projects / apple / ipsec.git / blame
| Commit | Line | Data |
|---|---|---|
| d1e348cf A |
1 | /* $NetBSD: oakley.h,v 1.5 2006/10/06 12:02:27 manu Exp $ */ |
| 2 | ||
| 3 | /* Id: oakley.h,v 1.13 2005/05/30 20:12:43 fredsen Exp */ | |
| 52b7d2ce A |
4 | |
| 5 | /* | |
| 6 | * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project. | |
| 7 | * All rights reserved. | |
| 8 | * | |
| 9 | * Redistribution and use in source and binary forms, with or without | |
| 10 | * modification, are permitted provided that the following conditions | |
| 11 | * are met: | |
| 12 | * 1. Redistributions of source code must retain the above copyright | |
| 13 | * notice, this list of conditions and the following disclaimer. | |
| 14 | * 2. Redistributions in binary form must reproduce the above copyright | |
| 15 | * notice, this list of conditions and the following disclaimer in the | |
| 16 | * documentation and/or other materials provided with the distribution. | |
| 17 | * 3. Neither the name of the project nor the names of its contributors | |
| 18 | * may be used to endorse or promote products derived from this software | |
| 19 | * without specific prior written permission. | |
| 20 | * | |
| 21 | * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND | |
| 22 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | |
| 23 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | |
| 24 | * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE | |
| 25 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | |
| 26 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | |
| 27 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | |
| 28 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | |
| 29 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | |
| 30 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | |
| 31 | * SUCH DAMAGE. | |
| 32 | */ | |
| 33 | ||
| 34 | #ifndef _OAKLEY_H | |
| 35 | #define _OAKLEY_H | |
| 36 | ||
| e8d9021d | 37 | #include "config.h" |
| 65c25746 | 38 | #include "racoon_types.h" |
| e8d9021d | 39 | |
| 52b7d2ce | 40 | #include "vmbuf.h" |
| e8d9021d A |
41 | #ifndef HAVE_OPENSSL |
| 42 | #include <Security/SecDH.h> | |
| 43 | #endif | |
| 52b7d2ce | 44 | |
| 65c25746 | 45 | |
| 52b7d2ce A |
46 | /* refer to RFC 2409 */ |
| 47 | ||
| 48 | /* Attribute Classes */ | |
| 49 | #define OAKLEY_ATTR_ENC_ALG 1 /* B */ | |
| 50 | #define OAKLEY_ATTR_ENC_ALG_DES 1 | |
| 51 | #define OAKLEY_ATTR_ENC_ALG_IDEA 2 | |
| 52 | #define OAKLEY_ATTR_ENC_ALG_BLOWFISH 3 | |
| 53 | #define OAKLEY_ATTR_ENC_ALG_RC5 4 | |
| 54 | #define OAKLEY_ATTR_ENC_ALG_3DES 5 | |
| 55 | #define OAKLEY_ATTR_ENC_ALG_CAST 6 | |
| 56 | #define OAKLEY_ATTR_ENC_ALG_AES 7 | |
| 57 | /* 65001 - 65535 Private Use */ | |
| 58 | #define OAKLEY_ATTR_HASH_ALG 2 /* B */ | |
| 59 | #define OAKLEY_ATTR_HASH_ALG_MD5 1 | |
| 60 | #define OAKLEY_ATTR_HASH_ALG_SHA 2 | |
