[apple/network_cmds.git] / racoon.tproj / isakmp.h

/*	$KAME: isakmp.h,v 1.19 2001/04/11 06:11:55 sakane Exp $	*/

/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 * 
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#ifndef __ISAKMP_H__
#define __ISAKMP_H__

/* refer to RFC 2408 */

/* must include <netinet/in.h> first. */
/* must include "isakmp_var.h" first. */

#define INITIATOR	0	/* synonym sender */
#define RESPONDER	1	/* synonym receiver */

#define GENERATE	1
#define VALIDATE	0

/* 3.1 ISAKMP Header Format
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        !                          Initiator                            !
        !                            Cookie                             !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        !                          Responder                            !
        !                            Cookie                             !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        !  Next Payload ! MjVer ! MnVer ! Exchange Type !     Flags     !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        !                          Message ID                           !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        !                            Length                             !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp {
	cookie_t i_ck;		/* Initiator Cookie */
	cookie_t r_ck;		/* Responder Cookie */
	u_int8_t np;		/* Next Payload Type */
	u_int8_t v;
	u_int8_t etype;		/* Exchange Type */
	u_int8_t flags;		/* Flags */
	u_int32_t msgid;
	u_int32_t len;		/* Length */
} __attribute__((__packed__));

/* Next Payload Type */
#define ISAKMP_NPTYPE_NONE	0	/* NONE*/
#define ISAKMP_NPTYPE_SA	1	/* Security Association */
#define ISAKMP_NPTYPE_P		2	/* Proposal */
#define ISAKMP_NPTYPE_T		3	/* Transform */
#define ISAKMP_NPTYPE_KE	4	/* Key Exchange */
#define ISAKMP_NPTYPE_ID	5	/* Identification */
#define ISAKMP_NPTYPE_CERT	6	/* Certificate */
#define ISAKMP_NPTYPE_CR	7	/* Certificate Request */
#define ISAKMP_NPTYPE_HASH	8	/* Hash */
#define ISAKMP_NPTYPE_SIG	9	/* Signature */
#define ISAKMP_NPTYPE_NONCE	10	/* Nonce */
#define ISAKMP_NPTYPE_N		11	/* Notification */
#define ISAKMP_NPTYPE_D		12	/* Delete */
#define ISAKMP_NPTYPE_VID	13	/* Vendor ID */

/* NAT-T up to draft-ietf-ipsec-nat-t-ike-04 */
#define ISAKMP_NPTYPE_NATD_DRAFT	130	/* NAT Discovery */
#define ISAKMP_NPTYPE_NATOA_DRAFT	131	/* NAT Original Address */


/* NAT-T draft-ietf-ipsec-nat-t-ike-05 and later */
/* XXX conflicts with values assigned to RFC 3547 */
#define ISAKMP_NPTYPE_NATD_BADDRAFT		15	/* NAT Discovery */
#define ISAKMP_NPTYPE_NATOA_BADDRAFT	16	/* NAT Original Address */


#define ISAKMP_NPTYPE_NATD_RFC	20	/* NAT Discovery */
#define ISAKMP_NPTYPE_NATOA_RFC	21	/* NAT Original Address */


			/*	128 - 255 Private Use */

/*
 * The following are valid when the Vendor ID is one of the
 * following:
 *
 *	MD5("A GSS-API Authentication Method for IKE")
 *	MD5("GSSAPI") (recognized by Windows 2000)
 *	MD5("MS NT5 ISAKMPOAKLEY") (sent by Windows 2000)
 *
 * See draft-ietf-ipsec-isakmp-gss-auth-06.txt.
 */
#define ISAKMP_NPTYPE_GSS	129	/* GSS token */

#define ISAKMP_MAJOR_VERSION	1
#define ISAKMP_MINOR_VERSION	0
#define ISAKMP_VERSION_NUMBER	0x10
#define ISAKMP_GETMAJORV(v)	(((v) & 0xf0) >> 4)
#define ISAKMP_SETMAJORV(v, m)	((v) = ((v) & 0x0f) | (((m) << 4) & 0xf0))
#define ISAKMP_GETMINORV(v)	((v) & 0x0f)
#define ISAKMP_SETMINORV(v, m)	((v) = ((v) & 0xf0) | ((m) & 0x0f))

