[apple/network_cmds.git] / racoon.tproj / isakmp.h

/*	$KAME: isakmp.h,v 1.19 2001/04/11 06:11:55 sakane Exp $	*/

/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 * 
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/* refer to RFC 2408 */

/* must include <netinet/in.h> first. */
/* must include "isakmp_var.h" first. */

#define INITIATOR	0	/* synonym sender */
#define RESPONDER	1	/* synonym receiver */

#define GENERATE	1
#define VALIDATE	0

/* 3.1 ISAKMP Header Format
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        !                          Initiator                            !
        !                            Cookie                             !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        !                          Responder                            !
        !                            Cookie                             !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        !  Next Payload ! MjVer ! MnVer ! Exchange Type !     Flags     !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        !                          Message ID                           !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        !                            Length                             !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp {
	cookie_t i_ck;		/* Initiator Cookie */
	cookie_t r_ck;		/* Responder Cookie */
	u_int8_t np;		/* Next Payload Type */
	u_int8_t v;
	u_int8_t etype;		/* Exchange Type */
	u_int8_t flags;		/* Flags */
	u_int32_t msgid;
	u_int32_t len;		/* Length */
} __attribute__((__packed__));

/* Next Payload Type */
#define ISAKMP_NPTYPE_NONE	0	/* NONE*/
#define ISAKMP_NPTYPE_SA	1	/* Security Association */
#define ISAKMP_NPTYPE_P		2	/* Proposal */
#define ISAKMP_NPTYPE_T		3	/* Transform */
#define ISAKMP_NPTYPE_KE	4	/* Key Exchange */
#define ISAKMP_NPTYPE_ID	5	/* Identification */
#define ISAKMP_NPTYPE_CERT	6	/* Certificate */
#define ISAKMP_NPTYPE_CR	7	/* Certificate Request */
#define ISAKMP_NPTYPE_HASH	8	/* Hash */
#define ISAKMP_NPTYPE_SIG	9	/* Signature */
#define ISAKMP_NPTYPE_NONCE	10	/* Nonce */
#define ISAKMP_NPTYPE_N		11	/* Notification */
#define ISAKMP_NPTYPE_D		12	/* Delete */
#define ISAKMP_NPTYPE_VID	13	/* Vendor ID */
#define ISAKMP_NPTYPE_NATD	15	/* NAT detection hash value */
#define ISAKMP_NPTYPE_MAX	16
			/*	128 - 255 Private Use */

/*
 * The following are valid when the Vendor ID is one of the
 * following:
 *
 *	MD5("A GSS-API Authentication Method for IKE")
 *	MD5("GSSAPI") (recognized by Windows 2000)
 *	MD5("MS NT5 ISAKMPOAKLEY") (sent by Windows 2000)
 *
 * See draft-ietf-ipsec-isakmp-gss-auth-06.txt.
 */
#define ISAKMP_NPTYPE_GSS	129	/* GSS token */

#define ISAKMP_MAJOR_VERSION	1
#define ISAKMP_MINOR_VERSION	0
#define ISAKMP_VERSION_NUMBER	0x10
#define ISAKMP_GETMAJORV(v)	(((v) & 0xf0) >> 4)
#define ISAKMP_SETMAJORV(v, m)	((v) = ((v) & 0x0f) | (((m) << 4) & 0xf0))
#define ISAKMP_GETMINORV(v)	((v) & 0x0f)
#define ISAKMP_SETMINORV(v, m)	((v) = ((v) & 0xf0) | ((m) & 0x0f))

/* Exchange Type */
#define ISAKMP_ETYPE_NONE	0	/* NONE */
#define ISAKMP_ETYPE_BASE	1	/* Base */
#define ISAKMP_ETYPE_IDENT	2	/* Identity Proteciton */
#define ISAKMP_ETYPE_AUTH	3	/* Authentication Only */
#define ISAKMP_ETYPE_AGG	4	/* Aggressive */
#define ISAKMP_ETYPE_INFO	5	/* Informational */
/* Additional Exchange Type */
#define ISAKMP_ETYPE_QUICK	32	/* Quick Mode */
#define ISAKMP_ETYPE_NEWGRP	33	/* New group Mode */
#define ISAKMP_ETYPE_ACKINFO	34	/* Acknowledged Informational */

