1.1 misho 1: /* $NetBSD: isakmp.h,v 1.7 2009/05/20 07:54:50 vanhu Exp $ */
2:
3: /* Id: isakmp.h,v 1.11 2005/04/25 22:19:39 manubsd Exp */
4:
5: /*
6: * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7: * All rights reserved.
8: *
9: * Redistribution and use in source and binary forms, with or without
10: * modification, are permitted provided that the following conditions
11: * are met:
12: * 1. Redistributions of source code must retain the above copyright
13: * notice, this list of conditions and the following disclaimer.
14: * 2. Redistributions in binary form must reproduce the above copyright
15: * notice, this list of conditions and the following disclaimer in the
16: * documentation and/or other materials provided with the distribution.
17: * 3. Neither the name of the project nor the names of its contributors
18: * may be used to endorse or promote products derived from this software
19: * without specific prior written permission.
20: *
21: * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24: * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31: * SUCH DAMAGE.
32: */
33:
/*
 * Include guard.
 * NOTE(review): an identifier beginning with "_" followed by an uppercase
 * letter is reserved for the C implementation; if it is ever renamed, the
 * matching "#endif" comment at the bottom of this header must follow.
 */
#ifndef _ISAKMP_H
#define _ISAKMP_H
36:
37: /* refer to RFC 2408 */
38:
39: #include <netinet/in.h>
40: #include "isakmp_var.h"
41:
/* Role of this side of an exchange (ISAKMP initiator / responder). */
#define INITIATOR 0 /* synonym sender */
#define RESPONDER 1 /* synonym receiver */

/*
 * Direction selector: compute an outgoing value vs. check an incoming one.
 * NOTE(review): the callers are not in this header -- confirm the exact
 * meaning against the code that passes these.
 */
#define GENERATE 1
#define VALIDATE 0
47:
48: /* 3.1 ISAKMP Header Format
49: 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
50: +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
51: ! Initiator !
52: ! Cookie !
53: +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
54: ! Responder !
55: ! Cookie !
56: +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
57: ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
58: +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
59: ! Message ID !
60: +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
61: ! Length !
62: +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
63: */
/*
 * ISAKMP message header (RFC 2408 section 3.1), laid out exactly as it
 * appears on the wire (packed).  Multi-byte fields are in network byte
 * order per RFC 2408; convert before interpreting them.
 * NOTE(review): on receive every field here is peer-controlled.  In
 * particular len must be checked against the number of octets actually
 * received before any payload chain is walked from this header.
 */
struct isakmp {
	cookie_t i_ck;   /* Initiator Cookie (cookie_t presumably from isakmp_var.h) */
	cookie_t r_ck;   /* Responder Cookie */
	u_int8_t np;     /* Next Payload Type (ISAKMP_NPTYPE_*) */
