1 | /* $NetBSD: ipsec_doi.h,v 1.12 2009/03/12 10:57:26 tteras Exp $ */ |
---|
2 | |
---|
3 | /* Id: ipsec_doi.h,v 1.15 2006/08/11 16:06:30 vanhu Exp */ |
---|
4 | |
---|
5 | /* |
---|
6 | * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. |
---|
7 | * All rights reserved. |
---|
8 | * |
---|
9 | * Redistribution and use in source and binary forms, with or without |
---|
10 | * modification, are permitted provided that the following conditions |
---|
11 | * are met: |
---|
12 | * 1. Redistributions of source code must retain the above copyright |
---|
13 | * notice, this list of conditions and the following disclaimer. |
---|
14 | * 2. Redistributions in binary form must reproduce the above copyright |
---|
15 | * notice, this list of conditions and the following disclaimer in the |
---|
16 | * documentation and/or other materials provided with the distribution. |
---|
17 | * 3. Neither the name of the project nor the names of its contributors |
---|
18 | * may be used to endorse or promote products derived from this software |
---|
19 | * without specific prior written permission. |
---|
20 | * |
---|
21 | * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND |
---|
22 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
---|
23 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
---|
24 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE |
---|
25 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
---|
26 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
---|
27 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
---|
28 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
---|
29 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
---|
30 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
---|
31 | * SUCH DAMAGE. |
---|
32 | */ |
---|
33 | |
---|
34 | #ifndef _IPSEC_DOI_H |
---|
35 | #define _IPSEC_DOI_H |
---|
36 | |
---|
37 | #include "isakmp.h" |
---|
38 | |
---|
39 | /* refered to RFC2407 */ |
---|
40 | |
---|
41 | #define IPSEC_DOI 1 |
---|
42 | |
---|
43 | /* 4.2 IPSEC Situation Definition */ |
---|
44 | #define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001 |
---|
45 | #define IPSECDOI_SIT_SECRECY 0x00000002 |
---|
46 | #define IPSECDOI_SIT_INTEGRITY 0x00000004 |
---|
47 | |
---|
48 | /* 4.4.1 IPSEC Security Protocol Identifiers */ |
---|
49 | /* 4.4.2 IPSEC ISAKMP Transform Values */ |
---|
50 | #define IPSECDOI_PROTO_ISAKMP 1 |
---|
51 | #define IPSECDOI_KEY_IKE 1 |
---|
52 | |
---|
53 | /* 4.4.1 IPSEC Security Protocol Identifiers */ |
---|
54 | #define IPSECDOI_PROTO_IPSEC_AH 2 |
---|
55 | /* 4.4.3 IPSEC AH Transform Values */ |
---|
56 | #define IPSECDOI_AH_MD5 2 |
---|
57 | #define IPSECDOI_AH_SHA 3 |
---|
58 | #define IPSECDOI_AH_DES 4 |
---|
59 | #define IPSECDOI_AH_SHA256 5 |
---|
60 | #define IPSECDOI_AH_SHA384 6 |
---|
61 | #define IPSECDOI_AH_SHA512 7 |
---|
62 | |
---|
63 | /* 4.4.1 IPSEC Security Protocol Identifiers */ |
---|
64 | #define IPSECDOI_PROTO_IPSEC_ESP 3 |
---|
65 | /* 4.4.4 IPSEC ESP Transform Identifiers */ |
