[apple/network_cmds.git] / racoon.tproj / isakmp.h

/*	$KAME: isakmp.h,v 1.19 2001/04/11 06:11:55 sakane Exp $	*/

/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 * 
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#ifndef __ISAKMP_H__
#define __ISAKMP_H__

/* refer to RFC 2408 */

/* must include <netinet/in.h> first. */
/* must include "isakmp_var.h" first. */

#define INITIATOR	0	/* synonym sender */
#define RESPONDER	1	/* synonym receiver */

#define GENERATE	1
#define VALIDATE	0

/* 3.1 ISAKMP Header Format
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        !                          Initiator                            !
        !                            Cookie                             !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        !                          Responder                            !
        !                            Cookie                             !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        !  Next Payload ! MjVer ! MnVer ! Exchange Type !     Flags     !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        !                          Message ID                           !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        !                            Length                             !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp {
	cookie_t i_ck;		/* Initiator Cookie */
	cookie_t r_ck;		/* Responder Cookie */
	u_int8_t np;		/* Next Payload Type */
	u_int8_t v;
	u_int8_t etype;		/* Exchange Type */
	u_int8_t flags;		/* Flags */
	u_int32_t msgid;
	u_int32_t len;		/* Length */
} __attribute__((__packed__));

/* Next Payload Type */
#define ISAKMP_NPTYPE_NONE	0	/* NONE*/
#define ISAKMP_NPTYPE_SA	1	/* Security Association */
#define ISAKMP_NPTYPE_P		2	/* Proposal */
#define ISAKMP_NPTYPE_T		3	/* Transform */
#define ISAKMP_NPTYPE_KE	4	/* Key Exchange */
#define ISAKMP_NPTYPE_ID	5	/* Identification */
#define ISAKMP_NPTYPE_CERT	6	/* Certificate */
#define ISAKMP_NPTYPE_CR	7	/* Certificate Request */
#define ISAKMP_NPTYPE_HASH	8	/* Hash */
#define ISAKMP_NPTYPE_SIG	9	/* Signature */
#define ISAKMP_NPTYPE_NONCE	10	/* Nonce */
#define ISAKMP_NPTYPE_N		11	/* Notification */
#define ISAKMP_NPTYPE_D		12	/* Delete */
#define ISAKMP_NPTYPE_VID	13	/* Vendor ID */
#define ISAKMP_NPTYPE_NATD	15	/* NAT detection hash value */
#define ISAKMP_NPTYPE_MAX	16
			/*	128 - 255 Private Use */

/*
 * The following are valid when the Vendor ID is one of the
 * following:
 *
 *	MD5("A GSS-API Authentication Method for IKE")
 *	MD5("GSSAPI") (recognized by Windows 2000)
 *	MD5("MS NT5 ISAKMPOAKLEY") (sent by Windows 2000)
 *
 * See draft-ietf-ipsec-isakmp-gss-auth-06.txt.
 */
#define ISAKMP_NPTYPE_GSS	129	/* GSS token */

#define ISAKMP_MAJOR_VERSION	1
#define ISAKMP_MINOR_VERSION	0
#define ISAKMP_VERSION_NUMBER	0x10
#define ISAKMP_GETMAJORV(v)	(((v) & 0xf0) >> 4)
#define ISAKMP_SETMAJORV(v, m)	((v) = ((v) & 0x0f) | (((m) << 4) & 0xf0))
#define ISAKMP_GETMINORV(v)	((v) & 0x0f)
#define ISAKMP_SETMINORV(v, m)	((v) = ((v) & 0xf0) | ((m) & 0x0f))

/* Exchange Type */
#define ISAKMP_ETYPE_NONE	0	/* NONE */
#define ISAKMP_ETYPE_BASE	1	/* Base */
#define ISAKMP_ETYPE_IDENT	2	/* Identity Proteciton */
#define ISAKMP_ETYPE_AUTH	3	/* Authentication Only */
#define ISAKMP_ETYPE_AGG	4	/* Aggressive */
#define ISAKMP_ETYPE_INFO	5	/* Informational */
/* Additional Exchange Type */
#define ISAKMP_ETYPE_QUICK	32	/* Quick Mode */
#define ISAKMP_ETYPE_NEWGRP	33	/* New group Mode */
#define ISAKMP_ETYPE_ACKINFO	34	/* Acknowledged Informational */

