[apple/ipsec.git] / ipsec-tools / racoon / isakmp.h

/* $Id: isakmp.h,v 1.10 2005/01/29 16:34:25 vanhu Exp $ */

/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 * 
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#ifndef _ISAKMP_H
#define _ISAKMP_H

#include <sys/types.h>
#include "racoon_types.h"
#include "vmbuf.h"
#include "isakmp_var.h"

/* refer to RFC 2408 */

/* must include <netinet/in.h> first. */
/* must include "isakmp_var.h" first. */

#define INITIATOR	0	/* synonym sender */
#define RESPONDER	1	/* synonym receiver */

#define GENERATE	1
#define VALIDATE	0

/* 3.1 ISAKMP Header Format
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        !                          Initiator                            !
        !                            Cookie                             !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        !                          Responder                            !
        !                            Cookie                             !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        !  Next Payload ! MjVer ! MnVer ! Exchange Type !     Flags     !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        !                          Message ID                           !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        !                            Length                             !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp {
	cookie_t i_ck;		/* Initiator Cookie */
	cookie_t r_ck;		/* Responder Cookie */
	u_int8_t np;		/* Next Payload Type */
	u_int8_t v;
	u_int8_t etype;		/* Exchange Type */
	u_int8_t flags;		/* Flags */
	u_int32_t msgid;
	u_int32_t len;		/* Length */
} __attribute__((__packed__));

/* Next Payload Type */
#define ISAKMP_NPTYPE_NONE	0	/* NONE*/
#define ISAKMP_NPTYPE_SA	1	/* Security Association */
#define ISAKMP_NPTYPE_P		2	/* Proposal */
#define ISAKMP_NPTYPE_T		3	/* Transform */
#define ISAKMP_NPTYPE_KE	4	/* Key Exchange */
#define ISAKMP_NPTYPE_ID	5	/* Identification */
#define ISAKMP_NPTYPE_CERT	6	/* Certificate */
#define ISAKMP_NPTYPE_CR	7	/* Certificate Request */
#define ISAKMP_NPTYPE_HASH	8	/* Hash */
#define ISAKMP_NPTYPE_SIG	9	/* Signature */
#define ISAKMP_NPTYPE_NONCE	10	/* Nonce */
#define ISAKMP_NPTYPE_N		11	/* Notification */
#define ISAKMP_NPTYPE_D		12	/* Delete */
#define ISAKMP_NPTYPE_VID	13	/* Vendor ID */
#define ISAKMP_NPTYPE_ATTR	14	/* Attribute */


/* NAT-T draft-ietf-ipsec-nat-t-ike-05 and later */
/* XXX conflicts with values assigned to RFC 3547 */
#define ISAKMP_NPTYPE_NATD_BADDRAFT		15	/* NAT Discovery */
#define ISAKMP_NPTYPE_NATOA_BADDRAFT	16	/* NAT Original Address */


/* NAT-T RFC */
#define ISAKMP_NPTYPE_NATD_RFC	20	/* NAT Discovery */
#define ISAKMP_NPTYPE_NATOA_RFC	21	/* NAT Original Address */

/* NAT-T up to draft-ietf-ipsec-nat-t-ike-04 */
#define ISAKMP_NPTYPE_NATD_DRAFT	130	/* NAT Discovery */
#define ISAKMP_NPTYPE_NATOA_DRAFT	131	/* NAT Original Address */

/* Frag does not seems to be documented */
#define ISAKMP_NPTYPE_FRAG	132	/* IKE fragmentation payload */

#define ISAKMP_NPTYPE_MAX	17
			/*	128 - 255 Private Use */

/*
 * The following are valid when the Vendor ID is one of the
 * following:
 *
 *	MD5("A GSS-API Authentication Method for IKE")
 *	MD5("GSSAPI") (recognized by Windows 2000)
 *	MD5("MS NT5 ISAKMPOAKLEY") (sent by Windows 2000)
 *
 * See draft-ietf-ipsec-isakmp-gss-auth-06.txt.
 */
#define ISAKMP_NPTYPE_GSS	129	/* GSS token */

#define ISAKMP_MAJOR_VERSION_IKEV1	1
#define ISAKMP_MAJOR_VERSION_IKEV2	2
#define ISAKMP_MINOR_VERSION	0
#define ISAKMP_VERSION_NUMBER_IKEV1	0x10
#define ISAKMP_VERSION_NUMBER_IKEV2	0x20
#define ISAKMP_GETMAJORV(v)	(((v) & 0xf0) >> 4)
#define ISAKMP_SETMAJORV(v, m)	((v) = ((v) & 0x0f) | (((m) << 4) & 0xf0))
#define ISAKMP_GETMINORV(v)	((v) & 0x0f)
#define ISAKMP_SETMINORV(v, m)	((v) = ((v) & 0xf0) | ((m) & 0x0f))

