use crl_reason_t definition from <credentials/certificates/crl.h>
[strongswan.git] / src / pluto / constants.h
1 /* manifest constants
2 * Copyright (C) 1997 Angelos D. Keromytis.
3 * Copyright (C) 1998-2002 D. Hugh Redelmeier.
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #ifndef _CONSTANTS_H
17 #define _CONSTANTS_H
18
19 #include <utils.h>
20 #include <utils/identification.h>
21 #include <crypto/hashers/hasher.h>
22
23 extern const char compile_time_interop_options[];
24
25 extern void init_constants(void);
26
27 /*
28 * NOTE:For debugging purposes, constants.c has tables to map numbers back to names.
29 * Any changes here should be reflected there.
30 */
31
32 /* Many routines return only success or failure, but wish to describe
33 * the failure in a message. We use the convention that they return
34 * a NULL on success and a pointer to constant string on failure.
35 * The fact that the string is a constant is limiting, but it
36 * avoids storage management issues: the recipient is allowed to assume
37 * that the string will live "long enough" (usually forever).
38 * <freeswan.h> defines err_t for this return type.
39 */
40
41 #define NULL_FD (-1) /* NULL file descriptor */
42 #define dup_any(fd) ((fd) == NULL_FD? NULL_FD : dup(fd))
43 #define close_any(fd) { if ((fd) != NULL_FD) { close(fd); (fd) = NULL_FD; } }
44
45 /* set type with room for at least 64 elements for ALG opts (was 32 in stock FS) */
46
47 typedef unsigned long long lset_t;
48 #define LEMPTY 0ULL
49 #define LELEM(opt) (1ULL << (opt))
50 #define LRANGE(lwb, upb) LRANGES(LELEM(lwb), LELEM(upb))
51 #define LRANGES(first, last) (last - first + last)
52 #define LHAS(set, elem) ((LELEM(elem) & (set)) != LEMPTY)
53 #define LIN(subset, set) (((subset) & (set)) == (subset))
54 #define LDISJOINT(a, b) (((a) & (b)) == LEMPTY)
55
56 /* Control and lock pathnames */
57 #ifndef IPSEC_PIDDIR
58 # define IPSEC_PIDDIR "/var/run"
59 #endif
60 #ifndef DEFAULT_CTLBASE
61 # define DEFAULT_CTLBASE IPSEC_PIDDIR "/pluto"
62 #endif
63
64 #define CTL_SUFFIX ".ctl" /* for UNIX domain socket pathname */
65 #define LOCK_SUFFIX ".pid" /* for pluto's lock */
66 #define INFO_SUFFIX ".info" /* for UNIX domain socket for apps */
67
68 /* Routines to check and display values.
69 *
70 * An enum_names describes an enumeration.
71 * enum_name() returns the name of an enum value, or NULL if invalid.
72 * enum_show() is like enum_name, except it formats a numeric representation
73 * for any invalid value (in a static area!)
74 *
75 * bitnames() formats a display of a set of named bits (in a static area)
76 */
77
78 struct enum_names {
79 unsigned long en_first; /* first value in range */
80 unsigned long en_last; /* last value in range (inclusive) */
81 const char *const *en_names;
82 const struct enum_names *en_next_range; /* descriptor of next range */
83 };
84
85 typedef const struct enum_names enum_names;
86
87 extern const char *enum_name(enum_names *ed, unsigned long val);
88 extern const char *enum_show(enum_names *ed, unsigned long val);
89 extern int enum_search(enum_names *ed, const char *string);
90
91 extern bool testset(const char *const table[], lset_t val);
92 extern const char *bitnamesof(const char *const table[], lset_t val);
93
94 /* sparse_names is much like enum_names, except values are
95 * not known to be contiguous or ordered.
96 * The array of names is ended with one with the name sparse_end
97 * (this avoids having to reserve a value to signify the end).
98 * Often appropriate for enums defined by others.
99 */
100 struct sparse_name {
101 unsigned long val;
102 const char *const name;
103 };
104 typedef const struct sparse_name sparse_names[];
105
106 extern const char *sparse_name(sparse_names sd, unsigned long val);
107 extern const char *sparse_val_show(sparse_names sd, unsigned long val);
108 extern const char sparse_end[];
109
110 #define FULL_INET_ADDRESS_SIZE 6
111
112 /* limits on nonce sizes. See RFC2409 "The internet key exchange (IKE)" 5 */
113 #define MINIMUM_NONCE_SIZE 8 /* bytes */
114 #define DEFAULT_NONCE_SIZE 16 /* bytes */
115 #define MAXIMUM_NONCE_SIZE 256 /* bytes */
116
117 #define COOKIE_SIZE 8
118 #define MAX_ISAKMP_SPI_SIZE 16
119
120 #define DES_CBC_BLOCK_SIZE (64 / BITS_PER_BYTE)
121
122 /* Maximum is required for SHA2_512 */
123 #define MAX_DIGEST_LEN HASH_SIZE_SHA512
124
125 /* RFC 2404 "HMAC-SHA-1-96" section 3 */
126 #define HMAC_SHA1_KEY_LEN HASH_SIZE_SHA1
127
128 /* RFC 2403 "HMAC-MD5-96" section 3 */
129 #define HMAC_MD5_KEY_LEN HASH_SIZE_MD5
130
131 #define IKE_UDP_PORT 500
132
133 /* IPsec AH transform values
134 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.3
135 * and in http://www.iana.org/assignments/isakmp-registry
136 */
137 enum ipsec_authentication_algo {
138 AH_NONE = 0,
139 AH_MD5 = 2,
140 AH_SHA = 3,
141 AH_DES = 4,
142 AH_SHA2_256 = 5,
143 AH_SHA2_384 = 6,
144 AH_SHA2_512 = 7,
145 AH_RIPEMD = 8,
146 AH_AES_XCBC_MAC = 9,
147 AH_RSA = 10
148 };
149
150 extern enum_names ah_transformid_names;
151
152 /* IPsec ESP transform values
153 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.4
154 * and from http://www.iana.org/assignments/isakmp-registry
155 */
156
157 enum ipsec_cipher_algo {
158 ESP_NONE = 0,
159 ESP_DES_IV64 = 1,
160 ESP_DES = 2,
161 ESP_3DES = 3,
162 ESP_RC5 = 4,
163 ESP_IDEA = 5,
164 ESP_CAST = 6,
165 ESP_BLOWFISH = 7,
166 ESP_3IDEA = 8,
167 ESP_DES_IV32 = 9,
168 ESP_RC4 = 10,