/* Exchange Type */
#define ISAKMP_ETYPE_NONE	0	/* NONE */
#define ISAKMP_ETYPE_BASE	1	/* Base */
#define ISAKMP_ETYPE_IDENT	2	/* Identity Proteciton */
#define ISAKMP_ETYPE_AUTH	3	/* Authentication Only */
#define ISAKMP_ETYPE_AGG	4	/* Aggressive */
#define ISAKMP_ETYPE_INFO	5	/* Informational */
/* Additional Exchange Type */
#define ISAKMP_ETYPE_QUICK	32	/* Quick Mode */
#define ISAKMP_ETYPE_NEWGRP	33	/* New group Mode */
#define ISAKMP_ETYPE_ACKINFO	34	/* Acknowledged Informational */

/* Flags */
#define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
#define ISAKMP_FLAG_C 0x02 /* Commit Bit */
#define ISAKMP_FLAG_A 0x04 /* Authentication Only Bit */

/* 3.2 Payload Generic Header
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        ! Next Payload  !   RESERVED    !         Payload Length        !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp_gen {
	u_int8_t np;		/* Next Payload */
	u_int8_t reserved;	/* RESERVED, unused, must set to 0 */
	u_int16_t len;		/* Payload Length */
} __attribute__((__packed__));

/* 3.3 Data Attributes
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        !A!       Attribute Type        !    AF=0  Attribute Length     !
        !F!                             !    AF=1  Attribute Value      !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        .                   AF=0  Attribute Value                       .
        .                   AF=1  Not Transmitted                       .
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp_data {
	u_int16_t type;		/* defined by DOI-spec, and Attribute Format */
	u_int16_t lorv;		/* if f equal 1, Attribute Length */
				/* if f equal 0, Attribute Value */
	/* if f equal 1, Attribute Value */
} __attribute__((__packed__));
#define ISAKMP_GEN_TLV 0x0000
#define ISAKMP_GEN_TV  0x8000
	/* mask for type of attribute format */
#define ISAKMP_GEN_MASK 0x8000

#if 0
/* MAY NOT be used, because of being defined in ipsec-doi. */
/* 3.4 Security Association Payload */
struct isakmp_pl_sa {
	struct isakmp_gen h;
	u_int32_t doi;		/* Domain of Interpretation */
	u_int32_t sit;		/* Situation */
} __attribute__((__packed__));
#endif

/* 3.5 Proposal Payload */
	/*
	The value of the next payload field MUST only contain the value "2"
	or "0".  If there are additional Proposal payloads in the message,
	then this field will be 2.  If the current Proposal payload is the
	last within the security association proposal, then this field will
	be 0.
	*/
struct isakmp_pl_p {
	struct isakmp_gen h;
	u_int8_t p_no;		/* Proposal # */
	u_int8_t proto_id;	/* Protocol */
	u_int8_t spi_size;	/* SPI Size */
	u_int8_t num_t;		/* Number of Transforms */
	/* SPI */
} __attribute__((__packed__));

/* 3.6 Transform Payload */
	/*
	The value of the next payload field MUST only contain the value "3"
	or "0".  If there are additional Transform payloads in the proposal,
	then this field will be 3.  If the current Transform payload is the
	last within the proposal, then this field will be 0.
	*/
struct isakmp_pl_t {
	struct isakmp_gen h;
	u_int8_t t_no;		/* Transform # */
	u_int8_t t_id;		/* Transform-Id */
	u_int16_t reserved;	/* RESERVED2 */
	/* SA Attributes */
} __attribute__((__packed__));

/* 3.7 Key Exchange Payload */
struct isakmp_pl_ke {
	struct isakmp_gen h;
	/* Key Exchange Data */
} __attribute__((__packed__));

#if 0
/* NOTE: MUST NOT use because of being defined in ipsec-doi instead them. */
/* 3.8 Identification Payload */
struct isakmp_pl_id {
	struct isakmp_gen h;
	union {
		u_int8_t id_type;	/* ID Type */
		u_int32_t doi_data;	/* DOI Specific ID Data */
	} d;
	/* Identification Data */
} __attribute__((__packed__));
/* A.4 ISAKMP Identification Type Values */
#define ISAKMP_ID_IPV4_ADDR		0
#define ISAKMP_ID_IPV4_ADDR_SUBNET	1
#define ISAKMP_ID_IPV6_ADDR		2
#define ISAKMP_ID_IPV6_ADDR_SUBNET	3
#endif