	u_int8_t v;      /* Version: major in the high nibble, minor in the low
	                  * (see ISAKMP_GETMAJORV / ISAKMP_GETMINORV) */
	u_int8_t etype;  /* Exchange Type (ISAKMP_ETYPE_*) */
	u_int8_t flags;  /* Flags (ISAKMP_FLAG_*) */
	u_int32_t msgid; /* Message ID */
	u_int32_t len;   /* Length of the whole message in octets, header included */
} __attribute__((__packed__));
74:
/* Next Payload Type (RFC 2408 section 3.1 and appendix A): values 0..14
 * are assigned by the RFC; 15..127 were reserved there. */
#define ISAKMP_NPTYPE_NONE 0 /* NONE*/
#define ISAKMP_NPTYPE_SA 1 /* Security Association */
#define ISAKMP_NPTYPE_P 2 /* Proposal */
#define ISAKMP_NPTYPE_T 3 /* Transform */
#define ISAKMP_NPTYPE_KE 4 /* Key Exchange */
#define ISAKMP_NPTYPE_ID 5 /* Identification */
#define ISAKMP_NPTYPE_CERT 6 /* Certificate */
#define ISAKMP_NPTYPE_CR 7 /* Certificate Request */
#define ISAKMP_NPTYPE_HASH 8 /* Hash */
#define ISAKMP_NPTYPE_SIG 9 /* Signature */
#define ISAKMP_NPTYPE_NONCE 10 /* Nonce */
#define ISAKMP_NPTYPE_N 11 /* Notification */
#define ISAKMP_NPTYPE_D 12 /* Delete */
#define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
#define ISAKMP_NPTYPE_ATTR 14 /* Attribute */
91:
92:
/* NAT-T draft-ietf-ipsec-nat-t-ike-05 and later */
/* XXX conflicts with values assigned to RFC 3547 */
#define ISAKMP_NPTYPE_NATD_BADDRAFT 15 /* NAT Discovery */
#define ISAKMP_NPTYPE_NATOA_BADDRAFT 16 /* NAT Original Address */


/* NAT-T RFC (RFC 3947) */
#define ISAKMP_NPTYPE_NATD_RFC 20 /* NAT Discovery */
#define ISAKMP_NPTYPE_NATOA_RFC 21 /* NAT Original Address */

/* NAT-T up to draft-ietf-ipsec-nat-t-ike-04 (private-use range) */
#define ISAKMP_NPTYPE_NATD_DRAFT 130 /* NAT Discovery */
#define ISAKMP_NPTYPE_NATOA_DRAFT 131 /* NAT Original Address */

/* Frag does not seem to be documented */
#define ISAKMP_NPTYPE_FRAG 132 /* IKE fragmentation payload */

/*
 * One past the highest contiguous value above (0..16).  The NAT-T RFC
 * values (20, 21) and the private-use values (129..132) are NOT below
 * this bound.
 * NOTE(review): any table indexed by a received next-payload byte and
 * sized by this constant must reject or remap those values explicitly,
 * otherwise the lookup runs past the end of the table.
 */
#define ISAKMP_NPTYPE_MAX 17
/* 128 - 255 Private Use */
112:
/*
 * The following are valid when the Vendor ID is one of the
 * following:
 *
 * MD5("A GSS-API Authentication Method for IKE")
 * MD5("GSSAPI") (recognized by Windows 2000)
 * MD5("MS NT5 ISAKMPOAKLEY") (sent by Windows 2000)
 *
 * See draft-ietf-ipsec-isakmp-gss-auth-06.txt.
 * The value lies in the 128..255 private-use range and, like the other
 * private values above, is not covered by ISAKMP_NPTYPE_MAX.
 */
#define ISAKMP_NPTYPE_GSS 129 /* GSS token */
124:
/*
 * ISAKMP protocol version.  struct isakmp.v carries the major version in
 * its high nibble and the minor version in its low nibble; the accessor
 * macros below read and write those nibbles.  The SET macros assign to
 * their first argument, which therefore must be an lvalue evaluated
 * without side effects (it appears twice in the expansion).