/* Exchange Type */
#define ISAKMP_ETYPE_NONE	0	/* NONE */
#define ISAKMP_ETYPE_BASE	1	/* Base */
#define ISAKMP_ETYPE_IDENT	2	/* Identity Proteciton */
#define ISAKMP_ETYPE_AUTH	3	/* Authentication Only */
#define ISAKMP_ETYPE_AGG	4	/* Aggressive */
#define ISAKMP_ETYPE_INFO	5	/* Informational */
#define ISAKMP_ETYPE_CFG	6	/* Mode config */
/* Additional Exchange Type */
#define ISAKMP_ETYPE_QUICK	32	/* Quick Mode */
#define ISAKMP_ETYPE_NEWGRP	33	/* New group Mode */
#define ISAKMP_ETYPE_ACKINFO	34	/* Acknowledged Informational */

/* Flags */
#define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
#define ISAKMP_FLAG_C 0x02 /* Commit Bit */
#define ISAKMP_FLAG_A 0x04 /* Authentication Only Bit */

/* 3.2 Payload Generic Header
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        ! Next Payload  !   RESERVED    !         Payload Length        !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp_gen {
	u_int8_t np;		/* Next Payload */
	u_int8_t reserved;	/* RESERVED, unused, must set to 0 */
	u_int16_t len;		/* Payload Length */
} __attribute__((__packed__));

/* 3.3 Data Attributes
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        !A!       Attribute Type        !    AF=0  Attribute Length     !
        !F!                             !    AF=1  Attribute Value      !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        .                   AF=0  Attribute Value                       .
        .                   AF=1  Not Transmitted                       .
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp_data {
	u_int16_t type;		/* defined by DOI-spec, and Attribute Format */
	u_int16_t lorv;		/* if f equal 1, Attribute Length */
				/* if f equal 0, Attribute Value */
	/* if f equal 1, Attribute Value */
} __attribute__((__packed__));
#define ISAKMP_GEN_TLV 0x0000
#define ISAKMP_GEN_TV  0x8000
	/* mask for type of attribute format */
#define ISAKMP_GEN_MASK 0x8000

#if 0
/* MAY NOT be used, because of being defined in ipsec-doi. */
/* 3.4 Security Association Payload */
struct isakmp_pl_sa {
	struct isakmp_gen h;
	u_int32_t doi;		/* Domain of Interpretation */
	u_int32_t sit;		/* Situation */
} __attribute__((__packed__));
#endif

/* 3.5 Proposal Payload */
	/*
	The value of the next payload field MUST only contain the value "2"
	or "0".  If there are additional Proposal payloads in the message,
	then this field will be 2.  If the current Proposal payload is the
	last within the security association proposal, then this field will
	be 0.
	*/
struct isakmp_pl_p {
	struct isakmp_gen h;
	u_int8_t p_no;		/* Proposal # */
	u_int8_t proto_id;	/* Protocol */
	u_int8_t spi_size;	/* SPI Size */
	u_int8_t num_t;		/* Number of Transforms */
	/* SPI */
} __attribute__((__packed__));

/* 3.6 Transform Payload */
	/*
	The value of the next payload field MUST only contain the value "3"
	or "0".  If there are additional Transform payloads in the proposal,
	then this field will be 3.  If the current Transform payload is the
	last within the proposal, then this field will be 0.
	*/
struct isakmp_pl_t {
	struct isakmp_gen h;
	u_int8_t t_no;		/* Transform # */
	u_int8_t t_id;		/* Transform-Id */
	u_int16_t reserved;	/* RESERVED2 */
	/* SA Attributes */
} __attribute__((__packed__));

/* 3.7 Key Exchange Payload */
struct isakmp_pl_ke {
	struct isakmp_gen h;
	/* Key Exchange Data */
} __attribute__((__packed__));

#if 0
/* NOTE: MUST NOT use because of being defined in ipsec-doi instead them. */
/* 3.8 Identification Payload */
struct isakmp_pl_id {
	struct isakmp_gen h;
	union {
		u_int8_t id_type;	/* ID Type */
		u_int32_t doi_data;	/* DOI Specific ID Data */
	} d;
	/* Identification Data */
} __attribute__((__packed__));
/* A.4 ISAKMP Identification Type Values */
#define ISAKMP_ID_IPV4_ADDR		0
#define ISAKMP_ID_IPV4_ADDR_SUBNET	1
#define ISAKMP_ID_IPV6_ADDR		2
#define ISAKMP_ID_IPV6_ADDR_SUBNET	3
#endif

/* 3.9 Certificate Payload */
struct isakmp_pl_cert {
	struct isakmp_gen h;
	/*
	 * Encoding type of 1 octet follows immediately,
	 * variable length CERT data follows encoding type.
	 */
} __attribute__((__packed__));

