60f431049b2048ac66825a4fba4a9f97a017380a
[strongswan.git] / src / pluto / constants.h
1
2 /* manifest constants
3 * Copyright (C) 1997 Angelos D. Keromytis.
4 * Copyright (C) 1998-2002 D. Hugh Redelmeier.
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 *
16 * RCSID $Id$
17 */
18
19 #ifndef _CONSTANTS_H
20 #define _CONSTANTS_H
21
22 #include <utils.h>
23
24 extern const char compile_time_interop_options[];
25
26 extern void init_constants(void);
27
28 /*
29 * NOTE:For debugging purposes, constants.c has tables to map numbers back to names.
30 * Any changes here should be reflected there.
31 */
32
33 #define elemsof(array) (sizeof(array) / sizeof(*(array))) /* number of elements in an array */
34
35 /* Many routines return only success or failure, but wish to describe
36 * the failure in a message. We use the convention that they return
37 * a NULL on success and a pointer to constant string on failure.
38 * The fact that the string is a constant is limiting, but it
39 * avoids storage management issues: the recipient is allowed to assume
40 * that the string will live "long enough" (usually forever).
41 * <freeswan.h> defines err_t for this return type.
42 */
43
44 #define NULL_FD (-1) /* NULL file descriptor */
45 #define dup_any(fd) ((fd) == NULL_FD? NULL_FD : dup(fd))
46 #define close_any(fd) { if ((fd) != NULL_FD) { close(fd); (fd) = NULL_FD; } }
47
48 #define strcaseeq(a, b) (strcasecmp((a), (b)) == 0) /* clearer shorthand */
49
50 /* set type with room for at least 64 elements for ALG opts (was 32 in stock FS) */
51
52 typedef unsigned long long lset_t;
53 #define LEMPTY 0ULL
54 #define LELEM(opt) (1ULL << (opt))
55 #define LRANGE(lwb, upb) LRANGES(LELEM(lwb), LELEM(upb))
56 #define LRANGES(first, last) (last - first + last)
57 #define LHAS(set, elem) ((LELEM(elem) & (set)) != LEMPTY)
58 #define LIN(subset, set) (((subset) & (set)) == (subset))
59 #define LDISJOINT(a, b) (((a) & (b)) == LEMPTY)
60
61 /* Control and lock pathnames */
62 #ifndef IPSEC_PIDDIR
63 # define IPSEC_PIDDIR "/var/run"
64 #endif
65 #ifndef DEFAULT_CTLBASE
66 # define DEFAULT_CTLBASE IPSEC_PIDDIR "/pluto"
67 #endif
68
69 #define CTL_SUFFIX ".ctl" /* for UNIX domain socket pathname */
70 #define LOCK_SUFFIX ".pid" /* for pluto's lock */
71 #define INFO_SUFFIX ".info" /* for UNIX domain socket for apps */
72
73 /* Routines to check and display values.
74 *
75 * An enum_names describes an enumeration.
76 * enum_name() returns the name of an enum value, or NULL if invalid.
77 * enum_show() is like enum_name, except it formats a numeric representation
78 * for any invalid value (in a static area!)
79 *
80 * bitnames() formats a display of a set of named bits (in a static area)
81 */
82
83 struct enum_names {
84 unsigned long en_first; /* first value in range */
85 unsigned long en_last; /* last value in range (inclusive) */
86 const char *const *en_names;
87 const struct enum_names *en_next_range; /* descriptor of next range */
88 };
89
90 typedef const struct enum_names enum_names;
91
92 extern const char *enum_name(enum_names *ed, unsigned long val);
93 extern const char *enum_show(enum_names *ed, unsigned long val);
94 extern int enum_search(enum_names *ed, const char *string);
95
96 extern bool testset(const char *const table[], lset_t val);
97 extern const char *bitnamesof(const char *const table[], lset_t val);
98
99 /* sparse_names is much like enum_names, except values are
100 * not known to be contiguous or ordered.
101 * The array of names is ended with one with the name sparse_end
102 * (this avoids having to reserve a value to signify the end).
103 * Often appropriate for enums defined by others.
104 */
105 struct sparse_name {
106 unsigned long val;
107 const char *const name;
108 };
109 typedef const struct sparse_name sparse_names[];
110
111 extern const char *sparse_name(sparse_names sd, unsigned long val);
112 extern const char *sparse_val_show(sparse_names sd, unsigned long val);
113 extern const char sparse_end[];
114
115 #define FULL_INET_ADDRESS_SIZE 6
116
117 /* Group parameters from draft-ietf-ike-01.txt section 6 */
118
119 #define MODP_GENERATOR "2"
120
121 #define MODP768_MODULUS \
122 "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 " \
123 "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD " \
124 "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 " \
125 "E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF"
126
127 #define MODP1024_MODULUS \
128 "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 " \
129 "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD " \
130 "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 " \
131 "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED " \
132 "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 " \
133 "FFFFFFFF FFFFFFFF"
134
135 #define MODP1536_MODULUS \
136 "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 " \
137 "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD " \
138 "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 " \
139 "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED " \
140 "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D " \
141 "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F " \
142 "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D " \
143 "670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF "
144
145 /* draft-ietf-ipsec-ike-modp-groups-03.txt */
146 #define MODP2048_MODULUS \
147 "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
148 "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
149 "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
150 "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
151 "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
152 "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
153 "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
154 "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
155 "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
156 "DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
157 "15728E5A 8AACAA68 FFFFFFFF FFFFFFFF"
158
159 #define MODP3072_MODULUS \
160 "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
161 "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
162 "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
163 "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
164 "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
165 "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
166 "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
167 "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
168 "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
169 "DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
170 "15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64" \