169 ESP_NULL = 11,
170 ESP_AES = 12,
171 ESP_AES_CTR = 13,
172 ESP_AES_CCM_8 = 14,
173 ESP_AES_CCM_12 = 15,
174 ESP_AES_CCM_16 = 16,
175 ESP_UNASSIGNED_17 = 17,
176 ESP_AES_GCM_8 = 18,
177 ESP_AES_GCM_12 = 19,
178 ESP_AES_GCM_16 = 20,
179 ESP_SEED_CBC = 21,
180 ESP_CAMELLIA = 22,
181 ESP_SERPENT = 252,
182 ESP_TWOFISH = 253
183 };
184
185 extern enum_names esp_transformid_names;
186
187 /* IPCOMP transform values
188 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.5
189 */
190
191 enum ipsec_comp_algo {
192 IPSCOMP_NONE = 0,
193 IPCOMP_OUI = 1,
194 IPCOMP_DEFLATE = 2,
195 IPCOMP_LZS = 3,
196 IPCOMP_LZJH = 4
197 };
198
199 extern enum_names ipcomp_transformid_names;
200
201 /* Certificate type values
202 * RFC 2408 ISAKMP, chapter 3.9
203 */
204 enum ipsec_cert_type {
205 CERT_NONE= 0,
206 CERT_PKCS7_WRAPPED_X509= 1,
207 CERT_PGP= 2,
208 CERT_DNS_SIGNED_KEY= 3,
209 CERT_X509_SIGNATURE= 4,
210 CERT_X509_KEY_EXCHANGE= 5,
211 CERT_KERBEROS_TOKENS= 6,
212 CERT_CRL= 7,
213 CERT_ARL= 8,
214 CERT_SPKI= 9,
215 CERT_X509_ATTRIBUTE= 10,
216 CERT_RAW_RSA_KEY= 11
217 };
218
219 /* RFC 2560 OCSP - certificate status */
220
221 typedef enum {
222 CERT_GOOD = 0,
223 CERT_REVOKED = 1,
224 CERT_UNKNOWN = 2,
225 CERT_UNDEFINED = 3
226 } cert_status_t;
227
228 /* RFC 3706 Dead Peer Detection */
229
230 extern enum_name_t *dpd_action_names;
231
232 typedef enum {
233 DPD_ACTION_NONE = 0,
234 DPD_ACTION_CLEAR = 1,
235 DPD_ACTION_HOLD = 2,
236 DPD_ACTION_RESTART = 3,
237 DPD_ACTION_UNKNOWN = 4
238 } dpd_action_t;
239
240 /* Timer events */
241
242 extern enum_name_t *timer_event_names;
243
244 enum event_type {
245 EVENT_NULL, /* non-event */
246 EVENT_REINIT_SECRET, /* Refresh cookie secret */
247 #ifdef KLIPS
248 EVENT_SHUNT_SCAN, /* scan shunt eroutes known to kernel */
249 #endif
250 EVENT_SO_DISCARD, /* discard unfinished state object */
251 EVENT_RETRANSMIT, /* Retransmit packet */
252 EVENT_SA_REPLACE, /* SA replacement event */
253 EVENT_SA_REPLACE_IF_USED, /* SA replacement event */
254 EVENT_SA_EXPIRE, /* SA expiration event */
255 EVENT_NAT_T_KEEPALIVE, /* NAT Traversal Keepalive */
256 EVENT_DPD, /* dead peer detection */
257 EVENT_DPD_TIMEOUT, /* dead peer detection timeout */
258 EVENT_LOG_DAILY /* reset certain log events/stats */
259 };
260
261 #define EVENT_REINIT_SECRET_DELAY 3600 /* 1 hour */
262 #define EVENT_RETRANSMIT_DELAY_0 10 /* 10 seconds */
263
264 /* Misc. stuff */
265
266 #define MAXIMUM_RETRANSMISSIONS 2
267 #define MAXIMUM_RETRANSMISSIONS_INITIAL 20
268
269 #define MAX_INPUT_UDP_SIZE 65536
270 #define MAX_OUTPUT_UDP_SIZE 65536
271
272 /* Version numbers */
273
274 #define ISAKMP_MAJOR_VERSION 0x1
275 #define ISAKMP_MINOR_VERSION 0x0
276
277 extern enum_names version_names;
278
279 /* Domain of Interpretation */
280
281 extern enum_names doi_names;
282
283 #define ISAKMP_DOI_ISAKMP 0
284 #define ISAKMP_DOI_IPSEC 1
285
286 /* IPsec DOI things */
287
288 #define IPSEC_DOI_SITUATION_LENGTH 4
289 #define IPSEC_DOI_LDI_LENGTH 4
290 #define IPSEC_DOI_SPI_SIZE 4
291
292 /* SPI value 0 is invalid and values 1-255 are reserved to IANA.
293 * ESP: RFC 2402 2.4; AH: RFC 2406 2.1
294 * IPComp RFC 2393 substitutes a CPI in the place of an SPI.
295 * see also draft-shacham-ippcp-rfc2393bis-05.txt.
296 * We (FreeS/WAN) reserve 0x100 to 0xFFF for manual keying, so
297 * Pluto won't generate these values.
298 */
299 #define IPSEC_DOI_SPI_MIN 0x100
300 #define IPSEC_DOI_SPI_OUR_MIN 0x1000
301
302 /* debugging settings: a set of selections for reporting
303 * These would be more naturally situated in log.h,
304 * but they are shared with whack.
305 * IMPAIR_* actually change behaviour, usually badly,
306 * to aid in testing. Naturally, these are not included in ALL.
307 *
308 * NOTE: changes here must be done in concert with changes to DBGOPT_*
309 * in whack.c. A change to WHACK_MAGIC in whack.h will be required too.
310 */
311 #ifdef DEBUG
312 extern const char *const debug_bit_names[];
313 #endif
314
315 #define DBG_RAW LELEM(0) /* raw packet I/O */
316 #define DBG_CRYPT LELEM(1) /* encryption/decryption of messages */
317 #define DBG_PARSING LELEM(2) /* show decoding of messages */
318 #define DBG_EMITTING LELEM(3) /* show encoding of messages */
319 #define DBG_CONTROL LELEM(4) /* control flow within Pluto */
320 #define DBG_LIFECYCLE LELEM(5) /* SA lifecycle */
321 #define DBG_KLIPS LELEM(6) /* messages to KLIPS */
322 #define DBG_DNS LELEM(7) /* DNS activity */
323 #define DBG_NATT LELEM(8) /* NAT-T */
324 #define DBG_OPPO LELEM(9) /* opportunism */
325 #define DBG_CONTROLMORE LELEM(10) /* more detailed debugging */
326
327 #define DBG_PRIVATE LELEM(11) /* private information: DANGER! */
328
329 #define IMPAIR0 12 /* first bit for IMPAIR_* */
330
331 #define IMPAIR_DELAY_ADNS_KEY_ANSWER LELEM(IMPAIR0+0) /* sleep before answering */
332 #define IMPAIR_DELAY_ADNS_TXT_ANSWER LELEM(IMPAIR0+1) /* sleep before answering */
333 #define IMPAIR_BUST_MI2 LELEM(IMPAIR0+2) /* make MI2 really large */
334 #define IMPAIR_BUST_MR2 LELEM(IMPAIR0+3) /* make MI2 really large */
335
336 #define DBG_NONE 0 /* no options on, including impairments */
337 #define DBG_ALL LRANGES(DBG_RAW, DBG_CONTROLMORE) /* all logging options on EXCEPT DBG_PRIVATE */
338
339 /* State of exchanges
340 *
341 * The name of the state describes the last message sent, not the
342 * message currently being input or output (except during retry).