/* 3.9 Certificate Payload */
struct isakmp_pl_cert {
	struct isakmp_gen h;
	/*
	 * Encoding type of 1 octet follows immediately,
	 * variable length CERT data follows encoding type.
	 */
} __attribute__((__packed__));

/* Certificate Type */
#define ISAKMP_CERT_NONE	0
#define ISAKMP_CERT_PKCS7	1
#define ISAKMP_CERT_PGP		2
#define ISAKMP_CERT_DNS		3
#define ISAKMP_CERT_X509SIGN	4
#define ISAKMP_CERT_X509KE	5
#define ISAKMP_CERT_KERBEROS	6
#define ISAKMP_CERT_CRL		7
#define ISAKMP_CERT_ARL		8
#define ISAKMP_CERT_SPKI	9
#define ISAKMP_CERT_X509ATTR	10

/* the method to get peers certificate */
#define ISAKMP_GETCERT_PAYLOAD		1
#define ISAKMP_GETCERT_LOCALFILE	2
#define ISAKMP_GETCERT_DNS		3

/* 3.10 Certificate Request Payload */
struct isakmp_pl_cr {
	struct isakmp_gen h;
	u_int8_t num_cert; /* # Cert. Types */
	/*
	Certificate Types (variable length)
	  -- Contains a list of the types of certificates requested,
	  sorted in order of preference.  Each individual certificate
	  type is 1 octet.  This field is NOT required.
	*/
	/* # Certificate Authorities (1 octet) */
	/* Certificate Authorities (variable length) */
} __attribute__((__packed__));

/* 3.11 Hash Payload */
struct isakmp_pl_hash {
	struct isakmp_gen h;
	/* Hash Data */
} __attribute__((__packed__));

/* 3.12 Signature Payload */
struct isakmp_pl_sig {
	struct isakmp_gen h;
	/* Signature Data */
} __attribute__((__packed__));

/* 3.13 Nonce Payload */
struct isakmp_pl_nonce {
	struct isakmp_gen h;
	/* Nonce Data */
} __attribute__((__packed__));

/* 3.14 Notification Payload */
struct isakmp_pl_n {
	struct isakmp_gen h;
	u_int32_t doi;		/* Domain of Interpretation */
	u_int8_t proto_id;	/* Protocol-ID */
	u_int8_t spi_size;	/* SPI Size */
	u_int16_t type;		/* Notify Message Type */
	/* SPI */
	/* Notification Data */
} __attribute__((__packed__));

/* 3.14.1 Notify Message Types */
/* NOTIFY MESSAGES - ERROR TYPES */
#define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE	1
#define ISAKMP_NTYPE_DOI_NOT_SUPPORTED		2
#define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED	3
#define ISAKMP_NTYPE_INVALID_COOKIE		4
#define ISAKMP_NTYPE_INVALID_MAJOR_VERSION	5
#define ISAKMP_NTYPE_INVALID_MINOR_VERSION	6
#define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE	7
#define ISAKMP_NTYPE_INVALID_FLAGS		8
#define ISAKMP_NTYPE_INVALID_MESSAGE_ID		9
#define ISAKMP_NTYPE_INVALID_PROTOCOL_ID	10
#define ISAKMP_NTYPE_INVALID_SPI		11
#define ISAKMP_NTYPE_INVALID_TRANSFORM_ID	12
#define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED	13
#define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN		14
#define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX	15
#define ISAKMP_NTYPE_PAYLOAD_MALFORMED		16
#define ISAKMP_NTYPE_INVALID_KEY_INFORMATION	17
#define ISAKMP_NTYPE_INVALID_ID_INFORMATION	18
#define ISAKMP_NTYPE_INVALID_CERT_ENCODING	19
#define ISAKMP_NTYPE_INVALID_CERTIFICATE	20
#define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX	21
#define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY	22
#define ISAKMP_NTYPE_INVALID_HASH_INFORMATION	23
#define ISAKMP_NTYPE_AUTHENTICATION_FAILED	24
#define ISAKMP_NTYPE_INVALID_SIGNATURE		25
#define ISAKMP_NTYPE_ADDRESS_NOTIFICATION	26
#define ISAKMP_NTYPE_NOTIFY_SA_LIFETIME		27
#define ISAKMP_NTYPE_CERTIFICATE_UNAVAILABLE	28
#define ISAKMP_NTYPE_UNSUPPORTED_EXCHANGE_TYPE	29
#define ISAKMP_NTYPE_UNEQUAL_PAYLOAD_LENGTHS	30
/* NOTIFY MESSAGES - STATUS TYPES */
#define ISAKMP_NTYPE_CONNECTED			16384
/* 4.6.3 IPSEC DOI Notify Message Types */
#define ISAKMP_NTYPE_RESPONDER_LIFETIME		24576
#define ISAKMP_NTYPE_REPLAY_STATUS		24577
#define ISAKMP_NTYPE_INITIAL_CONTACT		24578