171 "ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7" \
172 "ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B" \
173 "F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" \
174 "BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31" \
175 "43DB5BFC E0FD108E 4B82D120 A93AD2CA FFFFFFFF FFFFFFFF"
176
177 #define MODP4096_MODULUS \
178 "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
179 "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
180 "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
181 "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
182 "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
183 "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
184 "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
185 "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
186 "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
187 "DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
188 "15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64" \
189 "ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7" \
190 "ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B" \
191 "F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" \
192 "BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31" \
193 "43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7" \
194 "88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA" \
195 "2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6" \
196 "287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED" \
197 "1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9" \
198 "93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34063199" \
199 "FFFFFFFF FFFFFFFF"
200
201 /* copy&pasted from rfc3526: */
202 #define MODP6144_MODULUS \
203 "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 29024E08" \
204 "8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD EF9519B3 CD3A431B" \
205 "302B0A6D F25F1437 4FE1356D 6D51C245 E485B576 625E7EC6 F44C42E9" \
206 "A637ED6B 0BFF5CB6 F406B7ED EE386BFB 5A899FA5 AE9F2411 7C4B1FE6" \
207 "49286651 ECE45B3D C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8" \
208 "FD24CF5F 83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
209 "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B E39E772C" \
210 "180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9 DE2BCBF6 95581718" \
211 "3995497C EA956AE5 15D22618 98FA0510 15728E5A 8AAAC42D AD33170D" \
212 "04507A33 A85521AB DF1CBA64 ECFB8504 58DBEF0A 8AEA7157 5D060C7D" \
213 "B3970F85 A6E1E4C7 ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226" \
214 "1AD2EE6B F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" \
215 "BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31 43DB5BFC" \
216 "E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7 88719A10 BDBA5B26" \
217 "99C32718 6AF4E23C 1A946834 B6150BDA 2583E9CA 2AD44CE8 DBBBC2DB" \
218 "04DE8EF9 2E8EFC14 1FBECAA6 287C5947 4E6BC05D 99B2964F A090C3A2" \
219 "233BA186 515BE7ED 1F612970 CEE2D7AF B81BDD76 2170481C D0069127" \
220 "D5B05AA9 93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34028492" \
221 "36C3FAB4 D27C7026 C1D4DCB2 602646DE C9751E76 3DBA37BD F8FF9406" \
222 "AD9E530E E5DB382F 413001AE B06A53ED 9027D831 179727B0 865A8918" \
223 "DA3EDBEB CF9B14ED 44CE6CBA CED4BB1B DB7F1447 E6CC254B 33205151" \
224 "2BD7AF42 6FB8F401 378CD2BF 5983CA01 C64B92EC F032EA15 D1721D03" \
225 "F482D7CE 6E74FEF6 D55E702F 46980C82 B5A84031 900B1C9E 59E7C97F" \
226 "BEC7E8F3 23A97A7E 36CC88BE 0F1D45B7 FF585AC5 4BD407B2 2B4154AA" \
227 "CC8F6D7E BF48E1D8 14CC5ED2 0F8037E0 A79715EE F29BE328 06A1D58B" \
228 "B7C5DA76 F550AA3D 8A1FBFF0 EB19CCB1 A313D55C DA56C9EC 2EF29632" \
229 "387FE8D7 6E3C0468 043E8F66 3F4860EE 12BF2D5B 0B7474D6 E694F91E" \
230 "6DCC4024 FFFFFFFF FFFFFFFF"
231
232 /* copy&pasted from rfc3526: */
233 #define MODP8192_MODULUS \
234 "FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1" \
235 "29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD" \
236 "EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245" \
237 "E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED" \
238 "EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D" \
239 "C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F" \
240 "83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D" \
241 "670C354E 4ABC9804 F1746C08 CA18217C 32905E46 2E36CE3B" \
242 "E39E772C 180E8603 9B2783A2 EC07A28F B5C55DF0 6F4C52C9" \
243 "DE2BCBF6 95581718 3995497C EA956AE5 15D22618 98FA0510" \
244 "15728E5A 8AAAC42D AD33170D 04507A33 A85521AB DF1CBA64" \
245 "ECFB8504 58DBEF0A 8AEA7157 5D060C7D B3970F85 A6E1E4C7" \
246 "ABF5AE8C DB0933D7 1E8C94E0 4A25619D CEE3D226 1AD2EE6B" \
247 "F12FFA06 D98A0864 D8760273 3EC86A64 521F2B18 177B200C" \
248 "BBE11757 7A615D6C 770988C0 BAD946E2 08E24FA0 74E5AB31" \
249 "43DB5BFC E0FD108E 4B82D120 A9210801 1A723C12 A787E6D7" \
250 "88719A10 BDBA5B26 99C32718 6AF4E23C 1A946834 B6150BDA" \
251 "2583E9CA 2AD44CE8 DBBBC2DB 04DE8EF9 2E8EFC14 1FBECAA6" \
252 "287C5947 4E6BC05D 99B2964F A090C3A2 233BA186 515BE7ED" \
253 "1F612970 CEE2D7AF B81BDD76 2170481C D0069127 D5B05AA9" \
254 "93B4EA98 8D8FDDC1 86FFB7DC 90A6C08F 4DF435C9 34028492" \
255 "36C3FAB4 D27C7026 C1D4DCB2 602646DE C9751E76 3DBA37BD" \
256 "F8FF9406 AD9E530E E5DB382F 413001AE B06A53ED 9027D831" \
257 "179727B0 865A8918 DA3EDBEB CF9B14ED 44CE6CBA CED4BB1B" \
258 "DB7F1447 E6CC254B 33205151 2BD7AF42 6FB8F401 378CD2BF" \
259 "5983CA01 C64B92EC F032EA15 D1721D03 F482D7CE 6E74FEF6" \
260 "D55E702F 46980C82 B5A84031 900B1C9E 59E7C97F BEC7E8F3" \
261 "23A97A7E 36CC88BE 0F1D45B7 FF585AC5 4BD407B2 2B4154AA" \
262 "CC8F6D7E BF48E1D8 14CC5ED2 0F8037E0 A79715EE F29BE328" \
263 "06A1D58B B7C5DA76 F550AA3D 8A1FBFF0 EB19CCB1 A313D55C" \
264 "DA56C9EC 2EF29632 387FE8D7 6E3C0468 043E8F66 3F4860EE" \
265 "12BF2D5B 0B7474D6 E694F91E 6DBE1159 74A3926F 12FEE5E4" \
266 "38777CB6 A932DF8C D8BEC4D0 73B931BA 3BC832B6 8D9DD300" \
267 "741FA7BF 8AFC47ED 2576F693 6BA42466 3AAB639C 5AE4F568" \
268 "3423B474 2BF1C978 238F16CB E39D652D E3FDB8BE FC848AD9" \
269 "22222E04 A4037C07 13EB57A8 1A23F0C7 3473FC64 6CEA306B" \
270 "4BCBC886 2F8385DD FA9D4B7F A2C087E8 79683303 ED5BDD3A" \
271 "062B3CF5 B3A278A6 6D2A13F8 3F44F82D DF310EE0 74AB6A36" \
272 "4597E899 A0255DC1 64F31CC5 0846851D F9AB4819 5DED7EA1" \
273 "B1D510BD 7EE74D73 FAF36BC3 1ECFA268 359046F4 EB879F92" \
274 "4009438B 481C6CD7 889A002E D5EE382B C9190DA6 FC026E47" \
275 "9558E447 5677E9AA 9E3050E2 765694DF C81F56E8 80B96E71" \
276 "60C980DD 98EDD3DF FFFFFFFF FFFFFFFF"
277 #define LOCALSECRETSIZE (512 / BITS_PER_BYTE)
278
279 /* limits on nonce sizes. See RFC2409 "The internet key exchange (IKE)" 5 */
280 #define MINIMUM_NONCE_SIZE 8 /* bytes */
281 #define DEFAULT_NONCE_SIZE 16 /* bytes */
282 #define MAXIMUM_NONCE_SIZE 256 /* bytes */
283
284 #define COOKIE_SIZE 8