/* Certificate Type */
#define ISAKMP_CERT_NONE	0
#define ISAKMP_CERT_PKCS7	1
#define ISAKMP_CERT_PGP		2
#define ISAKMP_CERT_DNS		3
#define ISAKMP_CERT_X509SIGN	4
#define ISAKMP_CERT_X509KE	5
#define ISAKMP_CERT_KERBEROS	6
#define ISAKMP_CERT_CRL		7
#define ISAKMP_CERT_ARL		8
#define ISAKMP_CERT_SPKI	9
#define ISAKMP_CERT_X509ATTR	10
#define ISAKMP_CERT_PLAINRSA	11

/* the method to get peers certificate */
#define ISAKMP_GETCERT_PAYLOAD		1
#define ISAKMP_GETCERT_LOCALFILE	2
#define ISAKMP_GETCERT_DNS		3

/* 3.10 Certificate Request Payload */
struct isakmp_pl_cr {
	struct isakmp_gen h;
	u_int8_t num_cert; /* # Cert. Types */
	/*
	Certificate Types (variable length)
	  -- Contains a list of the types of certificates requested,
	  sorted in order of preference.  Each individual certificate
	  type is 1 octet.  This field is NOT required.
	*/
	/* # Certificate Authorities (1 octet) */
	/* Certificate Authorities (variable length) */
} __attribute__((__packed__));

/* 3.11 Hash Payload */
struct isakmp_pl_hash {
	struct isakmp_gen h;
	/* Hash Data */
} __attribute__((__packed__));

/* 3.12 Signature Payload */
struct isakmp_pl_sig {
	struct isakmp_gen h;
	/* Signature Data */
} __attribute__((__packed__));

/* 3.13 Nonce Payload */
struct isakmp_pl_nonce {
	struct isakmp_gen h;
	/* Nonce Data */
} __attribute__((__packed__));

/* 3.14 Notification Payload */
struct isakmp_pl_n {
	struct isakmp_gen h;
	u_int32_t doi;		/* Domain of Interpretation */
	u_int8_t proto_id;	/* Protocol-ID */
	u_int8_t spi_size;	/* SPI Size */
	u_int16_t type;		/* Notify Message Type */
	/* SPI */
	/* Notification Data */
} __attribute__((__packed__));

/* 3.14.1 Notify Message Types */
/* NOTIFY MESSAGES - ERROR TYPES */
#define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE	1
#define ISAKMP_NTYPE_DOI_NOT_SUPPORTED		2
#define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED	3
#define ISAKMP_NTYPE_INVALID_COOKIE		4
#define ISAKMP_NTYPE_INVALID_MAJOR_VERSION	5
#define ISAKMP_NTYPE_INVALID_MINOR_VERSION	6
#define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE	7
#define ISAKMP_NTYPE_INVALID_FLAGS		8
#define ISAKMP_NTYPE_INVALID_MESSAGE_ID		9
#define ISAKMP_NTYPE_INVALID_PROTOCOL_ID	10
#define ISAKMP_NTYPE_INVALID_SPI		11
#define ISAKMP_NTYPE_INVALID_TRANSFORM_ID	12
#define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED	13
#define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN		14
#define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX	15
#define ISAKMP_NTYPE_PAYLOAD_MALFORMED		16
#define ISAKMP_NTYPE_INVALID_KEY_INFORMATION	17
#define ISAKMP_NTYPE_INVALID_ID_INFORMATION	18
#define ISAKMP_NTYPE_INVALID_CERT_ENCODING	19
#define ISAKMP_NTYPE_INVALID_CERTIFICATE	20
#define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX	21
#define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY	22
#define ISAKMP_NTYPE_INVALID_HASH_INFORMATION	23
#define ISAKMP_NTYPE_AUTHENTICATION_FAILED	24
#define ISAKMP_NTYPE_INVALID_SIGNATURE		25
#define ISAKMP_NTYPE_ADDRESS_NOTIFICATION	26
#define ISAKMP_NTYPE_NOTIFY_SA_LIFETIME		27
#define ISAKMP_NTYPE_CERTIFICATE_UNAVAILABLE	28
#define ISAKMP_NTYPE_UNSUPPORTED_EXCHANGE_TYPE	29
#define ISAKMP_NTYPE_UNEQUAL_PAYLOAD_LENGTHS	30
#define ISAKMP_NTYPE_MINERROR			1
#define ISAKMP_NTYPE_MAXERROR			16383
/* NOTIFY MESSAGES - STATUS TYPES */
#define ISAKMP_NTYPE_CONNECTED			16384
/* 4.6.3 IPSEC DOI Notify Message Types */
#define ISAKMP_NTYPE_RESPONDER_LIFETIME		24576
#define ISAKMP_NTYPE_REPLAY_STATUS		24577
#define ISAKMP_NTYPE_INITIAL_CONTACT		24578

/* DPD */
#define ISAKMP_NTYPE_R_U_THERE			36136
#define ISAKMP_NTYPE_R_U_THERE_ACK		36137