/* using only to log */
#define ISAKMP_LOG_RETRY_LIMIT_REACHED		65530

/* XXX means internal error but it's not reserved by any drafts... */
#define ISAKMP_INTERNAL_ERROR			-1

/* 3.15 Delete Payload */
struct isakmp_pl_d {
	struct isakmp_gen h;
	u_int32_t doi;		/* Domain of Interpretation */
	u_int8_t proto_id;	/* Protocol-Id */
	u_int8_t spi_size;	/* SPI Size */
	u_int16_t num_spi;	/* # of SPIs */
	/* SPI(es) */
} __attribute__((__packed__));

/* natoa payload */
struct isakmp_pl_natoa {
	struct isakmp_gen h;
	u_int8_t id_type;		/* address type */
	u_int8_t reserved1;		/* reserved */
	u_int16_t reserved2;	/* reserved */
	/* IP address */
} __attribute__((__packed__));


#endif /* __ISAKMP_H__ */
Commit	Line	Data
ac2f15b3	1	/* $KAME: isakmp.h,v 1.19 2001/04/11 06:11:55 sakane Exp $ */
7ba0088d A	2
	3	/*
	4	* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
	5	* All rights reserved.
	6	*
	7	* Redistribution and use in source and binary forms, with or without
	8	* modification, are permitted provided that the following conditions
	9	* are met:
	10	* 1. Redistributions of source code must retain the above copyright
	11	* notice, this list of conditions and the following disclaimer.
	12	* 2. Redistributions in binary form must reproduce the above copyright
	13	* notice, this list of conditions and the following disclaimer in the
	14	* documentation and/or other materials provided with the distribution.
	15	* 3. Neither the name of the project nor the names of its contributors
	16	* may be used to endorse or promote products derived from this software
	17	* without specific prior written permission.
	18	*
	19	* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
	20	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	21	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	22	* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
	23	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	24	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	25	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	26	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	27	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	28	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	29	* SUCH DAMAGE.
	30	*/
	31
2b484d24 A	32	#ifndef __ISAKMP_H__
	33	#define __ISAKMP_H__
	34
7ba0088d A	35	/* refer to RFC 2408 */
	36
	37	/* must include <netinet/in.h> first. */
	38	/* must include "isakmp_var.h" first. */
	39
	40	#define INITIATOR 0 /* synonym sender */
	41	#define RESPONDER 1 /* synonym receiver */
	42
	43	#define GENERATE 1
	44	#define VALIDATE 0
	45
	46	/* 3.1 ISAKMP Header Format
	47	0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
	48	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	49	! Initiator !
	50	! Cookie !
	51	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	52	! Responder !
	53	! Cookie !
	54	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	55	! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
	56	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	57	! Message ID !
	58	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	59	! Length !
	60	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	61	*/
	62	struct isakmp {
	63	cookie_t i_ck; /* Initiator Cookie */
	64	cookie_t r_ck; /* Responder Cookie */
	65	u_int8_t np; /* Next Payload Type */
	66	u_int8_t v;
	67	u_int8_t etype; /* Exchange Type */
	68	u_int8_t flags; /* Flags */
	69	u_int32_t msgid;
	70	u_int32_t len; /* Length */
	71	} __attribute__((__packed__));
	72
	73	/* Next Payload Type */
	74	#define ISAKMP_NPTYPE_NONE 0 /* NONE*/
	75	#define ISAKMP_NPTYPE_SA 1 /* Security Association */
	76	#define ISAKMP_NPTYPE_P 2 /* Proposal */
	77	#define ISAKMP_NPTYPE_T 3 /* Transform */
