source: rtems-libbsd/ipsec-tools/src/racoon/isakmp.h @ b376ae1

55-freebsd-126-freebsd-12
Last change on this file since b376ae1 was ff36f5e, checked in by Christian Mauderer <christian.mauderer@…>, on 05/30/18 at 12:27:35

Import ipsec-tools 0.8.2.

Import unchanged ipsec-tools sources in the release version 0.8.2. The
homepage of ipsec-tools is http://ipsec-tools.sourceforge.net/. The
sources can be obtained from there.

  • Property mode set to 100644
File size: 14.4 KB
Line 
1/*      $NetBSD: isakmp.h,v 1.7 2009/05/20 07:54:50 vanhu Exp $ */
2
3/* Id: isakmp.h,v 1.11 2005/04/25 22:19:39 manubsd Exp */
4
5/*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 *    notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 *    notice, this list of conditions and the following disclaimer in the
16 *    documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 *    may be used to endorse or promote products derived from this software
19 *    without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34#ifndef _ISAKMP_H
35#define _ISAKMP_H
36
37/* refer to RFC 2408 */
38
39#include <netinet/in.h>
40#include "isakmp_var.h"
41
42#define INITIATOR       0       /* synonym sender */
43#define RESPONDER       1       /* synonym receiver */
44
45#define GENERATE        1
46#define VALIDATE        0
47
48/* 3.1 ISAKMP Header Format
49         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
50        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
51        !                          Initiator                            !
52        !                            Cookie                             !
53        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
54        !                          Responder                            !
55        !                            Cookie                             !
56        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
57        !  Next Payload ! MjVer ! MnVer ! Exchange Type !     Flags     !
58        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
59        !                          Message ID                           !
60        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
61        !                            Length                             !
62        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
63*/
64struct isakmp {
65        cookie_t i_ck;          /* Initiator Cookie */
66        cookie_t r_ck;          /* Responder Cookie */
67        u_int8_t np;            /* Next Payload Type */
68        u_int8_t v;
69        u_int8_t etype;         /* Exchange Type */
70        u_int8_t flags;         /* Flags */
71        u_int32_t msgid;
72        u_int32_t len;          /* Length */
73} __attribute__((__packed__));
74
75/* Next Payload Type */
76#define ISAKMP_NPTYPE_NONE      0       /* NONE*/
77#define ISAKMP_NPTYPE_SA        1       /* Security Association */
78#define ISAKMP_NPTYPE_P         2       /* Proposal */
79#define ISAKMP_NPTYPE_T         3       /* Transform */
80#define ISAKMP_NPTYPE_KE        4       /* Key Exchange */
81#define ISAKMP_NPTYPE_ID        5       /* Identification */
82#define ISAKMP_NPTYPE_CERT      6       /* Certificate */
83#define ISAKMP_NPTYPE_CR        7       /* Certificate Request */
84#define ISAKMP_NPTYPE_HASH      8       /* Hash */
85#define ISAKMP_NPTYPE_SIG       9       /* Signature */
86#define ISAKMP_NPTYPE_NONCE     10      /* Nonce */
87#define ISAKMP_NPTYPE_N         11      /* Notification */
88#define ISAKMP_NPTYPE_D         12      /* Delete */
89#define ISAKMP_NPTYPE_VID       13      /* Vendor ID */
90#define ISAKMP_NPTYPE_ATTR      14      /* Attribute */
91
92
93/* NAT-T draft-ietf-ipsec-nat-t-ike-05 and later */
94/* XXX conflicts with values assigned to RFC 3547 */
95#define ISAKMP_NPTYPE_NATD_BADDRAFT             15      /* NAT Discovery */
96#define ISAKMP_NPTYPE_NATOA_BADDRAFT    16      /* NAT Original Address */
97
98
99/* NAT-T RFC */
100#define ISAKMP_NPTYPE_NATD_RFC  20      /* NAT Discovery */
101#define ISAKMP_NPTYPE_NATOA_RFC 21      /* NAT Original Address */
102
103/* NAT-T up to draft-ietf-ipsec-nat-t-ike-04 */
104#define ISAKMP_NPTYPE_NATD_DRAFT        130     /* NAT Discovery */
105#define ISAKMP_NPTYPE_NATOA_DRAFT       131     /* NAT Original Address */
106
107/* Frag does not seems to be documented */
108#define ISAKMP_NPTYPE_FRAG      132     /* IKE fragmentation payload */
109
110#define ISAKMP_NPTYPE_MAX       17
111                        /*      128 - 255 Private Use */
112
113/*
114 * The following are valid when the Vendor ID is one of the
115 * following:
116 *
117 *      MD5("A GSS-API Authentication Method for IKE")
118 *      MD5("GSSAPI") (recognized by Windows 2000)
119 *      MD5("MS NT5 ISAKMPOAKLEY") (sent by Windows 2000)
120 *
121 * See draft-ietf-ipsec-isakmp-gss-auth-06.txt.