/* Flags */
#define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
#define ISAKMP_FLAG_C 0x02 /* Commit Bit */
#define ISAKMP_FLAG_A 0x04 /* Authentication Only Bit */

/* 3.2 Payload Generic Header
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        ! Next Payload  !   RESERVED    !         Payload Length        !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp_gen {
	u_int8_t np;		/* Next Payload */
	u_int8_t reserved;	/* RESERVED, unused, must set to 0 */
	u_int16_t len;		/* Payload Length */
} __attribute__((__packed__));

/* 3.3 Data Attributes
         0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        !A!       Attribute Type        !    AF=0  Attribute Length     !
        !F!                             !    AF=1  Attribute Value      !
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
        .                   AF=0  Attribute Value                       .
        .                   AF=1  Not Transmitted                       .
        +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp_data {
	u_int16_t type;		/* defined by DOI-spec, and Attribute Format */
	u_int16_t lorv;		/* if f equal 1, Attribute Length */
				/* if f equal 0, Attribute Value */
	/* if f equal 1, Attribute Value */
} __attribute__((__packed__));
#define ISAKMP_GEN_TLV 0x0000
#define ISAKMP_GEN_TV  0x8000
	/* mask for type of attribute format */
#define ISAKMP_GEN_MASK 0x8000

#if 0
/* MAY NOT be used, because of being defined in ipsec-doi. */
/* 3.4 Security Association Payload */
struct isakmp_pl_sa {
	struct isakmp_gen h;
	u_int32_t doi;		/* Domain of Interpretation */
	u_int32_t sit;		/* Situation */
} __attribute__((__packed__));
#endif

/* 3.5 Proposal Payload */
	/*
	The value of the next payload field MUST only contain the value "2"
	or "0".  If there are additional Proposal payloads in the message,
	then this field will be 2.  If the current Proposal payload is the
	last within the security association proposal, then this field will
	be 0.
	*/
struct isakmp_pl_p {
	struct isakmp_gen h;
	u_int8_t p_no;		/* Proposal # */
	u_int8_t proto_id;	/* Protocol */
	u_int8_t spi_size;	/* SPI Size */
	u_int8_t num_t;		/* Number of Transforms */
	/* SPI */
} __attribute__((__packed__));

/* 3.6 Transform Payload */
	/*
	The value of the next payload field MUST only contain the value "3"
	or "0".  If there are additional Transform payloads in the proposal,
	then this field will be 3.  If the current Transform payload is the
	last within the proposal, then this field will be 0.
	*/
struct isakmp_pl_t {
	struct isakmp_gen h;
	u_int8_t t_no;		/* Transform # */
	u_int8_t t_id;		/* Transform-Id */
	u_int16_t reserved;	/* RESERVED2 */
	/* SA Attributes */
} __attribute__((__packed__));

/* 3.7 Key Exchange Payload */
struct isakmp_pl_ke {
	struct isakmp_gen h;
	/* Key Exchange Data */
} __attribute__((__packed__));

#if 0
/* NOTE: MUST NOT use because of being defined in ipsec-doi instead them. */
/* 3.8 Identification Payload */
struct isakmp_pl_id {
	struct isakmp_gen h;
	union {
		u_int8_t id_type;	/* ID Type */
		u_int32_t doi_data;	/* DOI Specific ID Data */
	} d;
	/* Identification Data */
} __attribute__((__packed__));
/* A.4 ISAKMP Identification Type Values */
#define ISAKMP_ID_IPV4_ADDR		0
#define ISAKMP_ID_IPV4_ADDR_SUBNET	1
#define ISAKMP_ID_IPV6_ADDR		2
#define ISAKMP_ID_IPV6_ADDR_SUBNET	3
#endif

