/* manifest constants
 *
 * Shared numeric and string constants for Pluto (IKE daemon) and its
 * control program.  Almost everything here is a macro or an extern
 * declaration; the enum_names tables that map these numbers back to
 * names live in constants.c and must be kept in step (see NOTE below).
 *
 * Copyright (C) 1997 Angelos D. Keromytis.
 * Copyright (C) 1998, 1999 D. Hugh Redelmeier.
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 *
 * RCSID $Id: constants.h,v 1.51 2000/06/20 20:09:45 dhr Exp $
 */

/*
 * NOTE: For debugging purposes, constants.c has tables to map numbers back to names.
 * Any changes here should be reflected there.
 */

/* number of elements in an array -- only valid on a true array object,
 * not on a pointer or an array-typed function parameter (which has decayed).
 */
#define elemsof(array) (sizeof(array) / sizeof(*(array)))

/* Many routines return only success or failure, but wish to describe
 * the failure in a message.  We use the convention that they return
 * a NULL on success and a pointer to constant string on failure.
 * The fact that the string is a constant is limiting, but it
 * avoids storage management issues: the recipient is allowed to assume
 * that the string will live "long enough" (usually forever).
 */
typedef const char *complaint_t;	/* NULL iff happy */

/* Pre-C99 boolean.
 * NOTE(review): this typedef cannot coexist with <stdbool.h> (which makes
 * `bool` a macro); keep the two out of the same translation unit.
 */
typedef int bool;
#define FALSE 0
#define TRUE 1

#define NULL_FD (-1)	/* NULL file descriptor */

/* dup() a descriptor, passing NULL_FD through unchanged.
 * The argument is evaluated twice, so do not pass an expression with side effects.
 */
#define dup_any(fd) ((fd) == NULL_FD? NULL_FD : dup(fd))

#define BITS_PER_BYTE 8

/* set type with room for at least 32 elements
 *
 * LELEM(opt) is the singleton set {opt}.
 * LRANGE(lwb, upb) is the set of every element from lwb to upb inclusive
 * (2*LELEM(upb) - LELEM(lwb) == bits lwb..upb).
 * LALLIN(set, probe) is TRUE iff every element of probe is in set.
 */
typedef unsigned long lset_t;
#define LEMPTY 0UL
#define LELEM(opt) (1UL << (opt))
#define LRANGE(lwb, upb) (LELEM(upb) + LELEM(upb) - LELEM(lwb))
#define LALLIN(set, probe) (((set) & (probe)) == (probe))

/* Control and lock pathnames */
#ifndef DEFAULT_CTLBASE
# define DEFAULT_CTLBASE "/var/run/pluto"
#endif
#define CTL_SUFFIX ".ctl"	/* for UNIX domain socket pathname */
#define LOCK_SUFFIX ".pid"	/* for pluto's lock */

/* Routines to check and display values.
 *
 * An enum_names describes an enumeration.
 * enum_name() returns the name of an enum value, or NULL if invalid.
 * enum_show() is like enum_name, except it formats a numeric representation
 * for any invalid value (in a static area!)
 *
 * bitnames() formats a display of a set of named bits (in a static area)
 *
 * Because enum_show() and bitnamesof() return pointers into static storage,
 * their results are overwritten by the next call and are not safe to hold
 * across a second call (e.g. two uses in one printf argument list).
 */
typedef const struct enum_names enum_names;
extern const char *enum_name(enum_names *ed, unsigned long val);
extern const char *enum_show(enum_names *ed, unsigned long val);
extern bool testset(const char *const table[], lset_t val);
extern const char *bitnamesof(const char *const table[], lset_t val);