285 #define MAX_ISAKMP_SPI_SIZE 16
286
287 #define MD2_DIGEST_SIZE (128 / BITS_PER_BYTE)
288 #define MD5_DIGEST_SIZE (128 / BITS_PER_BYTE)
289 #define SHA1_DIGEST_SIZE (160 / BITS_PER_BYTE)
290 #define SHA2_256_DIGEST_SIZE (256 / BITS_PER_BYTE)
291 #define SHA2_384_DIGEST_SIZE (384 / BITS_PER_BYTE)
292 #define SHA2_512_DIGEST_SIZE (512 / BITS_PER_BYTE)
293
294 #define MD5_BLOCK_SIZE (512 / BITS_PER_BYTE)
295 #define SHA1_BLOCK_SIZE (512 / BITS_PER_BYTE)
296 #define SHA2_256_BLOCK_SIZE (512 / BITS_PER_BYTE)
297 #define SHA2_384_BLOCK_SIZE (1024 / BITS_PER_BYTE)
298 #define SHA2_512_BLOCK_SIZE (1024 / BITS_PER_BYTE)
299
300 #define DES_CBC_BLOCK_SIZE (64 / BITS_PER_BYTE)
301
302 #define DSS_QBITS 160 /* bits in DSS's "q" (FIPS 186-1) */
303
304 /* Maximum is required for SHA2_512 */
305 #define MAX_DIGEST_LEN SHA2_512_DIGEST_SIZE
306 #define MAX_HASH_BLOCK_SIZE SHA2_512_BLOCK_SIZE
307
308 /* RFC 2404 "HMAC-SHA-1-96" section 3 */
309 #define HMAC_SHA1_KEY_LEN SHA1_DIGEST_SIZE
310
311 /* RFC 2403 "HMAC-MD5-96" section 3 */
312 #define HMAC_MD5_KEY_LEN MD5_DIGEST_SIZE
313
314 #define IKE_UDP_PORT 500
315
316 /* RFC 2560 OCSP - certificate status */
317
318 typedef enum {
319 CERT_GOOD = 0,
320 CERT_REVOKED = 1,
321 CERT_UNKNOWN = 2,
322 CERT_UNDEFINED = 3
323 } cert_status_t;
324
325 /* RFC 2459 CRL reason codes */
326
327 extern enum_names crl_reason_names;
328
329 typedef enum {
330 REASON_UNSPECIFIED = 0,
331 REASON_KEY_COMPROMISE = 1,
332 REASON_CA_COMPROMISE = 2,
333 REASON_AFFILIATION_CHANGED = 3,
334 REASON_SUPERSEDED = 4,
335 REASON_CESSATION_OF_OPERATON = 5,
336 REASON_CERTIFICATE_HOLD = 6,
337 REASON_REMOVE_FROM_CRL = 8
338 } crl_reason_t;
339
340 /* RFC 3706 Dead Peer Detection */
341
342 extern enum_names dpd_action_names;
343
344 typedef enum {
345 DPD_ACTION_NONE = 0,
346 DPD_ACTION_CLEAR = 1,
347 DPD_ACTION_HOLD = 2,
348 DPD_ACTION_RESTART = 3,
349 DPD_ACTION_UNKNOWN = 4
350 } dpd_action_t;
351
352 /* Timer events */
353
354 extern enum_names timer_event_names;
355
356 enum event_type {
357 EVENT_NULL, /* non-event */
358 EVENT_REINIT_SECRET, /* Refresh cookie secret */
359 #ifdef KLIPS
360 EVENT_SHUNT_SCAN, /* scan shunt eroutes known to kernel */
361 #endif
362 EVENT_SO_DISCARD, /* discard unfinished state object */
363 EVENT_RETRANSMIT, /* Retransmit packet */
364 EVENT_SA_REPLACE, /* SA replacement event */
365 EVENT_SA_REPLACE_IF_USED, /* SA replacement event */
366 EVENT_SA_EXPIRE, /* SA expiration event */
367 EVENT_NAT_T_KEEPALIVE, /* NAT Traversal Keepalive */
368 EVENT_DPD, /* dead peer detection */
369 EVENT_DPD_TIMEOUT, /* dead peer detection timeout */
370 EVENT_LOG_DAILY /* reset certain log events/stats */
371 };
372
373 #define EVENT_REINIT_SECRET_DELAY 3600 /* 1 hour */
374 #define EVENT_RETRANSMIT_DELAY_0 10 /* 10 seconds */
375
376 /* Misc. stuff */
377
378 #define MAXIMUM_RETRANSMISSIONS 2
379 #define MAXIMUM_RETRANSMISSIONS_INITIAL 20
380
381 #define MAX_INPUT_UDP_SIZE 65536
382 #define MAX_OUTPUT_UDP_SIZE 65536
383
384 /* Version numbers */
385
386 #define ISAKMP_MAJOR_VERSION 0x1
387 #define ISAKMP_MINOR_VERSION 0x0
388
389 extern enum_names version_names;
390
391 /* Domain of Interpretation */
392
393 extern enum_names doi_names;
394
395 #define ISAKMP_DOI_ISAKMP 0
396 #define ISAKMP_DOI_IPSEC 1
397
398 /* IPsec DOI things */
399
400 #define IPSEC_DOI_SITUATION_LENGTH 4
401 #define IPSEC_DOI_LDI_LENGTH 4
402 #define IPSEC_DOI_SPI_SIZE 4
403
404 /* SPI value 0 is invalid and values 1-255 are reserved to IANA.
405 * ESP: RFC 2402 2.4; AH: RFC 2406 2.1
406 * IPComp RFC 2393 substitutes a CPI in the place of an SPI.
407 * see also draft-shacham-ippcp-rfc2393bis-05.txt.
408 * We (FreeS/WAN) reserve 0x100 to 0xFFF for manual keying, so
409 * Pluto won't generate these values.
410 */
411 #define IPSEC_DOI_SPI_MIN 0x100
412 #define IPSEC_DOI_SPI_OUR_MIN 0x1000
413
414 /* debugging settings: a set of selections for reporting
415 * These would be more naturally situated in log.h,
416 * but they are shared with whack.
417 * IMPAIR_* actually change behaviour, usually badly,
418 * to aid in testing. Naturally, these are not included in ALL.
419 *
420 * NOTE: changes here must be done in concert with changes to DBGOPT_*
421 * in whack.c. A change to WHACK_MAGIC in whack.h will be required too.
422 */
423 #ifdef DEBUG
424 extern const char *const debug_bit_names[];
425 #endif
426
427 #define DBG_RAW LELEM(0) /* raw packet I/O */
428 #define DBG_CRYPT LELEM(1) /* encryption/decryption of messages */
429 #define DBG_PARSING LELEM(2) /* show decoding of messages */
430 #define DBG_EMITTING LELEM(3) /* show encoding of messages */
431 #define DBG_CONTROL LELEM(4) /* control flow within Pluto */
432 #define DBG_LIFECYCLE LELEM(5) /* SA lifecycle */
433 #define DBG_KLIPS LELEM(6) /* messages to KLIPS */
434 #define DBG_DNS LELEM(7) /* DNS activity */
435 #define DBG_NATT LELEM(8) /* NAT-T */
436 #define DBG_OPPO LELEM(9) /* opportunism */
437 #define DBG_CONTROLMORE LELEM(10) /* more detailed debugging */
438
439 #define DBG_PRIVATE LELEM(11) /* private information: DANGER! */
440
441 #define IMPAIR0 12 /* first bit for IMPAIR_* */
442
443 #define IMPAIR_DELAY_ADNS_KEY_ANSWER LELEM(IMPAIR0+0) /* sleep before answering */
444 #define IMPAIR_DELAY_ADNS_TXT_ANSWER LELEM(IMPAIR0+1) /* sleep before answering */
445 #define IMPAIR_BUST_MI2 LELEM(IMPAIR0+2) /* make MI2 really large */
446 #define IMPAIR_BUST_MR2 LELEM(IMPAIR0+3) /* make MI2 really large */
447
448 #define DBG_NONE 0 /* no options on, including impairments */
449 #define DBG_ALL LRANGES(DBG_RAW, DBG_CONTROLMORE) /* all logging options on EXCEPT DBG_PRIVATE */
450
451 /* State of exchanges
452 *
453 * The name of the state describes the last message sent, not the
454 * message currently being input or output (except during retry).
455 * In effect, the state represents the last completed action.
456 *
457 * Messages are named [MQ][IR]n where
458 * - M stands for Main Mode (Phase 1);
459 * Q stands for Quick Mode (Phase 2)
460 * - I stands for Initiator;
461 * R stands for Responder
462 * - n, a digit, stands for the number of the message
463 *
464 * It would be more convenient if each state accepted a message
465 * and produced one. This is the case for states at the start
466 * or end of an exchange. To fix this, we pretend that there are
467 * MR0 and QR0 messages before the MI1 and QR1 messages. Similarly,
468 * we pretend that there are MR4 and QR2 messages.
469 *
470 * STATE_MAIN_R0 and STATE_QUICK_R0 are intermediate states (not
471 * retained between messages) representing the state that accepts the
472 * first message of an exchange has been read but not processed.
473 *
474 * state_microcode state_microcode_table in demux.c describes
475 * other important details.