/* 3.9 Certificate Payload */
struct isakmp_pl_cert {
	struct isakmp_gen h;
	/*
	 * Encoding type of 1 octet follows immediately,
	 * variable length CERT data follows encoding type.
	 */
} __attribute__((__packed__));

/* Certificate Type */
#define ISAKMP_CERT_NONE	0
#define ISAKMP_CERT_PKCS7	1
#define ISAKMP_CERT_PGP		2
#define ISAKMP_CERT_DNS		3
#define ISAKMP_CERT_X509SIGN	4
#define ISAKMP_CERT_X509KE	5
#define ISAKMP_CERT_KERBEROS	6
#define ISAKMP_CERT_CRL		7
#define ISAKMP_CERT_ARL		8
#define ISAKMP_CERT_SPKI	9
#define ISAKMP_CERT_X509ATTR	10

/* the method to get peers certificate */
#define ISAKMP_GETCERT_PAYLOAD		1
#define ISAKMP_GETCERT_LOCALFILE	2
#define ISAKMP_GETCERT_DNS		3

/* 3.10 Certificate Request Payload */
struct isakmp_pl_cr {
	struct isakmp_gen h;
	u_int8_t num_cert; /* # Cert. Types */
	/*
	Certificate Types (variable length)
	  -- Contains a list of the types of certificates requested,
	  sorted in order of preference.  Each individual certificate
	  type is 1 octet.  This field is NOT required.
	*/
	/* # Certificate Authorities (1 octet) */
	/* Certificate Authorities (variable length) */
} __attribute__((__packed__));

/* 3.11 Hash Payload */
struct isakmp_pl_hash {
	struct isakmp_gen h;
	/* Hash Data */
} __attribute__((__packed__));

/* 3.12 Signature Payload */
struct isakmp_pl_sig {
	struct isakmp_gen h;
	/* Signature Data */
} __attribute__((__packed__));

/* 3.13 Nonce Payload */
struct isakmp_pl_nonce {
	struct isakmp_gen h;
	/* Nonce Data */
} __attribute__((__packed__));

/* 3.14 Notification Payload */
struct isakmp_pl_n {
	struct isakmp_gen h;
	u_int32_t doi;		/* Domain of Interpretation */
	u_int8_t proto_id;	/* Protocol-ID */
	u_int8_t spi_size;	/* SPI Size */
	u_int16_t type;		/* Notify Message Type */
	/* SPI */
	/* Notification Data */
} __attribute__((__packed__));

/* 3.14.1 Notify Message Types */
/* NOTIFY MESSAGES - ERROR TYPES */
#define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE	1
#define ISAKMP_NTYPE_DOI_NOT_SUPPORTED		2
#define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED	3
#define ISAKMP_NTYPE_INVALID_COOKIE		4
#define ISAKMP_NTYPE_INVALID_MAJOR_VERSION	5
#define ISAKMP_NTYPE_INVALID_MINOR_VERSION	6
#define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE	7
#define ISAKMP_NTYPE_INVALID_FLAGS		8
#define ISAKMP_NTYPE_INVALID_MESSAGE_ID		9
#define ISAKMP_NTYPE_INVALID_PROTOCOL_ID	10
#define ISAKMP_NTYPE_INVALID_SPI		11
#define ISAKMP_NTYPE_INVALID_TRANSFORM_ID	12
#define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED	13
#define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN		14
#define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX	15
#define ISAKMP_NTYPE_PAYLOAD_MALFORMED		16
#define ISAKMP_NTYPE_INVALID_KEY_INFORMATION	17
#define ISAKMP_NTYPE_INVALID_ID_INFORMATION	18
#define ISAKMP_NTYPE_INVALID_CERT_ENCODING	19
#define ISAKMP_NTYPE_INVALID_CERTIFICATE	20
#define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX	21
#define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY	22
#define ISAKMP_NTYPE_INVALID_HASH_INFORMATION	23
#define ISAKMP_NTYPE_AUTHENTICATION_FAILED	24
#define ISAKMP_NTYPE_INVALID_SIGNATURE		25
#define ISAKMP_NTYPE_ADDRESS_NOTIFICATION	26
#define ISAKMP_NTYPE_NOTIFY_SA_LIFETIME		27
#define ISAKMP_NTYPE_CERTIFICATE_UNAVAILABLE	28
#define ISAKMP_NTYPE_UNSUPPORTED_EXCHANGE_TYPE	29
#define ISAKMP_NTYPE_UNEQUAL_PAYLOAD_LENGTHS	30
/* NOTIFY MESSAGES - STATUS TYPES */
#define ISAKMP_NTYPE_CONNECTED			16384
/* 4.6.3 IPSEC DOI Notify Message Types */
#define ISAKMP_NTYPE_RESPONDER_LIFETIME		24576
#define ISAKMP_NTYPE_REPLAY_STATUS		24577
#define ISAKMP_NTYPE_INITIAL_CONTACT		24578