/* Flags */
#define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
#define ISAKMP_FLAG_C 0x02 /* Commit Bit */
#define ISAKMP_FLAG_A 0x04 /* Authentication Only Bit */

/* 3.2 Payload Generic Header
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        ! Next Payload  !   RESERVED    !         Payload Length        !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp_gen {
	u_int8_t np;		/* Next Payload */
	u_int8_t reserved;	/* RESERVED, unused, must set to 0 */
	u_int16_t len;		/* Payload Length */
} __attribute__((__packed__));

/* 3.3 Data Attributes
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        !A!       Attribute Type        !    AF=0  Attribute Length     !
        !F!                             !    AF=1  Attribute Value      !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        .                   AF=0  Attribute Value                       .
        .                   AF=1  Not Transmitted                       .
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp_data {
	u_int16_t type;		/* defined by DOI-spec, and Attribute Format */
	u_int16_t lorv;		/* if f equal 1, Attribute Length */
				/* if f equal 0, Attribute Value */
	/* if f equal 1, Attribute Value */
} __attribute__((__packed__));
#define ISAKMP_GEN_TLV 0x0000
#define ISAKMP_GEN_TV  0x8000
	/* mask for type of attribute format */
#define ISAKMP_GEN_MASK 0x8000

#if 0
/* MAY NOT be used, because of being defined in ipsec-doi. */
/* 3.4 Security Association Payload */
struct isakmp_pl_sa {
	struct isakmp_gen h;
	u_int32_t doi;		/* Domain of Interpretation */
	u_int32_t sit;		/* Situation */
} __attribute__((__packed__));
#endif

/* 3.5 Proposal Payload */
	/*
	The value of the next payload field MUST only contain the value "2"
	or "0".  If there are additional Proposal payloads in the message,
	then this field will be 2.  If the current Proposal payload is the
	last within the security association proposal, then this field will
	be 0.
	*/
struct isakmp_pl_p {
	struct isakmp_gen h;
	u_int8_t p_no;		/* Proposal # */
	u_int8_t proto_id;	/* Protocol */
	u_int8_t spi_size;	/* SPI Size */
	u_int8_t num_t;		/* Number of Transforms */
	/* SPI */
} __attribute__((__packed__));

/* 3.6 Transform Payload */
	/*
	The value of the next payload field MUST only contain the value "3"
	or "0".  If there are additional Transform payloads in the proposal,
	then this field will be 3.  If the current Transform payload is the
	last within the proposal, then this field will be 0.
	*/
struct isakmp_pl_t {
	struct isakmp_gen h;
	u_int8_t t_no;		/* Transform # */
	u_int8_t t_id;		/* Transform-Id */
	u_int16_t reserved;	/* RESERVED2 */
	/* SA Attributes */
} __attribute__((__packed__));

/* 3.7 Key Exchange Payload */
struct isakmp_pl_ke {
	struct isakmp_gen h;
	/* Key Exchange Data */
} __attribute__((__packed__));

#if 0
/* NOTE: MUST NOT use because of being defined in ipsec-doi instead them. */
/* 3.8 Identification Payload */
struct isakmp_pl_id {
	struct isakmp_gen h;
	union {
		u_int8_t id_type;	/* ID Type */
		u_int32_t doi_data;	/* DOI Specific ID Data */
	} d;
	/* Identification Data */
} __attribute__((__packed__));
/* A.4 ISAKMP Identification Type Values */
#define ISAKMP_ID_IPV4_ADDR		0
#define ISAKMP_ID_IPV4_ADDR_SUBNET	1
#define ISAKMP_ID_IPV6_ADDR		2
#define ISAKMP_ID_IPV6_ADDR_SUBNET	3
#endif