#define ISAKMP_NTYPE_LOAD_BALANCE		40501
#define ISAKMP_NTYPE_HEARTBEAT			40503


/* using only to log */
#define ISAKMP_LOG_RETRY_LIMIT_REACHED		65530

/* XXX means internal error but it's not reserved by any drafts... */
#define ISAKMP_INTERNAL_ERROR			-1

/* 3.15 Delete Payload */
struct isakmp_pl_d {
	struct isakmp_gen h;
	u_int32_t doi;		/* Domain of Interpretation */
	u_int8_t proto_id;	/* Protocol-Id */
	u_int8_t spi_size;	/* SPI Size */
	u_int16_t num_spi;	/* # of SPIs */
	/* SPI(es) */
} __attribute__((__packed__));

/* natoa payload */
struct isakmp_pl_natoa {
	struct isakmp_gen h;
	u_int8_t id_type;		/* address type */
	u_int8_t reserved1;		/* reserved */
	u_int16_t reserved2;	/* reserved */
	/* IP address */
} __attribute__((__packed__));

typedef struct payload_list {
	struct payload_list	*next, *prev;
	vchar_t			*payload;
	int			payload_type;
} payload_list_t;

typedef struct payload_list_head {
  int             num_payloads;
  payload_list_t *payloads;
} payload_list_head_t;

/* See draft-ietf-ipsec-isakmp-mode-cfg-04.txt, 3.2 */
struct isakmp_pl_attr {
	struct isakmp_gen h;
	u_int8_t type;		/* Exchange type */
	u_int8_t res2;
	u_int16_t id;		/* Per transaction id */
} __attribute__((__packed__));
            
/* Exchange type */
#define ISAKMP_CFG_REQUEST	1
#define ISAKMP_CFG_REPLY	2
#define ISAKMP_CFG_SET		3
#define ISAKMP_CFG_ACK		4

/* IKE fragmentation payload */
struct isakmp_frag {
	u_int16_t unknown0; /* Next Payload (1st u_int8_t) and RESERVED (2nd u_int8_t), both must set to 0 */
	u_int16_t len;
	u_int16_t unknown1;	/* fragid */
	u_int8_t index;
	u_int8_t flags;
} __attribute__((__packed__)); 

/* flags */
#define ISAKMP_FRAG_LAST	1

/* DPD R-U-THERE / R-U-THERE-ACK Payload */
struct isakmp_pl_ru {
	struct isakmp_gen h;
	u_int32_t doi;		/* Domain of Interpretation */
	u_int8_t proto_id;	/* Protocol-Id */
	u_int8_t spi_size;	/* SPI Size */
	u_int16_t type;		/* Notify type */
	cookie_t  i_ck;	/* Initiator Cookie */
	cookie_t r_ck;	/* Responder cookie*/
	u_int32_t data;		/* Notification data */
} __attribute__((__packed__));

/* Load Balance Notification */
struct isakmp_pl_lb {
	struct isakmp_gen h;
	u_int32_t doi;		/* Domain of Interpretation */
	u_int8_t proto_id;	/* Protocol-Id */
	u_int8_t spi_size;	/* SPI Size */
	u_int16_t type;		/* Notify type */
	cookie_t  i_ck;		/* Initiator Cookie */
	cookie_t r_ck;		/* Responder cookie*/
	u_int32_t address;	/* redirect address */
} __attribute__((__packed__));

/* Responder-Lifetime Notification */
struct isakmp_pl_resp_lifetime {
	struct isakmp_gen h;
	u_int32_t doi;		/* Domain of Interpretation */
	u_int8_t proto_id;	/* Protocol-Id */
	u_int8_t spi_size;	/* SPI Size */
	u_int16_t type;		/* Notify type */
    /* spi follows next */
    /* data follows next */
} __attribute__((__packed__));

extern u_char i_ck0[];
extern u_char r_ck0[];