---|
66 | #define IPSECDOI_ESP_DES_IV64 1 |
---|
67 | #define IPSECDOI_ESP_DES 2 |
---|
68 | #define IPSECDOI_ESP_3DES 3 |
---|
69 | #define IPSECDOI_ESP_RC5 4 |
---|
70 | #define IPSECDOI_ESP_IDEA 5 |
---|
71 | #define IPSECDOI_ESP_CAST 6 |
---|
72 | #define IPSECDOI_ESP_BLOWFISH 7 |
---|
73 | #define IPSECDOI_ESP_3IDEA 8 |
---|
74 | #define IPSECDOI_ESP_DES_IV32 9 |
---|
75 | #define IPSECDOI_ESP_RC4 10 |
---|
76 | #define IPSECDOI_ESP_NULL 11 |
---|
77 | #define IPSECDOI_ESP_AES 12 |
---|
78 | #define IPSECDOI_ESP_CAMELLIA 22 |
---|
79 | #if 1 |
---|
80 | /* draft-ietf-ipsec-ciph-aes-cbc-00.txt */ |
---|
81 | #define IPSECDOI_ESP_TWOFISH 253 |
---|
82 | #else |
---|
83 | /* SSH uses these value for now */ |
---|
84 | #define IPSECDOI_ESP_TWOFISH 250 |
---|
85 | #endif |
---|
86 | |
---|
87 | /* 4.4.1 IPSEC Security Protocol Identifiers */ |
---|
88 | #define IPSECDOI_PROTO_IPCOMP 4 |
---|
89 | /* 4.4.5 IPSEC IPCOMP Transform Identifiers */ |
---|
90 | #define IPSECDOI_IPCOMP_OUI 1 |
---|
91 | #define IPSECDOI_IPCOMP_DEFLATE 2 |
---|
92 | #define IPSECDOI_IPCOMP_LZS 3 |
---|
93 | |
---|
94 | /* 4.5 IPSEC Security Association Attributes */ |
---|
95 | /* NOTE: default value is not included in a packet. */ |
---|
96 | #define IPSECDOI_ATTR_SA_LD_TYPE 1 /* B */ |
---|
97 | #define IPSECDOI_ATTR_SA_LD_TYPE_DEFAULT 1 |
---|
98 | #define IPSECDOI_ATTR_SA_LD_TYPE_SEC 1 |
---|
99 | #define IPSECDOI_ATTR_SA_LD_TYPE_KB 2 |
---|
100 | #define IPSECDOI_ATTR_SA_LD_TYPE_MAX 3 |
---|
101 | #define IPSECDOI_ATTR_SA_LD 2 /* V */ |
---|
102 | #define IPSECDOI_ATTR_SA_LD_SEC_DEFAULT 28800 /* 8 hours */ |
---|
103 | #define IPSECDOI_ATTR_SA_LD_KB_MAX (~(1 << ((sizeof(int) << 3) - 1))) |
---|
104 | #define IPSECDOI_ATTR_GRP_DESC 3 /* B */ |
---|
105 | #define IPSECDOI_ATTR_ENC_MODE 4 /* B */ |
---|
106 | /* default value: host dependent */ |
---|
107 | #define IPSECDOI_ATTR_ENC_MODE_ANY 0 /* NOTE:internal use */ |
---|
108 | #define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1 |
---|
109 | #define IPSECDOI_ATTR_ENC_MODE_TRNS 2 |
---|
110 | |
---|
111 | /* NAT-T draft-ietf-ipsec-nat-t-ike-05 and later */ |
---|
112 | #define IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC 3 |
---|
113 | #define IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC 4 |
---|
114 | |
---|
115 | /* NAT-T up to draft-ietf-ipsec-nat-t-ike-04 */ |
---|
116 | #define IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT 61443 |
---|
117 | #define IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT 61444 |
---|
118 | |
---|
119 | #define IPSECDOI_ATTR_AUTH 5 /* B */ |
---|
120 | /* 0 means not to use authentication. */ |
---|
121 | #define IPSECDOI_ATTR_AUTH_HMAC_MD5 1 |
---|
122 | #define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2 |
---|
123 | #define IPSECDOI_ATTR_AUTH_DES_MAC 3 |
---|
124 | #define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/ |
---|
125 | #define IPSECDOI_ATTR_AUTH_HMAC_SHA2_256 5 |
---|
126 | #define IPSECDOI_ATTR_AUTH_HMAC_SHA2_384 6 |
---|