	78	#define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
	79	#define ISAKMP_NPTYPE_ID 5 /* Identification */
	80	#define ISAKMP_NPTYPE_CERT 6 /* Certificate */
	81	#define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
	82	#define ISAKMP_NPTYPE_HASH 8 /* Hash */
	83	#define ISAKMP_NPTYPE_SIG 9 /* Signature */
	84	#define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
	85	#define ISAKMP_NPTYPE_N 11 /* Notification */
	86	#define ISAKMP_NPTYPE_D 12 /* Delete */
	87	#define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
ffda1f4a A	88
	89	/* NAT-T up to draft-ietf-ipsec-nat-t-ike-04 */
	90	#define ISAKMP_NPTYPE_NATD_DRAFT 130 /* NAT Discovery */
	91	#define ISAKMP_NPTYPE_NATOA_DRAFT 131 /* NAT Original Address */
	92
	93
	94	/* NAT-T draft-ietf-ipsec-nat-t-ike-05 and later */
	95	/* XXX conflicts with values assigned to RFC 3547 */
	96	#define ISAKMP_NPTYPE_NATD_BADDRAFT 15 /* NAT Discovery */
	97	#define ISAKMP_NPTYPE_NATOA_BADDRAFT 16 /* NAT Original Address */
	98
	99
	100	#define ISAKMP_NPTYPE_NATD_RFC 20 /* NAT Discovery */
	101	#define ISAKMP_NPTYPE_NATOA_RFC 21 /* NAT Original Address */
	102
	103
7ba0088d A	104	/* 128 - 255 Private Use */
	105
	106	/*
	107	* The following are valid when the Vendor ID is one of the
	108	* following:
	109	*
	110	* MD5("A GSS-API Authentication Method for IKE")
	111	* MD5("GSSAPI") (recognized by Windows 2000)
	112	* MD5("MS NT5 ISAKMPOAKLEY") (sent by Windows 2000)
	113	*
	114	* See draft-ietf-ipsec-isakmp-gss-auth-06.txt.
	115	*/
	116	#define ISAKMP_NPTYPE_GSS 129 /* GSS token */
	117
	118	#define ISAKMP_MAJOR_VERSION 1
	119	#define ISAKMP_MINOR_VERSION 0
	120	#define ISAKMP_VERSION_NUMBER 0x10
	121	#define ISAKMP_GETMAJORV(v) (((v) & 0xf0) >> 4)
	122	#define ISAKMP_SETMAJORV(v, m) ((v) = ((v) & 0x0f) \| (((m) << 4) & 0xf0))
	123	#define ISAKMP_GETMINORV(v) ((v) & 0x0f)
	124	#define ISAKMP_SETMINORV(v, m) ((v) = ((v) & 0xf0) \| ((m) & 0x0f))
	125
	126	/* Exchange Type */
	127	#define ISAKMP_ETYPE_NONE 0 /* NONE */
	128	#define ISAKMP_ETYPE_BASE 1 /* Base */
	129	#define ISAKMP_ETYPE_IDENT 2 /* Identity Proteciton */
	130	#define ISAKMP_ETYPE_AUTH 3 /* Authentication Only */
	131	#define ISAKMP_ETYPE_AGG 4 /* Aggressive */
	132	#define ISAKMP_ETYPE_INFO 5 /* Informational */
	133	/* Additional Exchange Type */
	134	#define ISAKMP_ETYPE_QUICK 32 /* Quick Mode */
	135	#define ISAKMP_ETYPE_NEWGRP 33 /* New group Mode */
	136	#define ISAKMP_ETYPE_ACKINFO 34 /* Acknowledged Informational */
	137
	138	/* Flags */
	139	#define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
	140	#define ISAKMP_FLAG_C 0x02 /* Commit Bit */
	141	#define ISAKMP_FLAG_A 0x04 /* Authentication Only Bit */
	142
	143	/* 3.2 Payload Generic Header
	144	0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
	145	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	146	! Next Payload ! RESERVED ! Payload Length !
	147	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	148	*/
	149	struct isakmp_gen {
	150	u_int8_t np; /* Next Payload */
	151	u_int8_t reserved; /* RESERVED, unused, must set to 0 */
	152	u_int16_t len; /* Payload Length */
	153	} __attribute__((__packed__));
	154
	155	/* 3.3 Data Attributes
	156	0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
	157	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	158	!A! Attribute Type ! AF=0 Attribute Length !
	159	!F! ! AF=1 Attribute Value !
	160	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	161	. AF=0 Attribute Value .
	162	. AF=1 Not Transmitted .
	163	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	164	*/
	165	struct isakmp_data {
	166	u_int16_t type; /* defined by DOI-spec, and Attribute Format */
	167	u_int16_t lorv; /* if f equal 1, Attribute Length */