#endif /* _ISAKMP_H */
Commit	Line	Data
52b7d2ce A	1	/* $Id: isakmp.h,v 1.10 2005/01/29 16:34:25 vanhu Exp $ */
	2
	3	/*
	4	* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
	5	* All rights reserved.
	6	*
	7	* Redistribution and use in source and binary forms, with or without
	8	* modification, are permitted provided that the following conditions
	9	* are met:
	10	* 1. Redistributions of source code must retain the above copyright
	11	* notice, this list of conditions and the following disclaimer.
	12	* 2. Redistributions in binary form must reproduce the above copyright
	13	* notice, this list of conditions and the following disclaimer in the
	14	* documentation and/or other materials provided with the distribution.
	15	* 3. Neither the name of the project nor the names of its contributors
	16	* may be used to endorse or promote products derived from this software
	17	* without specific prior written permission.
	18	*
	19	* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
	20	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	21	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	22	* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
	23	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	24	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	25	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	26	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	27	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	28	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	29	* SUCH DAMAGE.
	30	*/
	31
	32	#ifndef _ISAKMP_H
	33	#define _ISAKMP_H
	34
65c25746 A	35	#include <sys/types.h>
	36	#include "racoon_types.h"
	37	#include "vmbuf.h"
	38	#include "isakmp_var.h"
	39
52b7d2ce A	40	/* refer to RFC 2408 */
	41
	42	/* must include <netinet/in.h> first. */
	43	/* must include "isakmp_var.h" first. */
	44
	45	#define INITIATOR 0 /* synonym sender */
	46	#define RESPONDER 1 /* synonym receiver */
	47
	48	#define GENERATE 1
	49	#define VALIDATE 0
	50
	51	/* 3.1 ISAKMP Header Format
	52	0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
	53	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	54	! Initiator !
	55	! Cookie !
	56	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	57	! Responder !
	58	! Cookie !
	59	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	60	! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
	61	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	62	! Message ID !
	63	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	64	! Length !
	65	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	66	*/
	67	struct isakmp {
	68	cookie_t i_ck; /* Initiator Cookie */
	69	cookie_t r_ck; /* Responder Cookie */
	70	u_int8_t np; /* Next Payload Type */
	71	u_int8_t v;
	72	u_int8_t etype; /* Exchange Type */
	73	u_int8_t flags; /* Flags */
	74	u_int32_t msgid;
	75	u_int32_t len; /* Length */
	76	} __attribute__((__packed__));
	77
	78	/* Next Payload Type */
	79	#define ISAKMP_NPTYPE_NONE 0 /* NONE*/
	80	#define ISAKMP_NPTYPE_SA 1 /* Security Association */
	81	#define ISAKMP_NPTYPE_P 2 /* Proposal */
	82	#define ISAKMP_NPTYPE_T 3 /* Transform */
	83	#define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
	84	#define ISAKMP_NPTYPE_ID 5 /* Identification */
	85	#define ISAKMP_NPTYPE_CERT 6 /* Certificate */
	86	#define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
	87	#define ISAKMP_NPTYPE_HASH 8 /* Hash */
	88	#define ISAKMP_NPTYPE_SIG 9 /* Signature */
	89	#define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
	90	#define ISAKMP_NPTYPE_N 11 /* Notification */
	91	#define ISAKMP_NPTYPE_D 12 /* Delete */
	92	#define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
	93	#define ISAKMP_NPTYPE_ATTR 14 /* Attribute */
	94
	95
	96	/* NAT-T draft-ietf-ipsec-nat-t-ike-05 and later */
	97	/* XXX conflicts with values assigned to RFC 3547 */
	98	#define ISAKMP_NPTYPE_NATD_BADDRAFT 15 /* NAT Discovery */
	99	#define ISAKMP_NPTYPE_NATOA_BADDRAFT 16 /* NAT Original Address */
	100
	101
	102	/* NAT-T RFC */
	103	#define ISAKMP_NPTYPE_NATD_RFC 20 /* NAT Discovery */
104	#define ISAKMP_NPTYPE_NATOA_RFC 21 /* NAT Original Address */
105
106	/* NAT-T up to draft-ietf-ipsec-nat-t-ike-04 */
107	#define ISAKMP_NPTYPE_NATD_DRAFT 130 /* NAT Discovery */
108	#define ISAKMP_NPTYPE_NATOA_DRAFT 131 /* NAT Original Address */
109
110	/* Frag does not seems to be documented */