| 61 | #define OAKLEY_ATTR_HASH_ALG_TIGER 3 | |
| 62 | #if defined(WITH_SHA2) | |
| 63 | #define OAKLEY_ATTR_HASH_ALG_SHA2_256 4 | |
| 64 | #define OAKLEY_ATTR_HASH_ALG_SHA2_384 5 | |
| 65 | #define OAKLEY_ATTR_HASH_ALG_SHA2_512 6 | |
| 66 | #endif | |
| 67 | /* 65001 - 65535 Private Use */ | |
| 68 | #define OAKLEY_ATTR_AUTH_METHOD 3 /* B */ | |
| 69 | #define OAKLEY_ATTR_AUTH_METHOD_PSKEY 1 | |
| 70 | #define OAKLEY_ATTR_AUTH_METHOD_DSSSIG 2 | |
| 71 | #define OAKLEY_ATTR_AUTH_METHOD_RSASIG 3 | |
| 72 | #define OAKLEY_ATTR_AUTH_METHOD_RSAENC 4 | |
| 73 | #define OAKLEY_ATTR_AUTH_METHOD_RSAREV 5 | |
| 74 | #define OAKLEY_ATTR_AUTH_METHOD_EGENC 6 | |
| 75 | #define OAKLEY_ATTR_AUTH_METHOD_EGREV 7 | |
| 76 | /* Hybrid Auth */ | |
| 77 | #ifdef ENABLE_HYBRID | |
| 78 | #define OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_I 64221 | |
| 79 | #define OAKLEY_ATTR_AUTH_METHOD_HYBRID_RSA_R 64222 | |
| 80 | #define OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_I 64223 | |
| 81 | #define OAKLEY_ATTR_AUTH_METHOD_HYBRID_DSS_R 64224 | |
| 82 | ||
| 83 | /* 65001 - 65535 Private Use */ | |
| 84 | ||
| d1e348cf | 85 | /* Plain Xauth */ |
| 52b7d2ce A |
86 | #define OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I 65001 |
| 87 | #define OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R 65002 | |
| 88 | #define OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I 65003 | |
| 89 | #define OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R 65004 | |
| 90 | #define OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I 65005 | |
| 91 | #define OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R 65006 | |
| 92 | #define OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I 65007 | |
| 93 | #define OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R 65008 | |
| 94 | #define OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I 65009 | |
| 95 | #define OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R 65010 | |
| 65c25746 A |
96 | #define OAKLEY_ATTR_AUTH_METHOD_EAP_PSKEY_I OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I |
| 97 | #define OAKLEY_ATTR_AUTH_METHOD_EAP_PSKEY_R OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_R | |
| 98 | #define OAKLEY_ATTR_AUTH_METHOD_EAP_DSSSIG_I OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_I | |
| 99 | #define OAKLEY_ATTR_AUTH_METHOD_EAP_DSSSIG_R OAKLEY_ATTR_AUTH_METHOD_XAUTH_DSSSIG_R | |
| 100 | #define OAKLEY_ATTR_AUTH_METHOD_EAP_RSASIG_I OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_I | |
| 101 | #define OAKLEY_ATTR_AUTH_METHOD_EAP_RSASIG_R OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSASIG_R | |
| 102 | #define OAKLEY_ATTR_AUTH_METHOD_EAP_RSAENC_I OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_I | |
| 103 | #define OAKLEY_ATTR_AUTH_METHOD_EAP_RSAENC_R OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAENC_R | |