#define FULL_INET_ADDRESS_SIZE 6

/* Group parameters from draft-ietf-ike-01.txt section 6
 *
 * The moduli are hex digit strings with embedded spaces; the consumer is
 * presumably expected to skip the whitespace -- note that MODP1536_MODULUS
 * ends with a trailing blank while the other two do not (confirm the parser
 * tolerates it before changing any of these literals).
 */
#define MODP_GENERATOR "2"
#define MODP768_MODULUS \
	"FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 " \
	"29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD " \
	"EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 " \
	"E485B576 625E7EC6 F44C42E9 A63A3620 FFFFFFFF FFFFFFFF"
#define MODP1024_MODULUS \
	"FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 " \
	"29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD " \
	"EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 " \
	"E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED " \
	"EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE65381 " \
	"FFFFFFFF FFFFFFFF"
#define MODP1536_MODULUS \
	"FFFFFFFF FFFFFFFF C90FDAA2 2168C234 C4C6628B 80DC1CD1 " \
	"29024E08 8A67CC74 020BBEA6 3B139B22 514A0879 8E3404DD " \
	"EF9519B3 CD3A431B 302B0A6D F25F1437 4FE1356D 6D51C245 " \
	"E485B576 625E7EC6 F44C42E9 A637ED6B 0BFF5CB6 F406B7ED " \
	"EE386BFB 5A899FA5 AE9F2411 7C4B1FE6 49286651 ECE45B3D " \
	"C2007CB8 A163BF05 98DA4836 1C55D39A 69163FA8 FD24CF5F " \
	"83655D23 DCA3AD96 1C62F356 208552BB 9ED52907 7096966D " \
	"670C354E 4ABC9804 F1746C08 CA237327 FFFFFFFF FFFFFFFF "

#define LOCALSECRETSIZE (256 / BITS_PER_BYTE)	/* 32 bytes */

/* limits on nonce sizes.  See RFC2409 "The internet key exchange (IKE)" 5 */
#define MINIMUM_NONCE_SIZE 8	/* bytes */
#define DEFAULT_NONCE_SIZE 16	/* bytes */
#define MAXIMUM_NONCE_SIZE 256	/* bytes */

#define COOKIE_SIZE 8
#define MAX_ISAKMP_SPI_SIZE 16

#define MD5_DIGEST_SIZE (128 / BITS_PER_BYTE)	/* ought to be supplied by md5.h */
#define SHA1_DIGEST_SIZE (160 / BITS_PER_BYTE)	/* ought to be supplied by sha1.h */
#define DES_CBC_BLOCK_SIZE (64 / BITS_PER_BYTE)

#define DSS_QBITS 160	/* bits in DSS's "q" (FIPS 186-1) */

/* to statically allocate IV, we need max of
 * MD5_DIGEST_SIZE, SHA1_DIGEST_SIZE, and DES_CBC_BLOCK_SIZE.
 * To avoid combinatorial explosion, we leave out DES_CBC_BLOCK_SIZE
 * (it is the smallest of the three with the values above, so the
 * result is unaffected -- revisit if DES_CBC_BLOCK_SIZE ever grows).
 */
#define MAX_DIGEST_LEN (MD5_DIGEST_SIZE > SHA1_DIGEST_SIZE? MD5_DIGEST_SIZE : SHA1_DIGEST_SIZE)

/* draft-ietf-ipsec-auth-hmac-sha196-01.txt section 3 */
#define HMAC_SHA1_KEY_LEN SHA1_DIGEST_SIZE

/* draft-ietf-ipsec-auth-hmac-md5-96-01.txt section 3 */
#define HMAC_MD5_KEY_LEN MD5_DIGEST_SIZE

#define IKE_UDP_PORT 500

/* PORT may be overridden at build time (e.g. for testing); defaults to IKE's port */
#ifndef PORT
# define PORT IKE_UDP_PORT
#endif

/* Timer events */
extern enum_names timer_event_names;
#define EVENT_NULL 0	/* non-event */
#define EVENT_REINIT_SECRET 1	/* Refresh cookie secret */
#define EVENT_SO_DISCARD 2	/* discard unfinished state object */
#define EVENT_RETRANSMIT 3	/* Retransmit packet */
#define EVENT_SA_REPLACE 4	/* SA replacement event */
#define EVENT_SA_EXPIRE 5	/* SA expiration event */
#define EVENT_REINIT_SECRET_DELAY 3600	/* 1 hour */
#define EVENT_RETRANSMIT_DELAY_0 10	/* 10 seconds */

/* Misc. stuff */
#define ISAKMP_RESPONDER 0
#define ISAKMP_INITIATOR 1
#define MAXIMUM_RETRANSMISSIONS 2
#define MAXIMUM_RETRANSMISSIONS_INITIAL 20
#define UDP_SIZE 65536	/* largest possible UDP datagram, for receive buffers */

/* Version numbers */
#define ISAKMP_MAJOR_VERSION 0x1
#define ISAKMP_MINOR_VERSION 0x0
extern enum_names version_names;

/* Domain of Interpretation */
extern enum_names doi_names;
#define ISAKMP_DOI_ISAKMP 0
#define ISAKMP_DOI_IPSEC 1