/* 3.9 Certificate Payload */
struct isakmp_pl_cert {
	struct isakmp_gen h;
	/*
	 * Encoding type of 1 octet follows immediately,
	 * variable length CERT data follows encoding type.
	 */
} __attribute__((__packed__));

/* Certificate Type */
#define ISAKMP_CERT_NONE	0
#define ISAKMP_CERT_PKCS7	1
#define ISAKMP_CERT_PGP		2
#define ISAKMP_CERT_DNS		3
#define ISAKMP_CERT_X509SIGN	4
#define ISAKMP_CERT_X509KE	5
#define ISAKMP_CERT_KERBEROS	6
#define ISAKMP_CERT_CRL		7
#define ISAKMP_CERT_ARL		8
#define ISAKMP_CERT_SPKI	9
#define ISAKMP_CERT_X509ATTR	10

/* the method to get peers certificate */
#define ISAKMP_GETCERT_PAYLOAD		1
#define ISAKMP_GETCERT_LOCALFILE	2
#define ISAKMP_GETCERT_DNS		3

/* 3.10 Certificate Request Payload */
struct isakmp_pl_cr {
	struct isakmp_gen h;
	u_int8_t num_cert; /* # Cert. Types */
	/*
	Certificate Types (variable length)
	  -- Contains a list of the types of certificates requested,
	  sorted in order of preference.  Each individual certificate
	  type is 1 octet.  This field is NOT required.
	*/
	/* # Certificate Authorities (1 octet) */
	/* Certificate Authorities (variable length) */
} __attribute__((__packed__));

/* 3.11 Hash Payload */
struct isakmp_pl_hash {
	struct isakmp_gen h;
	/* Hash Data */
} __attribute__((__packed__));

/* 3.12 Signature Payload */
struct isakmp_pl_sig {
	struct isakmp_gen h;
	/* Signature Data */
} __attribute__((__packed__));

/* 3.13 Nonce Payload */
struct isakmp_pl_nonce {
	struct isakmp_gen h;
	/* Nonce Data */
} __attribute__((__packed__));

/* 3.14 Notification Payload */
struct isakmp_pl_n {
	struct isakmp_gen h;
	u_int32_t doi;		/* Domain of Interpretation */
	u_int8_t proto_id;	/* Protocol-ID */
	u_int8_t spi_size;	/* SPI Size */
	u_int16_t type;		/* Notify Message Type */
	/* SPI */
	/* Notification Data */
} __attribute__((__packed__));

/* 3.14.1 Notify Message Types */
/* NOTIFY MESSAGES - ERROR TYPES */
#define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE	1
#define ISAKMP_NTYPE_DOI_NOT_SUPPORTED		2
#define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED	3
#define ISAKMP_NTYPE_INVALID_COOKIE		4
#define ISAKMP_NTYPE_INVALID_MAJOR_VERSION	5
#define ISAKMP_NTYPE_INVALID_MINOR_VERSION	6
#define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE	7
#define ISAKMP_NTYPE_INVALID_FLAGS		8
#define ISAKMP_NTYPE_INVALID_MESSAGE_ID		9
#define ISAKMP_NTYPE_INVALID_PROTOCOL_ID	10
#define ISAKMP_NTYPE_INVALID_SPI		11
#define ISAKMP_NTYPE_INVALID_TRANSFORM_ID	12
#define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED	13
#define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN		14
#define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX	15
#define ISAKMP_NTYPE_PAYLOAD_MALFORMED		16
#define ISAKMP_NTYPE_INVALID_KEY_INFORMATION	17
#define ISAKMP_NTYPE_INVALID_ID_INFORMATION	18
#define ISAKMP_NTYPE_INVALID_CERT_ENCODING	19
#define ISAKMP_NTYPE_INVALID_CERTIFICATE	20
#define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX	21
#define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY	22
#define ISAKMP_NTYPE_INVALID_HASH_INFORMATION	23
#define ISAKMP_NTYPE_AUTHENTICATION_FAILED	24
#define ISAKMP_NTYPE_INVALID_SIGNATURE		25
#define ISAKMP_NTYPE_ADDRESS_NOTIFICATION	26
#define ISAKMP_NTYPE_NOTIFY_SA_LIFETIME		27
#define ISAKMP_NTYPE_CERTIFICATE_UNAVAILABLE	28
#define ISAKMP_NTYPE_UNSUPPORTED_EXCHANGE_TYPE	29
#define ISAKMP_NTYPE_UNEQUAL_PAYLOAD_LENGTHS	30
/* NOTIFY MESSAGES - STATUS TYPES */
#define ISAKMP_NTYPE_CONNECTED			16384
/* 4.6.3 IPSEC DOI Notify Message Types */
#define ISAKMP_NTYPE_RESPONDER_LIFETIME		24576
#define ISAKMP_NTYPE_REPLAY_STATUS		24577
#define ISAKMP_NTYPE_INITIAL_CONTACT		24578

