1/*	$KAME: ipsec_doi.h,v 1.34 2001/08/16 06:20:35 itojun Exp $	*/
2
3/*
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 *    notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 *    notice, this list of conditions and the following disclaimer in the
14 *    documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 *    may be used to endorse or promote products derived from this software
17 *    without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
/*
 * Constants taken from RFC 2407, the IPsec Domain of Interpretation (DOI)
 * for ISAKMP.  The section numbers in the comments below refer to that
 * document.
 */

#define IPSEC_DOI 1

/* 4.2 IPSEC Situation Definition: bit flags OR'ed into the SA payload's
 * situation field (ipsecdoi_sa_b.sit). */
#define IPSECDOI_SIT_IDENTITY_ONLY           0x00000001
#define IPSECDOI_SIT_SECRECY                 0x00000002
#define IPSECDOI_SIT_INTEGRITY               0x00000004
40
/*
 * 4.4.1 IPSEC Security Protocol Identifiers, each followed by the transform
 * identifiers defined for that protocol.  Transform values are scoped by
 * protocol: the same number names different algorithms under AH, ESP and
 * IPCOMP (2 is MD5 for AH but DES for ESP), so a transform id is only
 * meaningful together with its protocol id.  A transform being listed here
 * means it can be named on the wire, not that it is acceptable to negotiate;
 * several (single DES, MD5, RC4, ...) are legacy and policy decides their use.
 */
/* 4.4.1 IPSEC Security Protocol Identifiers */
  /* 4.4.2 IPSEC ISAKMP Transform Values */
#define IPSECDOI_PROTO_ISAKMP                        1
#define   IPSECDOI_KEY_IKE                             1

/* 4.4.1 IPSEC Security Protocol Identifiers */
#define IPSECDOI_PROTO_IPSEC_AH                      2
  /* 4.4.3 IPSEC AH Transform Values */
#define   IPSECDOI_AH_MD5                              2
#define   IPSECDOI_AH_SHA                              3
#define   IPSECDOI_AH_DES                              4
#define   IPSECDOI_AH_SHA2_256                         5
#define   IPSECDOI_AH_SHA2_384                         6
#define   IPSECDOI_AH_SHA2_512                         7

/* 4.4.1 IPSEC Security Protocol Identifiers */
#define IPSECDOI_PROTO_IPSEC_ESP                     3
  /* 4.4.4 IPSEC ESP Transform Identifiers */
#define   IPSECDOI_ESP_DES_IV64                        1
#define   IPSECDOI_ESP_DES                             2
#define   IPSECDOI_ESP_3DES                            3
#define   IPSECDOI_ESP_RC5                             4
#define   IPSECDOI_ESP_IDEA                            5
#define   IPSECDOI_ESP_CAST                            6
#define   IPSECDOI_ESP_BLOWFISH				7
#define   IPSECDOI_ESP_3IDEA                           8
#define   IPSECDOI_ESP_DES_IV32                        9
#define   IPSECDOI_ESP_RC4                            10
#define   IPSECDOI_ESP_NULL                           11
  /* Rijndael and AES are the same transform: two names for one value. */
#define   IPSECDOI_ESP_RIJNDAEL				12
#define   IPSECDOI_ESP_AES				12
  /* draft-ietf-ipsec-ciph-aes-cbc-00.txt */
  /* Private-use value (RFC 2407 reserves 249-255 for private use), not an
   * IANA assignment; only interoperates with peers using the same number. */
#define   IPSECDOI_ESP_TWOFISH				253

/* 4.4.1 IPSEC Security Protocol Identifiers */
#define IPSECDOI_PROTO_IPCOMP                        4
  /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
#define   IPSECDOI_IPCOMP_OUI                          1
#define   IPSECDOI_IPCOMP_DEFLATE                      2
#define   IPSECDOI_IPCOMP_LZS                          3
81
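/* 4.5 IPSEC Security Association Attributes */
/*
 * Attribute class numbers and the values each class may carry.  "B" marks a
 * basic (fixed 16-bit value) attribute, "V" a variable-length one, following
 * the attribute TLV encoding RFC 2407 section 4.5 refers to.
 * NOTE: default value is not included in a packet.
 */
#define IPSECDOI_ATTR_SA_LD_TYPE              1 /* B */
#define   IPSECDOI_ATTR_SA_LD_TYPE_DEFAULT      1 /* same as _SEC: seconds */
#define   IPSECDOI_ATTR_SA_LD_TYPE_SEC          1
#define   IPSECDOI_ATTR_SA_LD_TYPE_KB           2
#define   IPSECDOI_ATTR_SA_LD_TYPE_MAX          3 /* presumably the exclusive upper bound used for range checks -- confirm against callers */
#define IPSECDOI_ATTR_SA_LD                   2 /* V */
#define   IPSECDOI_ATTR_SA_LD_SEC_DEFAULT      28800 /* 8 hours */
/*
 * Largest kilobyte lifetime representable in an int, i.e. INT_MAX spelled
 * without <limits.h>.  The former `~(1 << ((sizeof(int) << 3) - 1))` shifted
 * a signed 1 into the sign bit, which is undefined behaviour in C; the
 * computation is now done on an unsigned operand and cast back so the macro
 * keeps its original signed int type (comparisons with signed lifetimes are
 * unchanged).  The result is INT_MAX on any target without padding bits.
 */
#define   IPSECDOI_ATTR_SA_LD_KB_MAX  ((int)(~0U >> 1))
#define IPSECDOI_ATTR_GRP_DESC                3 /* B */
#define IPSECDOI_ATTR_ENC_MODE                4 /* B */
	/* default value: host dependent */
	/* _ANY is an internal marker, never meant to appear on the wire. */
#define   IPSECDOI_ATTR_ENC_MODE_ANY            0	/* NOTE:internal use */
#define   IPSECDOI_ATTR_ENC_MODE_TUNNEL         1
#define   IPSECDOI_ATTR_ENC_MODE_TRNS           2
#define IPSECDOI_ATTR_AUTH                    5 /* B */
	/* 0 means not to use authentication. */
#define   IPSECDOI_ATTR_AUTH_HMAC_MD5           1
#define   IPSECDOI_ATTR_AUTH_HMAC_SHA1          2
#define   IPSECDOI_ATTR_AUTH_DES_MAC            3
#define   IPSECDOI_ATTR_AUTH_KPDK               4 /*RFC-1826(Key/Pad/Data/Key)*/
	/* The SHA2 names below lack the _AUTH_ infix of their siblings; the
	 * inconsistency is kept so existing callers keep compiling. */
#define   IPSECDOI_ATTR_SHA2_256                5
#define   IPSECDOI_ATTR_SHA2_384                6
#define   IPSECDOI_ATTR_SHA2_512                7
	/* _NONE is an internal marker, never meant to appear on the wire. */
#define   IPSECDOI_ATTR_AUTH_NONE               254	/* NOTE:internal use */
	/*
	 * When negotiating ESP without authentication, the Auth
	 * Algorithm attribute MUST NOT be included in the proposal.
	 * When negotiating ESP without confidentiality, the Auth
	 * Algorithm attribute MUST be included in the proposal and
	 * the ESP transform ID must be ESP_NULL.
	*/
#define IPSECDOI_ATTR_KEY_LENGTH              6 /* B */
#define IPSECDOI_ATTR_KEY_ROUNDS              7 /* B */
#define IPSECDOI_ATTR_COMP_DICT_SIZE          8 /* B */
#define IPSECDOI_ATTR_COMP_PRIVALG            9 /* V */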
119
120/* 4.6.1 Security Association Payload */
/*
 * Fixed prefix of the Security Association payload, packed so it mirrors the
 * wire layout byte for byte.  Only the fixed part is described: the payload's
 * total length lives in the generic header, not in sizeof(*this), so parsers
 * must check that length against the received buffer before reading the
 * trailing data.  Multi-byte fields are presumably in network byte order --
 * confirm against the parser.
 */
struct ipsecdoi_pl_sa {
	struct isakmp_gen h;	/* generic ISAKMP payload header (next payload, length) */
	struct ipsecdoi_sa_b {
		u_int32_t doi; /* Domain of Interpretation; expected to be IPSEC_DOI */
		u_int32_t sit; /* Situation: IPSECDOI_SIT_* flags */
	} b;
	/* followed by Leveled Domain Identifier and so on. */
} __attribute__((__packed__));
129
/*
 * Header of a secrecy/integrity level or category entry carried in the SA
 * payload when the situation includes IPSECDOI_SIT_SECRECY or
 * IPSECDOI_SIT_INTEGRITY (RFC 2407 4.6.1).  Packed wire layout.
 */
struct ipsecdoi_secrecy_h {
	u_int16_t len;		/* length of the value that follows; peer-supplied,
				 * so bound it by the enclosing payload before use */
	u_int16_t reserved;
	/* followed by the value */
} __attribute__((__packed__));
135
136/* 4.6.2 Identification Payload Content */
/*
 * Fixed part of the Identification payload, packed to mirror the wire
 * layout.  Identification Data follows; its length is whatever the generic
 * header's payload length leaves after this struct, and `type` (one of the
 * IPSECDOI_ID_* values below) decides how that data is interpreted.  A type
 * outside the defined list should be rejected rather than guessed at.
 */
struct ipsecdoi_pl_id {
	struct isakmp_gen h;	/* generic ISAKMP payload header */
	struct ipsecdoi_id_b {
		u_int8_t type;		/* ID Type (IPSECDOI_ID_*) */
		u_int8_t proto_id;	/* Protocol ID */
		u_int16_t port;		/* Port (presumably network byte order) */
	} b;
	/* followed by Identification Data */
} __attribute__((__packed__));
146
/* 4.6.2.1 Identification Type Values: wire values of ipsecdoi_id_b.type. */
#define IPSECDOI_ID_IPV4_ADDR                        1
#define IPSECDOI_ID_FQDN                             2
#define IPSECDOI_ID_USER_FQDN                        3
#define IPSECDOI_ID_IPV4_ADDR_SUBNET                 4
#define IPSECDOI_ID_IPV6_ADDR                        5
#define IPSECDOI_ID_IPV6_ADDR_SUBNET                 6
#define IPSECDOI_ID_IPV4_ADDR_RANGE                  7
#define IPSECDOI_ID_IPV6_ADDR_RANGE                  8
#define IPSECDOI_ID_DER_ASN1_DN                      9
#define IPSECDOI_ID_DER_ASN1_GN                      10
#define IPSECDOI_ID_KEY_ID                           11

/*
 * Compressed identifier types for internal use only; they are not the DOI
 * wire values above and must not be sent or compared against them directly.
 * idtype2doi()/doi2idtype() (declared below) convert between the two.
 */
#define IDTYPE_FQDN		0
#define IDTYPE_USERFQDN		1
#define IDTYPE_KEYID		2
#define IDTYPE_ADDRESS		3
#define IDTYPE_ASN1DN		4

/* Used when checking a proposal payload to tell phase 1 from phase 2.
 * This is not an ISAKMP exchange type. */
#define IPSECDOI_TYPE_PH1	0
#define IPSECDOI_TYPE_PH2	1
169
/* Opaque types shared with the rest of the daemon; only pointers are used here. */
struct isakmpsa;
struct ipsecdoi_pl_sa;	/* redundant: fully defined above; harmless */
struct saprop;
struct saproto;
struct satrns;
struct prop_pair;

/*
 * Prototypes for the DOI-specific routines (implemented in the matching .c
 * file).  __P() wraps each parameter list so the header also compiles with
 * pre-ANSI compilers.  The proposal and identifier routines operate on
 * peer-supplied payloads; callers should act on their return codes.
 */
extern int ipsecdoi_checkph1proposal __P((vchar_t *, struct ph1handle *));
extern int ipsecdoi_selectph2proposal __P((struct ph2handle *));
extern int ipsecdoi_checkph2proposal __P((struct ph2handle *));

extern struct prop_pair **get_proppair __P((vchar_t *, int));
extern vchar_t *get_sabyproppair __P((struct prop_pair *, struct ph1handle *));
extern int ipsecdoi_updatespi __P((struct ph2handle *iph2));
extern vchar_t *get_sabysaprop __P((struct saprop *, vchar_t *));
extern int ipsecdoi_checkid1 __P((struct ph1handle *));
extern int ipsecdoi_setid1 __P((struct ph1handle *));
extern int set_identifier __P((vchar_t **, int, vchar_t *));
extern int ipsecdoi_setid2 __P((struct ph2handle *));
extern vchar_t *ipsecdoi_sockaddr2id __P((struct sockaddr *, u_int, u_int));
extern int ipsecdoi_id2sockaddr __P((vchar_t *, struct sockaddr *,
	u_int8_t *, u_int16_t *));
extern const char *ipsecdoi_id2str __P((const vchar_t *));

extern vchar_t *ipsecdoi_setph1proposal __P((struct isakmpsa *));
extern int ipsecdoi_setph2proposal __P((struct ph2handle *));
extern int ipsecdoi_transportmode __P((struct ph2handle *));
extern int ipsecdoi_get_defaultlifetime __P((void));
extern int ipsecdoi_checkalgtypes __P((int, int, int, int));
extern int ipproto2doi __P((int));
extern int doi2ipproto __P((int));

extern int ipsecdoi_t2satrns __P((struct isakmp_pl_t *,
	struct saprop *, struct saproto *, struct satrns *));
extern int ipsecdoi_authalg2trnsid __P((int));
/* Convert between the internal IDTYPE_* numbering and the IPSECDOI_ID_* wire values. */
extern int idtype2doi __P((int));
extern int doi2idtype __P((int));
207