/* IPsec DOI things */
#define IPSEC_DOI_SITUATION_LENGTH 4
#define IPSEC_DOI_LDI_LENGTH 4
#define IPSEC_DOI_SPI_SIZE 4

/* SPI value 0 is invalid and values 1-255 are reserved to IANA.
 * RFC 2402 (ESP) 2.4, RFC 2406 (AH) 2.1
 * IPCOMP???
 * We (FreeS/WAN) reserve 0x100 to 0xFFF for manual keying, so
 * Pluto won't generate these values.
 */
#define IPSEC_DOI_SPI_MIN 0x100
#define IPSEC_DOI_SPI_OUR_MIN 0x1000

/* debugging settings: a set selections for reporting
 * These would be more naturally situated in log.h,
 * but they are shared with whack.
 *
 * DBG_PRIVATE is deliberately excluded from DBG_ALL: it logs key material
 * and must be switched on explicitly.
 */
#ifdef DEBUG
extern const char *const debug_bit_names[];
#define DBG_RAW 0x01	/* raw packet I/O */
#define DBG_CRYPT 0x02	/* encryption/decryption of messages */
#define DBG_PARSING 0x04	/* show decoding of messages */
#define DBG_EMITTING 0x08	/* show encoding of messages */
#define DBG_CONTROL 0x10	/* control flow within Pluto */
#define DBG_KLIPS 0x20	/* messages to KLIPS */
#define DBG_PRIVATE 0x40	/* private information: DANGER! */
#define DBG_NONE 0	/* no options on */
#define DBG_ALL 0x3f	/* all options on EXCEPT DBG_PRIVATE (0x01|...|0x20) */
#endif

/* State of exchanges
 *
 * The name of the state describes the last message sent, not the
 * message currently being input or output (except during retry).
 *
 * STATE_MAIN_R0 and STATE_QUICK_R0 are intermediate state (not
 * retained between messages) representing the state when the first
 * message of an exchange has been read but not processed.  The name
 * reflects the fiction that a zeroth responder message has been sent.
 *
 * STATE_MAIN_I4 is an exception because there is no such message.
 * It is best to think of this as a notional empty message following
 * the receipt of STATE_MAIN_R3 message.
 *
 * Similarly, there is no STATE_QUICK_R2 message, but the state
 * represents having received the STATE_QUICK_I2 message.
 *
 * state		routine that sets it
 * =====		====================
 * STATE_MAIN_R0	comm_handle: Main Mode packet but no state
 * STATE_MAIN_I1	main_outI1
 * STATE_MAIN_R1	main_inI1_outR1
 * STATE_MAIN_I2	main_inR1_outI2
 * STATE_MAIN_R2	main_inI2_outR2
 * STATE_MAIN_I3	main_inR2_outI3
 * STATE_MAIN_R3	main_inI3_outR3
 * STATE_MAIN_I4	main_inR3
 *
 * STATE_QUICK_R0	comm_handle: Quick Mode packet no Quick Mode state
 * STATE_QUICK_I1	quick_outI1
 * STATE_QUICK_R1	quick_inI1_outR1
 * STATE_QUICK_I2	quick_inR1_outI2
 * STATE_QUICK_R2	quick_inI2
 *
 * STATE_ROOF is one past the last valid state; the values are contiguous
 * so the IS_* range tests below work.
 */
extern enum_names state_names;
extern const char *const state_story[];

#define STATE_MAIN_R0 1
#define STATE_MAIN_I1 2
#define STATE_MAIN_R1 3
#define STATE_MAIN_I2 4
#define STATE_MAIN_R2 5
#define STATE_MAIN_I3 6
#define STATE_MAIN_R3 7
#define STATE_MAIN_I4 8

#define STATE_QUICK_R0 9
#define STATE_QUICK_I1 10
#define STATE_QUICK_R1 11
#define STATE_QUICK_I2 12
#define STATE_QUICK_R2 13

#define STATE_INFO 14
#define STATE_INFO_PROTECTED 15

#define STATE_ROOF 16

#define IS_PHASE1(s) (STATE_MAIN_R0 <= (s) && (s) <= STATE_MAIN_I4)
#define IS_QUICK(s) (STATE_QUICK_R0 <= (s) && (s) <= STATE_QUICK_R2)
#define IS_ISAKMP_SA_ESTABLISHED(s) ((s) == STATE_MAIN_R3 || (s) == STATE_MAIN_I4)
#define IS_IPSEC_SA_ESTABLISHED(s) ((s) == STATE_QUICK_I2 || (s) == STATE_QUICK_R2)
#define IS_ONLY_INBOUND_IPSEC_SA_ESTABLISHED(s) ((s) == STATE_QUICK_R1)

