Tue Feb 21 22:39:10 2012 UTC (12 years, 4 months ago) by misho
CVS tags: MAIN, HEAD
Initial revision

    1: /*	$NetBSD: ipsec_doi.h,v 1.12 2009/03/12 10:57:26 tteras Exp $	*/
    2: 
    3: /* Id: ipsec_doi.h,v 1.15 2006/08/11 16:06:30 vanhu Exp */
    4: 
    5: /*
    6:  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
    7:  * All rights reserved.
    8:  * 
    9:  * Redistribution and use in source and binary forms, with or without
   10:  * modification, are permitted provided that the following conditions
   11:  * are met:
   12:  * 1. Redistributions of source code must retain the above copyright
   13:  *    notice, this list of conditions and the following disclaimer.
   14:  * 2. Redistributions in binary form must reproduce the above copyright
   15:  *    notice, this list of conditions and the following disclaimer in the
   16:  *    documentation and/or other materials provided with the distribution.
   17:  * 3. Neither the name of the project nor the names of its contributors
   18:  *    may be used to endorse or promote products derived from this software
   19:  *    without specific prior written permission.
   20:  * 
   21:  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
   22:  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
   23:  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
   24:  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
   25:  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
   26:  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
   27:  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
   28:  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
   29:  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
   30:  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
   31:  * SUCH DAMAGE.
   32:  */
   33: 
   34: #ifndef _IPSEC_DOI_H
   35: #define _IPSEC_DOI_H
   36: 
#include <limits.h>

#include "isakmp.h"
   38: 
/*
 * IPsec Domain of Interpretation constants.  Numeric values follow
 * RFC 2407; the "4.x" section numbers in the comments below are from
 * that RFC.
 */

#define IPSEC_DOI 1

/* 4.2 IPSEC Situation Definition -- bit flags for the SA payload's "sit" word */
#define IPSECDOI_SIT_IDENTITY_ONLY           0x00000001
#define IPSECDOI_SIT_SECRECY                 0x00000002
#define IPSECDOI_SIT_INTEGRITY               0x00000004
   47: 
/*
 * Protocol identifiers (flush left) and, indented under each, the
 * transform identifiers valid for that protocol.  Transform numbering
 * restarts per protocol (e.g. AH_MD5 and ESP_DES are both 2), so a
 * transform value is only meaningful together with its protocol ID.
 * This table only names wire identifiers; it says nothing about which
 * transforms are accepted locally -- several (DES, RC4, MD5-based AH)
 * are legacy and that policy is decided elsewhere.
 */

/* 4.4.1 IPSEC Security Protocol Identifiers */
  /* 4.4.2 IPSEC ISAKMP Transform Values */
#define IPSECDOI_PROTO_ISAKMP                        1
#define   IPSECDOI_KEY_IKE                             1

/* 4.4.1 IPSEC Security Protocol Identifiers */
#define IPSECDOI_PROTO_IPSEC_AH                      2
  /* 4.4.3 IPSEC AH Transform Values */
#define   IPSECDOI_AH_MD5                              2
#define   IPSECDOI_AH_SHA                              3
#define   IPSECDOI_AH_DES                              4
#define   IPSECDOI_AH_SHA256                           5
#define   IPSECDOI_AH_SHA384                           6
#define   IPSECDOI_AH_SHA512                           7

/* 4.4.1 IPSEC Security Protocol Identifiers */
#define IPSECDOI_PROTO_IPSEC_ESP                     3
  /* 4.4.4 IPSEC ESP Transform Identifiers */
#define   IPSECDOI_ESP_DES_IV64				1
#define   IPSECDOI_ESP_DES				2
#define   IPSECDOI_ESP_3DES				3
#define   IPSECDOI_ESP_RC5				4
#define   IPSECDOI_ESP_IDEA				5
#define   IPSECDOI_ESP_CAST				6
#define   IPSECDOI_ESP_BLOWFISH				7
#define   IPSECDOI_ESP_3IDEA				8
#define   IPSECDOI_ESP_DES_IV32				9
#define   IPSECDOI_ESP_RC4				10
#define   IPSECDOI_ESP_NULL				11
#define   IPSECDOI_ESP_AES				12
#define   IPSECDOI_ESP_CAMELLIA				22
#if 1
  /*
   * draft-ietf-ipsec-ciph-aes-cbc-00.txt; 253 lies in the private-use
   * range, so interoperability depends on the peer using the same value.
   */
#define   IPSECDOI_ESP_TWOFISH				253
#else
  /* SSH uses this value for now */
#define   IPSECDOI_ESP_TWOFISH				250
#endif

/* 4.4.1 IPSEC Security Protocol Identifiers */
#define IPSECDOI_PROTO_IPCOMP                        4
  /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
#define   IPSECDOI_IPCOMP_OUI				1
#define   IPSECDOI_IPCOMP_DEFLATE			2
#define   IPSECDOI_IPCOMP_LZS				3
   93: 
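/* 4.5 IPSEC Security Association Attributes */
/*
 * Attribute type numbers.  "B" marks a basic (fixed 16-bit value)
 * attribute, "V" a variable-length one, as in the ISAKMP attribute
 * encoding.  The indented names are the values an attribute can take.
 * NOTE: default value is not included in a packet.
 */
#define IPSECDOI_ATTR_SA_LD_TYPE              1 /* B */
#define   IPSECDOI_ATTR_SA_LD_TYPE_DEFAULT      1
#define   IPSECDOI_ATTR_SA_LD_TYPE_SEC          1
#define   IPSECDOI_ATTR_SA_LD_TYPE_KB           2
#define   IPSECDOI_ATTR_SA_LD_TYPE_MAX          3
#define IPSECDOI_ATTR_SA_LD                   2 /* V */
#define   IPSECDOI_ATTR_SA_LD_SEC_DEFAULT      28800 /* 8 hours */
/*
 * Largest kilobyte lifetime representable in an int.  The previous
 * definition, ~(1 << ((sizeof(int) << 3) - 1)), shifted a set bit into
 * the sign position of a signed int, which is undefined behaviour in C;
 * INT_MAX is the same value on every two's-complement target without
 * relying on UB.  Needs <limits.h>.
 */
#define   IPSECDOI_ATTR_SA_LD_KB_MAX  INT_MAX
#define IPSECDOI_ATTR_GRP_DESC                3 /* B */
#define IPSECDOI_ATTR_ENC_MODE                4 /* B */
	/* default value: host dependent */
#define   IPSECDOI_ATTR_ENC_MODE_ANY            0	/* NOTE:internal use, never sent on the wire */
#define   IPSECDOI_ATTR_ENC_MODE_TUNNEL         1
#define   IPSECDOI_ATTR_ENC_MODE_TRNS           2

/* NAT-T draft-ietf-ipsec-nat-t-ike-05 and later (also the RFC 3947 values) */
#define   IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC	3
#define   IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC	4

/* NAT-T up to draft-ietf-ipsec-nat-t-ike-04 (private-use numbers) */
#define   IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT	61443
#define   IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT		61444

#define IPSECDOI_ATTR_AUTH                    5 /* B */
	/* 0 means not to use authentication. */
#define   IPSECDOI_ATTR_AUTH_HMAC_MD5           1
#define   IPSECDOI_ATTR_AUTH_HMAC_SHA1          2
#define   IPSECDOI_ATTR_AUTH_DES_MAC            3
#define   IPSECDOI_ATTR_AUTH_KPDK               4 /*RFC-1826(Key/Pad/Data/Key)*/
#define   IPSECDOI_ATTR_AUTH_HMAC_SHA2_256      5
#define   IPSECDOI_ATTR_AUTH_HMAC_SHA2_384      6
#define   IPSECDOI_ATTR_AUTH_HMAC_SHA2_512      7
#define   IPSECDOI_ATTR_AUTH_NONE               254	/* NOTE:internal use, never sent on the wire */
	/*
	 * When negotiating ESP without authentication, the Auth
	 * Algorithm attribute MUST NOT be included in the proposal.
	 * When negotiating ESP without confidentiality, the Auth
	 * Algorithm attribute MUST be included in the proposal and
	 * the ESP transform ID must be ESP_NULL.
	 */
#define IPSECDOI_ATTR_KEY_LENGTH              6 /* B */
#define IPSECDOI_ATTR_KEY_ROUNDS              7 /* B */
#define IPSECDOI_ATTR_COMP_DICT_SIZE          8 /* B */
#define IPSECDOI_ATTR_COMP_PRIVALG            9 /* V */

#ifdef HAVE_SECCTX
/* Security context attribute; only compiled in when HAVE_SECCTX is set. */
#define IPSECDOI_ATTR_SECCTX		     10 /* V */
#endif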
  144: 
/* 4.6.1 Security Association Payload */
/*
 * Wire layout of the SA payload: the generic ISAKMP payload header
 * followed by the DOI and Situation words.  Packed so it can be
 * overlaid on a received buffer; the caller must first check that the
 * buffer holds at least sizeof(struct ipsecdoi_pl_sa) bytes before
 * reading b.  NOTE(review): the fields are presumably carried in
 * network byte order and converted at the point of use -- confirm in
 * the parsing code.
 */
struct ipsecdoi_pl_sa {
	struct isakmp_gen h;
	struct ipsecdoi_sa_b {
		u_int32_t doi; /* Domain of Interpretation (IPSEC_DOI) */
		u_int32_t sit; /* Situation (IPSECDOI_SIT_* flags) */
	} b;
	/* followed by Leveled Domain Identifier and so on. */
} __attribute__((__packed__));
  154: 
/*
 * Header of a secrecy/integrity level entry in the SA payload's
 * situation data.  len counts the value that follows this header;
 * a parser must bound it by the remaining payload length before use.
 */
struct ipsecdoi_secrecy_h {
	u_int16_t len;
	u_int16_t reserved;
	/* followed by the value */
} __attribute__((__packed__));
  160: 
/* 4.6.2 Identification Payload Content */
/*
 * Wire layout of the Identification payload: generic ISAKMP header,
 * then the 4-byte ID body.  Packed for overlay on received bytes; check
 * the buffer length against sizeof(struct ipsecdoi_pl_id) before
 * reading b, and bound the trailing Identification Data by the length
 * in h rather than by the ID type.
 */
struct ipsecdoi_pl_id {
	struct isakmp_gen h;
	struct ipsecdoi_id_b {
		u_int8_t type;		/* ID Type (IPSECDOI_ID_*) */
		u_int8_t proto_id;	/* Protocol ID */
		u_int16_t port;		/* Port */
	} b;
	/* followed by Identification Data */
} __attribute__((__packed__));
  171: 
/* Identification payload ID Type values (wire values, RFC 2407 4.6.2.1). */
#define IPSECDOI_ID_IPV4_ADDR                        1
#define IPSECDOI_ID_FQDN                             2
#define IPSECDOI_ID_USER_FQDN                        3
#define IPSECDOI_ID_IPV4_ADDR_SUBNET                 4
#define IPSECDOI_ID_IPV6_ADDR                        5
#define IPSECDOI_ID_IPV6_ADDR_SUBNET                 6
#define IPSECDOI_ID_IPV4_ADDR_RANGE                  7
#define IPSECDOI_ID_IPV6_ADDR_RANGE                  8
#define IPSECDOI_ID_DER_ASN1_DN                      9
#define IPSECDOI_ID_DER_ASN1_GN                      10
#define IPSECDOI_ID_KEY_ID                           11

/*
 * Internal (compressed) ID type numbering; not the wire values above.
 * Do not mix the two: idtype2doi()/doi2idtype() below translate.
 */
#define IDTYPE_UNDEFINED	0
#define IDTYPE_FQDN		1
#define IDTYPE_USERFQDN		2
#define IDTYPE_KEYID		3
#define IDTYPE_ADDRESS		4
#define IDTYPE_ASN1DN		5
#define IDTYPE_SUBNET		6

/* qualifiers for KEYID (and maybe others) */
#define IDQUAL_UNSPEC		0
#define IDQUAL_FILE		1
#define IDQUAL_TAG		2

/* Used when checking proposal payloads (phase 1 vs. phase 2); this is not an exchange type. */
#define IPSECDOI_TYPE_PH1	0
#define IPSECDOI_TYPE_PH2	1

/*
 * Prefix that will make ipsecdoi_sockaddr2id() generate address type
 * identities without knowing the exact length of address.
 */
#define IPSECDOI_PREFIX_HOST	0xff
  207: 
/*
 * Opaque types used by the prototypes below; they are defined in other
 * racoon headers.  struct ipsecdoi_pl_sa is already defined above, so
 * that forward declaration is a harmless redeclaration.
 */
struct isakmpsa;
struct ipsecdoi_pl_sa;
struct saprop;
struct saproto;
struct satrns;
struct prop_pair;

/*
 * Proposal checking and selection.  Judging by the names these validate a
 * peer's phase 1 proposal against the local handle and select/check the
 * phase 2 proposal; the return-code convention and the ownership of any
 * vchar_t results are fixed by the implementation file, not here -- confirm
 * there before relying on them.  These functions consume peer-supplied
 * payloads, so their length checks are the security boundary.
 */
extern int ipsecdoi_checkph1proposal __P((vchar_t *, struct ph1handle *));
extern int ipsecdoi_selectph2proposal __P((struct ph2handle *));
extern int ipsecdoi_checkph2proposal __P((struct ph2handle *));

/* Proposal/SA payload construction and identity handling. */
extern struct prop_pair **get_proppair __P((vchar_t *, int));
extern vchar_t *get_sabyproppair __P((u_int32_t, u_int32_t, struct prop_pair *));
extern int ipsecdoi_updatespi __P((struct ph2handle *iph2));
extern vchar_t *get_sabysaprop __P((struct saprop *, vchar_t *));
/* Written without __P(), unlike its neighbours; same meaning either way. */
extern int ipsecdoi_chkcmpids( const vchar_t *, const vchar_t *, int );
extern int ipsecdoi_checkid1 __P((struct ph1handle *));
extern int ipsecdoi_setid1 __P((struct ph1handle *));
extern int set_identifier __P((vchar_t **, int, vchar_t *));
extern int set_identifier_qual __P((vchar_t **, int, vchar_t *, int));
extern int ipsecdoi_setid2 __P((struct ph2handle *));
/* See IPSECDOI_PREFIX_HOST above for the prefix argument. */
extern vchar_t *ipsecdoi_sockaddr2id __P((struct sockaddr *, u_int, u_int));
extern int ipsecdoi_id2sockaddr __P((vchar_t *, struct sockaddr *,
	u_int8_t *, u_int16_t *));
extern char *ipsecdoi_id2str __P((const vchar_t *));
extern vchar_t *ipsecdoi_sockrange2id __P((	struct sockaddr *,
	struct sockaddr *, u_int));

extern vchar_t *ipsecdoi_setph1proposal __P((struct remoteconf *,
					     struct isakmpsa *));
extern int ipsecdoi_setph2proposal __P((struct ph2handle *));
extern int ipsecdoi_transportmode __P((struct saprop *));
extern int ipsecdoi_get_defaultlifetime __P((void));
extern int ipsecdoi_checkalgtypes __P((int, int, int, int));
/* Translation between IP protocol numbers and IPSECDOI_PROTO_* values. */
extern int ipproto2doi __P((int));
extern int doi2ipproto __P((int));

extern int ipsecdoi_t2satrns __P((struct isakmp_pl_t *,
	struct saprop *, struct saproto *, struct satrns *));
extern int ipsecdoi_authalg2trnsid __P((int));
/* Translation between the internal IDTYPE_* numbering and IPSECDOI_ID_* wire values. */
extern int idtype2doi __P((int));
extern int doi2idtype __P((int));

/*
 * Parses a responder-lifetime notification into seconds / kilobytes.
 * The second output parameter is spelled "liftime_kb" in this prototype;
 * prototype parameter names have no effect on callers, but the definition
 * presumably spells it "lifetime_kb".
 */
extern int ipsecdoi_parse_responder_lifetime __P((struct isakmp_pl_n *notify,
	u_int32_t *lifetime_sec, u_int32_t *liftime_kb));
  253: 
  254: 
  255: #endif /* _IPSEC_DOI_H */