 */
#define ISAKMP_MAJOR_VERSION 1
#define ISAKMP_MINOR_VERSION 0
#define ISAKMP_VERSION_NUMBER 0x10 /* major 1, minor 0 as seen on the wire */
/* high nibble -> major version */
#define ISAKMP_GETMAJORV(v) (((v) >> 4) & 0x0f)
/* replace the high nibble of v with the low nibble of m */
#define ISAKMP_SETMAJORV(v, m) ((v) = (((m) & 0x0f) << 4) | ((v) & 0x0f))
/* low nibble -> minor version */
#define ISAKMP_GETMINORV(v) (0x0f & (v))
/* replace the low nibble of v with the low nibble of m */
#define ISAKMP_SETMINORV(v, m) ((v) = ((m) & 0x0f) | ((v) & 0xf0))
132:
/* Exchange Type (RFC 2408 section 3.1): 0..5 are defined by the RFC */
#define ISAKMP_ETYPE_NONE 0 /* NONE */
#define ISAKMP_ETYPE_BASE 1 /* Base */
#define ISAKMP_ETYPE_IDENT 2 /* Identity Protection */
#define ISAKMP_ETYPE_AUTH 3 /* Authentication Only */
#define ISAKMP_ETYPE_AGG 4 /* Aggressive */
#define ISAKMP_ETYPE_INFO 5 /* Informational */
#define ISAKMP_ETYPE_CFG 6 /* Mode config (from the mode-cfg draft, not RFC 2408) */
/* Additional Exchange Type (32 and up is the DOI-specific range in RFC 2408) */
#define ISAKMP_ETYPE_QUICK 32 /* Quick Mode */
#define ISAKMP_ETYPE_NEWGRP 33 /* New group Mode */
#define ISAKMP_ETYPE_ACKINFO 34 /* Acknowledged Informational */
145:
/* Flags (RFC 2408 section 3.1).  Only these three bits are assigned; the
 * RFC requires the remaining bits to be zero on transmission. */
#define ISAKMP_FLAG_E 0x01 /* Encryption Bit: payloads after the header are encrypted */
#define ISAKMP_FLAG_C 0x02 /* Commit Bit */
#define ISAKMP_FLAG_A 0x04 /* Authentication Only Bit */
150:
151: /* 3.2 Payload Generic Header
152: 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
153: +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
154: ! Next Payload ! RESERVED ! Payload Length !
155: +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
156: */
/*
 * Generic payload header (RFC 2408 section 3.2) that begins every payload.
 * len counts the payload in octets INCLUDING these four header octets, so a
 * received len smaller than sizeof(struct isakmp_gen) is malformed.
 * NOTE(review): np and len are peer-supplied; a parser should verify len
 * against the octets remaining in the message before following it.
 */
struct isakmp_gen {
	u_int8_t np;       /* Next Payload */
	u_int8_t reserved; /* RESERVED, unused, must set to 0 */
	u_int16_t len;     /* Payload Length (network byte order, header included) */
} __attribute__((__packed__));
162:
163: /* 3.3 Data Attributes
164: 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
165: +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
166: !A! Attribute Type ! AF=0 Attribute Length !
167: !F! ! AF=1 Attribute Value !
168: +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
169: . AF=0 Attribute Value .
170: . AF=1 Not Transmitted .
171: +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
172: */
/*
 * Data attribute (RFC 2408 section 3.3).  The top bit of type is the
 * Attribute Format (AF) flag, see ISAKMP_GEN_MASK below:
 *   AF=0 (ISAKMP_GEN_TLV): lorv is the length of a value that follows;
 *   AF=1 (ISAKMP_GEN_TV):  lorv IS the 16-bit value, nothing follows.
 */
struct isakmp_data {
	u_int16_t type; /* AF bit | Attribute Type (defined by DOI-spec) */
	u_int16_t lorv; /* AF=0: Attribute Length */
	                /* AF=1: Attribute Value */
	/* AF=0: variable-length Attribute Value follows */
} __attribute__((__packed__));
/* Attribute Format (AF) bit of isakmp_data.type */
#define ISAKMP_GEN_TLV 0x0000 /* Type/Length/Value: value follows lorv */
#define ISAKMP_GEN_TV 0x8000  /* Type/Value: value carried in lorv itself */
/* mask for type of attribute format */
#define ISAKMP_GEN_MASK 0x8000
183:
184: #if 0
185: /* MAY NOT be used, because of being defined in ipsec-doi. */
186: /* 3.4 Security Association Payload */
187: struct isakmp_pl_sa {
188: struct isakmp_gen h;
189: u_int32_t doi; /* Domain of Interpretation */
190: u_int32_t sit; /* Situation */
191: } __attribute__((__packed__));
192: #endif
193:
194: /* 3.5 Proposal Payload */
195: /*
196: The value of the next payload field MUST only contain the value "2"
197: or "0". If there are additional Proposal payloads in the message,
198: then this field will be 2. If the current Proposal payload is the
199: last within the security association proposal, then this field will
200: be 0.