/* Payload types
 * RFC2408 Internet Security Association and Key Management Protocol (ISAKMP)
 * section 3.1
 *
 * RESERVED 14-127
 * Private USE 128-255
 */
extern enum_names payload_names;
extern const char *const payload_name[];

#define ISAKMP_NEXT_NONE 0	/* No other payload following */
#define ISAKMP_NEXT_SA 1	/* Security Association */
#define ISAKMP_NEXT_P 2	/* Proposal */
#define ISAKMP_NEXT_T 3	/* Transform */
#define ISAKMP_NEXT_KE 4	/* Key Exchange */
#define ISAKMP_NEXT_ID 5	/* Identification */
#define ISAKMP_NEXT_CERT 6	/* Certificate */
#define ISAKMP_NEXT_CR 7	/* Certificate Request */
#define ISAKMP_NEXT_HASH 8	/* Hash */
#define ISAKMP_NEXT_SIG 9	/* Signature */
#define ISAKMP_NEXT_NONCE 10	/* Nonce */
#define ISAKMP_NEXT_N 11	/* Notification */
#define ISAKMP_NEXT_D 12	/* Delete */
#define ISAKMP_NEXT_VID 13	/* Vendor ID */
#define ISAKMP_NEXT_ROOF 14	/* roof on payload types */

/* Exchange types
 * RFC2408 "Internet Security Association and Key Management Protocol (ISAKMP)"
 * section 3.1
 *
 * ISAKMP Future Use 6 - 31
 * DOI Specific Use 32 - 239
 * Private Use 240 - 255
 *
 * Note: draft-ietf-ipsec-dhless-enc-mode-00.txt Appendix A
 * defines "DHless RSA Encryption" as 6.
 */
extern enum_names exchange_names;

#define ISAKMP_XCHG_NONE 0
#define ISAKMP_XCHG_BASE 1
#define ISAKMP_XCHG_IDPROT 2	/* ID Protection */
#define ISAKMP_XCHG_AO 3	/* Authentication Only */
#define ISAKMP_XCHG_AGGR 4	/* Aggressive */
#define ISAKMP_XCHG_INFO 5	/* Informational */

/* Extra exchange types, defined by Oakley
 * RFC2409 "The Internet Key Exchange (IKE)", near end of Appendix A
 */
#define ISAKMP_XCHG_QUICK 32	/* Oakley Quick Mode */
#define ISAKMP_XCHG_NGRP 33	/* Oakley New Group Mode */
/* added in draft-ietf-ipsec-ike-01.txt, near end of Appendix A */
#define ISAKMP_XCHG_ACK_INFO 34	/* Oakley Acknowledged Informational */

/* Flag bits */
extern const char *const flag_bit_names[];
#define ISAKMP_FLAG_ENCRYPTION 0x1
#define ISAKMP_FLAG_COMMIT 0x2

/* Situation definition for IPsec DOI */
extern const char *const sit_bit_names[];
#define SIT_IDENTITY_ONLY 0x01
#define SIT_SECRECY 0x02
#define SIT_INTEGRITY 0x04

/* Protocol IDs
 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.1
 */
extern enum_names protocol_names;
#define PROTO_ISAKMP 1
#define PROTO_IPSEC_AH 2
#define PROTO_IPSEC_ESP 3
#define PROTO_IPCOMP 4

/* warning: trans_show uses enum_show, so same static buffer is used.
 * p may be evaluated twice; t is evaluated at most once.
 */
#define trans_show(p, t) \
	((p)==PROTO_IPSEC_AH ? enum_show(&ah_transformid_names, (t)) \
	: (p)==PROTO_IPSEC_ESP ? enum_show(&esp_transformid_names, (t)) \
	: "??")