343 * In effect, the state represents the last completed action.
344 *
345 * Messages are named [MQ][IR]n where
346 * - M stands for Main Mode (Phase 1);
347 * Q stands for Quick Mode (Phase 2)
348 * - I stands for Initiator;
349 * R stands for Responder
350 * - n, a digit, stands for the number of the message
351 *
352 * It would be more convenient if each state accepted a message
353 * and produced one. This is the case for states at the start
354 * or end of an exchange. To fix this, we pretend that there are
355 * MR0 and QR0 messages before the MI1 and QR1 messages. Similarly,
356 * we pretend that there are MR4 and QR2 messages.
357 *
358 * STATE_MAIN_R0 and STATE_QUICK_R0 are intermediate states (not
359 * retained between messages) representing the state that accepts the
360 * first message of an exchange has been read but not processed.
361 *
362 * state_microcode state_microcode_table in demux.c describes
363 * other important details.
364 */
365
366 extern enum_names state_names;
367 extern const char *const state_story[];
368
369 enum state_kind {
370 STATE_UNDEFINED, /* 0 -- most likely accident */
371
372 /* Opportunism states: see "Opportunistic Encryption" 2.2 */
373
374 OPPO_ACQUIRE, /* got an ACQUIRE message for this pair */
375 OPPO_GW_DISCOVERED, /* got TXT specifying gateway */
376
377 /* IKE states */
378
379 STATE_MAIN_R0,
380 STATE_MAIN_I1,
381 STATE_MAIN_R1,
382 STATE_MAIN_I2,
383 STATE_MAIN_R2,
384 STATE_MAIN_I3,
385 STATE_MAIN_R3,
386 STATE_MAIN_I4,
387
388 STATE_QUICK_R0,
389 STATE_QUICK_I1,
390 STATE_QUICK_R1,
391 STATE_QUICK_I2,
392 STATE_QUICK_R2,
393
394 STATE_INFO,
395 STATE_INFO_PROTECTED,
396
397 /* XAUTH states */
398
399 STATE_XAUTH_I0, /* initiator state (client) */
400 STATE_XAUTH_R1, /* responder state (server) */
401 STATE_XAUTH_I1,
402 STATE_XAUTH_R2,
403 STATE_XAUTH_I2,
404 STATE_XAUTH_R3,
405
406 /* Mode Config pull states */
407
408 STATE_MODE_CFG_R0, /* responder state (server) */
409 STATE_MODE_CFG_I1, /* initiator state (client) */
410 STATE_MODE_CFG_R1,
411 STATE_MODE_CFG_I2,
412
413 /* Mode Config push states */
414
415 STATE_MODE_CFG_I0, /* initiator state (client) */
416 STATE_MODE_CFG_R3, /* responder state (server) */
417 STATE_MODE_CFG_I3,
418 STATE_MODE_CFG_R4,
419
420 STATE_IKE_ROOF
421 };
422
423 #define STATE_IKE_FLOOR STATE_MAIN_R0
424
425 #define PHASE1_INITIATOR_STATES (LELEM(STATE_MAIN_I1) | LELEM(STATE_MAIN_I2) \
426 | LELEM(STATE_MAIN_I3) | LELEM(STATE_MAIN_I4))
427 #define ISAKMP_SA_ESTABLISHED_STATES ( \
428 LELEM(STATE_MAIN_R3) | LELEM(STATE_MAIN_I4) \
429 | LELEM(STATE_XAUTH_R1) | LELEM(STATE_XAUTH_R2) | LELEM(STATE_XAUTH_R3) \
430 | LELEM(STATE_XAUTH_I1) | LELEM(STATE_XAUTH_I2) \
431 | LELEM(STATE_MODE_CFG_I1) | LELEM(STATE_MODE_CFG_R1) | LELEM(STATE_MODE_CFG_I2) \
432 | LELEM(STATE_MODE_CFG_R3) | LELEM(STATE_MODE_CFG_I3) | LELEM(STATE_MODE_CFG_R4))
433
434 #define IS_PHASE1(s) ((STATE_MAIN_R0 <= (s) && (s) <= STATE_MAIN_I4) \
435 || (STATE_XAUTH_I0 <= (s) && (s) <= STATE_XAUTH_R3) \
436 || (STATE_MODE_CFG_R0 <= (s) && (s) <= STATE_MODE_CFG_R4))
437
438 #define IS_QUICK(s) (STATE_QUICK_R0 <= (s) && (s) <= STATE_QUICK_R2)
439 #define IS_ISAKMP_ENCRYPTED(s) (STATE_MAIN_I2 <= (s))
440
441 #define IS_ISAKMP_SA_ESTABLISHED(s) ( \
442 (s) == STATE_MAIN_R3 \
443 || (s) == STATE_MAIN_I4 \
444 || (s) == STATE_XAUTH_I2 \
445 || (s) == STATE_XAUTH_R3 \
446 || (s) == STATE_MODE_CFG_R1 \
447 || (s) == STATE_MODE_CFG_I2 \
448 || (s) == STATE_MODE_CFG_I3 \
449 || (s) == STATE_MODE_CFG_R4)
450
451 #define IS_IPSEC_SA_ESTABLISHED(s) ((s) == STATE_QUICK_I2 || (s) == STATE_QUICK_R2)
452 #define IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(s) ((s) == STATE_QUICK_R1)
453
454 /* kind of struct connection
455 * Ordered (mostly) by concreteness. Order is exploited.
456 */
457
458 extern enum_names connection_kind_names;
459
460 enum connection_kind {
461 CK_GROUP, /* policy group: instantiates to template */
462 CK_TEMPLATE, /* abstract connection, with wildcard */
463 CK_PERMANENT, /* normal connection */
464 CK_INSTANCE, /* instance of template, created for a particular attempt */
465 CK_GOING_AWAY /* instance being deleted -- don't delete again */
466 };
467
468
469 /* routing status.