127 | #define IPSECDOI_ATTR_AUTH_HMAC_SHA2_512 7 |
---|
128 | #define IPSECDOI_ATTR_AUTH_NONE 254 /* NOTE:internal use */ |
---|
129 | /* |
---|
130 | * When negotiating ESP without authentication, the Auth |
---|
131 | * Algorithm attribute MUST NOT be included in the proposal. |
---|
132 | * When negotiating ESP without confidentiality, the Auth |
---|
133 | * Algorithm attribute MUST be included in the proposal and |
---|
134 | * the ESP transform ID must be ESP_NULL. |
---|
135 | */ |
---|
136 | #define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */ |
---|
137 | #define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */ |
---|
138 | #define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */ |
---|
139 | #define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */ |
---|
140 | |
---|
141 | #ifdef HAVE_SECCTX |
---|
142 | #define IPSECDOI_ATTR_SECCTX 10 /* V */ |
---|
143 | #endif |
---|
144 | |
---|
145 | /* 4.6.1 Security Association Payload */ |
---|
146 | struct ipsecdoi_pl_sa { |
---|
147 | struct isakmp_gen h; |
---|
148 | struct ipsecdoi_sa_b { |
---|
149 | u_int32_t doi; /* Domain of Interpretation */ |
---|
150 | u_int32_t sit; /* Situation */ |
---|
151 | } b; |
---|
152 | /* followed by Leveled Domain Identifier and so on. */ |
---|
153 | } __attribute__((__packed__)); |
---|
154 | |
---|
155 | struct ipsecdoi_secrecy_h { |
---|
156 | u_int16_t len; |
---|
157 | u_int16_t reserved; |
---|
158 | /* followed by the value */ |
---|
159 | } __attribute__((__packed__)); |
---|
160 | |
---|
161 | /* 4.6.2 Identification Payload Content */ |
---|
162 | struct ipsecdoi_pl_id { |
---|
163 | struct isakmp_gen h; |
---|
164 | struct ipsecdoi_id_b { |
---|
165 | u_int8_t type; /* ID Type */ |
---|
166 | u_int8_t proto_id; /* Protocol ID */ |
---|
167 | u_int16_t port; /* Port */ |
---|
168 | } b; |
---|
169 | /* followed by Identification Data */ |
---|
170 | } __attribute__((__packed__)); |
---|
171 | |
---|
172 | #define IPSECDOI_ID_IPV4_ADDR 1 |
---|
173 | #define IPSECDOI_ID_FQDN 2 |
---|
174 | #define IPSECDOI_ID_USER_FQDN 3 |
---|
175 | #define IPSECDOI_ID_IPV4_ADDR_SUBNET 4 |
---|
176 | #define IPSECDOI_ID_IPV6_ADDR 5 |
---|
177 | #define IPSECDOI_ID_IPV6_ADDR_SUBNET 6 |
---|
178 | #define IPSECDOI_ID_IPV4_ADDR_RANGE 7 |
---|
179 | #define IPSECDOI_ID_IPV6_ADDR_RANGE 8 |
---|
180 | #define IPSECDOI_ID_DER_ASN1_DN 9 |
---|
181 | #define IPSECDOI_ID_DER_ASN1_GN 10 |
---|
182 | #define IPSECDOI_ID_KEY_ID 11 |
---|
183 | |
---|
184 | /* compressing doi type, it's internal use. */ |
---|
185 | #define IDTYPE_UNDEFINED 0 |
---|
186 | #define IDTYPE_FQDN 1 |
---|
187 | #define IDTYPE_USERFQDN 2 |
---|
188 | #define IDTYPE_KEYID 3 |
---|
189 | #define IDTYPE_ADDRESS 4 |
---|
190 | #define IDTYPE_ASN1DN 5 |
---|
191 | #define IDTYPE_SUBNET 6 |
---|
192 | |
---|
193 | /* qualifiers for KEYID (and maybe others) */ |
---|
194 | #define IDQUAL_UNSPEC 0 |
---|
195 | #define IDQUAL_FILE 1 |
---|
196 | #define IDQUAL_TAG 2 |
---|
197 | |
---|
198 | /* The use for checking proposal payload. This is not exchange type. */ |
