1/* $KAME: ipsec_doi.h,v 1.34 2001/08/16 06:20:35 itojun Exp $ */ 2 3/* 4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. 5 * All rights reserved. 6 * 7 * Redistribution and use in source and binary forms, with or without 8 * modification, are permitted provided that the following conditions 9 * are met: 10 * 1. Redistributions of source code must retain the above copyright 11 * notice, this list of conditions and the following disclaimer. 12 * 2. Redistributions in binary form must reproduce the above copyright 13 * notice, this list of conditions and the following disclaimer in the 14 * documentation and/or other materials provided with the distribution. 15 * 3. Neither the name of the project nor the names of its contributors 16 * may be used to endorse or promote products derived from this software 17 * without specific prior written permission. 18 * 19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND 20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE 23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 29 * SUCH DAMAGE. 30 */ 31 32/* refered to RFC2407 */ 33 34#define IPSEC_DOI 1 35 36/* 4.2 IPSEC Situation Definition */ 37#define IPSECDOI_SIT_IDENTITY_ONLY 0x00000001 38#define IPSECDOI_SIT_SECRECY 0x00000002 39#define IPSECDOI_SIT_INTEGRITY 0x00000004 40 41/* 4.4.1 IPSEC Security Protocol Identifiers */ 42 /* 4.4.2 IPSEC ISAKMP Transform Values */ 43#define IPSECDOI_PROTO_ISAKMP 1 44#define IPSECDOI_KEY_IKE 1 45 46/* 4.4.1 IPSEC Security Protocol Identifiers */ 47#define IPSECDOI_PROTO_IPSEC_AH 2 48 /* 4.4.3 IPSEC AH Transform Values */ 49#define IPSECDOI_AH_MD5 2 50#define IPSECDOI_AH_SHA 3 51#define IPSECDOI_AH_DES 4 52#define IPSECDOI_AH_SHA2_256 5 53#define IPSECDOI_AH_SHA2_384 6 54#define IPSECDOI_AH_SHA2_512 7 55 56/* 4.4.1 IPSEC Security Protocol Identifiers */ 57#define IPSECDOI_PROTO_IPSEC_ESP 3 58 /* 4.4.4 IPSEC ESP Transform Identifiers */ 59#define IPSECDOI_ESP_DES_IV64 1 60#define IPSECDOI_ESP_DES 2 61#define IPSECDOI_ESP_3DES 3 62#define IPSECDOI_ESP_RC5 4 63#define IPSECDOI_ESP_IDEA 5 64#define IPSECDOI_ESP_CAST 6 65#define IPSECDOI_ESP_BLOWFISH 7 66#define IPSECDOI_ESP_3IDEA 8 67#define IPSECDOI_ESP_DES_IV32 9 68#define IPSECDOI_ESP_RC4 10 69#define IPSECDOI_ESP_NULL 11 70#define IPSECDOI_ESP_RIJNDAEL 12 71#define IPSECDOI_ESP_AES 12 72 /* draft-ietf-ipsec-ciph-aes-cbc-00.txt */ 73#define IPSECDOI_ESP_TWOFISH 253 74 75/* 4.4.1 IPSEC Security Protocol Identifiers */ 76#define IPSECDOI_PROTO_IPCOMP 4 77 /* 4.4.5 IPSEC IPCOMP Transform Identifiers */ 78#define IPSECDOI_IPCOMP_OUI 1 79#define IPSECDOI_IPCOMP_DEFLATE 2 80#define IPSECDOI_IPCOMP_LZS 3 81 82/* 4.5 IPSEC Security Association Attributes */ 83/* NOTE: default value is not included in a packet. */ 84#define IPSECDOI_ATTR_SA_LD_TYPE 1 /* B */ 85#define IPSECDOI_ATTR_SA_LD_TYPE_DEFAULT 1 86#define IPSECDOI_ATTR_SA_LD_TYPE_SEC 1 87#define IPSECDOI_ATTR_SA_LD_TYPE_KB 2 88#define IPSECDOI_ATTR_SA_LD_TYPE_MAX 3 89#define IPSECDOI_ATTR_SA_LD 2 /* V */ 90#define IPSECDOI_ATTR_SA_LD_SEC_DEFAULT 28800 /* 8 hours */ 91#define IPSECDOI_ATTR_SA_LD_KB_MAX (~(1 << ((sizeof(int) << 3) - 1))) 92#define IPSECDOI_ATTR_GRP_DESC 3 /* B */ 93#define IPSECDOI_ATTR_ENC_MODE 4 /* B */ 94 /* default value: host dependent */ 95#define IPSECDOI_ATTR_ENC_MODE_ANY 0 /* NOTE:internal use */ 96#define IPSECDOI_ATTR_ENC_MODE_TUNNEL 1 97#define IPSECDOI_ATTR_ENC_MODE_TRNS 2 98#define IPSECDOI_ATTR_AUTH 5 /* B */ 99 /* 0 means not to use authentication. */ 100#define IPSECDOI_ATTR_AUTH_HMAC_MD5 1 101#define IPSECDOI_ATTR_AUTH_HMAC_SHA1 2 102#define IPSECDOI_ATTR_AUTH_DES_MAC 3 103#define IPSECDOI_ATTR_AUTH_KPDK 4 /*RFC-1826(Key/Pad/Data/Key)*/ 104#define IPSECDOI_ATTR_SHA2_256 5 105#define IPSECDOI_ATTR_SHA2_384 6 106#define IPSECDOI_ATTR_SHA2_512 7 107#define IPSECDOI_ATTR_AUTH_NONE 254 /* NOTE:internal use */ 108 /* 109 * When negotiating ESP without authentication, the Auth 110 * Algorithm attribute MUST NOT be included in the proposal. 