/* using only to log */
#define ISAKMP_LOG_RETRY_LIMIT_REACHED		65530

/* XXX means internal error but it's not reserved by any drafts... */
#define ISAKMP_INTERNAL_ERROR			-1

/* 3.15 Delete Payload */
struct isakmp_pl_d {
	struct isakmp_gen h;
	u_int32_t doi;		/* Domain of Interpretation */
	u_int8_t proto_id;	/* Protocol-Id */
	u_int8_t spi_size;	/* SPI Size */
	u_int16_t num_spi;	/* # of SPIs */
	/* SPI(es) */
} __attribute__((__packed__));
Commit	Line	Data
ac2f15b3	1	/* $KAME: isakmp.h,v 1.19 2001/04/11 06:11:55 sakane Exp $ */
7ba0088d A	2
	3	/*
	4	* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
	5	* All rights reserved.
	6	*
	7	* Redistribution and use in source and binary forms, with or without
	8	* modification, are permitted provided that the following conditions
	9	* are met:
	10	* 1. Redistributions of source code must retain the above copyright
	11	* notice, this list of conditions and the following disclaimer.
	12	* 2. Redistributions in binary form must reproduce the above copyright
	13	* notice, this list of conditions and the following disclaimer in the
	14	* documentation and/or other materials provided with the distribution.
	15	* 3. Neither the name of the project nor the names of its contributors
	16	* may be used to endorse or promote products derived from this software
	17	* without specific prior written permission.
	18	*
	19	* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
	20	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	21	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	22	* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
	23	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	24	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	25	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	26	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	27	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	28	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	29	* SUCH DAMAGE.
	30	*/
	31
	32	/* refer to RFC 2408 */
	33
	34	/* must include <netinet/in.h> first. */
	35	/* must include "isakmp_var.h" first. */
	36
	37	#define INITIATOR 0 /* synonym sender */
	38	#define RESPONDER 1 /* synonym receiver */
	39
	40	#define GENERATE 1
	41	#define VALIDATE 0
	42
	43	/* 3.1 ISAKMP Header Format
	44	0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
	45	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	46	! Initiator !
	47	! Cookie !
	48	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	49	! Responder !
	50	! Cookie !
	51	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	52	! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
	53	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	54	! Message ID !
	55	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	56	! Length !
	57	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	58	*/
	59	struct isakmp {
	60	cookie_t i_ck; /* Initiator Cookie */
	61	cookie_t r_ck; /* Responder Cookie */
	62	u_int8_t np; /* Next Payload Type */
	63	u_int8_t v;
	64	u_int8_t etype; /* Exchange Type */
	65	u_int8_t flags; /* Flags */
66	u_int32_t msgid;
67	u_int32_t len; /* Length */
68	} __attribute__((__packed__));
69
70	/* Next Payload Type */
71	#define ISAKMP_NPTYPE_NONE 0 /* NONE*/
72	#define ISAKMP_NPTYPE_SA 1 /* Security Association */
73	#define ISAKMP_NPTYPE_P 2 /* Proposal */
74	#define ISAKMP_NPTYPE_T 3 /* Transform */
75	#define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