470 * Note: routing ignores source address, but erouting does not!
471 * Note: a connection can only be routed if it is NEVER_NEGOTIATE
472 * or HAS_IPSEC_POLICY.
473 */
474
475 extern enum_names routing_story;
476
477 /* note that this is assumed to be ordered! */
478 enum routing_t {
479 RT_UNROUTED, /* unrouted */
480 RT_UNROUTED_HOLD, /* unrouted, but HOLD shunt installed */
481 RT_ROUTED_ECLIPSED, /* RT_ROUTED_PROSPECTIVE except bare HOLD or instance has eroute */
482 RT_ROUTED_PROSPECTIVE, /* routed, and prospective shunt installed */
483 RT_ROUTED_HOLD, /* routed, and HOLD shunt installed */
484 RT_ROUTED_FAILURE, /* routed, and failure-context shunt installed */
485 RT_ROUTED_TUNNEL, /* routed, and erouted to an IPSEC SA group */
486 RT_UNROUTED_KEYED /* keyed, but not routed, on purpose */
487 };
488
489 #define routed(rs) ((rs) > RT_UNROUTED_HOLD)
490 #define erouted(rs) ((rs) != RT_UNROUTED)
491 #define shunt_erouted(rs) (erouted(rs) && (rs) != RT_ROUTED_TUNNEL)
492
493 /* Payload types
494 * RFC2408 Internet Security Association and Key Management Protocol (ISAKMP)
495 * section 3.1
496 *
497 * RESERVED 14-127
498 * Private USE 128-255
499 */
500
501 extern enum_names payload_names;
502 extern const char *const payload_name[];
503
504 #define ISAKMP_NEXT_NONE 0 /* No other payload following */
505 #define ISAKMP_NEXT_SA 1 /* Security Association */
506 #define ISAKMP_NEXT_P 2 /* Proposal */
507 #define ISAKMP_NEXT_T 3 /* Transform */
508 #define ISAKMP_NEXT_KE 4 /* Key Exchange */
509 #define ISAKMP_NEXT_ID 5 /* Identification */
510 #define ISAKMP_NEXT_CERT 6 /* Certificate */
511 #define ISAKMP_NEXT_CR 7 /* Certificate Request */
512 #define ISAKMP_NEXT_HASH 8 /* Hash */
513 #define ISAKMP_NEXT_SIG 9 /* Signature */
514 #define ISAKMP_NEXT_NONCE 10 /* Nonce */
515 #define ISAKMP_NEXT_N 11 /* Notification */
516 #define ISAKMP_NEXT_D 12 /* Delete */
517 #define ISAKMP_NEXT_VID 13 /* Vendor ID */
518 #define ISAKMP_NEXT_ATTR 14 /* Mode config Attribute */
519
520 #define ISAKMP_NEXT_NATD_RFC 20 /* NAT-Traversal: NAT-D (rfc) */
521 #define ISAKMP_NEXT_NATOA_RFC 21 /* NAT-Traversal: NAT-OA (rfc) */
522 #define ISAKMP_NEXT_ROOF 22 /* roof on payload types */
523
524 #define ISAKMP_NEXT_NATD_DRAFTS 130 /* NAT-Traversal: NAT-D (drafts) */
525 #define ISAKMP_NEXT_NATOA_DRAFTS 131 /* NAT-Traversal: NAT-OA (drafts) */
526
527 /* These values are to be used within the Type field of an Attribute (14)
528 * ISAKMP payload.
529 */
530 #define ISAKMP_CFG_REQUEST 1
531 #define ISAKMP_CFG_REPLY 2
532 #define ISAKMP_CFG_SET 3
533 #define ISAKMP_CFG_ACK 4
534
535 extern enum_names attr_msg_type_names;
536
537 /* Mode Config attribute values */
538 #define INTERNAL_IP4_ADDRESS 1
539 #define INTERNAL_IP4_NETMASK 2
540 #define INTERNAL_IP4_DNS 3
541 #define INTERNAL_IP4_NBNS 4
542 #define INTERNAL_ADDRESS_EXPIRY 5
543 #define INTERNAL_IP4_DHCP 6
544 #define APPLICATION_VERSION 7
545 #define INTERNAL_IP6_ADDRESS 8
546 #define INTERNAL_IP6_NETMASK 9
547 #define INTERNAL_IP6_DNS 10
548 #define INTERNAL_IP6_NBNS 11
549 #define INTERNAL_IP6_DHCP 12
550 #define INTERNAL_IP4_SUBNET 13
551 #define SUPPORTED_ATTRIBUTES 14
552 #define INTERNAL_IP6_SUBNET 15
553
554
555 extern enum_names modecfg_attr_names;
556
557 /* XAUTH attribute values */
558 #define XAUTH_TYPE 16520
559 #define XAUTH_USER_NAME 16521
560 #define XAUTH_USER_PASSWORD 16522
561 #define XAUTH_PASSCODE 16523
562 #define XAUTH_MESSAGE 16524
563 #define XAUTH_CHALLENGE 16525
564 #define XAUTH_DOMAIN 16526
565 #define XAUTH_STATUS 16527
566 #define XAUTH_NEXT_PIN 16528
567 #define XAUTH_ANSWER 16529
568
569 #define XAUTH_BASE XAUTH_TYPE
570
571 extern enum_names xauth_attr_names;
572
573 /* ISAKMP mode config attributes specific to Microsoft */
574 #define INTERNAL_IP4_SERVER 23456
575 #define INTERNAL_IP6_SERVER 23457
576
577 extern enum_names microsoft_attr_names;
578
579 /* ISAKMP mode config attributes specific to the Unity vendor ID */
580 #define UNITY_BANNER 28672
581 #define UNITY_SAVE_PASSWD 28673
582 #define UNITY_DEF_DOMAIN 28674
583 #define UNITY_SPLITDNS_NAME 28675
584 #define UNITY_SPLIT_INCLUDE 28676
585 #define UNITY_NATT_PORT 28677
586 #define UNITY_LOCAL_LAN 28678
587 #define UNITY_PFS 28679
588 #define UNITY_FW_TYPE 28680
589 #define UNITY_BACKUP_SERVERS 28681
590 #define UNITY_DDNS_HOSTNAME 28682
591
592 #define UNITY_BASE UNITY_BANNER
593
594 extern enum_names unity_attr_names;
595
596 /* XAUTH authentication types */
597 #define XAUTH_TYPE_GENERIC 0
598 #define XAUTH_TYPE_CHAP 1
599 #define XAUTH_TYPE_OTP 2
600 #define XAUTH_TYPE_SKEY 3
601
602 /* Values for XAUTH_STATUS */
603 #define XAUTH_STATUS_FAIL 0
604 #define XAUTH_STATUS_OK 1
605
606 extern enum_names xauth_type_names;
607
608 /* Exchange types
609 * RFC2408 "Internet Security Association and Key Management Protocol (ISAKMP)"
610 * section 3.1
611 *
612 * ISAKMP Future Use 6 - 31
613 * DOI Specific Use 32 - 239
614 * Private Use 240 - 255
615 *
616 * Note: draft-ietf-ipsec-dhless-enc-mode-00.txt Appendix A
617 * defines "DHless RSA Encryption" as 6.