168	/* if f equal 0, Attribute Value */
169	/* if f equal 1, Attribute Value */
170	} __attribute__((__packed__));
171	#define ISAKMP_GEN_TLV 0x0000
172	#define ISAKMP_GEN_TV 0x8000
173	/* mask for type of attribute format */
174	#define ISAKMP_GEN_MASK 0x8000
175
176	#if 0
177	/* MAY NOT be used, because of being defined in ipsec-doi. */
178	/* 3.4 Security Association Payload */
179	struct isakmp_pl_sa {
180	struct isakmp_gen h;
181	u_int32_t doi; /* Domain of Interpretation */
182	u_int32_t sit; /* Situation */
183	} __attribute__((__packed__));
184	#endif
185
186	/* 3.5 Proposal Payload */
187	/*
188	The value of the next payload field MUST only contain the value "2"
189	or "0". If there are additional Proposal payloads in the message,
190	then this field will be 2. If the current Proposal payload is the
191	last within the security association proposal, then this field will
192	be 0.
193	*/
194	struct isakmp_pl_p {
195	struct isakmp_gen h;
196	u_int8_t p_no; /* Proposal # */
197	u_int8_t proto_id; /* Protocol */
198	u_int8_t spi_size; /* SPI Size */
199	u_int8_t num_t; /* Number of Transforms */
200	/* SPI */
201	} __attribute__((__packed__));
202
203	/* 3.6 Transform Payload */
204	/*
205	The value of the next payload field MUST only contain the value "3"
206	or "0". If there are additional Transform payloads in the proposal,
207	then this field will be 3. If the current Transform payload is the
208	last within the proposal, then this field will be 0.
209	*/
210	struct isakmp_pl_t {
211	struct isakmp_gen h;
212	u_int8_t t_no; /* Transform # */
213	u_int8_t t_id; /* Transform-Id */
214	u_int16_t reserved; /* RESERVED2 */
215	/* SA Attributes */
216	} __attribute__((__packed__));
217
218	/* 3.7 Key Exchange Payload */
219	struct isakmp_pl_ke {
220	struct isakmp_gen h;
221	/* Key Exchange Data */
222	} __attribute__((__packed__));
223
224	#if 0
225	/* NOTE: MUST NOT use because of being defined in ipsec-doi instead them. */
226	/* 3.8 Identification Payload */
227	struct isakmp_pl_id {
228	struct isakmp_gen h;
229	union {
230	u_int8_t id_type; /* ID Type */
231	u_int32_t doi_data; /* DOI Specific ID Data */
232	} d;
233	/* Identification Data */
234	} __attribute__((__packed__));
235	/* A.4 ISAKMP Identification Type Values */
236	#define ISAKMP_ID_IPV4_ADDR 0
237	#define ISAKMP_ID_IPV4_ADDR_SUBNET 1
238	#define ISAKMP_ID_IPV6_ADDR 2
239	#define ISAKMP_ID_IPV6_ADDR_SUBNET 3
240	#endif
241
242	/* 3.9 Certificate Payload */
243	struct isakmp_pl_cert {
244	struct isakmp_gen h;
245	/*
246	* Encoding type of 1 octet follows immediately,
247	* variable length CERT data follows encoding type.
248	*/
249	} __attribute__((__packed__));
250
251	/* Certificate Type */
252	#define ISAKMP_CERT_NONE 0
253	#define ISAKMP_CERT_PKCS7 1
254	#define ISAKMP_CERT_PGP 2
255	#define ISAKMP_CERT_DNS 3
256	#define ISAKMP_CERT_X509SIGN 4
257	#define ISAKMP_CERT_X509KE 5
258	#define ISAKMP_CERT_KERBEROS 6
259	#define ISAKMP_CERT_CRL 7
260	#define ISAKMP_CERT_ARL 8
261	#define ISAKMP_CERT_SPKI 9
262	#define ISAKMP_CERT_X509ATTR 10
263
264	/* the method to get peers certificate */
265	#define ISAKMP_GETCERT_PAYLOAD 1
266	#define ISAKMP_GETCERT_LOCALFILE 2
267	#define ISAKMP_GETCERT_DNS 3
268
269	/* 3.10 Certificate Request Payload */
270	struct isakmp_pl_cr {
271	struct isakmp_gen h;
272	u_int8_t num_cert; /* # Cert. Types */
273	/*
274	Certificate Types (variable length)
275	-- Contains a list of the types of certificates requested,
276	sorted in order of preference. Each individual certificate
277	type is 1 octet. This field is NOT required.
278	*/
279	/* # Certificate Authorities (1 octet) */
280	/* Certificate Authorities (variable length) */
281	} __attribute__((__packed__));
282
283	/* 3.11 Hash Payload */
