision-broken and OAKLEY_SHA
 * (SHA-1) is deprecated for signatures; keep them out of default proposals.
 */

extern enum_names oakley_hash_names;

#define OAKLEY_MD5 1
#define OAKLEY_SHA 2
#define OAKLEY_TIGER 3
#define OAKLEY_SHA2_256 4
#define OAKLEY_SHA2_384 5
#define OAKLEY_SHA2_512 6

/* One past the highest defined value (OAKLEY_SHA2_512 = 6); presumably used
 * as an array bound or range check, so any new hash id must be added below
 * it and this value bumped.
 */
#define OAKLEY_HASH_MAX 7
965
/* Oakley Authentication Method attribute
 * draft-ietf-ipsec-ike-01.txt appendix A
 * Goofy Hybrid extensions from draft-ietf-ipsec-isakmp-hybrid-auth-05.txt
 * Goofy XAUTH extensions from draft-ietf-ipsec-isakmp-xauth-06.txt
 * oakley_auth_names (constants.c) maps these back to names; mirror changes.
 */

extern enum_names oakley_auth_names;

#define OAKLEY_PRESHARED_KEY 1
#define OAKLEY_DSS_SIG 2
#define OAKLEY_RSA_SIG 3
#define OAKLEY_RSA_ENC 4
#define OAKLEY_RSA_ENC_REV 5
#define OAKLEY_ELGAMAL_ENC 6
#define OAKLEY_ELGAMAL_ENC_REV 7
#define OAKLEY_ECDSA_SIG 8
#define OAKLEY_ECDSA_256 9
#define OAKLEY_ECDSA_384 10
#define OAKLEY_ECDSA_521 11

/* One past OAKLEY_ECDSA_521. The Hybrid and XAUTH values below lie above
 * this roof, so code that uses it as a bound must handle them separately.
 */
#define OAKLEY_AUTH_ROOF 12 /* roof on auth values THAT WE SUPPORT */

/* Hybrid authentication (draft above). NOTE(review): by that draft only
 * one side is authenticated by signature and the other relies on the
 * later XAUTH exchange; treat these as weaker than mutual signature
 * authentication and do not enable them unless intended.
 */
#define HybridInitRSA 64221
#define HybridRespRSA 64222
#define HybridInitDSS 64223
#define HybridRespDSS 64224

/* XAUTH-flavoured variants of the base methods. These share numeric values
 * with the private-use encryption ids above (e.g. XAUTHInitPreShared and
 * OAKLEY_MARS_CBC are both 65001) but live in a different attribute's
 * namespace -- never compare values across attribute types.
 */
#define XAUTHInitPreShared 65001
#define XAUTHRespPreShared 65002
#define XAUTHInitDSS 65003
#define XAUTHRespDSS 65004
#define XAUTHInitRSA 65005
#define XAUTHRespRSA 65006
#define XAUTHInitRSAEncryption 65007
#define XAUTHRespRSAEncryption 65008
#define XAUTHInitRSARevisedEncryption 65009
#define XAUTHRespRSARevisedEncryption 65010
1003
/* Oakley Group Description attribute (Diffie-Hellman group ids)
 * draft-ietf-ipsec-ike-01.txt appendix A
 * No group ids are defined in this header; the name table lives in
 * constants.c and the group parameters in crypto.c.
 */
extern enum_names oakley_group_names;

/* you must also touch: constants.c, crypto.c -- when adding a DH group */
1010
/* Oakley Group Type attribute
 * draft-ietf-ipsec-ike-01.txt appendix A
 * Describes the algebraic structure of a DH group: modular exponentiation,
 * elliptic curve over a prime field, or elliptic curve over GF(2^n).
 */
extern enum_names oakley_group_type_names;