618 */
619
620 extern enum_names exchange_names;
621
622 #define ISAKMP_XCHG_NONE 0
623 #define ISAKMP_XCHG_BASE 1
624 #define ISAKMP_XCHG_IDPROT 2 /* ID Protection */
625 #define ISAKMP_XCHG_AO 3 /* Authentication Only */
626 #define ISAKMP_XCHG_AGGR 4 /* Aggressive */
627 #define ISAKMP_XCHG_INFO 5 /* Informational */
628 #define ISAKMP_XCHG_MODE_CFG 6 /* Mode Config */
629
630 /* Extra exchange types, defined by Oakley
631 * RFC2409 "The Internet Key Exchange (IKE)", near end of Appendix A
632 */
633 #define ISAKMP_XCHG_QUICK 32 /* Oakley Quick Mode */
634 #define ISAKMP_XCHG_NGRP 33 /* Oakley New Group Mode */
635 /* added in draft-ietf-ipsec-ike-01.txt, near end of Appendix A */
636 #define ISAKMP_XCHG_ACK_INFO 34 /* Oakley Acknowledged Informational */
637
638 /* Flag bits */
639
640 extern const char *const flag_bit_names[];
641
642 #define ISAKMP_FLAG_ENCRYPTION 0x1
643 #define ISAKMP_FLAG_COMMIT 0x2
644
645 /* Situation definition for IPsec DOI */
646
647 extern const char *const sit_bit_names[];
648
649 #define SIT_IDENTITY_ONLY 0x01
650 #define SIT_SECRECY 0x02
651 #define SIT_INTEGRITY 0x04
652
653 /* Protocol IDs
654 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.1
655 */
656
657 extern enum_names protocol_names;
658
659 #define PROTO_ISAKMP 1
660 #define PROTO_IPSEC_AH 2
661 #define PROTO_IPSEC_ESP 3
662 #define PROTO_IPCOMP 4
663
664 /* warning: trans_show uses enum_show, so same static buffer is used */
665 #define trans_show(p, t) \
666 ((p)==PROTO_IPSEC_AH ? enum_show(&ah_transformid_names, (t)) \
667 : (p)==PROTO_IPSEC_ESP ? enum_show(&esp_transformid_names, (t)) \
668 : (p)==PROTO_IPCOMP ? enum_show(&ipcomp_transformid_names, (t)) \
669 : "??")
670
671 #define KEY_IKE 1
672
673 extern enum_names isakmp_transformid_names;
674
675 /* the following are from RFC 2393/draft-shacham-ippcp-rfc2393bis-05.txt 3.3 */
676 typedef u_int16_t cpi_t;
677 #define IPCOMP_CPI_SIZE 2
678 #define IPCOMP_FIRST_NEGOTIATED 256
679 #define IPCOMP_LAST_NEGOTIATED 61439
680
681 /* Identification type values
682 * RFC 2407 The Internet IP security Domain of Interpretation for ISAKMP 4.6.2.1
683 */
684
685 extern enum_names ident_names;
686 extern enum_names cert_type_names;
687
688 extern enum_name_t *cert_policy_names;
689
690 typedef enum certpolicy {
691 CERT_ALWAYS_SEND = 0,
692 CERT_SEND_IF_ASKED = 1,
693 CERT_NEVER_SEND = 2,
694
695 CERT_YES_SEND = 3, /* synonym for CERT_ALWAYS_SEND */
696 CERT_NO_SEND = 4 /* synonym for CERT_NEVER_SEND */
697 } certpolicy_t;
698
699 /* Policies for establishing an SA
700 *
701 * These are used to specify attributes (eg. encryption) and techniques
702 * (eg PFS) for an SA.
703 * Note: certain CD_ definitions in whack.c parallel these -- keep them
704 * in sync!
705 */
706
707 extern const char *const sa_policy_bit_names[];
708 extern const char *prettypolicy(lset_t policy);
709
710 /* ISAKMP auth techniques (none means never negotiate) */
711 #define POLICY_PSK LELEM(0)
712 #define POLICY_PUBKEY LELEM(1)
713
714 #define POLICY_ISAKMP_SHIFT 0 /* log2(POLICY_PSK) */
715 #define POLICY_ID_AUTH_MASK (POLICY_PSK | POLICY_PUBKEY | POLICY_XAUTH_PSK | POLICY_XAUTH_RSASIG)
716 #define POLICY_ISAKMP_MASK POLICY_ID_AUTH_MASK /* all so far */
717
718 /* Quick Mode (IPSEC) attributes */
719 #define POLICY_ENCRYPT LELEM(2) /* must be first of IPSEC policies */
720 #define POLICY_AUTHENTICATE LELEM(3) /* must be second */
721 #define POLICY_COMPRESS LELEM(4) /* must be third */
722 #define POLICY_TUNNEL LELEM(5)
723 #define POLICY_PFS LELEM(6)
724 #define POLICY_DISABLEARRIVALCHECK LELEM(7) /* supress tunnel egress address checking */
725
726 #define POLICY_IPSEC_SHIFT 2 /* log2(POLICY_ENCRYPT) */
727 #define POLICY_IPSEC_MASK LRANGES(POLICY_ENCRYPT, POLICY_DISABLEARRIVALCHECK)
728
729 /* shunt attributes: what to do when routed without tunnel (2 bits) */
730 #define POLICY_SHUNT_SHIFT 8 /* log2(POLICY_SHUNT_PASS) */
731 #define POLICY_SHUNT_MASK (03ul << POLICY_SHUNT_SHIFT)
732
733 #define POLICY_SHUNT_TRAP (0ul << POLICY_SHUNT_SHIFT) /* default: negotiate */
734 #define POLICY_SHUNT_PASS (1ul << POLICY_SHUNT_SHIFT)
735 #define POLICY_SHUNT_DROP (2ul << POLICY_SHUNT_SHIFT)
736 #define POLICY_SHUNT_REJECT (3ul << POLICY_SHUNT_SHIFT)
737
738 /* fail attributes: what to do with failed negotiation (2 bits) */
739
740 #define POLICY_FAIL_SHIFT 10 /* log2(POLICY_FAIL_PASS) */
741 #define POLICY_FAIL_MASK (03ul << POLICY_FAIL_SHIFT)
742
743 #define POLICY_FAIL_NONE (0ul << POLICY_FAIL_SHIFT) /* default */
744 #define POLICY_FAIL_PASS (1ul << POLICY_FAIL_SHIFT)
745 #define POLICY_FAIL_DROP (2ul << POLICY_FAIL_SHIFT)
746 #define POLICY_FAIL_REJECT (3ul << POLICY_FAIL_SHIFT)
747
748 /* connection policy
749 * Other policies could vary per state object. These live in connection.