/* IPsec ISAKMP transform values
 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.2
 */
extern enum_names isakmp_transformid_names;
#define KEY_IKE 1

/* IPsec AH transform values
 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.3
 */
extern enum_names ah_transformid_names;
#define AH_MD5 2
#define AH_SHA 3
#define AH_DES 4

/* IPsec ESP transform values
 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.4
 */
extern enum_names esp_transformid_names;
#define ESP_reserved 0
#define ESP_DES_IV64 1
#define ESP_DES 2
#define ESP_3DES 3
#define ESP_RC5 4
#define ESP_IDEA 5
#define ESP_CAST 6
#define ESP_BLOWFISH 7
#define ESP_3IDEA 8
#define ESP_DES_IV32 9
#define ESP_RC4 10
#define ESP_NULL 11

/* IPCOMP transform values
 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.4.5
 */
extern enum_names ipcomp_names;
#define IPCOMP_OUI 1
#define IPCOMP_DEFLAT 2
#define IPCOMP_LZS 3
#define IPCOMP_V42BIS 4

/* Identification type values
 * RFC 2407 The Internet IP security Domain of Interpretation for ISAKMP 4.6.2.1
 */
extern enum_names ident_names;
#define ID_NONE 0	/* private to Pluto */
#define ID_IPV4_ADDR 1
#define ID_FQDN 2
#define ID_USER_FQDN 3
#define ID_IPV4_ADDR_SUBNET 4
#define ID_IPV6_ADDR 5
#define ID_IPV6_ADDR_SUBNET 6
#define ID_IPV4_ADDR_RANGE 7
#define ID_IPV6_ADDR_RANGE 8
#define ID_DER_ASN1_DN 9
#define ID_DER_ASN1_GN 10
#define ID_KEY_ID 11

/* Policies for establishing an SA
 *
 * These are used to specify attributes (eg. encryption) and techniques for
 * (eg PFS) required of an SA.  POLICY_PSK and POLICY_RSASIG are for
 * ISAKMP SAs; the rest are about IPsec SAs.
 *
 * The values are lset_t members, so they combine with | and test with LALLIN.
 */
extern const char *const sa_policy_bit_names[];

#define POLICY_PSK LELEM(0)
#define POLICY_RSASIG LELEM(1)
#define POLICY_ENCRYPT LELEM(2)
#define POLICY_AUTHENTICATE LELEM(3)
#define POLICY_TUNNEL LELEM(4)
#define POLICY_PFS LELEM(5)

#define POLICY_ISAKMP_SHIFT 0	/* log2(POLICY_PSK) */
#define POLICY_ISAKMP_MASK (POLICY_PSK | POLICY_RSASIG)
#define POLICY_IPSEC_SHIFT 2	/* log2(POLICY_ENCRYPT) */

/* Oakley transform attributes
 * draft-ietf-ipsec-ike-01.txt appendix A
 *
 * "B/V" marks attributes that may be encoded either as basic (fixed 2-byte
 * value) or variable length on the wire.
 */
extern enum_names oakley_attr_names;
extern const char *const oakley_attr_bit_names[];

#define OAKLEY_ENCRYPTION_ALGORITHM 1
#define OAKLEY_HASH_ALGORITHM 2
#define OAKLEY_AUTHENTICATION_METHOD 3
#define OAKLEY_GROUP_DESCRIPTION 4
#define OAKLEY_GROUP_TYPE 5
#define OAKLEY_GROUP_PRIME 6	/* B/V */
#define OAKLEY_GROUP_GENERATOR_ONE 7	/* B/V */
#define OAKLEY_GROUP_GENERATOR_TWO 8	/* B/V */
#define OAKLEY_GROUP_CURVE_A 9	/* B/V */
#define OAKLEY_GROUP_CURVE_B 10	/* B/V */
#define OAKLEY_LIFE_TYPE 11
#define OAKLEY_LIFE_DURATION 12	/* B/V */
#define OAKLEY_PRF 13
#define OAKLEY_KEY_LENGTH 14
#define OAKLEY_FIELD_SIZE 15
#define OAKLEY_GROUP_ORDER 16	/* B/V */
#define OAKLEY_BLOCK_SIZE 17

/* for each Oakley attribute, which enum_names describes its values? */
extern enum_names *oakley_attr_val_descs[];

/* IPsec DOI attributes
 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.5
 */
extern enum_names ipsec_attr_names;

#define SA_LIFE_TYPE 1
#define SA_LIFE_DURATION 2	/* B/V */
#define GROUP_DESCRIPTION 3
#define ENCAPSULATION_MODE 4
#define AUTH_ALGORITHM 5
#define KEY_LENGTH 6
#define KEY_ROUNDS 7
#define COMPRESS_DICT_SIZE 8
#define COMPRESS_PRIVATE_ALG 9	/* B/V */