201: */
/*
 * Proposal payload (RFC 2408 section 3.5).  spi_size octets of SPI follow
 * the fixed part, then num_t Transform payloads.
 * NOTE(review): spi_size and num_t come from the peer; check spi_size
 * against h.len before reading the SPI and bound the transform walk by
 * h.len as well.
 */
struct isakmp_pl_p {
	struct isakmp_gen h;
	u_int8_t p_no;     /* Proposal # */
	u_int8_t proto_id; /* Protocol */
	u_int8_t spi_size; /* SPI Size, in octets */
	u_int8_t num_t;    /* Number of Transforms */
	/* SPI (spi_size octets) */
} __attribute__((__packed__));
210:
211: /* 3.6 Transform Payload */
212: /*
213: The value of the next payload field MUST only contain the value "3"
214: or "0". If there are additional Transform payloads in the proposal,
215: then this field will be 3. If the current Transform payload is the
216: last within the proposal, then this field will be 0.
217: */
/*
 * Transform payload (RFC 2408 section 3.6).  The SA attributes that follow
 * are a sequence of struct isakmp_data items running to h.len.
 */
struct isakmp_pl_t {
	struct isakmp_gen h;
	u_int8_t t_no;      /* Transform # */
	u_int8_t t_id;      /* Transform-Id */
	u_int16_t reserved; /* RESERVED2, must be zero */
	/* SA Attributes (struct isakmp_data list) */
} __attribute__((__packed__));
225:
226: /* 3.7 Key Exchange Payload */
/* Key Exchange payload (RFC 2408 section 3.7): only the generic header is
 * fixed; the key exchange data runs from here to h.len. */
struct isakmp_pl_ke {
	struct isakmp_gen h;
	/* Key Exchange Data */
} __attribute__((__packed__));
231:
232: #if 0
233: /* NOTE: MUST NOT use because of being defined in ipsec-doi instead them. */
234: /* 3.8 Identification Payload */
235: struct isakmp_pl_id {
236: struct isakmp_gen h;
237: union {
238: u_int8_t id_type; /* ID Type */
239: u_int32_t doi_data; /* DOI Specific ID Data */
240: } d;
241: /* Identification Data */
242: } __attribute__((__packed__));
243: /* A.4 ISAKMP Identification Type Values */
244: #define ISAKMP_ID_IPV4_ADDR 0
245: #define ISAKMP_ID_IPV4_ADDR_SUBNET 1
246: #define ISAKMP_ID_IPV6_ADDR 2
247: #define ISAKMP_ID_IPV6_ADDR_SUBNET 3
248: #endif
249:
250: /* 3.9 Certificate Payload */
/*
 * Certificate payload (RFC 2408 section 3.9).  The certificate encoding
 * octet (ISAKMP_CERT_*) is not a struct member; it is the first octet
 * after the generic header, and the certificate data follows it.
 */
struct isakmp_pl_cert {
	struct isakmp_gen h;
	/*
	 * Encoding type of 1 octet follows immediately,
	 * variable length CERT data follows encoding type.
	 */
} __attribute__((__packed__));
258:
259: /* Certificate Type */
/* Certificate Type (certificate encoding octet, RFC 2408 section 3.9) */
#define ISAKMP_CERT_NONE 0
#define ISAKMP_CERT_PKCS7 1
#define ISAKMP_CERT_PGP 2
#define ISAKMP_CERT_DNS 3
#define ISAKMP_CERT_X509SIGN 4
#define ISAKMP_CERT_X509KE 5
#define ISAKMP_CERT_KERBEROS 6
#define ISAKMP_CERT_CRL 7
#define ISAKMP_CERT_ARL 8
#define ISAKMP_CERT_SPKI 9
#define ISAKMP_CERT_X509ATTR 10
/* NOTE(review): 11 is not an RFC 2408 encoding; appears to be racoon-local
 * for plain RSA keys -- confirm against the certificate handling code */
#define ISAKMP_CERT_PLAINRSA 11
272:
273: /* 3.10 Certificate Request Payload */
/*
 * Certificate Request payload (RFC 2408 section 3.10).  Only num_cert is
 * fixed; the certificate type list, the CA count and the CA names follow
 * as variable-length data bounded by h.len.