750 */
751 #define POLICY_DONT_REKEY LELEM(12) /* don't rekey state either Phase */
752 #define POLICY_OPPO LELEM(13) /* is this opportunistic? */
753 #define POLICY_GROUP LELEM(14) /* is this a group template? */
754 #define POLICY_GROUTED LELEM(15) /* do we want this group routed? */
755 #define POLICY_UP LELEM(16) /* do we want this up? */
756 #define POLICY_MODECFG_PUSH LELEM(17) /* is modecfg pushed by server? */
757 #define POLICY_XAUTH_PSK LELEM(18) /* do we support XAUTH????PreShared? */
758 #define POLICY_XAUTH_RSASIG LELEM(19) /* do we support XAUTH????RSA? */
759 #define POLICY_XAUTH_SERVER LELEM(20) /* are we an XAUTH server? */
760 #define POLICY_DONT_REAUTH LELEM(21) /* don't reauthenticate on rekeying, IKEv2 only */
761 #define POLICY_BEET LELEM(22) /* bound end2end tunnel, IKEv2 */
762 #define POLICY_MOBIKE LELEM(23) /* enable MOBIKE for IKEv2 */
763 #define POLICY_FORCE_ENCAP LELEM(24) /* force UDP encapsulation (IKEv2) */
764 #define POLICY_PROXY LELEM(25) /* proxy transport mode (MIPv6) */
765
766 /* Any IPsec policy? If not, a connection description
767 * is only for ISAKMP SA, not IPSEC SA. (A pun, I admit.)
768 * Note: a connection can only be routed if it is NEVER_NEGOTIATE
769 * or HAS_IPSEC_POLICY.
770 */
771 #define HAS_IPSEC_POLICY(p) (((p) & POLICY_IPSEC_MASK) != 0)
772
773 /* Don't allow negotiation? */
774 #define NEVER_NEGOTIATE(p) (LDISJOINT((p), POLICY_ID_AUTH_MASK))
775
776
777 /* Oakley transform attributes
778 * draft-ietf-ipsec-ike-01.txt appendix A
779 */
780
781 extern enum_names oakley_attr_names;
782 extern const char *const oakley_attr_bit_names[];
783
784 #define OAKLEY_ENCRYPTION_ALGORITHM 1
785 #define OAKLEY_HASH_ALGORITHM 2
786 #define OAKLEY_AUTHENTICATION_METHOD 3
787 #define OAKLEY_GROUP_DESCRIPTION 4
788 #define OAKLEY_GROUP_TYPE 5
789 #define OAKLEY_GROUP_PRIME 6 /* B/V */
790 #define OAKLEY_GROUP_GENERATOR_ONE 7 /* B/V */
791 #define OAKLEY_GROUP_GENERATOR_TWO 8 /* B/V */
792 #define OAKLEY_GROUP_CURVE_A 9 /* B/V */
793 #define OAKLEY_GROUP_CURVE_B 10 /* B/V */
794 #define OAKLEY_LIFE_TYPE 11
795 #define OAKLEY_LIFE_DURATION 12 /* B/V */
796 #define OAKLEY_PRF 13
797 #define OAKLEY_KEY_LENGTH 14
798 #define OAKLEY_FIELD_SIZE 15
799 #define OAKLEY_GROUP_ORDER 16 /* B/V */
800 #define OAKLEY_BLOCK_SIZE 17
801
802 /* for each Oakley attribute, which enum_names describes its values? */
803 extern enum_names *oakley_attr_val_descs[];
804
805 /* IPsec DOI attributes
806 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.5
807 */
808
809 extern enum_names ipsec_attr_names;
810
811 #define SA_LIFE_TYPE 1
812 #define SA_LIFE_DURATION 2 /* B/V */
813 #define GROUP_DESCRIPTION 3
814 #define ENCAPSULATION_MODE 4
815 #define AUTH_ALGORITHM 5
816 #define KEY_LENGTH 6
817 #define KEY_ROUNDS 7
818 #define COMPRESS_DICT_SIZE 8
819 #define COMPRESS_PRIVATE_ALG 9 /* B/V */
820
821 /* for each IPsec attribute, which enum_names describes its values? */
822 extern enum_names *ipsec_attr_val_descs[];
823
824 /* SA Lifetime Type attribute
825 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.5
826 * Default time specified in 4.5
827 *
828 * There are two defaults for IPSEC SA lifetime, SA_LIFE_DURATION_DEFAULT,
829 * and PLUTO_SA_LIFE_DURATION_DEFAULT.
830 * SA_LIFE_DURATION_DEFAULT is specified in RFC2407 "The Internet IP
831 * Security Domain of Interpretation for ISAKMP" 4.5. It applies when
832 * an ISAKMP negotiation does not explicitly specify a life duration.
833 * PLUTO_SA_LIFE_DURATION_DEFAULT is specified in pluto(8). It applies
834 * when a connection description does not specify --ipseclifetime.
835 * The value of SA_LIFE_DURATION_MAXIMUM is our local policy.