476 */
477
478 extern enum_names state_names;
479 extern const char *const state_story[];
480
481 enum state_kind {
482 STATE_UNDEFINED, /* 0 -- most likely accident */
483
484 /* Opportunism states: see "Opportunistic Encryption" 2.2 */
485
486 OPPO_ACQUIRE, /* got an ACQUIRE message for this pair */
487 OPPO_GW_DISCOVERED, /* got TXT specifying gateway */
488
489 /* IKE states */
490
491 STATE_MAIN_R0,
492 STATE_MAIN_I1,
493 STATE_MAIN_R1,
494 STATE_MAIN_I2,
495 STATE_MAIN_R2,
496 STATE_MAIN_I3,
497 STATE_MAIN_R3,
498 STATE_MAIN_I4,
499
500 STATE_QUICK_R0,
501 STATE_QUICK_I1,
502 STATE_QUICK_R1,
503 STATE_QUICK_I2,
504 STATE_QUICK_R2,
505
506 STATE_INFO,
507 STATE_INFO_PROTECTED,
508
509 /* XAUTH states */
510
511 STATE_XAUTH_I0, /* initiator state (client) */
512 STATE_XAUTH_R1, /* responder state (server) */
513 STATE_XAUTH_I1,
514 STATE_XAUTH_R2,
515 STATE_XAUTH_I2,
516 STATE_XAUTH_R3,
517
518 /* Mode Config pull states */
519
520 STATE_MODE_CFG_R0, /* responder state (server) */
521 STATE_MODE_CFG_I1, /* initiator state (client) */
522 STATE_MODE_CFG_R1,
523 STATE_MODE_CFG_I2,
524
525 /* Mode Config push states */
526
527 STATE_MODE_CFG_I0, /* initiator state (client) */
528 STATE_MODE_CFG_R3, /* responder state (server) */
529 STATE_MODE_CFG_I3,
530 STATE_MODE_CFG_R4,
531
532 STATE_IKE_ROOF
533 };
534
535 #define STATE_IKE_FLOOR STATE_MAIN_R0
536
537 #define PHASE1_INITIATOR_STATES (LELEM(STATE_MAIN_I1) | LELEM(STATE_MAIN_I2) \
538 | LELEM(STATE_MAIN_I3) | LELEM(STATE_MAIN_I4))
539 #define ISAKMP_SA_ESTABLISHED_STATES ( \
540 LELEM(STATE_MAIN_R3) | LELEM(STATE_MAIN_I4) \
541 | LELEM(STATE_XAUTH_R1) | LELEM(STATE_XAUTH_R2) | LELEM(STATE_XAUTH_R3) \
542 | LELEM(STATE_XAUTH_I1) | LELEM(STATE_XAUTH_I2) \
543 | LELEM(STATE_MODE_CFG_I1) | LELEM(STATE_MODE_CFG_R1) | LELEM(STATE_MODE_CFG_I2) \
544 | LELEM(STATE_MODE_CFG_R3) | LELEM(STATE_MODE_CFG_I3) | LELEM(STATE_MODE_CFG_R4))
545
546 #define IS_PHASE1(s) ((STATE_MAIN_R0 <= (s) && (s) <= STATE_MAIN_I4) \
547 || (STATE_XAUTH_I0 <= (s) && (s) <= STATE_XAUTH_R3) \
548 || (STATE_MODE_CFG_R0 <= (s) && (s) <= STATE_MODE_CFG_R4))
549
550 #define IS_QUICK(s) (STATE_QUICK_R0 <= (s) && (s) <= STATE_QUICK_R2)
551 #define IS_ISAKMP_ENCRYPTED(s) (STATE_MAIN_I2 <= (s))
552
553 #define IS_ISAKMP_SA_ESTABLISHED(s) ( \
554 (s) == STATE_MAIN_R3 \
555 || (s) == STATE_MAIN_I4 \
556 || (s) == STATE_XAUTH_I2 \
557 || (s) == STATE_XAUTH_R3 \
558 || (s) == STATE_MODE_CFG_R1 \
559 || (s) == STATE_MODE_CFG_I2 \
560 || (s) == STATE_MODE_CFG_I3 \
561 || (s) == STATE_MODE_CFG_R4)
562
563 #define IS_IPSEC_SA_ESTABLISHED(s) ((s) == STATE_QUICK_I2 || (s) == STATE_QUICK_R2)
564 #define IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(s) ((s) == STATE_QUICK_R1)
565
566 /* kind of struct connection
567 * Ordered (mostly) by concreteness. Order is exploited.
568 */
569
570 extern enum_names connection_kind_names;
571
572 enum connection_kind {
573 CK_GROUP, /* policy group: instantiates to template */
574 CK_TEMPLATE, /* abstract connection, with wildcard */
575 CK_PERMANENT, /* normal connection */
576 CK_INSTANCE, /* instance of template, created for a particular attempt */
577 CK_GOING_AWAY /* instance being deleted -- don't delete again */
578 };
579
580
581 /* routing status.
582 * Note: routing ignores source address, but erouting does not!
583 * Note: a connection can only be routed if it is NEVER_NEGOTIATE
584 * or HAS_IPSEC_POLICY.
585 */
586
587 extern enum_names routing_story;
588
589 /* note that this is assumed to be ordered! */
590 enum routing_t {
591 RT_UNROUTED, /* unrouted */
592 RT_UNROUTED_HOLD, /* unrouted, but HOLD shunt installed */
593 RT_ROUTED_ECLIPSED, /* RT_ROUTED_PROSPECTIVE except bare HOLD or instance has eroute */
594 RT_ROUTED_PROSPECTIVE, /* routed, and prospective shunt installed */
595 RT_ROUTED_HOLD, /* routed, and HOLD shunt installed */
596 RT_ROUTED_FAILURE, /* routed, and failure-context shunt installed */
597 RT_ROUTED_TUNNEL, /* routed, and erouted to an IPSEC SA group */
598 RT_UNROUTED_KEYED /* keyed, but not routed, on purpose */
599 };
600
601 #define routed(rs) ((rs) > RT_UNROUTED_HOLD)
602 #define erouted(rs) ((rs) != RT_UNROUTED)
603 #define shunt_erouted(rs) (erouted(rs) && (rs) != RT_ROUTED_TUNNEL)
604
605 /* Payload types
606 * RFC2408 Internet Security Association and Key Management Protocol (ISAKMP)
607 * section 3.1
608 *
609 * RESERVED 14-127
610 * Private USE 128-255
611 */
612
613 extern enum_names payload_names;
614 extern const char *const payload_name[];
615
616 #define ISAKMP_NEXT_NONE 0 /* No other payload following */
617 #define ISAKMP_NEXT_SA 1 /* Security Association */
618 #define ISAKMP_NEXT_P 2 /* Proposal */
619 #define ISAKMP_NEXT_T 3 /* Transform */
620 #define ISAKMP_NEXT_KE 4 /* Key Exchange */
621 #define ISAKMP_NEXT_ID 5 /* Identification */
622 #define ISAKMP_NEXT_CERT 6 /* Certificate */
623 #define ISAKMP_NEXT_CR 7 /* Certificate Request */
624 #define ISAKMP_NEXT_HASH 8 /* Hash */
625 #define ISAKMP_NEXT_SIG 9 /* Signature */
626 #define ISAKMP_NEXT_NONCE 10 /* Nonce */
627 #define ISAKMP_NEXT_N 11 /* Notification */
628 #define ISAKMP_NEXT_D 12 /* Delete */
629 #define ISAKMP_NEXT_VID 13 /* Vendor ID */
630 #define ISAKMP_NEXT_ATTR 14 /* Mode config Attribute */
631
632 #define ISAKMP_NEXT_NATD_RFC 20 /* NAT-Traversal: NAT-D (rfc) */
633 #define ISAKMP_NEXT_NATOA_RFC 21 /* NAT-Traversal: NAT-OA (rfc) */
634 #define ISAKMP_NEXT_ROOF 22 /* roof on payload types */
635
636 #define ISAKMP_NEXT_NATD_DRAFTS 130 /* NAT-Traversal: NAT-D (drafts) */
637 #define ISAKMP_NEXT_NATOA_DRAFTS 131 /* NAT-Traversal: NAT-OA (drafts) */
638
639 /* These values are to be used within the Type field of an Attribute (14)
640 * ISAKMP payload.