| 104 | #define OAKLEY_ATTR_AUTH_METHOD_EAP_RSAREV_I OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_I | |
| 105 | #define OAKLEY_ATTR_AUTH_METHOD_EAP_RSAREV_R OAKLEY_ATTR_AUTH_METHOD_XAUTH_RSAREV_R | |
| 52b7d2ce A |
106 | #endif |
| 107 | ||
| d1e348cf A |
108 | /* 65500 -> still private |
| 109 | * to avoid clash with GSSAPI_KRB below | |
| 110 | */ | |
| 111 | #define FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I 65500 | |
| 65c25746 | 112 | #define FICTIVE_AUTH_METHOD_EAP_PSKEY_I FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I |
| d1e348cf A |
113 | |
| 114 | ||
| 52b7d2ce A |
115 | /* |
| 116 | * The following are valid when the Vendor ID is one of | |
| 117 | * the following: | |
| 118 | * | |
| 119 | * MD5("A GSS-API Authentication Method for IKE") | |
| 120 | * MD5("GSSAPI") (recognized by Windows 2000) | |
| 121 | * MD5("MS NT5 ISAKMPOAKLEY") (sent by Windows 2000) | |
| 122 | */ | |
| 123 | #define OAKLEY_ATTR_AUTH_METHOD_GSSAPI_KRB 65001 | |
| 124 | #define OAKLEY_ATTR_GRP_DESC 4 /* B */ | |
| 125 | #define OAKLEY_ATTR_GRP_DESC_MODP768 1 | |
| 126 | #define OAKLEY_ATTR_GRP_DESC_MODP1024 2 | |
| 127 | #define OAKLEY_ATTR_GRP_DESC_EC2N155 3 | |
| 128 | #define OAKLEY_ATTR_GRP_DESC_EC2N185 4 | |
| 129 | #define OAKLEY_ATTR_GRP_DESC_MODP1536 5 | |
| 130 | #define OAKLEY_ATTR_GRP_DESC_MODP2048 14 | |
| 131 | #define OAKLEY_ATTR_GRP_DESC_MODP3072 15 | |
| 132 | #define OAKLEY_ATTR_GRP_DESC_MODP4096 16 | |
| 133 | #define OAKLEY_ATTR_GRP_DESC_MODP6144 17 | |
| 134 | #define OAKLEY_ATTR_GRP_DESC_MODP8192 18 | |
| 135 | /* 32768 - 65535 Private Use */ | |
| 136 | #define OAKLEY_ATTR_GRP_TYPE 5 /* B */ | |
| 137 | #define OAKLEY_ATTR_GRP_TYPE_MODP 1 | |
| 138 | #define OAKLEY_ATTR_GRP_TYPE_ECP 2 | |
| 139 | #define OAKLEY_ATTR_GRP_TYPE_EC2N 3 | |
| 140 | /* 65001 - 65535 Private Use */ | |
| 141 | #define OAKLEY_ATTR_GRP_PI 6 /* V */ | |
| 142 | #define OAKLEY_ATTR_GRP_GEN_ONE 7 /* V */ | |
| 143 | #define OAKLEY_ATTR_GRP_GEN_TWO 8 /* V */ | |
| 144 | #define OAKLEY_ATTR_GRP_CURVE_A 9 /* V */ | |
| 145 | #define OAKLEY_ATTR_GRP_CURVE_B 10 /* V */ | |
| 146 | #define OAKLEY_ATTR_SA_LD_TYPE 11 /* B */ | |
| 147 | #define OAKLEY_ATTR_SA_LD_TYPE_DEFAULT 1 | |
| 148 | #define OAKLEY_ATTR_SA_LD_TYPE_SEC 1 | |
| 149 | #define OAKLEY_ATTR_SA_LD_TYPE_KB 2 | |
| 150 | #define OAKLEY_ATTR_SA_LD_TYPE_MAX 3 | |
| 151 | /* 65001 - 65535 Private Use */ | |
| 152 | #define OAKLEY_ATTR_SA_LD 12 /* V */ | |
| 153 | #define OAKLEY_ATTR_SA_LD_SEC_DEFAULT 28800 /* 8 hours */ | |
| 154 | #define OAKLEY_ATTR_PRF 13 /* B */ | |
| 155 | #define OAKLEY_ATTR_KEY_LEN 14 /* B */ | |
| 156 | #define OAKLEY_ATTR_FIELD_SIZE 15 /* B */ | |
| 157 | #define OAKLEY_ATTR_GRP_ORDER 16 /* V */ | |
| 158 | #define OAKLEY_ATTR_BLOCK_SIZE 17 /* B */ | |
| 159 | /* 16384 - 32767 Private Use */ | |
| 160 | ||
| 161 | /* | |
| 162 | * The following are valid when the Vendor ID is one of | |