111	#define ISAKMP_NPTYPE_FRAG 132 /* IKE fragmentation payload */
112
113	#define ISAKMP_NPTYPE_MAX 17
114	/* 128 - 255 Private Use */
115
116	/*
117	* The following are valid when the Vendor ID is one of the
118	* following:
119	*
120	* MD5("A GSS-API Authentication Method for IKE")
121	* MD5("GSSAPI") (recognized by Windows 2000)
122	* MD5("MS NT5 ISAKMPOAKLEY") (sent by Windows 2000)
123	*
124	* See draft-ietf-ipsec-isakmp-gss-auth-06.txt.
125	*/
126	#define ISAKMP_NPTYPE_GSS 129 /* GSS token */
127
65c25746 A	128	#define ISAKMP_MAJOR_VERSION_IKEV1 1
65c25746 A	129	#define ISAKMP_MAJOR_VERSION_IKEV2 2
52b7d2ce	130	#define ISAKMP_MINOR_VERSION 0
65c25746 A	131	#define ISAKMP_VERSION_NUMBER_IKEV1 0x10
65c25746 A	132	#define ISAKMP_VERSION_NUMBER_IKEV2 0x20
52b7d2ce A	133	#define ISAKMP_GETMAJORV(v) (((v) & 0xf0) >> 4)
	134	#define ISAKMP_SETMAJORV(v, m) ((v) = ((v) & 0x0f) \| (((m) << 4) & 0xf0))
	135	#define ISAKMP_GETMINORV(v) ((v) & 0x0f)
	136	#define ISAKMP_SETMINORV(v, m) ((v) = ((v) & 0xf0) \| ((m) & 0x0f))
	137
	138	/* Exchange Type */
	139	#define ISAKMP_ETYPE_NONE 0 /* NONE */
	140	#define ISAKMP_ETYPE_BASE 1 /* Base */
	141	#define ISAKMP_ETYPE_IDENT 2 /* Identity Proteciton */
	142	#define ISAKMP_ETYPE_AUTH 3 /* Authentication Only */
	143	#define ISAKMP_ETYPE_AGG 4 /* Aggressive */
	144	#define ISAKMP_ETYPE_INFO 5 /* Informational */
	145	#define ISAKMP_ETYPE_CFG 6 /* Mode config */
	146	/* Additional Exchange Type */
	147	#define ISAKMP_ETYPE_QUICK 32 /* Quick Mode */
	148	#define ISAKMP_ETYPE_NEWGRP 33 /* New group Mode */
	149	#define ISAKMP_ETYPE_ACKINFO 34 /* Acknowledged Informational */
	150
	151	/* Flags */
	152	#define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
	153	#define ISAKMP_FLAG_C 0x02 /* Commit Bit */
	154	#define ISAKMP_FLAG_A 0x04 /* Authentication Only Bit */
	155
	156	/* 3.2 Payload Generic Header
	157	0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
	158	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	159	! Next Payload ! RESERVED ! Payload Length !
	160	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	161	*/
	162	struct isakmp_gen {
	163	u_int8_t np; /* Next Payload */
	164	u_int8_t reserved; /* RESERVED, unused, must set to 0 */
	165	u_int16_t len; /* Payload Length */
	166	} __attribute__((__packed__));
	167
	168	/* 3.3 Data Attributes
	169	0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
	170	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	171	!A! Attribute Type ! AF=0 Attribute Length !
	172	!F! ! AF=1 Attribute Value !
	173	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	174	. AF=0 Attribute Value .
	175	. AF=1 Not Transmitted .
	176	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	177	*/
	178	struct isakmp_data {
	179	u_int16_t type; /* defined by DOI-spec, and Attribute Format */
	180	u_int16_t lorv; /* if f equal 1, Attribute Length */
	181	/* if f equal 0, Attribute Value */
	182	/* if f equal 1, Attribute Value */
	183	} __attribute__((__packed__));
	184	#define ISAKMP_GEN_TLV 0x0000
	185	#define ISAKMP_GEN_TV 0x8000
	186	/* mask for type of attribute format */
	187	#define ISAKMP_GEN_MASK 0x8000
	188
	189	#if 0
	190	/* MAY NOT be used, because of being defined in ipsec-doi. */
	191	/* 3.4 Security Association Payload */
	192	struct isakmp_pl_sa {
	193	struct isakmp_gen h;
	194	u_int32_t doi; /* Domain of Interpretation */
	195	u_int32_t sit; /* Situation */
	196	} __attribute__((__packed__));
197	#endif
198
199	/* 3.5 Proposal Payload */
200	/*
201	The value of the next payload field MUST only contain the value "2"
202	or "0". If there are additional Proposal payloads in the message,
203	then this field will be 2. If the current Proposal payload is the
204	last within the security association proposal, then this field will
205	be 0.
206	*/
207	struct isakmp_pl_p {
208	struct isakmp_gen h;
209	u_int8_t p_no; /* Proposal # */
210	u_int8_t proto_id; /* Protocol */
211	u_int8_t spi_size; /* SPI Size */
212	u_int8_t num_t; /* Number of Transforms */
213	/* SPI */
214	} __attribute__((__packed__));
215
216	/* 3.6 Transform Payload */
217	/*
218	The value of the next payload field MUST only contain the value "3"
219	or "0". If there are additional Transform payloads in the proposal,
220	then this field will be 3. If the current Transform payload is the
221	last within the proposal, then this field will be 0.
222	*/
223	struct isakmp_pl_t {