76	#define ISAKMP_NPTYPE_ID 5 /* Identification */
77	#define ISAKMP_NPTYPE_CERT 6 /* Certificate */
78	#define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
79	#define ISAKMP_NPTYPE_HASH 8 /* Hash */
80	#define ISAKMP_NPTYPE_SIG 9 /* Signature */
81	#define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
82	#define ISAKMP_NPTYPE_N 11 /* Notification */
83	#define ISAKMP_NPTYPE_D 12 /* Delete */
84	#define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
ac2f15b3 A	85	#define ISAKMP_NPTYPE_NATD 15 /* NAT detection hash value */
ac2f15b3 A	86	#define ISAKMP_NPTYPE_MAX 16
7ba0088d A	87	/* 128 - 255 Private Use */
	88
	89	/*
	90	* The following are valid when the Vendor ID is one of the
	91	* following:
	92	*
	93	* MD5("A GSS-API Authentication Method for IKE")
	94	* MD5("GSSAPI") (recognized by Windows 2000)
	95	* MD5("MS NT5 ISAKMPOAKLEY") (sent by Windows 2000)
	96	*
	97	* See draft-ietf-ipsec-isakmp-gss-auth-06.txt.
	98	*/
	99	#define ISAKMP_NPTYPE_GSS 129 /* GSS token */
	100
	101	#define ISAKMP_MAJOR_VERSION 1
	102	#define ISAKMP_MINOR_VERSION 0
	103	#define ISAKMP_VERSION_NUMBER 0x10
	104	#define ISAKMP_GETMAJORV(v) (((v) & 0xf0) >> 4)
	105	#define ISAKMP_SETMAJORV(v, m) ((v) = ((v) & 0x0f) \| (((m) << 4) & 0xf0))
	106	#define ISAKMP_GETMINORV(v) ((v) & 0x0f)
	107	#define ISAKMP_SETMINORV(v, m) ((v) = ((v) & 0xf0) \| ((m) & 0x0f))
	108
	109	/* Exchange Type */
	110	#define ISAKMP_ETYPE_NONE 0 /* NONE */
	111	#define ISAKMP_ETYPE_BASE 1 /* Base */
	112	#define ISAKMP_ETYPE_IDENT 2 /* Identity Proteciton */
	113	#define ISAKMP_ETYPE_AUTH 3 /* Authentication Only */
	114	#define ISAKMP_ETYPE_AGG 4 /* Aggressive */
	115	#define ISAKMP_ETYPE_INFO 5 /* Informational */
	116	/* Additional Exchange Type */
	117	#define ISAKMP_ETYPE_QUICK 32 /* Quick Mode */
	118	#define ISAKMP_ETYPE_NEWGRP 33 /* New group Mode */
	119	#define ISAKMP_ETYPE_ACKINFO 34 /* Acknowledged Informational */
	120
	121	/* Flags */
	122	#define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
	123	#define ISAKMP_FLAG_C 0x02 /* Commit Bit */
	124	#define ISAKMP_FLAG_A 0x04 /* Authentication Only Bit */
	125
	126	/* 3.2 Payload Generic Header
	127	0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
	128	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	129	! Next Payload ! RESERVED ! Payload Length !
	130	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	131	*/
	132	struct isakmp_gen {
	133	u_int8_t np; /* Next Payload */
	134	u_int8_t reserved; /* RESERVED, unused, must set to 0 */
	135	u_int16_t len; /* Payload Length */
	136	} __attribute__((__packed__));
	137
	138	/* 3.3 Data Attributes
	139	0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
	140	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	141	!A! Attribute Type ! AF=0 Attribute Length !
	142	!F! ! AF=1 Attribute Value !
	143	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	144	. AF=0 Attribute Value .
	145	. AF=1 Not Transmitted .
	146	+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
	147	*/
	148	struct isakmp_data {
	149	u_int16_t type; /* defined by DOI-spec, and Attribute Format */
	150	u_int16_t lorv; /* if f equal 1, Attribute Length */
151	/* if f equal 0, Attribute Value */
152	/* if f equal 1, Attribute Value */
153	} __attribute__((__packed__));
154	#define ISAKMP_GEN_TLV 0x0000
155	#define ISAKMP_GEN_TV 0x8000
156	/* mask for type of attribute format */
157	#define ISAKMP_GEN_MASK 0x8000
158