836 */
837
838 extern enum_names sa_lifetime_names;
839
840 #define SA_LIFE_TYPE_SECONDS 1
841 #define SA_LIFE_TYPE_KBYTES 2
842
843 #define SA_LIFE_DURATION_DEFAULT 28800 /* eight hours (RFC2407 4.5) */
844 #define PLUTO_SA_LIFE_DURATION_DEFAULT 3600 /* one hour (pluto(8)) */
845 #define SA_LIFE_DURATION_MAXIMUM 86400 /* one day */
846
847 #define SA_REPLACEMENT_MARGIN_DEFAULT 540 /* (IPSEC & IKE) nine minutes */
848 #define SA_REPLACEMENT_FUZZ_DEFAULT 100 /* (IPSEC & IKE) 100% of MARGIN */
849 #define SA_REPLACEMENT_RETRIES_DEFAULT 3 /* (IPSEC & IKE) */
850
851 #define SA_LIFE_DURATION_K_DEFAULT 0xFFFFFFFFlu
852
853 /* Encapsulation Mode attribute */
854
855 extern enum_names enc_mode_names;
856
857 #define ENCAPSULATION_MODE_UNSPECIFIED 0 /* not legal -- used internally */
858 #define ENCAPSULATION_MODE_TUNNEL 1
859 #define ENCAPSULATION_MODE_TRANSPORT 2
860
861 #define ENCAPSULATION_MODE_UDP_TUNNEL_RFC 3
862 #define ENCAPSULATION_MODE_UDP_TRANSPORT_RFC 4
863
864 #define ENCAPSULATION_MODE_UDP_TUNNEL_DRAFTS 61443
865 #define ENCAPSULATION_MODE_UDP_TRANSPORT_DRAFTS 61444
866
867 /* Auth Algorithm attribute */
868
869 extern enum_names auth_alg_names, extended_auth_alg_names;
870
871 #define AUTH_ALGORITHM_NONE 0 /* our private designation */
872 #define AUTH_ALGORITHM_HMAC_MD5 1
873 #define AUTH_ALGORITHM_HMAC_SHA1 2
874 #define AUTH_ALGORITHM_DES_MAC 3
875 #define AUTH_ALGORITHM_KPDK 4
876 #define AUTH_ALGORITHM_HMAC_SHA2_256 5
877 #define AUTH_ALGORITHM_HMAC_SHA2_384 6
878 #define AUTH_ALGORITHM_HMAC_SHA2_512 7
879 #define AUTH_ALGORITHM_HMAC_RIPEMD 8
880 #define AUTH_ALGORITHM_AES_XCBC_MAC 9
881 #define AUTH_ALGORITHM_SIG_RSA 10
882 #define AUTH_ALGORITHM_NULL 251
883
884 /* Oakley Lifetime Type attribute
885 * draft-ietf-ipsec-ike-01.txt appendix A
886 * As far as I can see, there is not specification for
887 * OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT. This could lead to interop problems!
888 * For no particular reason, we chose three hours.
889 * The value of OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM is our local policy.
890 */
891 extern enum_names oakley_lifetime_names;
892
893 #define OAKLEY_LIFE_SECONDS 1
894 #define OAKLEY_LIFE_KILOBYTES 2
895
896 #define OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT 10800 /* three hours */
897 #define OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM 86400 /* one day */
898
899 /* Oakley PRF attribute (none defined)
900 * draft-ietf-ipsec-ike-01.txt appendix A
901 */
902 extern enum_names oakley_prf_names;
903
904 /* HMAC (see rfc2104.txt) */
905
906 #define HMAC_IPAD 0x36
907 #define HMAC_OPAD 0x5C
908
909 /* Oakley Encryption Algorithm attribute
910 * draft-ietf-ipsec-ike-01.txt appendix A
911 * and from http://www.isi.edu/in-notes/iana/assignments/ipsec-registry
912 */
913
914 extern enum_names oakley_enc_names;
915
916 #define OAKLEY_DES_CBC 1
917 #define OAKLEY_IDEA_CBC 2
918 #define OAKLEY_BLOWFISH_CBC 3
919 #define OAKLEY_RC5_R16_B64_CBC 4
920 #define OAKLEY_3DES_CBC 5
921 #define OAKLEY_CAST_CBC 6
922 #define OAKLEY_AES_CBC 7
923 #define OAKLEY_CAMELLIA_CBC 8
924
925 #define OAKLEY_MARS_CBC 65001
926 #define OAKLEY_RC6_CBC 65002
927 #define OAKLEY_ID_65003 65003
928 #define OAKLEY_SERPENT_CBC 65004
929 #define OAKLEY_TWOFISH_CBC 65005
930
931 #define OAKLEY_TWOFISH_CBC_SSH 65289
932
933 #define OAKLEY_ENCRYPT_MAX 65535 /* pretty useless :) */
934
935 /* Oakley Hash Algorithm attribute
936 * draft-ietf-ipsec-ike-01.txt appendix A
937 * and from http://www.isi.edu/in-notes/iana/assignments/ipsec-registry
938 */
939
940 extern enum_names oakley_hash_names;
941
942 #define OAKLEY_MD5 1
943 #define OAKLEY_SHA 2
944 #define OAKLEY_TIGER 3
945 #define OAKLEY_SHA2_256 4
946 #define OAKLEY_SHA2_384 5
947 #define OAKLEY_SHA2_512 6
948
949 #define OAKLEY_HASH_MAX 7
950
951 /* Oakley Authentication Method attribute
952 * draft-ietf-ipsec-ike-01.txt appendix A
953 * Goofy Hybrid extensions from draft-ietf-ipsec-isakmp-hybrid-auth-05.txt
954 * Goofy XAUTH extensions from draft-ietf-ipsec-isakmp-xauth-06.txt
955 */
956
957 extern enum_names oakley_auth_names;
958
959 #define OAKLEY_PRESHARED_KEY 1
960 #define OAKLEY_DSS_SIG 2
961 #define OAKLEY_RSA_SIG 3
962 #define OAKLEY_RSA_ENC 4
963 #define OAKLEY_RSA_ENC_REV 5
964 #define OAKLEY_ELGAMAL_ENC 6
965 #define OAKLEY_ELGAMAL_ENC_REV 7
966 #define OAKLEY_ECDSA_SIG 8
967 #define OAKLEY_ECDSA_256 9
968 #define OAKLEY_ECDSA_384 10
969 #define OAKLEY_ECDSA_521 11
970
971 #define OAKLEY_AUTH_ROOF 12 /* roof on auth values THAT WE SUPPORT */
972
973 #define HybridInitRSA 64221
974 #define HybridRespRSA 64222
975 #define HybridInitDSS 64223
976 #define HybridRespDSS 64224
977
978 #define XAUTHInitPreShared 65001
979 #define XAUTHRespPreShared 65002
980 #define XAUTHInitDSS 65003
981 #define XAUTHRespDSS 65004
982 #define XAUTHInitRSA 65005
983 #define XAUTHRespRSA 65006
984 #define XAUTHInitRSAEncryption 65007
985 #define XAUTHRespRSAEncryption 65008