641 */
642 #define ISAKMP_CFG_REQUEST 1
643 #define ISAKMP_CFG_REPLY 2
644 #define ISAKMP_CFG_SET 3
645 #define ISAKMP_CFG_ACK 4
646
647 extern enum_names attr_msg_type_names;
648
649 /* Mode Config attribute values */
650 #define INTERNAL_IP4_ADDRESS 1
651 #define INTERNAL_IP4_NETMASK 2
652 #define INTERNAL_IP4_DNS 3
653 #define INTERNAL_IP4_NBNS 4
654 #define INTERNAL_ADDRESS_EXPIRY 5
655 #define INTERNAL_IP4_DHCP 6
656 #define APPLICATION_VERSION 7
657 #define INTERNAL_IP6_ADDRESS 8
658 #define INTERNAL_IP6_NETMASK 9
659 #define INTERNAL_IP6_DNS 10
660 #define INTERNAL_IP6_NBNS 11
661 #define INTERNAL_IP6_DHCP 12
662 #define INTERNAL_IP4_SUBNET 13
663 #define SUPPORTED_ATTRIBUTES 14
664 #define INTERNAL_IP6_SUBNET 15
665
666
667 extern enum_names modecfg_attr_names;
668
669 /* XAUTH attribute values */
670 #define XAUTH_TYPE 16520
671 #define XAUTH_USER_NAME 16521
672 #define XAUTH_USER_PASSWORD 16522
673 #define XAUTH_PASSCODE 16523
674 #define XAUTH_MESSAGE 16524
675 #define XAUTH_CHALLENGE 16525
676 #define XAUTH_DOMAIN 16526
677 #define XAUTH_STATUS 16527
678 #define XAUTH_NEXT_PIN 16528
679 #define XAUTH_ANSWER 16529
680
681 #define XAUTH_BASE XAUTH_TYPE
682
683 extern enum_names xauth_attr_names;
684
685 /* ISAKMP mode config attributes specific to the Unity vendor Id */
686 #define UNITY_BANNER 28672
687 #define UNITY_SAVE_PASSWD 28673
688 #define UNITY_DEF_DOMAIN 28674
689 #define UNITY_SPLITDNS_NAME 28675
690 #define UNITY_SPLIT_INCLUDE 28676
691 #define UNITY_NATT_PORT 28677
692 #define UNITY_LOCAL_LAN 28678
693 #define UNITY_PFS 28679
694 #define UNITY_FW_TYPE 28680
695 #define UNITY_BACKUP_SERVERS 28681
696 #define UNITY_DDNS_HOSTNAME 28682
697
698 #define UNITY_BASE UNITY_BANNER
699
700 extern enum_names unity_attr_names;
701
702 /* XAUTH authentication types */
703 #define XAUTH_TYPE_GENERIC 0
704 #define XAUTH_TYPE_CHAP 1
705 #define XAUTH_TYPE_OTP 2
706 #define XAUTH_TYPE_SKEY 3
707
708 /* Values for XAUTH_STATUS */
709 #define XAUTH_STATUS_FAIL 0
710 #define XAUTH_STATUS_OK 1
711
712 extern enum_names xauth_type_names;
713
714 /* Exchange types
715 * RFC2408 "Internet Security Association and Key Management Protocol (ISAKMP)"
716 * section 3.1
717 *
718 * ISAKMP Future Use 6 - 31
719 * DOI Specific Use 32 - 239
720 * Private Use 240 - 255
721 *
722 * Note: draft-ietf-ipsec-dhless-enc-mode-00.txt Appendix A
723 * defines "DHless RSA Encryption" as 6.
724 */
725
726 extern enum_names exchange_names;
727
728 #define ISAKMP_XCHG_NONE 0
729 #define ISAKMP_XCHG_BASE 1
730 #define ISAKMP_XCHG_IDPROT 2 /* ID Protection */
731 #define ISAKMP_XCHG_AO 3 /* Authentication Only */
732 #define ISAKMP_XCHG_AGGR 4 /* Aggressive */
733 #define ISAKMP_XCHG_INFO 5 /* Informational */
734 #define ISAKMP_XCHG_MODE_CFG 6 /* Mode Config */
735
736 /* Extra exchange types, defined by Oakley
737 * RFC2409 "The Internet Key Exchange (IKE)", near end of Appendix A
738 */
739 #define ISAKMP_XCHG_QUICK 32 /* Oakley Quick Mode */
740 #define ISAKMP_XCHG_NGRP 33 /* Oakley New Group Mode */
741 /* added in draft-ietf-ipsec-ike-01.txt, near end of Appendix A */
742 #define ISAKMP_XCHG_ACK_INFO 34 /* Oakley Acknowledged Informational */
743
744 /* Flag bits */
745
746 extern const char *const flag_bit_names[];
747
748 #define ISAKMP_FLAG_ENCRYPTION 0x1
749 #define ISAKMP_FLAG_COMMIT 0x2
750
751 /* Situation definition for IPsec DOI */
752
753 extern const char *const sit_bit_names[];
754
755 #define SIT_IDENTITY_ONLY 0x01
756 #define SIT_SECRECY 0x02
757 #define SIT_INTEGRITY 0x04
758
759 /* Protocol IDs
760 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.1
761 */
762
763 extern enum_names protocol_names;
764
765 #define PROTO_ISAKMP 1
766 #define PROTO_IPSEC_AH 2
767 #define PROTO_IPSEC_ESP 3
768 #define PROTO_IPCOMP 4
769
770 /* warning: trans_show uses enum_show, so same static buffer is used */
771 #define trans_show(p, t) \
772 ((p)==PROTO_IPSEC_AH ? enum_show(&ah_transformid_names, (t)) \
773 : (p)==PROTO_IPSEC_ESP ? enum_show(&esp_transformid_names, (t)) \
774 : (p)==PROTO_IPCOMP ? enum_show(&ipcomp_transformid_names, (t)) \
775 : "??")
776
777 /* many transform values are moved to freeswan/ipsec_policy.h */
778
779 extern enum_names isakmp_transformid_names;
780
781 #define KEY_IKE 1
782
783 extern enum_names ah_transformid_names;
784 extern enum_names esp_transformid_names;
785 extern enum_names ipcomp_transformid_names;
786
787 /* the following are from RFC 2393/draft-shacham-ippcp-rfc2393bis-05.txt 3.3 */
788 typedef u_int16_t cpi_t;
789 #define IPCOMP_CPI_SIZE 2
790 #define IPCOMP_FIRST_NEGOTIATED 256
791 #define IPCOMP_LAST_NEGOTIATED 61439
792
793 /* Identification type values
794 * RFC 2407 The Internet IP security Domain of Interpretation for ISAKMP 4.6.2.1
795 */
796
797 extern enum_names ident_names;
798 extern enum_names cert_type_names;
799 extern enum_names cert_policy_names;
800
801 typedef enum certpolicy {
802 CERT_ALWAYS_SEND = 0, /* the default */
803 CERT_SEND_IF_ASKED = 1,
804 CERT_NEVER_SEND = 2,
805
806 CERT_YES_SEND = 3, /* synonym for CERT_ALWAYS_SEND */
807 CERT_NO_SEND = 4 /* synonym for CERT_NEVER_SEND */
808 } certpolicy_t;
809
810 /* Policies for establishing an SA
811 *
812 * These are used to specify attributes (eg. encryption) and techniques
813 * (eg PFS) for an SA.