159	#if 0
160	/* MAY NOT be used, because of being defined in ipsec-doi. */
161	/* 3.4 Security Association Payload */
162	struct isakmp_pl_sa {
163	struct isakmp_gen h;
164	u_int32_t doi; /* Domain of Interpretation */
165	u_int32_t sit; /* Situation */
166	} __attribute__((__packed__));
167	#endif
168
169	/* 3.5 Proposal Payload */
170	/*
171	The value of the next payload field MUST only contain the value "2"
172	or "0". If there are additional Proposal payloads in the message,
173	then this field will be 2. If the current Proposal payload is the
174	last within the security association proposal, then this field will
175	be 0.
176	*/
177	struct isakmp_pl_p {
178	struct isakmp_gen h;
179	u_int8_t p_no; /* Proposal # */
180	u_int8_t proto_id; /* Protocol */
181	u_int8_t spi_size; /* SPI Size */
182	u_int8_t num_t; /* Number of Transforms */
183	/* SPI */
184	} __attribute__((__packed__));
185
186	/* 3.6 Transform Payload */
187	/*
188	The value of the next payload field MUST only contain the value "3"
189	or "0". If there are additional Transform payloads in the proposal,
190	then this field will be 3. If the current Transform payload is the
191	last within the proposal, then this field will be 0.
192	*/
193	struct isakmp_pl_t {
194	struct isakmp_gen h;
195	u_int8_t t_no; /* Transform # */
196	u_int8_t t_id; /* Transform-Id */
197	u_int16_t reserved; /* RESERVED2 */
198	/* SA Attributes */
199	} __attribute__((__packed__));
200
201	/* 3.7 Key Exchange Payload */
202	struct isakmp_pl_ke {
203	struct isakmp_gen h;
204	/* Key Exchange Data */
205	} __attribute__((__packed__));
206
207	#if 0
208	/* NOTE: MUST NOT use because of being defined in ipsec-doi instead them. */
209	/* 3.8 Identification Payload */
210	struct isakmp_pl_id {
211	struct isakmp_gen h;
212	union {
213	u_int8_t id_type; /* ID Type */
214	u_int32_t doi_data; /* DOI Specific ID Data */
215	} d;
216	/* Identification Data */
217	} __attribute__((__packed__));
218	/* A.4 ISAKMP Identification Type Values */
219	#define ISAKMP_ID_IPV4_ADDR 0
220	#define ISAKMP_ID_IPV4_ADDR_SUBNET 1
221	#define ISAKMP_ID_IPV6_ADDR 2
222	#define ISAKMP_ID_IPV6_ADDR_SUBNET 3
223	#endif
224
225	/* 3.9 Certificate Payload */
226	struct isakmp_pl_cert {
227	struct isakmp_gen h;
228	/*
229	* Encoding type of 1 octet follows immediately,
230	* variable length CERT data follows encoding type.
231	*/
232	} __attribute__((__packed__));
233
234	/* Certificate Type */
235	#define ISAKMP_CERT_NONE 0
236	#define ISAKMP_CERT_PKCS7 1
237	#define ISAKMP_CERT_PGP 2
238	#define ISAKMP_CERT_DNS 3
239	#define ISAKMP_CERT_X509SIGN 4
240	#define ISAKMP_CERT_X509KE 5
241	#define ISAKMP_CERT_KERBEROS 6
242	#define ISAKMP_CERT_CRL 7
243	#define ISAKMP_CERT_ARL 8
244	#define ISAKMP_CERT_SPKI 9
245	#define ISAKMP_CERT_X509ATTR 10
246
247	/* the method to get peers certificate */
248	#define ISAKMP_GETCERT_PAYLOAD 1
249	#define ISAKMP_GETCERT_LOCALFILE 2
250	#define ISAKMP_GETCERT_DNS 3
251
252	/* 3.10 Certificate Request Payload */
253	struct isakmp_pl_cr {
254	struct isakmp_gen h;
255	u_int8_t num_cert; /* # Cert. Types */
256	/*
257	Certificate Types (variable length)
258	-- Contains a list of the types of certificates requested,
259	sorted in order of preference. Each individual certificate
260	type is 1 octet. This field is NOT required.
261	*/
262	/* # Certificate Authorities (1 octet) */
263	/* Certificate Authorities (variable length) */
264	} __attribute__((__packed__));