#define OAKLEY_GROUP_TYPE_MODP 1
#define OAKLEY_GROUP_TYPE_ECP 2
#define OAKLEY_GROUP_TYPE_EC2N 3
1019
1020
/* Notify messages -- error and status types
 * See RFC2408 ISAKMP 3.14.1
 * notification_names / ipsec_notification_names (constants.c) map these
 * back to names; mirror any change there.
 *
 * Security note (review): a notification that arrives outside the
 * protection of an ISAKMP SA is unauthenticated. Acting on such a message
 * (deleting state, honouring INITIAL_CONTACT, answering DPD) is a classic
 * denial-of-service vector, so the receiving code should only trust these
 * values when the message was integrity-protected. That logic is not in
 * this header.
 */

extern enum_names notification_names;
extern enum_names ipsec_notification_names;

typedef enum {
	NOTHING_WRONG = 0, /* unofficial! internal "no error" marker */

	/* ISAKMP error types, RFC2408 3.14.1 */
	INVALID_PAYLOAD_TYPE = 1,
	DOI_NOT_SUPPORTED = 2,
	SITUATION_NOT_SUPPORTED = 3,
	INVALID_COOKIE = 4,
	INVALID_MAJOR_VERSION = 5,
	INVALID_MINOR_VERSION = 6,
	INVALID_EXCHANGE_TYPE = 7,
	INVALID_FLAGS = 8,
	INVALID_MESSAGE_ID = 9,
	INVALID_PROTOCOL_ID = 10,
	INVALID_SPI = 11,
	INVALID_TRANSFORM_ID = 12,
	ATTRIBUTES_NOT_SUPPORTED = 13,
	NO_PROPOSAL_CHOSEN = 14,
	BAD_PROPOSAL_SYNTAX = 15,
	PAYLOAD_MALFORMED = 16,
	INVALID_KEY_INFORMATION = 17,
	INVALID_ID_INFORMATION = 18,
	INVALID_CERT_ENCODING = 19,
	INVALID_CERTIFICATE = 20,
	CERT_TYPE_UNSUPPORTED = 21,
	INVALID_CERT_AUTHORITY = 22,
	INVALID_HASH_INFORMATION = 23,
	AUTHENTICATION_FAILED = 24,
	INVALID_SIGNATURE = 25,
	ADDRESS_NOTIFICATION = 26,
	NOTIFY_SA_LIFETIME = 27,
	CERTIFICATE_UNAVAILABLE = 28,
	UNSUPPORTED_EXCHANGE_TYPE = 29,
	UNEQUAL_PAYLOAD_LENGTHS = 30,

	/* ISAKMP status type */
	CONNECTED = 16384,

	/* IPSEC DOI additions; status types (RFC2407 IPSEC DOI 4.6.3)
	 * These must be sent under the protection of an ISAKMP SA, and by the
	 * same token should be ignored by a receiver when they are not.
	 */
	IPSEC_RESPONDER_LIFETIME = 24576,
	IPSEC_REPLAY_STATUS = 24577,
	IPSEC_INITIAL_CONTACT = 24578,

	/* RFC 3706 DPD (dead peer detection) */
	R_U_THERE = 36136,
	R_U_THERE_ACK = 36137

} notification_t;
1077
1078
1079 /* Public key algorithm number
1080 * Same numbering as used in DNSsec
1081 * See RFC 2535 DNSsec 3.2 The KEY Algorithm Number Specification.
1082 * Also found in BIND 8.2.2 include/isc/dst.h as DST algorithm codes.
1083 */
1084
1085 enum pubkey_alg
1086 {
1087 PUBKEY_ALG_RSA = 1,
1088 PUBKEY_ALG_DSA = 3,
1089 };
1090
/* Limits on size of RSA moduli.
 * The upper bound matches that of DNSsec (see RFC 2537).
 * The lower bound must be more than 11 octets for the encoding to work at
 * all (presumably the PKCS#1 v1.5 padding overhead), but it must be much
 * larger for any real security. For now, we require 512 bits.
 *
 * Security note (review): 512-bit RSA moduli have been publicly factored
 * for many years, so RSA_MIN_OCTETS only guards the encoding, not the key's
 * strength; current guidance is 2048 bits or more. Raising it affects
 * interop with existing keys and is a policy decision, so it is flagged
 * here rather than changed.
 */

#define RSA_MIN_OCTETS_RFC 12 /* absolute floor imposed by the encoding */

#define RSA_MIN_OCTETS (512 / BITS_PER_BYTE) /* our policy floor, see note above */
#define RSA_MIN_OCTETS_UGH "RSA modulus too small for security: less than 512 bits"