/* for each IPsec attribute, which enum_names describes its values? */
extern enum_names *ipsec_attr_val_descs[];

/* SA Lifetime Type attribute
 * RFC2407 The Internet IP security Domain of Interpretation for ISAKMP 4.5
 * Default time specified in 4.5
 */
extern enum_names sa_lifetime_names;

#define SA_LIFE_TYPE_SECONDS 1
#define SA_LIFE_TYPE_KBYTES 2

#define SA_LIFE_DURATION_DEFAULT 28800	/* Eight hours */
#define SA_LIFE_DURATION_MAXIMUM 86400	/* One day */

#define SA_REPLACEMENT_MARGIN_DEFAULT 540	/* (IPSEC & IKE) nine minutes */
#define SA_REPLACEMENT_FUZZ_DEFAULT 100	/* (IPSEC & IKE) 100% of MARGIN */
#define SA_REPLACEMENT_RETRIES_DEFAULT 3	/* (IPSEC & IKE) */

#define SA_LIFE_DURATION_K_DEFAULT 0xFFFFFFFFlu	/* kilobyte lifetime: effectively unlimited */

/* Encapsulation Mode attribute */
extern enum_names enc_mode_names;

#define ENCAPSULATION_MODE_UNSPECIFIED 0	/* not legal -- used internally */
#define ENCAPSULATION_MODE_TUNNEL 1
#define ENCAPSULATION_MODE_TRANSPORT 2

/* Auth Algorithm attribute */
extern enum_names auth_alg_names, extended_auth_alg_names;

#define AUTH_ALGORITHM_NONE 0	/* our private designation */
#define AUTH_ALGORITHM_HMAC_MD5 1
#define AUTH_ALGORITHM_HMAC_SHA1 2
#define AUTH_ALGORITHM_DES_MAC 3
#define AUTH_ALGORITHM_KPDK 4

/* Oakley Lifetime Type attribute
 * draft-ietf-ipsec-ike-01.txt appendix A
 */
extern enum_names oakley_lifetime_names;

#define OAKLEY_LIFE_SECONDS 1
#define OAKLEY_LIFE_KILOBYTES 2

#define OAKLEY_ISAKMP_SA_LIFETIME_DEFAULT 3600	/* One hour */
#define OAKLEY_ISAKMP_SA_LIFETIME_MAXIMUM 28800	/* 8 hours */

/* Oakley PRF attribute (none defined)
 * draft-ietf-ipsec-ike-01.txt appendix A
 */
extern enum_names oakley_prf_names;

/* HMAC (see rfc2104.txt) */
#define HMAC_IPAD 0x36	/* inner pad byte */
#define HMAC_OPAD 0x5C	/* outer pad byte */
#define HMAC_BUFSIZE 64	/* block size of the underlying hash (MD5/SHA1) */

/* Oakley Encryption Algorithm attribute
 * draft-ietf-ipsec-ike-01.txt appendix A
 */
extern enum_names oakley_enc_names;

#define OAKLEY_DES_CBC 1
#define OAKLEY_IDEA_CBC 2
#define OAKLEY_BLOWFISH_CBC 3
#define OAKLEY_RC5_R16_B64_CBC 4
#define OAKLEY_3DES_CBC 5
#define OAKLEY_CAST_CBC 6

/* Oakley Hash Algorithm attribute
 * draft-ietf-ipsec-ike-01.txt appendix A
 */
extern enum_names oakley_hash_names;

#define OAKLEY_MD5 1
#define OAKLEY_SHA 2
#define OAKLEY_TIGER 3

/* Oakley Authentication Method attribute
 * draft-ietf-ipsec-ike-01.txt appendix A
 */
extern enum_names oakley_auth_names;

#define OAKLEY_PRESHARED_KEY 1
#define OAKLEY_DSS_SIG 2
#define OAKLEY_RSA_SIG 3
#define OAKLEY_RSA_ENC 4
#define OAKLEY_RSA_ENC_REV 5
#define OAKLEY_ELGAMAL_ENC 6
#define OAKLEY_ELGAMAL_ENC_REV 7

#define OAKLEY_AUTH_ROOF 8	/* roof on auth values */

/* Oakley Group Description attribute
 * draft-ietf-ipsec-ike-01.txt appendix A
 */
extern enum_names oakley_group_names;