122 */
123#define ISAKMP_NPTYPE_GSS       129     /* GSS token */
124
125#define ISAKMP_MAJOR_VERSION    1
126#define ISAKMP_MINOR_VERSION    0
127#define ISAKMP_VERSION_NUMBER   0x10
128#define ISAKMP_GETMAJORV(v)     (((v) & 0xf0) >> 4)
129#define ISAKMP_SETMAJORV(v, m)  ((v) = ((v) & 0x0f) | (((m) << 4) & 0xf0))
130#define ISAKMP_GETMINORV(v)     ((v) & 0x0f)
131#define ISAKMP_SETMINORV(v, m)  ((v) = ((v) & 0xf0) | ((m) & 0x0f))
132
133/* Exchange Type */
134#define ISAKMP_ETYPE_NONE       0       /* NONE */
135#define ISAKMP_ETYPE_BASE       1       /* Base */
136#define ISAKMP_ETYPE_IDENT      2       /* Identity Protection */
137#define ISAKMP_ETYPE_AUTH       3       /* Authentication Only */
138#define ISAKMP_ETYPE_AGG        4       /* Aggressive */
139#define ISAKMP_ETYPE_INFO       5       /* Informational */
140#define ISAKMP_ETYPE_CFG        6       /* Mode config */
141/* Additional Exchange Type */
142#define ISAKMP_ETYPE_QUICK      32      /* Quick Mode */
143#define ISAKMP_ETYPE_NEWGRP     33      /* New group Mode */
144#define ISAKMP_ETYPE_ACKINFO    34      /* Acknowledged Informational */
145
146/* Flags */
147#define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
148#define ISAKMP_FLAG_C 0x02 /* Commit Bit */
149#define ISAKMP_FLAG_A 0x04 /* Authentication Only Bit */
150
151/* 3.2 Payload Generic Header
152         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
153        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
154        ! Next Payload  !   RESERVED    !         Payload Length        !
155        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
156*/
157struct isakmp_gen {
158        u_int8_t np;            /* Next Payload */
159        u_int8_t reserved;      /* RESERVED, unused, must set to 0 */
160        u_int16_t len;          /* Payload Length */
161} __attribute__((__packed__));
162
163/* 3.3 Data Attributes
164         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
165        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
166        !A!       Attribute Type        !    AF=0  Attribute Length     !
167        !F!                             !    AF=1  Attribute Value      !
168        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
169        .                   AF=0  Attribute Value                       .
170        .                   AF=1  Not Transmitted                       .
171        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
172*/
173struct isakmp_data {
174        u_int16_t type;         /* defined by DOI-spec, and Attribute Format */
175        u_int16_t lorv;         /* if f equal 1, Attribute Length */
176                                /* if f equal 0, Attribute Value */
177        /* if f equal 1, Attribute Value */
178} __attribute__((__packed__));
179#define ISAKMP_GEN_TLV 0x0000
180#define ISAKMP_GEN_TV  0x8000
181        /* mask for type of attribute format */
182#define ISAKMP_GEN_MASK 0x8000
183
184#if 0
185/* MAY NOT be used, because of being defined in ipsec-doi. */
186/* 3.4 Security Association Payload */
187struct isakmp_pl_sa {
188        struct isakmp_gen h;
189        u_int32_t doi;          /* Domain of Interpretation */
190        u_int32_t sit;          /* Situation */
191} __attribute__((__packed__));
192#endif
193
194/* 3.5 Proposal Payload */
195        /*
196        The value of the next payload field MUST only contain the value "2"
197        or "0".  If there are additional Proposal payloads in the message,
198        then this field will be 2.  If the current Proposal payload is the
199        last within the security association proposal, then this field will
200        be 0.
201        */
202struct isakmp_pl_p {
203        struct isakmp_gen h;
204        u_int8_t p_no;          /* Proposal # */
205        u_int8_t proto_id;      /* Protocol */
206        u_int8_t spi_size;      /* SPI Size */
207        u_int8_t num_t;         /* Number of Transforms */
208        /* SPI */
209} __attribute__((__packed__));
210
211/* 3.6 Transform Payload */
212        /*
213        The value of the next payload field MUST only contain the value "3"
214        or "0".  If there are additional Transform payloads in the proposal,
215        then this field will be 3.  If the current Transform payload is the
216        last within the proposal, then this field will be 0.