/* using only to log */
#define ISAKMP_LOG_RETRY_LIMIT_REACHED		65530

/* XXX means internal error but it's not reserved by any drafts... */
#define ISAKMP_INTERNAL_ERROR			-1

/* 3.15 Delete Payload */
struct isakmp_pl_d {
	struct isakmp_gen h;
	u_int32_t doi;		/* Domain of Interpretation */
	u_int8_t proto_id;	/* Protocol-Id */
	u_int8_t spi_size;	/* SPI Size */
	u_int16_t num_spi;	/* # of SPIs */
	/* SPI(es) */
} __attribute__((__packed__));


#endif /* __ISAKMP_H__ */
Commit	Line	Data
ac2f15b3	1	/* $KAME: isakmp.h,v 1.19 2001/04/11 06:11:55 sakane Exp $ */
7ba0088d A	2
	3	/*
	4	* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
	5	* All rights reserved.
	6	*
	7	* Redistribution and use in source and binary forms, with or without
	8	* modification, are permitted provided that the following conditions
	9	* are met:
	10	* 1. Redistributions of source code must retain the above copyright
	11	* notice, this list of conditions and the following disclaimer.
	12	* 2. Redistributions in binary form must reproduce the above copyright
	13	* notice, this list of conditions and the following disclaimer in the
	14	* documentation and/or other materials provided with the distribution.
	15	* 3. Neither the name of the project nor the names of its contributors
	16	* may be used to endorse or promote products derived from this software
	17	* without specific prior written permission.
	18	*
	19	* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
	20	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	21	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	22	* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
	23	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	24	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	25	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	26	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	27	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	28	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	29	* SUCH DAMAGE.
	30	*/
	31
2b484d24 A	32	#ifndef __ISAKMP_H__
	33	#define __ISAKMP_H__
	34
7ba0088d A	35	/* refer to RFC 2408 */
	36
	37	/* must include <netinet/in.h> first. */
	38	/* must include "isakmp_var.h" first. */
	39
	40	#define INITIATOR 0 /* synonym sender */
	41	#define RESPONDER 1 /* synonym receiver */
	42
	43	#define GENERATE 1
	44	#define VALIDATE 0
	45
	46	/* 3.1 ISAKMP Header Format
	47	0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
	48	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	49	! Initiator !
	50	! Cookie !
	51	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	52	! Responder !
	53	! Cookie !
	54	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	55	! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
	56	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	57	! Message ID !
	58	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	59	! Length !
	60	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	61	*/
	62	struct isakmp {
	63	cookie_t i_ck; /* Initiator Cookie */
	64	cookie_t r_ck; /* Responder Cookie */
	65	u_int8_t np; /* Next Payload Type */
	66	u_int8_t v;
	67	u_int8_t etype; /* Exchange Type */
	68	u_int8_t flags; /* Flags */
	69	u_int32_t msgid;
	70	u_int32_t len; /* Length */
	71	} __attribute__((__packed__));
	72
	73	/* Next Payload Type */
	74	#define ISAKMP_NPTYPE_NONE 0 /* NONE*/
	75	#define ISAKMP_NPTYPE_SA 1 /* Security Association */
	76	#define ISAKMP_NPTYPE_P 2 /* Proposal */
	77	#define ISAKMP_NPTYPE_T 3 /* Transform */