| 163 | * the following: | |
| 164 | * | |
| 165 | * MD5("A GSS-API Authentication Method for IKE") | |
| 166 | * MD5("GSSAPI") (recognized by Windows 2000) | |
| 167 | * MD5("MS NT5 ISAKMPOAKLEY") (sent by Windows 2000) | |
| 168 | */ | |
| 169 | #define OAKLEY_ATTR_GSS_ID 16384 | |
| 170 | ||
| 171 | #define MAXPADLWORD 20 | |
| 172 | ||
| 173 | struct dhgroup { | |
| e8d9021d A |
174 | #ifndef HAVE_OPENSSL |
| 175 | int desc; | |
| 176 | #endif | |
| 52b7d2ce A |
177 | int type; |
| 178 | vchar_t *prime; | |
| 179 | int gen1; | |
| 180 | int gen2; | |
| 181 | vchar_t *curve_a; | |
| 182 | vchar_t *curve_b; | |
| 183 | vchar_t *order; | |
| 184 | }; | |
| 185 | ||
| fce29cd9 A |
186 | typedef enum cert_status { |
| 187 | CERT_STATUS_OK = 0, | |
| 188 | CERT_STATUS_PREMATURE, | |
| 189 | CERT_STATUS_EXPIRED, | |
| e8d9021d A |
190 | CERT_STATUS_INVALID_SUBJNAME, |
| 191 | CERT_STATUS_INVALID_SUBJALTNAME, | |
| fce29cd9 A |
192 | CERT_STATUS_INVALID, |
| 193 | } cert_status_t; | |
| 194 | ||
| 195 | #define IS_CERT_STATUS_ERROR(status) (status > CERT_STATUS_OK && status < CERT_STATUS_INVALID) | |
| 196 | ||
| 52b7d2ce A |
197 | /* certificate holder */ |
| 198 | typedef struct cert_t_tag { | |
| 199 | u_int8_t type; /* type of CERT, must be same to pl->v[0]*/ | |
| 200 | vchar_t cert; /* pointer to the CERT */ | |
| 201 | vchar_t *pl; /* CERT payload minus isakmp general header */ | |
| fce29cd9 | 202 | cert_status_t status; |
| e8d9021d | 203 | struct cert_t_tag *chain; |
| 52b7d2ce A |
204 | } cert_t; |
| 205 | ||
| 52b7d2ce A |
206 | struct isakmp_ivm; |
| 207 | ||
| 65c25746 | 208 | extern int oakley_get_defaultlifetime (void); |
| 52b7d2ce | 209 | |
| 65c25746 A |
210 | extern int oakley_dhinit (void); |
| 211 | extern void oakley_dhgrp_free (struct dhgroup *); | |
| e8d9021d | 212 | #ifdef HAVE_OPENSSL |
| 65c25746 A |
213 | extern int oakley_dh_compute (const struct dhgroup *, vchar_t *, vchar_t *, vchar_t *, vchar_t **); |
| 214 | extern int oakley_dh_generate (const struct dhgroup *, vchar_t **, vchar_t **); | |
| e8d9021d | 215 | #else |
| 65c25746 A |
216 | extern int oakley_dh_compute (const struct dhgroup *, vchar_t *, size_t, vchar_t **, SecDHContext*); |
| 217 | extern int oakley_dh_generate (const struct dhgroup *, vchar_t **, size_t *, SecDHContext*); | |
| e8d9021d | 218 | #endif |
| 65c25746 | 219 | extern int oakley_setdhgroup (int, struct dhgroup **); |
| 52b7d2ce | 220 | |
| 65c25746 A |
221 | extern vchar_t *oakley_prf (vchar_t *, vchar_t *, phase1_handle_t *); |
| 222 | extern vchar_t *oakley_hash (vchar_t *, phase1_handle_t *); | |
| 52b7d2ce | 223 | |
| 65c25746 | 224 | extern int oakley_compute_keymat (phase2_handle_t *, int); |
| 52b7d2ce A |
225 | |
| 226 | #if notyet | |
| 65c25746 | 227 | extern vchar_t *oakley_compute_hashx (void); |
| 52b7d2ce | 228 | #endif |
| 65c25746 A |
229 | extern vchar_t *oakley_compute_hash3 (phase1_handle_t *, u_int32_t, vchar_t *); |