217        */
218struct isakmp_pl_t {
219        struct isakmp_gen h;
220        u_int8_t t_no;          /* Transform # */
221        u_int8_t t_id;          /* Transform-Id */
222        u_int16_t reserved;     /* RESERVED2 */
223        /* SA Attributes */
224} __attribute__((__packed__));
225
226/* 3.7 Key Exchange Payload */
227struct isakmp_pl_ke {
228        struct isakmp_gen h;
229        /* Key Exchange Data */
230} __attribute__((__packed__));
231
232#if 0
233/* NOTE: MUST NOT use because of being defined in ipsec-doi instead them. */
234/* 3.8 Identification Payload */
235struct isakmp_pl_id {
236        struct isakmp_gen h;
237        union {
238                u_int8_t id_type;       /* ID Type */
239                u_int32_t doi_data;     /* DOI Specific ID Data */
240        } d;
241        /* Identification Data */
242} __attribute__((__packed__));
243/* A.4 ISAKMP Identification Type Values */
244#define ISAKMP_ID_IPV4_ADDR             0
245#define ISAKMP_ID_IPV4_ADDR_SUBNET      1
246#define ISAKMP_ID_IPV6_ADDR             2
247#define ISAKMP_ID_IPV6_ADDR_SUBNET      3
248#endif
249
250/* 3.9 Certificate Payload */
251struct isakmp_pl_cert {
252        struct isakmp_gen h;
253        /*
254         * Encoding type of 1 octet follows immediately,
255         * variable length CERT data follows encoding type.
256         */
257} __attribute__((__packed__));
258
259/* Certificate Type */
260#define ISAKMP_CERT_NONE        0
261#define ISAKMP_CERT_PKCS7       1
262#define ISAKMP_CERT_PGP         2
263#define ISAKMP_CERT_DNS         3
264#define ISAKMP_CERT_X509SIGN    4
265#define ISAKMP_CERT_X509KE      5
266#define ISAKMP_CERT_KERBEROS    6
267#define ISAKMP_CERT_CRL         7
268#define ISAKMP_CERT_ARL         8
269#define ISAKMP_CERT_SPKI        9
270#define ISAKMP_CERT_X509ATTR    10
271#define ISAKMP_CERT_PLAINRSA    11
272
273/* 3.10 Certificate Request Payload */
274struct isakmp_pl_cr {
275        struct isakmp_gen h;
276        u_int8_t num_cert; /* # Cert. Types */
277        /*
278        Certificate Types (variable length)
279          -- Contains a list of the types of certificates requested,
280          sorted in order of preference.  Each individual certificate
281          type is 1 octet.  This field is NOT required.
282        */
283        /* # Certificate Authorities (1 octet) */
284        /* Certificate Authorities (variable length) */
285} __attribute__((__packed__));
286
287/* 3.11 Hash Payload */
288struct isakmp_pl_hash {
289        struct isakmp_gen h;
290        /* Hash Data */
291} __attribute__((__packed__));
292
293/* 3.12 Signature Payload */
294struct isakmp_pl_sig {
295        struct isakmp_gen h;
296        /* Signature Data */
297} __attribute__((__packed__));
298
299/* 3.13 Nonce Payload */
300struct isakmp_pl_nonce {
301        struct isakmp_gen h;
302        /* Nonce Data */
303} __attribute__((__packed__));
304
305/* 3.14 Notification Payload */
306struct isakmp_pl_n {
307        struct isakmp_gen h;
308        u_int32_t doi;          /* Domain of Interpretation */
309        u_int8_t proto_id;      /* Protocol-ID */
310        u_int8_t spi_size;      /* SPI Size */
311        u_int16_t type;         /* Notify Message Type */
312        /* SPI */
313        /* Notification Data */
314} __attribute__((__packed__));
315
316/* 3.14.1 Notify Message Types */
317/* NOTIFY MESSAGES - ERROR TYPES */
318#define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE       1
319#define ISAKMP_NTYPE_DOI_NOT_SUPPORTED          2
320#define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED    3
321#define ISAKMP_NTYPE_INVALID_COOKIE             4
322#define ISAKMP_NTYPE_INVALID_MAJOR_VERSION      5
323#define ISAKMP_NTYPE_INVALID_MINOR_VERSION      6
324#define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE      7
325#define ISAKMP_NTYPE_INVALID_FLAGS              8
326#define ISAKMP_NTYPE_INVALID_MESSAGE_ID         9
327#define ISAKMP_NTYPE_INVALID_PROTOCOL_ID        10
328#define ISAKMP_NTYPE_INVALID_SPI                11