 * NOTE(review): num_cert is peer-supplied; check it against h.len before
 * reading that many type octets.
 */
struct isakmp_pl_cr {
	struct isakmp_gen h;
	u_int8_t num_cert; /* # Cert. Types */
	/*
	Certificate Types (variable length)
	-- Contains a list of the types of certificates requested,
	sorted in order of preference. Each individual certificate
	type is 1 octet. This field is NOT required.
	*/
	/* # Certificate Authorities (1 octet) */
	/* Certificate Authorities (variable length) */
} __attribute__((__packed__));
286:
287: /* 3.11 Hash Payload */
/* Hash payload (RFC 2408 section 3.11): hash data runs from the generic
 * header to h.len. */
struct isakmp_pl_hash {
	struct isakmp_gen h;
	/* Hash Data */
} __attribute__((__packed__));
292:
293: /* 3.12 Signature Payload */
/* Signature payload (RFC 2408 section 3.12): signature data runs from the
 * generic header to h.len. */
struct isakmp_pl_sig {
	struct isakmp_gen h;
	/* Signature Data */
} __attribute__((__packed__));
298:
299: /* 3.13 Nonce Payload */
/* Nonce payload (RFC 2408 section 3.13): nonce data runs from the generic
 * header to h.len. */
struct isakmp_pl_nonce {
	struct isakmp_gen h;
	/* Nonce Data */
} __attribute__((__packed__));
304:
305: /* 3.14 Notification Payload */
/*
 * Notification payload (RFC 2408 section 3.14).  spi_size octets of SPI
 * follow the fixed part, then notification data up to h.len.
 * NOTE(review): spi_size is peer-supplied; check it against h.len before
 * reading the SPI or computing where the notification data starts.
 */
struct isakmp_pl_n {
	struct isakmp_gen h;
	u_int32_t doi;     /* Domain of Interpretation */
	u_int8_t proto_id; /* Protocol-ID */
	u_int8_t spi_size; /* SPI Size, in octets */
	u_int16_t type;    /* Notify Message Type (ISAKMP_NTYPE_*) */
	/* SPI (spi_size octets) */
	/* Notification Data */
} __attribute__((__packed__));
315:
316: /* 3.14.1 Notify Message Types */
317: /* NOTIFY MESSAGES - ERROR TYPES */
/* Error types occupy 1..16383 (RFC 2408 section 3.14.1); 1..30 are
 * assigned by the RFC, the rest of the range is reserved or private use. */
#define ISAKMP_NTYPE_INVALID_PAYLOAD_TYPE 1
#define ISAKMP_NTYPE_DOI_NOT_SUPPORTED 2
#define ISAKMP_NTYPE_SITUATION_NOT_SUPPORTED 3
#define ISAKMP_NTYPE_INVALID_COOKIE 4
#define ISAKMP_NTYPE_INVALID_MAJOR_VERSION 5
#define ISAKMP_NTYPE_INVALID_MINOR_VERSION 6
#define ISAKMP_NTYPE_INVALID_EXCHANGE_TYPE 7
#define ISAKMP_NTYPE_INVALID_FLAGS 8
#define ISAKMP_NTYPE_INVALID_MESSAGE_ID 9
#define ISAKMP_NTYPE_INVALID_PROTOCOL_ID 10
#define ISAKMP_NTYPE_INVALID_SPI 11
#define ISAKMP_NTYPE_INVALID_TRANSFORM_ID 12
#define ISAKMP_NTYPE_ATTRIBUTES_NOT_SUPPORTED 13
#define ISAKMP_NTYPE_NO_PROPOSAL_CHOSEN 14
#define ISAKMP_NTYPE_BAD_PROPOSAL_SYNTAX 15
#define ISAKMP_NTYPE_PAYLOAD_MALFORMED 16