814 * Note: certain CD_ definitions in whack.c parallel these -- keep them
815 * in sync!
816 */
817
818 extern const char *const sa_policy_bit_names[];
819 extern const char *prettypolicy(lset_t policy);
820
821 /* ISAKMP auth techniques (none means never negotiate) */
822 #define POLICY_PSK LELEM(0)
823 #define POLICY_RSASIG LELEM(1)
824
825 #define POLICY_ISAKMP_SHIFT 0 /* log2(POLICY_PSK) */
826 #define POLICY_ID_AUTH_MASK (POLICY_PSK | POLICY_RSASIG | POLICY_XAUTH_PSK | POLICY_XAUTH_RSASIG)
827 #define POLICY_ISAKMP_MASK POLICY_ID_AUTH_MASK /* all so far */
828
829 /* Quick Mode (IPSEC) attributes */
830 #define POLICY_ENCRYPT LELEM(2) /* must be first of IPSEC policies */
831 #define POLICY_AUTHENTICATE LELEM(3) /* must be second */
832 #define POLICY_COMPRESS LELEM(4) /* must be third */
833 #define POLICY_TUNNEL LELEM(5)
834 #define POLICY_PFS LELEM(6)
835 #define POLICY_DISABLEARRIVALCHECK LELEM(7) /* supress tunnel egress address checking */
836
837 #define POLICY_IPSEC_SHIFT 2 /* log2(POLICY_ENCRYPT) */
838 #define POLICY_IPSEC_MASK LRANGES(POLICY_ENCRYPT, POLICY_DISABLEARRIVALCHECK)
839
840 /* shunt attributes: what to do when routed without tunnel (2 bits) */
841 #define POLICY_SHUNT_SHIFT 8 /* log2(POLICY_SHUNT_PASS) */
842 #define POLICY_SHUNT_MASK (03ul << POLICY_SHUNT_SHIFT)
843
844 #define POLICY_SHUNT_TRAP (0ul << POLICY_SHUNT_SHIFT) /* default: negotiate */
845 #define POLICY_SHUNT_PASS (1ul << POLICY_SHUNT_SHIFT)
846 #define POLICY_SHUNT_DROP (2ul << POLICY_SHUNT_SHIFT)
847 #define POLICY_SHUNT_REJECT (3ul << POLICY_SHUNT_SHIFT)
848
849 /* fail attributes: what to do with failed negotiation (2 bits) */
850
851 #define POLICY_FAIL_SHIFT 10 /* log2(POLICY_FAIL_PASS) */
852 #define POLICY_FAIL_MASK (03ul << POLICY_FAIL_SHIFT)
853
854 #define POLICY_FAIL_NONE (0ul << POLICY_FAIL_SHIFT) /* default */
855 #define POLICY_FAIL_PASS (1ul << POLICY_FAIL_SHIFT)
856 #define POLICY_FAIL_DROP (2ul << POLICY_FAIL_SHIFT)
857 #define POLICY_FAIL_REJECT (3ul << POLICY_FAIL_SHIFT)
858
859 /* connection policy
860 * Other policies could vary per state object. These live in connection.
861 */
862 #define POLICY_DONT_REKEY LELEM(12) /* don't rekey state either Phase */
863 #define POLICY_OPPO LELEM(13) /* is this opportunistic? */
864 #define POLICY_GROUP LELEM(14) /* is this a group template? */
865 #define POLICY_GROUTED LELEM(15) /* do we want this group routed? */
866 #define POLICY_UP LELEM(16) /* do we want this up? */
867 #define POLICY_MODECFG_PUSH LELEM(17) /* is modecfg pushed by server? */
868 #define POLICY_XAUTH_PSK LELEM(18) /* do we support XAUTH????PreShared? */
869 #define POLICY_XAUTH_RSASIG LELEM(19) /* do we support XAUTH????RSA? */
870 #define POLICY_XAUTH_SERVER LELEM(20) /* are we an XAUTH server? */
871 #define POLICY_DONT_REAUTH LELEM(21) /* don't reauthenticate on rekeying, IKEv2 only */
872 #define POLICY_BEET LELEM(22) /* bound end2end tunnel, IKEv2 */
873 #define POLICY_MOBIKE LELEM(23) /* enable MOBIKE for IKEv2 */
874 #define POLICY_FORCE_ENCAP LELEM(24) /* force UDP encapsulation (IKEv2) */
875 #define POLICY_ECDSASIG LELEM(25) /* ECDSA signature (IKEv2) */
876 #define POLICY_PROXY LELEM(26) /* proxy transport mode (MIPv6) */
877
878 /* Any IPsec policy? If not, a connection description
879 * is only for ISAKMP SA, not IPSEC SA. (A pun, I admit.)
880 * Note: a connection can only be routed if it is NEVER_NEGOTIATE
881 * or HAS_IPSEC_POLICY.
882 */
883 #define HAS_IPSEC_POLICY(p) (((p) & POLICY_IPSEC_MASK) != 0)
884
885 /* Don't allow negotiation? */
886 #define NEVER_NEGOTIATE(p) (LDISJOINT((p), POLICY_ID_AUTH_MASK))
887
888
889 /* Oakley transform attributes
890 * draft-ietf-ipsec-ike-01.txt appendix A
891 */
892
893 extern enum_names oakley_attr_names;
894 extern const char *const oakley_attr_bit_names[];
895
896 #define OAKLEY_ENCRYPTION_ALGORITHM 1
897 #define OAKLEY_HASH_ALGORITHM 2
898 #define OAKLEY_AUTHENTICATION_METHOD 3
899 #define OAKLEY_GROUP_DESCRIPTION 4
900 #define OAKLEY_GROUP_TYPE 5
901 #define OAKLEY_GROUP_PRIME 6 /* B/V */
902 #define OAKLEY_GROUP_GENERATOR_ONE 7 /* B/V */
903 #define OAKLEY_GROUP_GENERATOR_TWO 8 /* B/V */
904 #define OAKLEY_GROUP_CURVE_A 9 /* B/V */
905 #define OAKLEY_GROUP_CURVE_B 10 /* B/V */
906 #define OAKLEY_LIFE_TYPE 11
907 #define OAKLEY_LIFE_DURATION 12 /* B/V */
908 #define OAKLEY_PRF 13
909 #define OAKLEY_KEY_LENGTH 14
910 #define OAKLEY_FIELD_SIZE 15
911 #define OAKLEY_GROUP_ORDER 16 /* B/V */
912 #define OAKLEY_BLOCK_SIZE 17
913
914 /* for each Oakley attribute, which enum_names describes its values? */
915 extern enum_names *oakley_attr_val_descs[];
916
917 /* IPsec DOI attributes
918 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.5
919 */
920
921 extern enum_names ipsec_attr_names;
922
923 #define SA_LIFE_TYPE 1
924 #define SA_LIFE_DURATION 2 /* B/V */
925 #define GROUP_DESCRIPTION 3
926 #define ENCAPSULATION_MODE 4
927 #define AUTH_ALGORITHM 5
928 #define KEY_LENGTH 6
929 #define KEY_ROUNDS 7
930 #define COMPRESS_DICT_SIZE 8
931 #define COMPRESS_PRIVATE_ALG 9 /* B/V */
932
933 /* for each IPsec attribute, which enum_names describes its values? */
934 extern enum_names *ipsec_attr_val_descs[];
935
936 /* SA Lifetime Type attribute
937 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.5
938 * Default time specified in 4.5
939 *
940 * There are two defaults for IPSEC SA lifetime, SA_LIFE_DURATION_DEFAULT,
941 * and PLUTO_SA_LIFE_DURATION_DEFAULT.