	78	#define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
	79	#define ISAKMP_NPTYPE_ID 5 /* Identification */
	80	#define ISAKMP_NPTYPE_CERT 6 /* Certificate */
	81	#define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
	82	#define ISAKMP_NPTYPE_HASH 8 /* Hash */
	83	#define ISAKMP_NPTYPE_SIG 9 /* Signature */
	84	#define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
	85	#define ISAKMP_NPTYPE_N 11 /* Notification */
	86	#define ISAKMP_NPTYPE_D 12 /* Delete */
	87	#define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
ac2f15b3 A	88	#define ISAKMP_NPTYPE_NATD 15 /* NAT detection hash value */
ac2f15b3 A	89	#define ISAKMP_NPTYPE_MAX 16
7ba0088d A	90	/* 128 - 255 Private Use */
	91
	92	/*
	93	* The following are valid when the Vendor ID is one of the
	94	* following:
	95	*
	96	* MD5("A GSS-API Authentication Method for IKE")
	97	* MD5("GSSAPI") (recognized by Windows 2000)
	98	* MD5("MS NT5 ISAKMPOAKLEY") (sent by Windows 2000)
	99	*
	100	* See draft-ietf-ipsec-isakmp-gss-auth-06.txt.
	101	*/
	102	#define ISAKMP_NPTYPE_GSS 129 /* GSS token */
	103
	104	#define ISAKMP_MAJOR_VERSION 1
	105	#define ISAKMP_MINOR_VERSION 0
	106	#define ISAKMP_VERSION_NUMBER 0x10
	107	#define ISAKMP_GETMAJORV(v) (((v) & 0xf0) >> 4)
	108	#define ISAKMP_SETMAJORV(v, m) ((v) = ((v) & 0x0f) \| (((m) << 4) & 0xf0))
	109	#define ISAKMP_GETMINORV(v) ((v) & 0x0f)
	110	#define ISAKMP_SETMINORV(v, m) ((v) = ((v) & 0xf0) \| ((m) & 0x0f))
	111
	112	/* Exchange Type */
	113	#define ISAKMP_ETYPE_NONE 0 /* NONE */
	114	#define ISAKMP_ETYPE_BASE 1 /* Base */
	115	#define ISAKMP_ETYPE_IDENT 2 /* Identity Proteciton */
	116	#define ISAKMP_ETYPE_AUTH 3 /* Authentication Only */
	117	#define ISAKMP_ETYPE_AGG 4 /* Aggressive */
	118	#define ISAKMP_ETYPE_INFO 5 /* Informational */
	119	/* Additional Exchange Type */
	120	#define ISAKMP_ETYPE_QUICK 32 /* Quick Mode */
	121	#define ISAKMP_ETYPE_NEWGRP 33 /* New group Mode */
	122	#define ISAKMP_ETYPE_ACKINFO 34 /* Acknowledged Informational */
	123
	124	/* Flags */
	125	#define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
	126	#define ISAKMP_FLAG_C 0x02 /* Commit Bit */
	127	#define ISAKMP_FLAG_A 0x04 /* Authentication Only Bit */
	128
	129	/* 3.2 Payload Generic Header
	130	0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
	131	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	132	! Next Payload ! RESERVED ! Payload Length !
	133	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	134	*/
	135	struct isakmp_gen {
	136	u_int8_t np; /* Next Payload */
	137	u_int8_t reserved; /* RESERVED, unused, must set to 0 */
	138	u_int16_t len; /* Payload Length */
	139	} __attribute__((__packed__));
	140
	141	/* 3.3 Data Attributes
	142	0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
	143	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	144	!A! Attribute Type ! AF=0 Attribute Length !
	145	!F! ! AF=1 Attribute Value !
	146	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	147	. AF=0 Attribute Value .
	148	. AF=1 Not Transmitted .
	149	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	150	*/
	151	struct isakmp_data {
	152	u_int16_t type; /* defined by DOI-spec, and Attribute Format */
	153	u_int16_t lorv; /* if f equal 1, Attribute Length */
154	/* if f equal 0, Attribute Value */
155	/* if f equal 1, Attribute Value */
156	} __attribute__((__packed__));
157	#define ISAKMP_GEN_TLV 0x0000
158	#define ISAKMP_GEN_TV 0x8000
159	/* mask for type of attribute format */
