1/* $Id: ipsec_doi.h,v 1.9.2.2 2005/10/17 16:23:50 monas Exp $ */ 2 3/* 4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the project nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32#ifndef _IPSEC_DOI_H 33#define _IPSEC_DOI_H 34 35#include "isakmp.h" 36 37/* refered to RFC2407 */ 38 39#define IPSEC_DOI 1 40 41/* 4.2 IPSEC Situation Definition */ 42#define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001 43#define IPSECDOI_SIT_SECRECY 0x00000002 44#define IPSECDOI_SIT_INTEGRITY 0x00000004 45 46/* 4.4.1 IPSEC Security Protocol Identifiers */ 47 /* 4.4.2 IPSEC ISAKMP Transform Values */ 48#define IPSECDOI_PROTO_ISAKMP 1 49#define IPSECDOI_KEY_IKE 1 50 51/* 4.4.1 IPSEC Security Protocol Identifiers */ 52#define IPSECDOI_PROTO_IPSEC_AH 2 53 /* 4.4.3 IPSEC AH Transform Values */ 54#define IPSECDOI_AH_MD5 2 55#define IPSECDOI_AH_SHA 3 56#define IPSECDOI_AH_DES 4 57#define IPSECDOI_AH_SHA256 5 58#define IPSECDOI_AH_SHA384 6 59#define IPSECDOI_AH_SHA512 7 60 61/* 4.4.1 IPSEC Security Protocol Identifiers */ 62#define IPSECDOI_PROTO_IPSEC_ESP 3 63 /* 4.4.4 IPSEC ESP Transform Identifiers */ 64#define IPSECDOI_ESP_DES_IV64 1 65#define IPSECDOI_ESP_DES 2 66#define IPSECDOI_ESP_3DES 3 67#define IPSECDOI_ESP_RC5 4 68#define IPSECDOI_ESP_IDEA 5 69#define IPSECDOI_ESP_CAST 6 70#define IPSECDOI_ESP_BLOWFISH 7 71#define IPSECDOI_ESP_3IDEA 8 72#define IPSECDOI_ESP_DES_IV32 9 73#define IPSECDOI_ESP_RC4 10 74#define IPSECDOI_ESP_NULL 11 75#define IPSECDOI_ESP_AES 12 76#if 1 77 /* draft-ietf-ipsec-ciph-aes-cbc-00.txt */ 78#define IPSECDOI_ESP_TWOFISH 253 79#else 80 /* SSH uses these value for now */ 81#define IPSECDOI_ESP_TWOFISH 250 82#endif 83 84/* 4.4.1 IPSEC Security Protocol Identifiers */ 85#define IPSECDOI_PROTO_IPCOMP 4 86 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */ 87#define IPSECDOI_IPCOMP_OUI 1 88#define IPSECDOI_IPCOMP_DEFLATE 2 89#define IPSECDOI_IPCOMP_LZS 3 90 91/* 4.5 IPSEC Security Association Attributes */ 92/* NOTE: default value is not included in a packet. */ 93#define IPSECDOI_ATTR_SA_LD_TYPE 1 /* B */ 94#define IPSECDOI_ATTR_SA_LD_TYPE_DEFAULT 1 95#define IPSECDOI_ATTR_SA_LD_TYPE_SEC 1 96#define IPSECDOI_ATTR_SA_LD_TYPE_KB 2 97#define IPSECDOI_ATTR_SA_LD_TYPE_MAX 3 98#define IPSECDOI_ATTR_SA_LD 2 /* V */ 99#define IPSECDOI_ATTR_SA_LD_SEC_DEFAULT 28800 /* 8 hours */ 100#define IPSECDOI_ATTR_SA_LD_KB_MAX (~(1 << ((sizeof(int) << 3) - 1))) 101#define IPSECDOI_ATTR_GRP_DESC 3 /* B */ 102#define IPSECDOI_ATTR_ENC_MODE 4 /* B */ 103 /* default value: host dependent */ 104#define IPSECDOI_ATTR_ENC_MODE_ANY 0 /* NOTE:internal use */ 105#define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1 106#define IPSECDOI_ATTR_ENC_MODE_TRNS 2 107 108/* NAT-T draft-ietf-ipsec-nat-t-ike-05 and later */ 109#define IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC 3 110#define IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC 4 111 112/* NAT-T up to draft-ietf-ipsec-nat-t-ike-04 */ 113#define IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT 61443 114#define IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT 61444 115 116#define IPSECDOI_ATTR_AUTH 5 /* B */ 117 /* 0 means not to use authentication. */ 118#define IPSECDOI_ATTR_AUTH_HMAC_MD5 1 119#define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2 120#define IPSECDOI_ATTR_AUTH_DES_MAC 3 121#define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/ 122#define IPSECDOI_ATTR_AUTH_HMAC_SHA2_256 5 123#define IPSECDOI_ATTR_AUTH_HMAC_SHA2_384 6 124#define IPSECDOI_ATTR_AUTH_HMAC_SHA2_512 7 125#define IPSECDOI_ATTR_AUTH_HMAC_MD5_96 252 /* NOTE:internal use */ 126#define IPSECDOI_ATTR_AUTH_HMAC_SHA1_96 253 /* NOTE:internal use */ 127#define IPSECDOI_ATTR_AUTH_NONE 254 /* NOTE:internal use */ 128 /* 129 * When negotiating ESP without authentication, the Auth 130 * Algorithm attribute MUST NOT be included in the proposal. 131 * When negotiating ESP without confidentiality, the Auth 132 * Algorithm attribute MUST be included in the proposal and 133 * the ESP transform ID must be ESP_NULL. 134 */ 135#define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */ 136#define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */ 137#define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */ 138#define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */ 139 140/* 4.6.1 Security Association Payload */ 141struct ipsecdoi_pl_sa { 142 struct isakmp_gen h; 143 struct ipsecdoi_sa_b { 144 u_int32_t doi; /* Domain of Interpretation */ 145 u_int32_t sit; /* Situation */ 146 } b; 147 /* followed by Leveled Domain Identifier and so on. */ 148} __attribute__((__packed__)); 149 150struct ipsecdoi_secrecy_h { 151 u_int16_t len; 152 u_int16_t reserved; 153 /* followed by the value */ 154} __attribute__((__packed__)); 155 156/* 4.6.2 Identification Payload Content */ 157struct ipsecdoi_pl_id { 158 struct isakmp_gen h; 159 struct ipsecdoi_id_b { 160 u_int8_t type; /* ID Type */ 161 u_int8_t proto_id; /* Protocol ID */ 162 u_int16_t port; /* Port */ 163 } b; 164 /* followed by Identification Data */ 165} __attribute__((__packed__)); 166 167#define IPSECDOI_ID_IPV4_ADDR 1 168#define IPSECDOI_ID_FQDN 2 169#define IPSECDOI_ID_USER_FQDN 3 170#define IPSECDOI_ID_IPV4_ADDR_SUBNET 4 171#define IPSECDOI_ID_IPV6_ADDR 5 172#define IPSECDOI_ID_IPV6_ADDR_SUBNET 6 173#define IPSECDOI_ID_IPV4_ADDR_RANGE 7 174#define IPSECDOI_ID_IPV6_ADDR_RANGE 8 175#define IPSECDOI_ID_DER_ASN1_DN 9 176#define IPSECDOI_ID_DER_ASN1_GN 10 177#define IPSECDOI_ID_KEY_ID 11 178 179/* compressing doi type, it's internal use. */ 180#define IDTYPE_UNDEFINED 0 181#define IDTYPE_FQDN 1 182#define IDTYPE_USERFQDN 2 183#define IDTYPE_KEYID 3 184#define IDTYPE_ADDRESS 4 185#define IDTYPE_ASN1DN 5 186#define IDTYPE_LOGIN 6 187#define IDTYPE_SUBNET 7 188#define IDTYPE_KEYIDUSE 8 189#define IDTYPE_MAX IDTYPE_KEYIDUSE 190 191/* shared secret type, it's internal use. */ 192#define