---|
199 | #define IPSECDOI_TYPE_PH1 0 |
---|
200 | #define IPSECDOI_TYPE_PH2 1 |
---|
201 | |
---|
202 | /* |
---|
203 | * Prefix that will make ipsecdoi_sockaddr2id() generate address type |
---|
204 | * identities without knowning the exact length of address. |
---|
205 | */ |
---|
206 | #define IPSECDOI_PREFIX_HOST 0xff |
---|
207 | |
---|
208 | struct isakmpsa; |
---|
209 | struct ipsecdoi_pl_sa; |
---|
210 | struct saprop; |
---|
211 | struct saproto; |
---|
212 | struct satrns; |
---|
213 | struct prop_pair; |
---|
214 | |
---|
215 | extern int ipsecdoi_checkph1proposal __P((vchar_t *, struct ph1handle *)); |
---|
216 | extern int ipsecdoi_selectph2proposal __P((struct ph2handle *)); |
---|
217 | extern int ipsecdoi_checkph2proposal __P((struct ph2handle *)); |
---|
218 | |
---|
219 | extern struct prop_pair **get_proppair __P((vchar_t *, int)); |
---|
220 | extern vchar_t *get_sabyproppair __P((u_int32_t, u_int32_t, struct prop_pair *)); |
---|
221 | extern int ipsecdoi_updatespi __P((struct ph2handle *iph2)); |
---|
222 | extern vchar_t *get_sabysaprop __P((struct saprop *, vchar_t *)); |
---|
223 | extern int ipsecdoi_chkcmpids( const vchar_t *, const vchar_t *, int ); |
---|
224 | extern int ipsecdoi_checkid1 __P((struct ph1handle *)); |
---|
225 | extern int ipsecdoi_setid1 __P((struct ph1handle *)); |
---|
226 | extern int set_identifier __P((vchar_t **, int, vchar_t *)); |
---|
227 | extern int set_identifier_qual __P((vchar_t **, int, vchar_t *, int)); |
---|
228 | extern int ipsecdoi_setid2 __P((struct ph2handle *)); |
---|
229 | extern vchar_t *ipsecdoi_sockaddr2id __P((struct sockaddr *, u_int, u_int)); |
---|
230 | extern int ipsecdoi_id2sockaddr __P((vchar_t *, struct sockaddr *, |
---|
231 | u_int8_t *, u_int16_t *)); |
---|
232 | extern char *ipsecdoi_id2str __P((const vchar_t *)); |
---|
233 | extern vchar_t *ipsecdoi_sockrange2id __P(( struct sockaddr *, |
---|
234 | struct sockaddr *, u_int)); |
---|
235 | |
---|
236 | extern vchar_t *ipsecdoi_setph1proposal __P((struct remoteconf *, |
---|
237 | struct isakmpsa *)); |
---|
238 | extern int ipsecdoi_setph2proposal __P((struct ph2handle *)); |
---|
239 | extern int ipsecdoi_transportmode __P((struct saprop *)); |
---|
240 | extern int ipsecdoi_get_defaultlifetime __P((void)); |
---|
241 | extern int ipsecdoi_checkalgtypes __P((int, int, int, int)); |
---|
242 | extern int ipproto2doi __P((int)); |
---|
243 | extern int doi2ipproto __P((int)); |
---|
244 | |
---|
245 | extern int ipsecdoi_t2satrns __P((struct isakmp_pl_t *, |
---|
246 | struct saprop *, struct saproto *, struct satrns *)); |
---|
247 | extern int ipsecdoi_authalg2trnsid __P((int)); |
---|
248 | extern int idtype2doi __P((int)); |
---|
249 | extern int doi2idtype __P((int)); |
---|
250 | |
---|
251 | extern int ipsecdoi_parse_responder_lifetime __P((struct isakmp_pl_n *notify, |
---|
252 | u_int32_t *lifetime_sec, u_int32_t *liftime_kb)); |
---|
253 | |
---|
254 | |
---|
255 | #endif /* _IPSEC_DOI_H */ |
---|