224	struct isakmp_gen h;
225	u_int8_t t_no; /* Transform # */
226	u_int8_t t_id; /* Transform-Id */
227	u_int16_t reserved; /* RESERVED2 */
228	/* SA Attributes */
229	} __attribute__((__packed__));
230
231	/* 3.7 Key Exchange Payload */
232	struct isakmp_pl_ke {
233	struct isakmp_gen h;
234	/* Key Exchange Data */
235	} __attribute__((__packed__));
236
237	#if 0
238	/* NOTE: MUST NOT use because of being defined in ipsec-doi instead them. */
239	/* 3.8 Identification Payload */
240	struct isakmp_pl_id {
241	struct isakmp_gen h;
242	union {
243	u_int8_t id_type; /* ID Type */
244	u_int32_t doi_data; /* DOI Specific ID Data */
245	} d;
246	/* Identification Data */
247	} __attribute__((__packed__));
248	/* A.4 ISAKMP Identification Type Values */
249	#define ISAKMP_ID_IPV4_ADDR 0
250	#define ISAKMP_ID_IPV4_ADDR_SUBNET 1
251	#define ISAKMP_ID_IPV6_ADDR 2
252	#define ISAKMP_ID_IPV6_ADDR_SUBNET 3
253	#endif
254
255	/* 3.9 Certificate Payload */
256	struct isakmp_pl_cert {
257	struct isakmp_gen h;
258	/*
259	* Encoding type of 1 octet follows immediately,
260	* variable length CERT data follows encoding type.
261	*/
262	} __attribute__((__packed__));
263
264	/* Certificate Type */
265	#define ISAKMP_CERT_NONE 0
266	#define ISAKMP_CERT_PKCS7 1
267	#define ISAKMP_CERT_PGP 2
268	#define ISAKMP_CERT_DNS 3
269	#define ISAKMP_CERT_X509SIGN 4
270	#define ISAKMP_CERT_X509KE 5
271	#define ISAKMP_CERT_KERBEROS 6
272	#define ISAKMP_CERT_CRL 7
273	#define ISAKMP_CERT_ARL 8
274	#define ISAKMP_CERT_SPKI 9
275	#define ISAKMP_CERT_X509ATTR 10
276	#define ISAKMP_CERT_PLAINRSA 11
277
278	/* the method to get peers certificate */
279	#define ISAKMP_GETCERT_PAYLOAD 1
280	#define ISAKMP_GETCERT_LOCALFILE 2
281	#define ISAKMP_GETCERT_DNS 3
282
283	/* 3.10 Certificate Request Payload */
284	struct isakmp_pl_cr {
285	struct isakmp_gen h;
286	u_int8_t num_cert; /* # Cert. Types */
287	/*
288	Certificate Types (variable length)
289	-- Contains a list of the types of certificates requested,
290	sorted in order of preference. Each individual certificate
291	type is 1 octet. This field is NOT required.
292	*/
293	/* # Certificate Authorities (1 octet) */
294	/* Certificate Authorities (variable length) */
295	} __attribute__((__packed__));
296
297	/* 3.11 Hash Payload */
298	struct isakmp_pl_hash {
299	struct isakmp_gen h;
300	/* Hash Data */
301	} __attribute__((__packed__));
302
303	/* 3.12 Signature Payload */
304	struct isakmp_pl_sig {
305	struct isakmp_gen h;
306	/* Signature Data */
307	} __attribute__((__packed__));
308
309	/* 3.13 Nonce Payload */
310	struct isakmp_pl_nonce {
311	struct isakmp_gen h;
312	/* Nonce Data */
313	} __attribute__((__packed__));
314
315	/* 3.14 Notification Payload */
316	struct isakmp_pl_n {
317	struct isakmp_gen h;
318	u_int32_t doi; /* Domain of Interpretation */
319	u_int8_t proto_id; /* Protocol-ID */
320	u_int8_t spi_size; /* SPI Size */
321	u_int16_t type; /* Notify Message Type */
322	/* SPI */
323	/* Notification Data */
324	} __attribute__((__packed__));
325
326	/* 3.14.1 Notify Message Types */
327	/* NOTIFY MESSAGES - ERROR TYPES */
328	#define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
329	#define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
330	#define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
331	#define ISAKMP_NTYPE_INVALID_COOKIE 4
332	#define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
333	#define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
334	#define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
335	#define ISAKMP_NTYPE_INVALID_FLAGS 8
336	#define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
337	#define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
338	#define ISAKMP_NTYPE_INVALID_SPI 11
339	#define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
340	#define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
341	#define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
342	#define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
343	#define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
344	#define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
345	#define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
346	#define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
347	#define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
348	#define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