SECRETTYPE_USE 0 193#define SECRETTYPE_KEY 1 194#define SECRETTYPE_KEYCHAIN 2 195#define SECRETTYPE_KEYCHAIN_BY_ID 3 196 197/* verification modules */ 198#define VERIFICATION_MODULE_OPENSSL 0 199#define VERIFICATION_MODULE_SEC_FRAMEWORK 1 200 201/* verification options */ 202#define VERIFICATION_OPTION_NONE 0 203#define VERIFICATION_OPTION_PEERS_IDENTIFIER 1 204#define VERIFICATION_OPTION_OPEN_DIR 2 205 206/* qualifiers for KEYID (and maybe others) */ 207#define IDQUAL_UNSPEC 0 208#define IDQUAL_FILE 1 209#define IDQUAL_TAG 2 210 211 212/* The use for checking proposal payload. This is not exchange type. */ 213#define IPSECDOI_TYPE_PH1 0 214#define IPSECDOI_TYPE_PH2 1 215 216struct isakmpsa; 217struct ipsecdoi_pl_sa; 218struct saprop; 219struct saproto; 220struct satrns; 221struct prop_pair; 222 223extern struct isakmpsa *get_ph1approvalx (struct prop_pair *, 224 struct isakmpsa *, struct isakmpsa *, int); 225extern int ipsecdoi_checkph1proposal (vchar_t *, phase1_handle_t *); 226extern int ipsecdoi_selectph2proposal (phase2_handle_t *); 227extern int ipsecdoi_checkph2proposal (phase2_handle_t *); 228 229extern struct prop_pair **get_proppair (vchar_t *, int); 230extern vchar_t *get_sabyproppair (struct prop_pair *, phase1_handle_t *); 231extern int ipsecdoi_updatespi (phase2_handle_t *iph2); 232extern vchar_t *get_sabysaprop (struct saprop *, vchar_t *); 233extern int ipsecdoi_chkcmpids (const vchar_t *, const vchar_t *, int ); 234extern int ipsecdoi_checkid1 (phase1_handle_t *); 235extern int ipsecdoi_setid1 (phase1_handle_t *); 236extern int set_identifier (vchar_t **, int, vchar_t *); 237extern int set_identifier_qual (vchar_t **, int, vchar_t *, int); 238extern int ipsecdoi_setid2 (phase2_handle_t *); 239extern vchar_t *ipsecdoi_sockaddr2id (struct sockaddr_storage *, u_int, u_int); 240extern int ipsecdoi_id2sockaddr (vchar_t *, struct sockaddr_storage *, 241 u_int8_t *, u_int16_t *, int); 242extern char *ipsecdoi_id2str (const vchar_t *); 243extern vchar_t *ipsecdoi_sockrange2id (struct sockaddr_storage *, 244 struct sockaddr_storage *, u_int); 245 246extern vchar_t *ipsecdoi_setph1proposal (phase1_handle_t *); 247extern int ipsecdoi_setph2proposal (phase2_handle_t *, int); 248extern int ipsecdoi_transportmode (struct saprop *); 249extern int ipsecdoi_tunnelmode (phase2_handle_t *); 250extern int ipsecdoi_any_transportmode (struct saprop *); 251extern int ipsecdoi_get_defaultlifetime (void); 252extern int ipsecdoi_checkalgtypes (int, int, int, int); 253extern int ipproto2doi (int); 254extern int doi2ipproto (int); 255 256extern int ipsecdoi_t2satrns (struct isakmp_pl_t *, 257 struct saprop *, struct saproto *, struct satrns *); 258extern int ipsecdoi_authalg2trnsid (int); 259extern int idtype2doi (int); 260extern int doi2idtype (int); 261extern int check_spi_size (int, int); 262extern void print_ph1mismatched (struct prop_pair *, struct isakmpsa *); 263 264 265#endif /* _IPSEC_DOI_H */ 266