111 * When negotiating ESP without confidentiality, the Auth 112 * Algorithm attribute MUST be included in the proposal and 113 * the ESP transform ID must be ESP_NULL. 114 */ 115#define IPSECDOI_ATTR_KEY_LENGTH 6 /* B */ 116#define IPSECDOI_ATTR_KEY_ROUNDS 7 /* B */ 117#define IPSECDOI_ATTR_COMP_DICT_SIZE 8 /* B */ 118#define IPSECDOI_ATTR_COMP_PRIVALG 9 /* V */ 119 120/* 4.6.1 Security Association Payload */ 121struct ipsecdoi_pl_sa { 122 struct isakmp_gen h; 123 struct ipsecdoi_sa_b { 124 u_int32_t doi; /* Domain of Interpretation */ 125 u_int32_t sit; /* Situation */ 126 } b; 127 /* followed by Leveled Domain Identifier and so on. */ 128} __attribute__((__packed__)); 129 130struct ipsecdoi_secrecy_h { 131 u_int16_t len; 132 u_int16_t reserved; 133 /* followed by the value */ 134} __attribute__((__packed__)); 135 136/* 4.6.2 Identification Payload Content */ 137struct ipsecdoi_pl_id { 138 struct isakmp_gen h; 139 struct ipsecdoi_id_b { 140 u_int8_t type; /* ID Type */ 141 u_int8_t proto_id; /* Protocol ID */ 142 u_int16_t port; /* Port */ 143 } b; 144 /* followed by Identification Data */ 145} __attribute__((__packed__)); 146 147#define IPSECDOI_ID_IPV4_ADDR 1 148#define IPSECDOI_ID_FQDN 2 149#define IPSECDOI_ID_USER_FQDN 3 150#define IPSECDOI_ID_IPV4_ADDR_SUBNET 4 151#define IPSECDOI_ID_IPV6_ADDR 5 152#define IPSECDOI_ID_IPV6_ADDR_SUBNET 6 153#define IPSECDOI_ID_IPV4_ADDR_RANGE 7 154#define IPSECDOI_ID_IPV6_ADDR_RANGE 8 155#define IPSECDOI_ID_DER_ASN1_DN 9 156#define IPSECDOI_ID_DER_ASN1_GN 10 157#define IPSECDOI_ID_KEY_ID 11 158 159/* compressing doi type, it's internal use. */ 160#define IDTYPE_FQDN 0 161#define IDTYPE_USERFQDN 1 162#define IDTYPE_KEYID 2 163#define IDTYPE_ADDRESS 3 164#define IDTYPE_ASN1DN 4 165 166/* The use for checking proposal payload. This is not exchange type. */ 167#define IPSECDOI_TYPE_PH1 0 168#define IPSECDOI_TYPE_PH2 1 169 170struct isakmpsa; 171struct ipsecdoi_pl_sa; 172struct saprop; 173struct saproto; 174struct satrns; 175struct prop_pair; 176 177extern int ipsecdoi_checkph1proposal __P((vchar_t *, struct ph1handle *)); 178extern int ipsecdoi_selectph2proposal __P((struct ph2handle *)); 179extern int ipsecdoi_checkph2proposal __P((struct ph2handle *)); 180 181extern struct prop_pair **get_proppair __P((vchar_t *, int)); 182extern vchar_t *get_sabyproppair __P((struct prop_pair *, struct ph1handle *)); 183extern int ipsecdoi_updatespi __P((struct ph2handle *iph2)); 184extern vchar_t *get_sabysaprop __P((struct saprop *, vchar_t *)); 185extern int ipsecdoi_checkid1 __P((struct ph1handle *)); 186extern int ipsecdoi_setid1 __P((struct ph1handle *)); 187extern int set_identifier __P((vchar_t **, int, vchar_t *)); 188extern int ipsecdoi_setid2 __P((struct ph2handle *)); 189extern vchar_t *ipsecdoi_sockaddr2id __P((struct sockaddr *, u_int, u_int)); 190extern int ipsecdoi_id2sockaddr __P((vchar_t *, struct sockaddr *, 191 u_int8_t *, u_int16_t *)); 192extern const char *ipsecdoi_id2str __P((const vchar_t *)); 193 194extern vchar_t *ipsecdoi_setph1proposal __P((struct isakmpsa *)); 195extern int ipsecdoi_setph2proposal __P((struct ph2handle *)); 196extern int ipsecdoi_transportmode __P((struct ph2handle *)); 197extern int ipsecdoi_get_defaultlifetime __P((void)); 198extern int ipsecdoi_checkalgtypes __P((int, int, int, int)); 199extern int ipproto2doi __P((int)); 200extern int doi2ipproto __P((int)); 201 202extern int ipsecdoi_t2satrns __P((struct isakmp_pl_t *, 203 struct saprop *, struct saproto *, struct satrns *)); 204extern int ipsecdoi_authalg2trnsid __P((int)); 205extern int idtype2doi __P((int)); 206extern int doi2idtype __P((int)); 207