986 #define XAUTHInitRSARevisedEncryption 65009
987 #define XAUTHRespRSARevisedEncryption 65010
988
989 /* Oakley Group Description attribute
990 * draft-ietf-ipsec-ike-01.txt appendix A
991 */
992 extern enum_names oakley_group_names;
993
994 /* you must also touch: constants.c, crypto.c */
995
996 /* Oakley Group Type attribute
997 * draft-ietf-ipsec-ike-01.txt appendix A
998 */
999 extern enum_names oakley_group_type_names;
1000
1001 #define OAKLEY_GROUP_TYPE_MODP 1
1002 #define OAKLEY_GROUP_TYPE_ECP 2
1003 #define OAKLEY_GROUP_TYPE_EC2N 3
1004
1005
1006 /* Notify messages -- error types
1007 * See RFC2408 ISAKMP 3.14.1
1008 */
1009
1010 extern enum_names notification_names;
1011 extern enum_names ipsec_notification_names;
1012
1013 typedef enum {
1014 NOTHING_WRONG = 0, /* unofficial! */
1015
1016 INVALID_PAYLOAD_TYPE = 1,
1017 DOI_NOT_SUPPORTED = 2,
1018 SITUATION_NOT_SUPPORTED = 3,
1019 INVALID_COOKIE = 4,
1020 INVALID_MAJOR_VERSION = 5,
1021 INVALID_MINOR_VERSION = 6,
1022 INVALID_EXCHANGE_TYPE = 7,
1023 INVALID_FLAGS = 8,
1024 INVALID_MESSAGE_ID = 9,
1025 INVALID_PROTOCOL_ID = 10,
1026 INVALID_SPI = 11,
1027 INVALID_TRANSFORM_ID = 12,
1028 ATTRIBUTES_NOT_SUPPORTED = 13,
1029 NO_PROPOSAL_CHOSEN = 14,
1030 BAD_PROPOSAL_SYNTAX = 15,
1031 PAYLOAD_MALFORMED = 16,
1032 INVALID_KEY_INFORMATION = 17,
1033 INVALID_ID_INFORMATION = 18,
1034 INVALID_CERT_ENCODING = 19,
1035 INVALID_CERTIFICATE = 20,
1036 CERT_TYPE_UNSUPPORTED = 21,
1037 INVALID_CERT_AUTHORITY = 22,
1038 INVALID_HASH_INFORMATION = 23,
1039 AUTHENTICATION_FAILED = 24,
1040 INVALID_SIGNATURE = 25,
1041 ADDRESS_NOTIFICATION = 26,
1042 NOTIFY_SA_LIFETIME = 27,
1043 CERTIFICATE_UNAVAILABLE = 28,
1044 UNSUPPORTED_EXCHANGE_TYPE = 29,
1045 UNEQUAL_PAYLOAD_LENGTHS = 30,
1046
1047 /* ISAKMP status type */
1048 CONNECTED = 16384,
1049
1050 /* IPSEC DOI additions; status types (RFC2407 IPSEC DOI 4.6.3)
1051 * These must be sent under the protection of an ISAKMP SA.
1052 */
1053 IPSEC_RESPONDER_LIFETIME = 24576,
1054 IPSEC_REPLAY_STATUS = 24577,
1055 IPSEC_INITIAL_CONTACT = 24578,
1056
1057 /* RFC 3706 DPD */
1058 R_U_THERE = 36136,
1059 R_U_THERE_ACK = 36137
1060
1061 } notification_t;
1062
1063
1064 /* Public key algorithm number
1065 * Same numbering as used in DNSsec
1066 * See RFC 2535 DNSsec 3.2 The KEY Algorithm Number Specification.
1067 * Also found in BIND 8.2.2 include/isc/dst.h as DST algorithm codes.
1068 */
1069
1070 enum pubkey_alg
1071 {
1072 PUBKEY_ALG_RSA = 1,
1073 PUBKEY_ALG_DSA = 3,
1074 };
1075
1076 /* Limits on size of RSA moduli.
1077 * The upper bound matches that of DNSsec (see RFC 2537).
1078 * The lower bound must be more than 11 octets for certain
1079 * the encoding to work, but it must be much larger for any
1080 * real security. For now, we require 512 bits.
1081 */
1082
1083 #define RSA_MIN_OCTETS_RFC 12
1084
1085 #define RSA_MIN_OCTETS (512 / BITS_PER_BYTE)
1086 #define RSA_MIN_OCTETS_UGH "RSA modulus too small for security: less than 512 bits"
1087
1088 #define RSA_MAX_OCTETS (8192 / BITS_PER_BYTE)
1089 #define RSA_MAX_OCTETS_UGH "RSA modulus too large: more than 8192 bits"
1090
1091 /* Note: RFC 2537 encoding adds a few bytes. If you use a small
1092 * modulus like 3, the overhead is only 2 bytes
1093 */
1094 #define RSA_MAX_ENCODING_BYTES (RSA_MAX_OCTETS + 2)
1095
1096 /* socket address family info */
1097
1098 struct af_info
1099 {
1100 int af;
1101 const char *name;
1102 size_t ia_sz;
1103 size_t sa_sz;
1104 int mask_cnt;
1105 u_int8_t id_addr, id_subnet, id_range;
1106 const ip_address *any;
1107 const ip_subnet *none; /* 0.0.0.0/32 or IPv6 equivalent */
1108 const ip_subnet *all; /* 0.0.0.0/0 or IPv6 equivalent */
1109 };
1110
1111 extern const struct af_info
1112 af_inet4_info,
1113 af_inet6_info;
1114
1115 extern const struct af_info *aftoinfo(int af);
1116
1117 extern enum_names af_names;
1118
1119 #define subnetisaddr(sn, a) (subnetishost(sn) && addrinsubnet((a), (sn)))
1120 extern bool subnetisnone(const ip_subnet *sn);
1121
1122 /* BIND enumerated types */
1123
1124 extern enum_names
1125 rr_qtype_names,
1126 rr_type_names,
1127 rr_class_names;
1128
1129 /* How authenticated is info that might have come from DNS?
1130 * In order of increasing confidence.
1131 */
1132 enum dns_auth_level {
1133 DAL_UNSIGNED, /* AD in response, but no signature: no authentication */
1134 DAL_NOTSEC, /* no AD in response: authentication impossible */
1135 DAL_SIGNED, /* AD and signature in response: authentic */
1136 DAL_LOCAL /* locally provided (pretty good) */
1137 };
1138
1139 /*
1140 * define a macro for use in error messages
1141 */
1142
1143 #ifdef USE_KEYRR
1144 #define RRNAME "TXT or KEY"
1145 #else
1146 #define RRNAME "TXT"
1147 #endif
1148
1149 /* natt traversal types */
1150 extern const char *const natt_type_bitnames[];
1151
1152 /* secret value for responder cookies */
1153 extern u_char secret_of_the_day[HASH_SIZE_SHA1];
1154
1155 #endif /* _CONSTANTS_H */