942 * SA_LIFE_DURATION_DEFAULT is specified in RFC2407 "The Internet IP
943 * Security Domain of Interpretation for ISAKMP" 4.5. It applies when
944 * an ISAKMP negotiation does not explicitly specify a life duration.
945 * PLUTO_SA_LIFE_DURATION_DEFAULT is specified in pluto(8). It applies
946 * when a connection description does not specify --ipseclifetime.
947 * The value of SA_LIFE_DURATION_MAXIMUM is our local policy.
948 */
949
950 extern enum_names sa_lifetime_names;
951
952 #define SA_LIFE_TYPE_SECONDS 1
953 #define SA_LIFE_TYPE_KBYTES 2
954
955 #define SA_LIFE_DURATION_DEFAULT 28800 /* eight hours (RFC2407 4.5) */
956 #define PLUTO_SA_LIFE_DURATION_DEFAULT 3600 /* one hour (pluto(8)) */
957 #define SA_LIFE_DURATION_MAXIMUM 86400 /* one day */
958
959 #define SA_REPLACEMENT_MARGIN_DEFAULT 540 /* (IPSEC & IKE) nine minutes */
960 #define SA_REPLACEMENT_FUZZ_DEFAULT 100 /* (IPSEC & IKE) 100% of MARGIN */
961 #define SA_REPLACEMENT_RETRIES_DEFAULT 3 /* (IPSEC & IKE) */
962
963 #define SA_LIFE_DURATION_K_DEFAULT 0xFFFFFFFFlu
964
965 /* Encapsulation Mode attribute */
966
967 extern enum_names enc_mode_names;
968
969 #define ENCAPSULATION_MODE_UNSPECIFIED 0 /* not legal -- used internally */
970 #define ENCAPSULATION_MODE_TUNNEL 1
971 #define ENCAPSULATION_MODE_TRANSPORT 2
972
973 #define ENCAPSULATION_MODE_UDP_TUNNEL_RFC 3
974 #define ENCAPSULATION_MODE_UDP_TRANSPORT_RFC 4
975
976 #define ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS 61443
977 #define ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS 61444
978
979 /* Auth Algorithm attribute */
980
981 extern enum_names auth_alg_names, extended_auth_alg_names;
982
983 #define AUTH_ALGORITHM_NONE 0 /* our private designation */
984 #define AUTH_ALGORITHM_HMAC_MD5 1
985 #define AUTH_ALGORITHM_HMAC_SHA1 2
986 #define AUTH_ALGORITHM_DES_MAC 3
987 #define AUTH_ALGORITHM_KPDK 4
988 #define AUTH_ALGORITHM_HMAC_SHA2_256 5
989 #define AUTH_ALGORITHM_HMAC_SHA2_384 6
990 #define AUTH_ALGORITHM_HMAC_SHA2_512 7
991 #define AUTH_ALGORITHM_HMAC_RIPEMD 8
992 #define AUTH_ALGORITHM_AES_XCBC_MAC 9
993 #define AUTH_ALGORITHM_SIG_RSA 10
994 #define AUTH_ALGORITHM_NULL 251
995
996 /* Oakley Lifetime Type attribute
997 * draft-ietf-ipsec-ike-01.txt appendix A
998 * As far as I can see, there is not specification for
999 * OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT. This could lead to interop problems!
1000 * For no particular reason, we chose three hours.
1001 * The value of OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM is our local policy.
1002 */
1003 extern enum_names oakley_lifetime_names;
1004
1005 #define OAKLEY_LIFE_SECONDS 1
1006 #define OAKLEY_LIFE_KILOBYTES 2
1007
1008 #define OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT 10800 /* three hours */
1009 #define OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM 86400 /* one day */
1010
1011 /* Oakley PRF attribute (none defined)
1012 * draft-ietf-ipsec-ike-01.txt appendix A
1013 */
1014 extern enum_names oakley_prf_names;
1015
1016 /* HMAC (see rfc2104.txt) */
1017
1018 #define HMAC_IPAD 0x36
1019 #define HMAC_OPAD 0x5C
1020
1021 /* Oakley Encryption Algorithm attribute
1022 * draft-ietf-ipsec-ike-01.txt appendix A
1023 * and from http://www.isi.edu/in-notes/iana/assignments/ipsec-registry
1024 */
1025
1026 extern enum_names oakley_enc_names;
1027
1028 #define OAKLEY_DES_CBC 1
1029 #define OAKLEY_IDEA_CBC 2
1030 #define OAKLEY_BLOWFISH_CBC 3
1031 #define OAKLEY_RC5_R16_B64_CBC 4
1032 #define OAKLEY_3DES_CBC 5
1033 #define OAKLEY_CAST_CBC 6
1034 #define OAKLEY_AES_CBC 7
1035
1036 #define OAKLEY_MARS_CBC 65001
1037 #define OAKLEY_RC6_CBC 65002
1038 #define OAKLEY_ID_65003 65003
1039 #define OAKLEY_SERPENT_CBC 65004
1040 #define OAKLEY_TWOFISH_CBC 65005
1041
1042 #define OAKLEY_TWOFISH_CBC_SSH 65289
1043
1044 #define OAKLEY_ENCRYPT_MAX 65535 /* pretty useless :) */
1045
1046 /* Oakley Hash Algorithm attribute
1047 * draft-ietf-ipsec-ike-01.txt appendix A
1048 * and from http://www.isi.edu/in-notes/iana/assignments/ipsec-registry
1049 */
1050
1051 extern enum_names oakley_hash_names;
1052
1053 #define OAKLEY_MD5 1
1054 #define OAKLEY_SHA 2
1055 #define OAKLEY_TIGER 3
1056 #define OAKLEY_SHA2_256 4
1057 #define OAKLEY_SHA2_384 5
1058 #define OAKLEY_SHA2_512 6
1059
1060 #define OAKLEY_HASH_MAX 7
1061
1062 /* Oakley Authentication Method attribute
1063 * draft-ietf-ipsec-ike-01.txt appendix A
1064 * Goofy Hybrid extensions from draft-ietf-ipsec-isakmp-hybrid-auth-05.txt
1065 * Goofy XAUTH extensions from draft-ietf-ipsec-isakmp-xauth-06.txt
1066 */
1067
1068 extern enum_names oakley_auth_names;
1069
1070 #define OAKLEY_PRESHARED_KEY 1
1071 #define OAKLEY_DSS_SIG 2
1072 #define OAKLEY_RSA_SIG 3
1073 #define OAKLEY_RSA_ENC 4
1074 #define OAKLEY_RSA_ENC_REV 5
1075 #define OAKLEY_ELGAMAL_ENC 6
1076 #define OAKLEY_ELGAMAL_ENC_REV 7
1077
1078 #define OAKLEY_AUTH_ROOF 8 /* roof on auth values THAT WE SUPPORT */
1079
1080 #define HybridInitRSA 64221
1081 #define HybridRespRSA 64222
1082 #define HybridInitDSS 64223
1083 #define HybridRespDSS 64224
1084
1085 #define XAUTHInitPreShared 65001
1086 #define XAUTHRespPreShared 65002
1087 #define XAUTHInitDSS 65003
1088 #define XAUTHRespDSS 65004
1089 #define XAUTHInitRSA 65005
1090 #define XAUTHRespRSA 65006