160	#define ISAKMP_GEN_MASK 0x8000
161
162	#if 0
163	/* MAY NOT be used, because of being defined in ipsec-doi. */
164	/* 3.4 Security Association Payload */
165	struct isakmp_pl_sa {
166	struct isakmp_gen h;
167	u_int32_t doi; /* Domain of Interpretation */
168	u_int32_t sit; /* Situation */
169	} __attribute__((__packed__));
170	#endif
171
172	/* 3.5 Proposal Payload */
173	/*
174	The value of the next payload field MUST only contain the value "2"
175	or "0". If there are additional Proposal payloads in the message,
176	then this field will be 2. If the current Proposal payload is the
177	last within the security association proposal, then this field will
178	be 0.
179	*/
180	struct isakmp_pl_p {
181	struct isakmp_gen h;
182	u_int8_t p_no; /* Proposal # */
183	u_int8_t proto_id; /* Protocol */
184	u_int8_t spi_size; /* SPI Size */
185	u_int8_t num_t; /* Number of Transforms */
186	/* SPI */
187	} __attribute__((__packed__));
188
189	/* 3.6 Transform Payload */
190	/*
191	The value of the next payload field MUST only contain the value "3"
192	or "0". If there are additional Transform payloads in the proposal,
193	then this field will be 3. If the current Transform payload is the
194	last within the proposal, then this field will be 0.
195	*/
196	struct isakmp_pl_t {
197	struct isakmp_gen h;
198	u_int8_t t_no; /* Transform # */
199	u_int8_t t_id; /* Transform-Id */
200	u_int16_t reserved; /* RESERVED2 */
201	/* SA Attributes */
202	} __attribute__((__packed__));
203
204	/* 3.7 Key Exchange Payload */
205	struct isakmp_pl_ke {
206	struct isakmp_gen h;
207	/* Key Exchange Data */
208	} __attribute__((__packed__));
209
210	#if 0
211	/* NOTE: MUST NOT use because of being defined in ipsec-doi instead them. */
212	/* 3.8 Identification Payload */
213	struct isakmp_pl_id {
214	struct isakmp_gen h;
215	union {
216	u_int8_t id_type; /* ID Type */
217	u_int32_t doi_data; /* DOI Specific ID Data */
218	} d;
219	/* Identification Data */
220	} __attribute__((__packed__));
221	/* A.4 ISAKMP Identification Type Values */
222	#define ISAKMP_ID_IPV4_ADDR 0
223	#define ISAKMP_ID_IPV4_ADDR_SUBNET 1
224	#define ISAKMP_ID_IPV6_ADDR 2
225	#define ISAKMP_ID_IPV6_ADDR_SUBNET 3
226	#endif
227
228	/* 3.9 Certificate Payload */
229	struct isakmp_pl_cert {
230	struct isakmp_gen h;
231	/*
232	* Encoding type of 1 octet follows immediately,
233	* variable length CERT data follows encoding type.
234	*/
235	} __attribute__((__packed__));
236
237	/* Certificate Type */
238	#define ISAKMP_CERT_NONE 0
239	#define ISAKMP_CERT_PKCS7 1
240	#define ISAKMP_CERT_PGP 2
241	#define ISAKMP_CERT_DNS 3
242	#define ISAKMP_CERT_X509SIGN 4
243	#define ISAKMP_CERT_X509KE 5
244	#define ISAKMP_CERT_KERBEROS 6
245	#define ISAKMP_CERT_CRL 7
246	#define ISAKMP_CERT_ARL 8
247	#define ISAKMP_CERT_SPKI 9
248	#define ISAKMP_CERT_X509ATTR 10
249
250	/* the method to get peers certificate */
251	#define ISAKMP_GETCERT_PAYLOAD 1
252	#define ISAKMP_GETCERT_LOCALFILE 2
253	#define ISAKMP_GETCERT_DNS 3
254
255	/* 3.10 Certificate Request Payload */
256	struct isakmp_pl_cr {
257	struct isakmp_gen h;
258	u_int8_t num_cert; /* # Cert. Types */
259	/*
260	Certificate Types (variable length)
261	-- Contains a list of the types of certificates requested,
262	sorted in order of preference. Each individual certificate
263	type is 1 octet. This field is NOT required.
264	*/
265	/* # Certificate Authorities (1 octet) */
266	/* Certificate Authorities (variable length) */
267	} __attribute__((__packed__));
