source: rtems-libbsd/ipsec-tools/src/racoon/ipsec_doi.h @ ff36f5e

55-freebsd-126-freebsd-12
Last change on this file since ff36f5e was ff36f5e, checked in by Christian Mauderer <christian.mauderer@…>, on 05/30/18 at 12:27:35

Import ipsec-tools 0.8.2.

Import unchanged ipsec-tools sources in the release version 0.8.2. The
homepage of ipsec-tools is http://ipsec-tools.sourceforge.net/. The
sources can be obtained from there.

1/*      $NetBSD: ipsec_doi.h,v 1.12 2009/03/12 10:57:26 tteras Exp $    */
2
3/* Id: ipsec_doi.h,v 1.15 2006/08/11 16:06:30 vanhu Exp */
4
5/*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 *    notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 *    notice, this list of conditions and the following disclaimer in the
16 *    documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 *    may be used to endorse or promote products derived from this software
19 *    without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34#ifndef _IPSEC_DOI_H
35#define _IPSEC_DOI_H
36
#include <limits.h>

#include "isakmp.h"
38
/* Values below are the IPsec DOI registry numbers referred to in RFC 2407.
 * They identify wire codes only: a transform being listed here does not
 * make it acceptable policy.  The single-DES, MD5, RC4 and DES-MAC entries
 * are kept so that peer proposals using them can be recognised (and
 * refused by configuration), not as a recommendation to offer them. */

#define IPSEC_DOI 1

/* 4.2 IPSEC Situation Definition -- bit flags for the 32-bit Situation
 * field of the SA payload (see struct ipsecdoi_pl_sa below) */
#define IPSECDOI_SIT_IDENTITY_ONLY           0x00000001
#define IPSECDOI_SIT_SECRECY                 0x00000002
#define IPSECDOI_SIT_INTEGRITY               0x00000004

/* 4.4.1 IPSEC Security Protocol Identifiers */
  /* 4.4.2 IPSEC ISAKMP Transform Values */
#define IPSECDOI_PROTO_ISAKMP                        1
#define   IPSECDOI_KEY_IKE                             1

/* 4.4.1 IPSEC Security Protocol Identifiers */
#define IPSECDOI_PROTO_IPSEC_AH                      2
  /* 4.4.3 IPSEC AH Transform Values.  AH_MD5 and AH_DES are legacy
   * algorithms; values 5-7 (SHA-2) postdate RFC 2407 and presumably come
   * from the later HMAC-SHA-2 transform drafts. */
#define   IPSECDOI_AH_MD5                              2
#define   IPSECDOI_AH_SHA                              3
#define   IPSECDOI_AH_DES                              4
#define   IPSECDOI_AH_SHA256                           5
#define   IPSECDOI_AH_SHA384                           6
#define   IPSECDOI_AH_SHA512                           7

/* 4.4.1 IPSEC Security Protocol Identifiers */
#define IPSECDOI_PROTO_IPSEC_ESP                     3
  /* 4.4.4 IPSEC ESP Transform Identifiers.  ESP_NULL (11) provides no
   * confidentiality and is only meaningful together with an AUTH
   * attribute; see the note under IPSECDOI_ATTR_AUTH below. */
#define   IPSECDOI_ESP_DES_IV64                         1
#define   IPSECDOI_ESP_DES                              2
#define   IPSECDOI_ESP_3DES                             3
#define   IPSECDOI_ESP_RC5                              4
#define   IPSECDOI_ESP_IDEA                             5
#define   IPSECDOI_ESP_CAST                             6
#define   IPSECDOI_ESP_BLOWFISH                         7
#define   IPSECDOI_ESP_3IDEA                            8
#define   IPSECDOI_ESP_DES_IV32                         9
#define   IPSECDOI_ESP_RC4                              10
#define   IPSECDOI_ESP_NULL                             11
#define   IPSECDOI_ESP_AES                              12
#define   IPSECDOI_ESP_CAMELLIA                         22
#if 1
  /* draft-ietf-ipsec-ciph-aes-cbc-00.txt.  Twofish has no IANA-assigned
   * ESP transform ID; 253 lies in the private-use range (249-255), so it
   * only interoperates with peers that chose the same number. */
#define   IPSECDOI_ESP_TWOFISH                          253
#else
  /* Value SSH implementations used for Twofish.  Dead code: the `#if 1`
   * above always selects 253. */
#define   IPSECDOI_ESP_TWOFISH                          250
#endif

/* 4.4.1 IPSEC Security Protocol Identifiers */
#define IPSECDOI_PROTO_IPCOMP                        4
  /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
#define   IPSECDOI_IPCOMP_OUI                           1
#define   IPSECDOI_IPCOMP_DEFLATE                       2
#define   IPSECDOI_IPCOMP_LZS                           3
93
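/* 4.5 IPSEC Security Association Attributes
 *
 * The trailing "B"/"V" on each attribute type records its ISAKMP
 * encoding: B = basic (value carried in the attribute's own 16-bit
 * field), V = variable-length (value follows the attribute header).
 * NOTE: default value is not included in a packet. */
#define IPSECDOI_ATTR_SA_LD_TYPE              1 /* B */
#define   IPSECDOI_ATTR_SA_LD_TYPE_DEFAULT      1
#define   IPSECDOI_ATTR_SA_LD_TYPE_SEC          1
#define   IPSECDOI_ATTR_SA_LD_TYPE_KB           2
/* First unused life-type code.  Valid types are 1 and 2, so a range check
 * is presumably `< IPSECDOI_ATTR_SA_LD_TYPE_MAX`, not `<=` -- verify at
 * the call sites. */
#define   IPSECDOI_ATTR_SA_LD_TYPE_MAX          3
#define IPSECDOI_ATTR_SA_LD                   2 /* V */
#define   IPSECDOI_ATTR_SA_LD_SEC_DEFAULT      28800 /* 8 hours */
/* Largest kilobyte lifetime representable as a signed int.
 * Previously spelled ~(1 << ((sizeof(int) << 3) - 1)): shifting 1 into
 * the sign bit of an int is undefined behaviour in C, even though common
 * compilers happen to yield INT_MIN and therefore INT_MAX after the
 * complement.  INT_MAX is the value that expression was meant to produce,
 * with the same type. */
#define   IPSECDOI_ATTR_SA_LD_KB_MAX  INT_MAX
#define IPSECDOI_ATTR_GRP_DESC                3 /* B */
#define IPSECDOI_ATTR_ENC_MODE                4 /* B */
/* default value: host dependent */
/* 0 is not a protocol value: it is racoon's internal marker for "either
 * mode" and presumably never appears in a proposal on the wire. */
#define   IPSECDOI_ATTR_ENC_MODE_ANY            0       /* NOTE:internal use */
#define   IPSECDOI_ATTR_ENC_MODE_TUNNEL         1
#define   IPSECDOI_ATTR_ENC_MODE_TRNS           2

/* NAT-T draft-ietf-ipsec-nat-t-ike-05 and later (the codes that became
 * RFC 3947) */
#define   IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC  3
#define   IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC    4

/* NAT-T up to draft-ietf-ipsec-nat-t-ike-04: private-use values that
 * older peers still send, so a parser has to recognise both encodings. */
#define   IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT        61443
#define   IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT          61444

#define IPSECDOI_ATTR_AUTH                    5 /* B */
/* 0 means not to use authentication. */
#define   IPSECDOI_ATTR_AUTH_HMAC_MD5           1
#define   IPSECDOI_ATTR_AUTH_HMAC_SHA1          2
#define   IPSECDOI_ATTR_AUTH_DES_MAC            3
#define   IPSECDOI_ATTR_AUTH_KPDK               4 /*RFC-1826(Key/Pad/Data/Key)*/
#define   IPSECDOI_ATTR_AUTH_HMAC_SHA2_256      5
#define   IPSECDOI_ATTR_AUTH_HMAC_SHA2_384      6
#define   IPSECDOI_ATTR_AUTH_HMAC_SHA2_512      7
/* 254 is racoon's internal marker for "no authentication" and is
 * presumably never emitted on the wire. */
#define   IPSECDOI_ATTR_AUTH_NONE               254     /* NOTE:internal use */
/*
 * When negotiating ESP without authentication, the Auth
 * Algorithm attribute MUST NOT be included in the proposal.
 * When negotiating ESP without confidentiality, the Auth
 * Algorithm attribute MUST be included in the proposal and
 * the ESP transform ID must be ESP_NULL.
 *
 * Security note: ESP_NULL with no Auth attribute protects nothing and
 * must be refused.  That check is not expressed by these constants; it
 * presumably lives in ipsecdoi_checkalgtypes() or the proposal checkers
 * declared below -- confirm before relying on it.
 */
#define IPSECDOI_ATTR_KEY_LENGTH              6 /* B */
#define IPSECDOI_ATTR_KEY_ROUNDS              7 /* B */
#define IPSECDOI_ATTR_COMP_DICT_SIZE          8 /* B */
#define IPSECDOI_ATTR_COMP_PRIVALG            9 /* V */

#ifdef HAVE_SECCTX
/* Variable-length security-context attribute (presumably labeled IPsec);
 * only compiled in when HAVE_SECCTX is defined. */
#define IPSECDOI_ATTR_SECCTX                 10 /* V */
#endif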
144
/* 4.6.1 Security Association Payload
 *
 * On-the-wire layout: the generic ISAKMP payload header (from isakmp.h)
 * followed by the 32-bit DOI and Situation fields.  The struct is packed,
 * presumably so it can be overlaid on a received buffer; the multi-byte
 * fields are then in network byte order and need ntohl() before use --
 * confirm in the parser.  Whatever follows `b` (Leveled Domain Identifier
 * etc.) is not modelled here, so its presence must be checked against the
 * length carried in `h` before it is read. */
struct ipsecdoi_pl_sa {
        struct isakmp_gen h;    /* generic ISAKMP payload header */
        struct ipsecdoi_sa_b {
                u_int32_t doi; /* Domain of Interpretation; IPSEC_DOI for this DOI */
                u_int32_t sit; /* Situation: IPSECDOI_SIT_* flags */
        } b;
        /* followed by Leveled Domain Identifier and so on. */
} __attribute__((__packed__));
154
/* Header of a secrecy/integrity level or category entry inside the
 * Situation data (RFC 2407 4.6.1): a 16-bit length, 16 reserved bits,
 * then the value itself.  Packed wire layout: when parsing, `len` is
 * peer-controlled and must be bounded against the enclosing payload
 * length before the value is read. */
struct ipsecdoi_secrecy_h {
        u_int16_t len;          /* length of the value that follows (presumably in bytes, network order) */
        u_int16_t reserved;
        /* followed by the value */
} __attribute__((__packed__));
160
/* 4.6.2 Identification Payload Content
 *
 * Generic header, then ID type, protocol ID and port, then the
 * variable-length Identification Data whose format depends on `type`
 * (IPSECDOI_ID_* below).  Packed wire layout; `port` is a 16-bit field
 * presumably in network byte order.  The data length is not stored here
 * -- it is implied by the length in `h` minus this fixed part and must
 * be validated by the parser rather than assumed. */
struct ipsecdoi_pl_id {
        struct isakmp_gen h;
        struct ipsecdoi_id_b {
                u_int8_t type;          /* ID Type: one of IPSECDOI_ID_* */
                u_int8_t proto_id;      /* Protocol ID (per RFC 2407, 0 means any -- confirm the parser honours that) */
                u_int16_t port;         /* Port (per RFC 2407, 0 means any) */
        } b;
        /* followed by Identification Data */
} __attribute__((__packed__));
171
/* 4.6.2.1 ID Type values carried in ipsecdoi_pl_id.b.type (RFC 2407). */
#define IPSECDOI_ID_IPV4_ADDR                        1
#define IPSECDOI_ID_FQDN                             2
#define IPSECDOI_ID_USER_FQDN                        3
#define IPSECDOI_ID_IPV4_ADDR_SUBNET                 4
#define IPSECDOI_ID_IPV6_ADDR                        5
#define IPSECDOI_ID_IPV6_ADDR_SUBNET                 6
#define IPSECDOI_ID_IPV4_ADDR_RANGE                  7
#define IPSECDOI_ID_IPV6_ADDR_RANGE                  8
#define IPSECDOI_ID_DER_ASN1_DN                      9
#define IPSECDOI_ID_DER_ASN1_GN                      10
#define IPSECDOI_ID_KEY_ID                           11

/* Compressed identifier types for internal use only (configuration side).
 * They overlap numerically with the IPSECDOI_ID_* wire codes above (1 is
 * FQDN here but IPV4_ADDR on the wire), so never compare one family
 * against the other: translate with idtype2doi()/doi2idtype(). */
#define IDTYPE_UNDEFINED        0
#define IDTYPE_FQDN             1
#define IDTYPE_USERFQDN         2
#define IDTYPE_KEYID            3
#define IDTYPE_ADDRESS          4
#define IDTYPE_ASN1DN           5
#define IDTYPE_SUBNET           6

/* Qualifiers for KEYID identifiers (and maybe other types): presumably
 * whether the identifier value is given literally, read from a file, or
 * looked up by tag -- see set_identifier_qual(). */
#define IDQUAL_UNSPEC           0
#define IDQUAL_FILE             1
#define IDQUAL_TAG              2

/* Selects phase 1 vs. phase 2 rules when checking a proposal payload.
 * These are NOT ISAKMP exchange types. */
#define IPSECDOI_TYPE_PH1       0
#define IPSECDOI_TYPE_PH2       1

/*
 * Prefix length handed to ipsecdoi_sockaddr2id() to request a plain
 * address identity rather than a subnet, without the caller having to
 * know the address family's bit length.  0xff is larger than any real
 * prefix length (at most 128), which is what makes it a safe sentinel.
 */
#define IPSECDOI_PREFIX_HOST    0xff
207
/* Opaque types owned by other racoon headers; only pointers are used here. */
struct isakmpsa;
struct ipsecdoi_pl_sa;
struct saprop;
struct saproto;
struct satrns;
struct prop_pair;

/*
 * Proposal checking and selection.  The vchar_t given to
 * ipsecdoi_checkph1proposal() is the peer's SA payload as received, so
 * every length field inside it is attacker-controlled; bounds checking of
 * the isakmp_gen lengths is the implementation's job (ipsec_doi.c), and
 * this header specifies neither that nor the return conventions -- read
 * the .c before depending on either.
 */
extern int ipsecdoi_checkph1proposal __P((vchar_t *, struct ph1handle *));
extern int ipsecdoi_selectph2proposal __P((struct ph2handle *));
extern int ipsecdoi_checkph2proposal __P((struct ph2handle *));

/* Proposal/transform pair helpers: split an SA payload into prop_pair
 * structures and rebuild an SA payload from a chosen pair or a saprop
 * chain.  Returned vchar_t buffers are presumably heap-allocated and
 * owned by the caller -- confirm in ipsec_doi.c. */
extern struct prop_pair **get_proppair __P((vchar_t *, int));
extern vchar_t *get_sabyproppair __P((u_int32_t, u_int32_t, struct prop_pair *));
extern int ipsecdoi_updatespi __P((struct ph2handle *iph2));
extern vchar_t *get_sabysaprop __P((struct saprop *, vchar_t *));
/* Identifier comparison; the int presumably selects the matching rule.
 * (Declared with a plain C prototype rather than __P like its siblings.) */
extern int ipsecdoi_chkcmpids( const vchar_t *, const vchar_t *, int );
/* Phase 1 / phase 2 identity handling: checking the peer's ID against
 * configuration and building our own ID payloads. */
extern int ipsecdoi_checkid1 __P((struct ph1handle *));
extern int ipsecdoi_setid1 __P((struct ph1handle *));
extern int set_identifier __P((vchar_t **, int, vchar_t *));
extern int set_identifier_qual __P((vchar_t **, int, vchar_t *, int));
extern int ipsecdoi_setid2 __P((struct ph2handle *));
/* Address <-> identity conversions.  The first u_int of
 * ipsecdoi_sockaddr2id() is a prefix length; pass IPSECDOI_PREFIX_HOST
 * for a host identity.  The u_int8_t/u_int16_t outputs of
 * ipsecdoi_id2sockaddr() are presumably the prefix length and
 * upper-layer protocol recovered from the ID -- confirm. */
extern vchar_t *ipsecdoi_sockaddr2id __P((struct sockaddr *, u_int, u_int));
extern int ipsecdoi_id2sockaddr __P((vchar_t *, struct sockaddr *,
        u_int8_t *, u_int16_t *));
/* Printable form of an identifier.  The text is derived from
 * peer-supplied bytes: log it via "%s", never as a format string. */
extern char *ipsecdoi_id2str __P((const vchar_t *));
extern vchar_t *ipsecdoi_sockrange2id __P((     struct sockaddr *,
        struct sockaddr *, u_int));

/* Building our own proposals from configuration, plus small policy
 * queries (transport mode?, default lifetime, permitted algorithm
 * combinations) and IP-protocol <-> IPSECDOI_PROTO_* mapping. */
extern vchar_t *ipsecdoi_setph1proposal __P((struct remoteconf *,
                                             struct isakmpsa *));
extern int ipsecdoi_setph2proposal __P((struct ph2handle *));
extern int ipsecdoi_transportmode __P((struct saprop *));
extern int ipsecdoi_get_defaultlifetime __P((void));
extern int ipsecdoi_checkalgtypes __P((int, int, int, int));
extern int ipproto2doi __P((int));
extern int doi2ipproto __P((int));

/* Fill a satrns from a received transform payload (peer data: lengths
 * inside isakmp_pl_t must be checked by the implementation), and map
 * between internal and DOI numbering (IDTYPE_* <-> IPSECDOI_ID_*). */
extern int ipsecdoi_t2satrns __P((struct isakmp_pl_t *,
        struct saprop *, struct saproto *, struct satrns *));
extern int ipsecdoi_authalg2trnsid __P((int));
extern int idtype2doi __P((int));
extern int doi2idtype __P((int));

/* Extract seconds / kilobytes from a RESPONDER-LIFETIME notify payload.
 * Both outputs are peer-supplied 32-bit values; if the kilobyte figure is
 * later stored in an int, compare it against IPSECDOI_ATTR_SA_LD_KB_MAX
 * first. */
extern int ipsecdoi_parse_responder_lifetime __P((struct isakmp_pl_n *notify,
        u_int32_t *lifetime_sec, u_int32_t *liftime_kb));
253
254
255#endif /* _IPSEC_DOI_H */