265
266	/* 3.11 Hash Payload */
267	struct isakmp_pl_hash {
268	struct isakmp_gen h;
269	/* Hash Data */
270	} __attribute__((__packed__));
271
272	/* 3.12 Signature Payload */
273	struct isakmp_pl_sig {
274	struct isakmp_gen h;
275	/* Signature Data */
276	} __attribute__((__packed__));
277
278	/* 3.13 Nonce Payload */
279	struct isakmp_pl_nonce {
280	struct isakmp_gen h;
281	/* Nonce Data */
282	} __attribute__((__packed__));
283
284	/* 3.14 Notification Payload */
285	struct isakmp_pl_n {
286	struct isakmp_gen h;
287	u_int32_t doi; /* Domain of Interpretation */
288	u_int8_t proto_id; /* Protocol-ID */
289	u_int8_t spi_size; /* SPI Size */
290	u_int16_t type; /* Notify Message Type */
291	/* SPI */
292	/* Notification Data */
293	} __attribute__((__packed__));
294
295	/* 3.14.1 Notify Message Types */
296	/* NOTIFY MESSAGES - ERROR TYPES */
297	#define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
298	#define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
299	#define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
300	#define ISAKMP_NTYPE_INVALID_COOKIE 4
301	#define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
302	#define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
303	#define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
304	#define ISAKMP_NTYPE_INVALID_FLAGS 8
305	#define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
306	#define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
307	#define ISAKMP_NTYPE_INVALID_SPI 11
308	#define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
309	#define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
310	#define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
311	#define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
312	#define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
313	#define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
314	#define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
315	#define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
316	#define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
317	#define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
318	#define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
319	#define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
320	#define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
321	#define ISAKMP_NTYPE_INVALID_SIGNATURE 25
322	#define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
323	#define ISAKMP_NTYPE_NOTIFY_SA_LIFETIME 27
324	#define ISAKMP_NTYPE_CERTIFICATE_UNAVAILABLE 28
325	#define ISAKMP_NTYPE_UNSUPPORTED_EXCHANGE_TYPE 29
326	#define ISAKMP_NTYPE_UNEQUAL_PAYLOAD_LENGTHS 30
327	/* NOTIFY MESSAGES - STATUS TYPES */
328	#define ISAKMP_NTYPE_CONNECTED 16384
329	/* 4.6.3 IPSEC DOI Notify Message Types */
330	#define ISAKMP_NTYPE_RESPONDER_LIFETIME 24576
331	#define ISAKMP_NTYPE_REPLAY_STATUS 24577
332	#define ISAKMP_NTYPE_INITIAL_CONTACT 24578
333
334	/* using only to log */
335	#define ISAKMP_LOG_RETRY_LIMIT_REACHED 65530
336
337	/* XXX means internal error but it's not reserved by any drafts... */
338	#define ISAKMP_INTERNAL_ERROR -1
339
340	/* 3.15 Delete Payload */
341	struct isakmp_pl_d {
342	struct isakmp_gen h;
343	u_int32_t doi; /* Domain of Interpretation */
344	u_int8_t proto_id; /* Protocol-Id */
345	u_int8_t spi_size; /* SPI Size */
346	u_int16_t num_spi; /* # of SPIs */
347	/* SPI(es) */
348	} __attribute__((__packed__));
349