268
269	/* 3.11 Hash Payload */
270	struct isakmp_pl_hash {
271	struct isakmp_gen h;
272	/* Hash Data */
273	} __attribute__((__packed__));
274
275	/* 3.12 Signature Payload */
276	struct isakmp_pl_sig {
277	struct isakmp_gen h;
278	/* Signature Data */
279	} __attribute__((__packed__));
280
281	/* 3.13 Nonce Payload */
282	struct isakmp_pl_nonce {
283	struct isakmp_gen h;
284	/* Nonce Data */
285	} __attribute__((__packed__));
286
287	/* 3.14 Notification Payload */
288	struct isakmp_pl_n {
289	struct isakmp_gen h;
290	u_int32_t doi; /* Domain of Interpretation */
291	u_int8_t proto_id; /* Protocol-ID */
292	u_int8_t spi_size; /* SPI Size */
293	u_int16_t type; /* Notify Message Type */
294	/* SPI */
295	/* Notification Data */
296	} __attribute__((__packed__));
297
298	/* 3.14.1 Notify Message Types */
299	/* NOTIFY MESSAGES - ERROR TYPES */
300	#define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
301	#define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
302	#define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
303	#define ISAKMP_NTYPE_INVALID_COOKIE 4
304	#define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
305	#define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
306	#define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
307	#define ISAKMP_NTYPE_INVALID_FLAGS 8
308	#define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
309	#define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
310	#define ISAKMP_NTYPE_INVALID_SPI 11
311	#define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
312	#define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
313	#define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
314	#define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
315	#define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
316	#define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
317	#define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
318	#define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
319	#define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
320	#define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
321	#define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
322	#define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
323	#define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
324	#define ISAKMP_NTYPE_INVALID_SIGNATURE 25
325	#define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
326	#define ISAKMP_NTYPE_NOTIFY_SA_LIFETIME 27
327	#define ISAKMP_NTYPE_CERTIFICATE_UNAVAILABLE 28
328	#define ISAKMP_NTYPE_UNSUPPORTED_EXCHANGE_TYPE 29
329	#define ISAKMP_NTYPE_UNEQUAL_PAYLOAD_LENGTHS 30
330	/* NOTIFY MESSAGES - STATUS TYPES */
331	#define ISAKMP_NTYPE_CONNECTED 16384
332	/* 4.6.3 IPSEC DOI Notify Message Types */
333	#define ISAKMP_NTYPE_RESPONDER_LIFETIME 24576
334	#define ISAKMP_NTYPE_REPLAY_STATUS 24577
335	#define ISAKMP_NTYPE_INITIAL_CONTACT 24578
336
337	/* using only to log */
338	#define ISAKMP_LOG_RETRY_LIMIT_REACHED 65530
339
340	/* XXX means internal error but it's not reserved by any drafts... */
341	#define ISAKMP_INTERNAL_ERROR -1
342
343	/* 3.15 Delete Payload */
344	struct isakmp_pl_d {
345	struct isakmp_gen h;
346	u_int32_t doi; /* Domain of Interpretation */
347	u_int8_t proto_id; /* Protocol-Id */
348	u_int8_t spi_size; /* SPI Size */
349	u_int16_t num_spi; /* # of SPIs */
350	/* SPI(es) */
351	} __attribute__((__packed__));
352
2b484d24 A	353
	354	#endif /* __ISAKMP_H__ */
	355