284	struct isakmp_pl_hash {
285	struct isakmp_gen h;
286	/* Hash Data */
287	} __attribute__((__packed__));
288
289	/* 3.12 Signature Payload */
290	struct isakmp_pl_sig {
291	struct isakmp_gen h;
292	/* Signature Data */
293	} __attribute__((__packed__));
294
295	/* 3.13 Nonce Payload */
296	struct isakmp_pl_nonce {
297	struct isakmp_gen h;
298	/* Nonce Data */
299	} __attribute__((__packed__));
300
301	/* 3.14 Notification Payload */
302	struct isakmp_pl_n {
303	struct isakmp_gen h;
304	u_int32_t doi; /* Domain of Interpretation */
305	u_int8_t proto_id; /* Protocol-ID */
306	u_int8_t spi_size; /* SPI Size */
307	u_int16_t type; /* Notify Message Type */
308	/* SPI */
309	/* Notification Data */
310	} __attribute__((__packed__));
311
312	/* 3.14.1 Notify Message Types */
313	/* NOTIFY MESSAGES - ERROR TYPES */
314	#define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
315	#define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
316	#define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
317	#define ISAKMP_NTYPE_INVALID_COOKIE 4
318	#define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
319	#define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
320	#define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
321	#define ISAKMP_NTYPE_INVALID_FLAGS 8
322	#define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
323	#define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
324	#define ISAKMP_NTYPE_INVALID_SPI 11
325	#define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
326	#define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
327	#define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
328	#define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
329	#define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
330	#define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
331	#define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
332	#define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
333	#define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
334	#define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
335	#define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
336	#define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
337	#define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
338	#define ISAKMP_NTYPE_INVALID_SIGNATURE 25
339	#define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
340	#define ISAKMP_NTYPE_NOTIFY_SA_LIFETIME 27
341	#define ISAKMP_NTYPE_CERTIFICATE_UNAVAILABLE 28
342	#define ISAKMP_NTYPE_UNSUPPORTED_EXCHANGE_TYPE 29
343	#define ISAKMP_NTYPE_UNEQUAL_PAYLOAD_LENGTHS 30
344	/* NOTIFY MESSAGES - STATUS TYPES */
345	#define ISAKMP_NTYPE_CONNECTED 16384
346	/* 4.6.3 IPSEC DOI Notify Message Types */
347	#define ISAKMP_NTYPE_RESPONDER_LIFETIME 24576
348	#define ISAKMP_NTYPE_REPLAY_STATUS 24577
349	#define ISAKMP_NTYPE_INITIAL_CONTACT 24578
350
351	/* using only to log */
352	#define ISAKMP_LOG_RETRY_LIMIT_REACHED 65530
353
354	/* XXX means internal error but it's not reserved by any drafts... */
355	#define ISAKMP_INTERNAL_ERROR -1
356
357	/* 3.15 Delete Payload */
358	struct isakmp_pl_d {
359	struct isakmp_gen h;
360	u_int32_t doi; /* Domain of Interpretation */
361	u_int8_t proto_id; /* Protocol-Id */
362	u_int8_t spi_size; /* SPI Size */
363	u_int16_t num_spi; /* # of SPIs */
364	/* SPI(es) */
365	} __attribute__((__packed__));
366
ffda1f4a A	367	/* natoa payload */
	368	struct isakmp_pl_natoa {
	369	struct isakmp_gen h;
	370	u_int8_t id_type; /* address type */
	371	u_int8_t reserved1; /* reserved */
	372	u_int16_t reserved2; /* reserved */
	373	/* IP address */
	374	} __attribute__((__packed__));
	375
2b484d24 A	376
	377	#endif /* __ISAKMP_H__ */
	378