349	#define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
350	#define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
351	#define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
352	#define ISAKMP_NTYPE_INVALID_SIGNATURE 25
353	#define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
354	#define ISAKMP_NTYPE_NOTIFY_SA_LIFETIME 27
355	#define ISAKMP_NTYPE_CERTIFICATE_UNAVAILABLE 28
356	#define ISAKMP_NTYPE_UNSUPPORTED_EXCHANGE_TYPE 29
357	#define ISAKMP_NTYPE_UNEQUAL_PAYLOAD_LENGTHS 30
d1e348cf A	358	#define ISAKMP_NTYPE_MINERROR 1
d1e348cf A	359	#define ISAKMP_NTYPE_MAXERROR 16383
52b7d2ce A	360	/* NOTIFY MESSAGES - STATUS TYPES */
	361	#define ISAKMP_NTYPE_CONNECTED 16384
	362	/* 4.6.3 IPSEC DOI Notify Message Types */
	363	#define ISAKMP_NTYPE_RESPONDER_LIFETIME 24576
	364	#define ISAKMP_NTYPE_REPLAY_STATUS 24577
	365	#define ISAKMP_NTYPE_INITIAL_CONTACT 24578
	366
	367	/* DPD */
	368	#define ISAKMP_NTYPE_R_U_THERE 36136
	369	#define ISAKMP_NTYPE_R_U_THERE_ACK 36137
	370
	371	#define ISAKMP_NTYPE_LOAD_BALANCE 40501
	372	#define ISAKMP_NTYPE_HEARTBEAT 40503
	373
d1e348cf	374
52b7d2ce A	375	/* using only to log */
	376	#define ISAKMP_LOG_RETRY_LIMIT_REACHED 65530
	377
	378	/* XXX means internal error but it's not reserved by any drafts... */
	379	#define ISAKMP_INTERNAL_ERROR -1
	380
	381	/* 3.15 Delete Payload */
	382	struct isakmp_pl_d {
	383	struct isakmp_gen h;
	384	u_int32_t doi; /* Domain of Interpretation */
	385	u_int8_t proto_id; /* Protocol-Id */
	386	u_int8_t spi_size; /* SPI Size */
	387	u_int16_t num_spi; /* # of SPIs */
	388	/* SPI(es) */
	389	} __attribute__((__packed__));
	390
	391	/* natoa payload */
	392	struct isakmp_pl_natoa {
	393	struct isakmp_gen h;
	394	u_int8_t id_type; /* address type */
	395	u_int8_t reserved1; /* reserved */
	396	u_int16_t reserved2; /* reserved */
	397	/* IP address */
	398	} __attribute__((__packed__));
	399
65c25746	400	typedef struct payload_list {
52b7d2ce A	401	struct payload_list next, prev;
	402	vchar_t *payload;
	403	int payload_type;
65c25746	404	} payload_list_t;
52b7d2ce	405
65c25746 A	406	typedef struct payload_list_head {
	407	int num_payloads;
	408	payload_list_t *payloads;
	409	} payload_list_head_t;
52b7d2ce A	410
	411	/* See draft-ietf-ipsec-isakmp-mode-cfg-04.txt, 3.2 */
	412	struct isakmp_pl_attr {
	413	struct isakmp_gen h;
	414	u_int8_t type; /* Exchange type */
	415	u_int8_t res2;
	416	u_int16_t id; /* Per transaction id */
	417	} __attribute__((__packed__));
	418
	419	/* Exchange type */
	420	#define ISAKMP_CFG_REQUEST 1
	421	#define ISAKMP_CFG_REPLY 2
	422	#define ISAKMP_CFG_SET 3
	423	#define ISAKMP_CFG_ACK 4
	424
	425	/* IKE fragmentation payload */
	426	struct isakmp_frag {
e8d9021d	427	u_int16_t unknown0; /* Next Payload (1st u_int8_t) and RESERVED (2nd u_int8_t), both must set to 0 */
52b7d2ce	428	u_int16_t len;
e8d9021d	429	u_int16_t unknown1; /* fragid */
52b7d2ce A	430	u_int8_t index;
	431	u_int8_t flags;
	432	} __attribute__((__packed__));
	433
	434	/* flags */
	435	#define ISAKMP_FRAG_LAST 1
	436
	437	/* DPD R-U-THERE / R-U-THERE-ACK Payload */
	438	struct isakmp_pl_ru {
	439	struct isakmp_gen h;
	440	u_int32_t doi; /* Domain of Interpretation */
	441	u_int8_t proto_id; /* Protocol-Id */
	442	u_int8_t spi_size; /* SPI Size */
	443	u_int16_t type; /* Notify type */
	444	cookie_t i_ck; /* Initiator Cookie */
	445	cookie_t r_ck; /* Responder cookie*/
	446	u_int32_t data; /* Notification data */
	447	} __attribute__((__packed__));
	448
	449	/* Load Balance Notification */
	450	struct isakmp_pl_lb {
	451	struct isakmp_gen h;
	452	u_int32_t doi; /* Domain of Interpretation */
	453	u_int8_t proto_id; /* Protocol-Id */
	454	u_int8_t spi_size; /* SPI Size */
	455	u_int16_t type; /* Notify type */
	456	cookie_t i_ck; /* Initiator Cookie */
	457	cookie_t r_ck; /* Responder cookie*/
	458	u_int32_t address; /* redirect address */
	459	} __attribute__((__packed__));
	460
d1e348cf A	461	/* Responder-Lifetime Notification */
	462	struct isakmp_pl_resp_lifetime {
	463	struct isakmp_gen h;
	464	u_int32_t doi; /* Domain of Interpretation */
	465	u_int8_t proto_id; /* Protocol-Id */
	466	u_int8_t spi_size; /* SPI Size */
	467	u_int16_t type; /* Notify type */
	468	/* spi follows next */
	469	/* data follows next */
	470	} __attribute__((__packed__));
	471
65c25746 A	472	extern u_char i_ck0[];
	473	extern u_char r_ck0[];
	474
52b7d2ce	475	#endif /* _ISAKMP_H */