#define OAKLEY_GROUP_MODP768 1
#define OAKLEY_GROUP_MODP1024 2
#define OAKLEY_GROUP_GP155 3
#define OAKLEY_GROUP_GP185 4
#define OAKLEY_GROUP_MODP1536 5

/* Oakley Group Type attribute
 * draft-ietf-ipsec-ike-01.txt appendix A
 */
extern enum_names oakley_group_type_names;

#define OAKLEY_GROUP_TYPE_MODP 1
#define OAKLEY_GROUP_TYPE_ECP 2
#define OAKLEY_GROUP_TYPE_EC2N 3

/* Notify messages -- error types
 * See RFC2408 ISAKMP 3.14.1
 *
 * Values below 16384 are ISAKMP error types; CONNECTED is the ISAKMP
 * status type; the IPSEC_* values are DOI-specific status types.
 */
extern enum_names notification_names;
extern enum_names ipsec_notification_names;

typedef enum {
	NOTHING_WRONG = 0,	/* unofficial! */

	INVALID_PAYLOAD_TYPE = 1,
	DOI_NOT_SUPPORTED = 2,
	SITUATION_NOT_SUPPORTED = 3,
	INVALID_COOKIE = 4,
	INVALID_MAJOR_VERSION = 5,
	INVALID_MINOR_VERSION = 6,
	INVALID_EXCHANGE_TYPE = 7,
	INVALID_FLAGS = 8,
	INVALID_MESSAGE_ID = 9,
	INVALID_PROTOCOL_ID = 10,
	INVALID_SPI = 11,
	INVALID_TRANSFORM_ID = 12,
	ATTRIBUTES_NOT_SUPPORTED = 13,
	NO_PROPOSAL_CHOSEN = 14,
	BAD_PROPOSAL_SYNTAX = 15,
	PAYLOAD_MALFORMED = 16,
	INVALID_KEY_INFORMATION = 17,
	INVALID_ID_INFORMATION = 18,
	INVALID_CERT_ENCODING = 19,
	INVALID_CERTIFICATE = 20,
	CERT_TYPE_UNSUPPORTED = 21,
	INVALID_CERT_AUTHORITY = 22,
	INVALID_HASH_INFORMATION = 23,
	AUTHENTICATION_FAILED = 24,
	INVALID_SIGNATURE = 25,
	ADDRESS_NOTIFICATION = 26,
	NOTIFY_SA_LIFETIME = 27,
	CERTIFICATE_UNAVAILABLE = 28,
	UNSUPPORTED_EXCHANGE_TYPE = 29,
	UNEQUAL_PAYLOAD_LENGTHS = 30,

	/* ISAKMP status type */
	CONNECTED = 16384,

	/* IPSEC DOI additions; status types (RFC2407 IPSEC DOI 4.6.3)
	 * These must be sent under the protection of an ISAKMP SA.
	 */
	IPSEC_RESPONDER_LIFETIME = 24576,
	IPSEC_REPLAY_STATUS = 24577,
	IPSEC_INITIAL_CONTACT = 24578
} notification_t;

/* Public key algorithm number
 * Same numbering as used in DNSsec
 * See RFC 2535 DNSsec 3.2 The KEY Algorithm Number Specification.
 * Also found in BIND 8.2.2 include/isc/dst.h as DST algorithm codes.
 */
enum pubkey_alg {
	PUBKEY_ALG_RSA = 1,
	PUBKEY_ALG_DSA = 3,
};

/* Limits on size of RSA moduli.
 * The upper bound matches that of DNSsec (see RFC 2537).
 * The lower bound must be more than 11 octets for certain
 * the encoding to work, but it must be much larger for any
 * real security.  For now, we require 512 bits.
 *
 * NOTE(review): the 512-bit floor reflects the era of this file; a
 * present-day deployment should confirm whether a higher minimum is
 * appropriate before reusing these limits.
 */
#define RSA_MIN_OCTETS_RFC 12
#define RSA_MIN_OCTETS (512 / BITS_PER_BYTE)
#define RSA_MIN_OCTETS_UGH "RSA modulus too small for security: less than 512 bits"
#define RSA_MAX_OCTETS (4096 / BITS_PER_BYTE)
#define RSA_MAX_OCTETS_UGH "RSA modulus too large: more than 4096 bits"

/* BIND enumerated types */
extern enum_names rr_qtype_names, rr_type_names, rr_class_names;