#define RSA_MAX_OCTETS (8192 / BITS_PER_BYTE)
#define RSA_MAX_OCTETS_UGH "RSA modulus too large: more than 8192 bits"

/* Note: RFC 2537 encoding adds a few bytes for the public exponent and its
 * length. If you use a small public exponent like 3 (not "modulus", as an
 * earlier version of this comment said), the overhead is only 2 bytes; a
 * larger exponent needs more, which the callers presumably check.
 */
#define RSA_MAX_ENCODING_BYTES (RSA_MAX_OCTETS + 2)
1110
/* socket address family info
 * One record per supported address family (see af_inet4_info /
 * af_inet6_info below), bundling the sizes and ID-payload types that the
 * rest of pluto needs when handling that family. Field order is part of
 * the layout that constants.c initialises -- do not reorder.
 */

struct af_info
{
	int af;                   /* AF_INET / AF_INET6 value for this family */
	const char *name;         /* printable family name */
	size_t ia_sz;             /* size of the in-address structure */
	size_t sa_sz;             /* size of the sockaddr structure */
	int mask_cnt;             /* number of bits in an address (max prefix length) */
	u_int8_t id_addr, id_subnet, id_range; /* ISAKMP ID types for address, subnet and range of this family */
	const ip_address *any;    /* the unspecified ("any") address */
	const ip_subnet *none;    /* 0.0.0.0/32 or IPv6 equivalent */
	const ip_subnet *all;     /* 0.0.0.0/0 or IPv6 equivalent */
};
1125
/* The two supported families; defined in constants.c. */
extern const struct af_info
	af_inet4_info,
	af_inet6_info;

/* Look up the af_info record for an address family (see constants.c for
 * what is returned for an unsupported af -- callers should not assume
 * non-NULL without checking there).
 */
extern const struct af_info *aftoinfo(int af);

extern enum_names af_names;

/* True when sn is a single-host subnet that contains a.
 * NOTE: sn is expanded twice -- do not pass an expression with side effects.
 */
#define subnetisaddr(sn, a) (subnetishost(sn) && addrinsubnet((a), (sn)))
/* True when sn is the "none" subnet (0.0.0.0/32 or IPv6 equivalent). */
extern bool subnetisnone(const ip_subnet *sn);
1136
/* BIND enumerated types: name tables for DNS query types, resource record
 * types and classes, used when keys are fetched from DNS. Defined in
 * constants.c.
 */

extern enum_names
	rr_qtype_names,
	rr_type_names,
	rr_class_names;
1143
/* How authenticated is info that might have come from DNS?
 * In order of increasing confidence.
 *
 * Security note (review): DAL_SIGNED is based on the resolver reporting
 * the AD bit, which is only meaningful over a trusted path to a validating
 * resolver; without that, an attacker on the path can set AD on a forged
 * answer. Treat DAL_SIGNED as "resolver says authentic", not as local
 * validation.
 */
enum dns_auth_level {
	DAL_UNSIGNED, /* AD in response, but no signature: no authentication */
	DAL_NOTSEC,   /* no AD in response: authentication impossible */
	DAL_SIGNED,   /* AD and signature in response: authentic */
	DAL_LOCAL     /* locally provided (pretty good) */
};
1153
/*
 * define a macro for use in error messages: names the DNS record types
 * that can carry a key, depending on whether KEY RR support is compiled in.
 */

#ifdef USE_KEYRR
#define RRNAME "TXT or KEY"
#else
#define RRNAME "TXT"
#endif
1163
/* natt traversal types: bit names for the NAT-T method bitmask, used for
 * logging. Defined in constants.c; mirror any change to the bit layout.
 */
extern const char *const natt_type_bitnames[];
1166
/* secret value for responder cookies
 * Mixed into responder cookies so that a cookie cannot be forged without
 * it; this is what lets the responder stay stateless against cookie
 * floods. It must be filled from a cryptographically strong RNG, must never
 * be logged or exported, and -- as the name suggests -- is presumably
 * rotated periodically; verify both in the code that owns it, which is not
 * visible here. Sized by HASH_SIZE_SHA1 from hasher.h.
 */
extern u_char secret_of_the_day[HASH_SIZE_SHA1];
1169
1170 #endif /* _CONSTANTS_H */