| 230 | extern vchar_t *oakley_compute_hash1 (phase1_handle_t *, u_int32_t, vchar_t *); | |
| 231 | extern vchar_t *oakley_ph1hash_common (phase1_handle_t *, int); | |
| 232 | extern vchar_t *oakley_ph1hash_base_i (phase1_handle_t *, int); | |
| 233 | extern vchar_t *oakley_ph1hash_base_r (phase1_handle_t *, int); | |
| 52b7d2ce | 234 | |
| 65c25746 A |
235 | extern int oakley_validate_auth (phase1_handle_t *); |
| 236 | extern int oakley_getmycert (phase1_handle_t *); | |
| 237 | extern int oakley_getsign (phase1_handle_t *); | |
| 238 | extern cert_t * oakley_get_peer_cert_from_certchain (phase1_handle_t *); | |
| 239 | extern int oakley_find_status_in_certchain (cert_t *, cert_status_t); | |
| 240 | extern void oakley_verify_certid (phase1_handle_t *); | |
| 241 | extern vchar_t *oakley_getcr (phase1_handle_t *); | |
| 242 | extern int oakley_checkcr (phase1_handle_t *); | |
| 243 | extern int oakley_needcr (int); | |
| 52b7d2ce | 244 | struct isakmp_gen; |
| 65c25746 A |
245 | extern int oakley_savecert (phase1_handle_t *, struct isakmp_gen *); |
| 246 | extern int oakley_savecr (phase1_handle_t *, struct isakmp_gen *); | |
| 52b7d2ce | 247 | |
| 65c25746 A |
248 | extern vchar_t * oakley_getpskall (phase1_handle_t *); |
| 249 | extern int oakley_skeyid (phase1_handle_t *); | |
| 250 | extern int oakley_skeyid_dae (phase1_handle_t *); | |
| 52b7d2ce | 251 | |
| 65c25746 A |
252 | extern int oakley_compute_enckey (phase1_handle_t *); |
| 253 | extern cert_t *oakley_newcert (void); | |
| 254 | extern void oakley_delcert (cert_t *); | |
| 255 | extern int oakley_newiv (phase1_handle_t *); | |
| 256 | extern struct isakmp_ivm *oakley_newiv2 (phase1_handle_t *, u_int32_t); | |
| 65c25746 A |
257 | extern void oakley_delivm (struct isakmp_ivm *); |
| 258 | extern vchar_t *oakley_do_decrypt (phase1_handle_t *, vchar_t *, vchar_t *, vchar_t *); | |
| 259 | extern vchar_t *oakley_do_encrypt (phase1_handle_t *, vchar_t *, vchar_t *, vchar_t *); | |
| 52b7d2ce | 260 | |
| d1e348cf A |
261 | #ifdef ENABLE_HYBRID |
| 262 | #define AUTHMETHOD(iph1) \ | |
| 263 | (((iph1)->rmconf->xauth && \ | |
| 264 | (iph1)->approval->authmethod == OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I) ? \ | |
| 265 | FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I : (iph1)->approval->authmethod) | |
| 266 | #define RMAUTHMETHOD(iph1) \ | |
| 267 | (((iph1)->rmconf->xauth && \ | |
| 268 | (iph1)->rmconf->proposal->authmethod == \ | |
| 269 | OAKLEY_ATTR_AUTH_METHOD_XAUTH_PSKEY_I) ? \ | |
| 270 | FICTIVE_AUTH_METHOD_XAUTH_PSKEY_I : \ | |
| 271 | (iph1)->rmconf->proposal->authmethod) | |
| 272 | #else | |
| 273 | #define AUTHMETHOD(iph1) (iph1)->approval->authmethod | |
| 274 | #define RMAUTHMETHOD(iph1) (iph1)->rmconf->proposal->authmethod | |
| 275 | #endif /* ENABLE_HYBRID */ | |
| 276 | ||
| 52b7d2ce | 277 | #endif /* _OAKLEY_H */ |