329#define ISAKMP_NTYPE_INVALID_TRANSFORM_ID       12
330#define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED   13
331#define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN         14
332#define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX        15
333#define ISAKMP_NTYPE_PAYLOAD_MALFORMED          16
334#define ISAKMP_NTYPE_INVALID_KEY_INFORMATION    17
335#define ISAKMP_NTYPE_INVALID_ID_INFORMATION     18
336#define ISAKMP_NTYPE_INVALID_CERT_ENCODING      19
337#define ISAKMP_NTYPE_INVALID_CERTIFICATE        20
338#define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX    21
339#define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY     22
340#define ISAKMP_NTYPE_INVALID_HASH_INFORMATION   23
341#define ISAKMP_NTYPE_AUTHENTICATION_FAILED      24
342#define ISAKMP_NTYPE_INVALID_SIGNATURE          25
343#define ISAKMP_NTYPE_ADDRESS_NOTIFICATION       26
344#define ISAKMP_NTYPE_NOTIFY_SA_LIFETIME         27
345#define ISAKMP_NTYPE_CERTIFICATE_UNAVAILABLE    28
346#define ISAKMP_NTYPE_UNSUPPORTED_EXCHANGE_TYPE  29
347#define ISAKMP_NTYPE_UNEQUAL_PAYLOAD_LENGTHS    30
348#define ISAKMP_NTYPE_MINERROR                   1
349#define ISAKMP_NTYPE_MAXERROR                   16383
350/* NOTIFY MESSAGES - STATUS TYPES */
351#define ISAKMP_NTYPE_CONNECTED                  16384
352/* 4.6.3 IPSEC DOI Notify Message Types */
353#define ISAKMP_NTYPE_RESPONDER_LIFETIME         24576
354#define ISAKMP_NTYPE_REPLAY_STATUS              24577
355#define ISAKMP_NTYPE_INITIAL_CONTACT            24578
356
357/* DPD */
358#define ISAKMP_NTYPE_R_U_THERE                  36136
359#define ISAKMP_NTYPE_R_U_THERE_ACK              36137
360
361#define ISAKMP_NTYPE_HEARTBEAT                  40503
362
363/* using only to log */
364#define ISAKMP_LOG_RETRY_LIMIT_REACHED          65530
365
366/* XXX means internal error but it's not reserved by any drafts... */
367#define ISAKMP_INTERNAL_ERROR                   -1
368
369/* 3.15 Delete Payload */
370struct isakmp_pl_d {
371        struct isakmp_gen h;
372        u_int32_t doi;          /* Domain of Interpretation */
373        u_int8_t proto_id;      /* Protocol-Id */
374        u_int8_t spi_size;      /* SPI Size */
375        u_int16_t num_spi;      /* # of SPIs */
376        /* SPI(es) */
377} __attribute__((__packed__));
378
379struct payload_list {
380        struct payload_list     *next, *prev;
381        vchar_t                 *payload;
382        u_int8_t                payload_type;
383        u_int8_t                free_payload;
384};
385
386
387/* See draft-ietf-ipsec-isakmp-mode-cfg-04.txt, 3.2 */
388struct isakmp_pl_attr {
389        struct isakmp_gen h;
390        u_int8_t type;          /* Exchange type */
391        u_int8_t res2;
392        u_int16_t id;           /* Per transaction id */
393} __attribute__((__packed__));
394           
395/* Exchange type */
396#define ISAKMP_CFG_REQUEST      1
397#define ISAKMP_CFG_REPLY        2
398#define ISAKMP_CFG_SET          3
399#define ISAKMP_CFG_ACK          4
400
401/* IKE fragmentation payload */
402struct isakmp_frag {
403        u_int16_t unknown0;     /* always set to zero? */
404        u_int16_t len;
405        u_int16_t unknown1;     /* always set to 1? */
406        u_int8_t index;
407        u_int8_t flags;
408} __attribute__((__packed__));
409
410/* flags */
411#define ISAKMP_FRAG_LAST        1
412
413/* DPD R-U-THERE / R-U-THERE-ACK Payload */
414struct isakmp_pl_ru {
415        struct isakmp_gen h;
416        u_int32_t doi;          /* Domain of Interpretation */
417        u_int8_t proto_id;      /* Protocol-Id */
418        u_int8_t spi_size;      /* SPI Size */
419        u_int16_t type;         /* Notify type */
420        cookie_t  i_ck; /* Initiator Cookie */
421        cookie_t r_ck;  /* Responder cookie*/
422        u_int32_t data;         /* Notification data */
423} __attribute__((__packed__));
424
425#endif /* _ISAKMP_H */
Note: See TracBrowser for help on using the repository browser.