1091 #define XAUTHInitRSAEncryption 65007
1092 #define XAUTHRespRSAEncryption 65008
1093 #define XAUTHInitRSARevisedEncryption 65009
1094 #define XAUTHRespRSARevisedEncryption 65010
1095
1096 /* Oakley Group Description attribute
1097 * draft-ietf-ipsec-ike-01.txt appendix A
1098 */
1099 extern enum_names oakley_group_names;
1100
1101 #define OAKLEY_GROUP_MODP768 1
1102 #define OAKLEY_GROUP_MODP1024 2
1103 #define OAKLEY_GROUP_GP155 3
1104 #define OAKLEY_GROUP_GP185 4
1105 #define OAKLEY_GROUP_MODP1536 5
1106
1107 #define OAKLEY_GROUP_MODP2048 14
1108 #define OAKLEY_GROUP_MODP3072 15
1109 #define OAKLEY_GROUP_MODP4096 16
1110 #define OAKLEY_GROUP_MODP6144 17
1111 #define OAKLEY_GROUP_MODP8192 18
1112 /* you must also touch: constants.c, crypto.c */
1113
1114 /* Oakley Group Type attribute
1115 * draft-ietf-ipsec-ike-01.txt appendix A
1116 */
1117 extern enum_names oakley_group_type_names;
1118
1119 #define OAKLEY_GROUP_TYPE_MODP 1
1120 #define OAKLEY_GROUP_TYPE_ECP 2
1121 #define OAKLEY_GROUP_TYPE_EC2N 3
1122
1123
1124 /* Notify messages -- error types
1125 * See RFC2408 ISAKMP 3.14.1
1126 */
1127
1128 extern enum_names notification_names;
1129 extern enum_names ipsec_notification_names;
1130
1131 typedef enum {
1132 NOTHING_WRONG = 0, /* unofficial! */
1133
1134 INVALID_PAYLOAD_TYPE = 1,
1135 DOI_NOT_SUPPORTED = 2,
1136 SITUATION_NOT_SUPPORTED = 3,
1137 INVALID_COOKIE = 4,
1138 INVALID_MAJOR_VERSION = 5,
1139 INVALID_MINOR_VERSION = 6,
1140 INVALID_EXCHANGE_TYPE = 7,
1141 INVALID_FLAGS = 8,
1142 INVALID_MESSAGE_ID = 9,
1143 INVALID_PROTOCOL_ID = 10,
1144 INVALID_SPI = 11,
1145 INVALID_TRANSFORM_ID = 12,
1146 ATTRIBUTES_NOT_SUPPORTED = 13,
1147 NO_PROPOSAL_CHOSEN = 14,
1148 BAD_PROPOSAL_SYNTAX = 15,
1149 PAYLOAD_MALFORMED = 16,
1150 INVALID_KEY_INFORMATION = 17,
1151 INVALID_ID_INFORMATION = 18,
1152 INVALID_CERT_ENCODING = 19,
1153 INVALID_CERTIFICATE = 20,
1154 CERT_TYPE_UNSUPPORTED = 21,
1155 INVALID_CERT_AUTHORITY = 22,
1156 INVALID_HASH_INFORMATION = 23,
1157 AUTHENTICATION_FAILED = 24,
1158 INVALID_SIGNATURE = 25,
1159 ADDRESS_NOTIFICATION = 26,
1160 NOTIFY_SA_LIFETIME = 27,
1161 CERTIFICATE_UNAVAILABLE = 28,
1162 UNSUPPORTED_EXCHANGE_TYPE = 29,
1163 UNEQUAL_PAYLOAD_LENGTHS = 30,
1164
1165 /* ISAKMP status type */
1166 CONNECTED = 16384,
1167
1168 /* IPSEC DOI additions; status types (RFC2407 IPSEC DOI 4.6.3)
1169 * These must be sent under the protection of an ISAKMP SA.
1170 */
1171 IPSEC_RESPONDER_LIFETIME = 24576,
1172 IPSEC_REPLAY_STATUS = 24577,
1173 IPSEC_INITIAL_CONTACT = 24578,
1174
1175 /* RFC 3706 DPD */
1176 R_U_THERE = 36136,
1177 R_U_THERE_ACK = 36137
1178
1179 } notification_t;
1180
1181
1182 /* Public key algorithm number
1183 * Same numbering as used in DNSsec
1184 * See RFC 2535 DNSsec 3.2 The KEY Algorithm Number Specification.
1185 * Also found in BIND 8.2.2 include/isc/dst.h as DST algorithm codes.
1186 */
1187
1188 enum pubkey_alg
1189 {
1190 PUBKEY_ALG_RSA = 1,
1191 PUBKEY_ALG_DSA = 3,
1192 };
1193
1194 /* Limits on size of RSA moduli.
1195 * The upper bound matches that of DNSsec (see RFC 2537).
1196 * The lower bound must be more than 11 octets for certain
1197 * the encoding to work, but it must be much larger for any
1198 * real security. For now, we require 512 bits.
1199 */
1200
1201 #define RSA_MIN_OCTETS_RFC 12
1202
1203 #define RSA_MIN_OCTETS (512 / BITS_PER_BYTE)
1204 #define RSA_MIN_OCTETS_UGH "RSA modulus too small for security: less than 512 bits"
1205
1206 #define RSA_MAX_OCTETS (8192 / BITS_PER_BYTE)
1207 #define RSA_MAX_OCTETS_UGH "RSA modulus too large: more than 8192 bits"
1208
1209 /* Note: RFC 2537 encoding adds a few bytes. If you use a small
1210 * modulus like 3, the overhead is only 2 bytes
1211 */
1212 #define RSA_MAX_ENCODING_BYTES (RSA_MAX_OCTETS + 2)
1213
1214 /* socket address family info */
1215
1216 struct af_info
1217 {
1218 int af;
1219 const char *name;
1220 size_t ia_sz;
1221 size_t sa_sz;
1222 int mask_cnt;
1223 u_int8_t id_addr, id_subnet, id_range;
1224 const ip_address *any;
1225 const ip_subnet *none; /* 0.0.0.0/32 or IPv6 equivalent */
1226 const ip_subnet *all; /* 0.0.0.0/0 or IPv6 equivalent */
1227 };
1228
1229 extern const struct af_info
1230 af_inet4_info,
1231 af_inet6_info;
1232
1233 extern const struct af_info *aftoinfo(int af);
1234
1235 extern enum_names af_names;
1236
1237 #define subnetisaddr(sn, a) (subnetishost(sn) && addrinsubnet((a), (sn)))
1238 extern bool subnetisnone(const ip_subnet *sn);
1239
1240 /* BIND enumerated types */
1241
1242 extern enum_names
1243 rr_qtype_names,
1244 rr_type_names,
1245 rr_class_names;
1246
1247 /* How authenticated is info that might have come from DNS?
1248 * In order of increasing confidence.
1249 */
1250 enum dns_auth_level {
1251 DAL_UNSIGNED, /* AD in response, but no signature: no authentication */
1252 DAL_NOTSEC, /* no AD in response: authentication impossible */
1253 DAL_SIGNED, /* AD and signature in response: authentic */
1254 DAL_LOCAL /* locally provided (pretty good) */
1255 };
1256
1257 /*
1258 * define a macro for use in error messages
1259 */
1260
1261 #ifdef USE_KEYRR
1262 #define RRNAME "TXT or KEY"
1263 #else
1264 #define RRNAME "TXT"
1265 #endif
1266
1267 /* natt traversal types */
1268 extern const char *const natt_type_bitnames[];
1269
1270 #endif /* _CONSTANTS_H */