#define ISAKMP_NTYPE_INVALID_KEY_INFORMATION 17
#define ISAKMP_NTYPE_INVALID_ID_INFORMATION 18
#define ISAKMP_NTYPE_INVALID_CERT_ENCODING 19
#define ISAKMP_NTYPE_INVALID_CERTIFICATE 20
#define ISAKMP_NTYPE_BAD_CERT_REQUEST_SYNTAX 21
#define ISAKMP_NTYPE_INVALID_CERT_AUTHORITY 22
#define ISAKMP_NTYPE_INVALID_HASH_INFORMATION 23
#define ISAKMP_NTYPE_AUTHENTICATION_FAILED 24
#define ISAKMP_NTYPE_INVALID_SIGNATURE 25
#define ISAKMP_NTYPE_ADDRESS_NOTIFICATION 26
#define ISAKMP_NTYPE_NOTIFY_SA_LIFETIME 27
#define ISAKMP_NTYPE_CERTIFICATE_UNAVAILABLE 28
#define ISAKMP_NTYPE_UNSUPPORTED_EXCHANGE_TYPE 29
#define ISAKMP_NTYPE_UNEQUAL_PAYLOAD_LENGTHS 30
/* bounds of the error range: a type in [MINERROR, MAXERROR] is an error,
 * anything above is a status notification */
#define ISAKMP_NTYPE_MINERROR 1
#define ISAKMP_NTYPE_MAXERROR 16383
350: /* NOTIFY MESSAGES - STATUS TYPES */
351: #define ISAKMP_NTYPE_CONNECTED 16384
352: /* 4.6.3 IPSEC DOI Notify Message Types */
353: #define ISAKMP_NTYPE_RESPONDER_LIFETIME 24576
354: #define ISAKMP_NTYPE_REPLAY_STATUS 24577
355: #define ISAKMP_NTYPE_INITIAL_CONTACT 24578
356:
/* DPD (Dead Peer Detection, RFC 3706) -- private-use status notifications
 * carried in struct isakmp_pl_ru */
#define ISAKMP_NTYPE_R_U_THERE 36136
#define ISAKMP_NTYPE_R_U_THERE_ACK 36137

/* private-use status notification (IKE heartbeat draft) */
#define ISAKMP_NTYPE_HEARTBEAT 40503

/* using only to log */
#define ISAKMP_LOG_RETRY_LIMIT_REACHED 65530

/* XXX means internal error but it's not reserved by any drafts... */
/* NOTE(review): negative, so it cannot be represented in the u_int16_t
 * type field of struct isakmp_pl_n; for in-process signalling only and
 * must never be written to the wire or compared against a received type. */
#define ISAKMP_INTERNAL_ERROR -1
368:
369: /* 3.15 Delete Payload */
/*
 * Delete payload (RFC 2408 section 3.15).  num_spi SPIs of spi_size octets
 * each follow the fixed part.
 * NOTE(review): both counts are peer-supplied; verify that
 * num_spi * spi_size fits within h.len before iterating the SPI list.
 */
struct isakmp_pl_d {
	struct isakmp_gen h;
	u_int32_t doi;     /* Domain of Interpretation */
	u_int8_t proto_id; /* Protocol-Id */
	u_int8_t spi_size; /* SPI Size, in octets */
	u_int16_t num_spi; /* # of SPIs */
	/* SPI(es): num_spi entries of spi_size octets */
} __attribute__((__packed__));
378:
/*
 * In-memory (not wire) doubly linked list of payloads queued for a
 * message being built.  vchar_t is presumably the racoon buffer type from
 * isakmp_var.h / vmbuf.h.
 */
struct payload_list {
	struct payload_list *next, *prev;
	vchar_t *payload;       /* payload bytes, generic header included? -- confirm against caller */
	u_int8_t payload_type;  /* ISAKMP_NPTYPE_* of this entry */
	u_int8_t free_payload;  /* presumably: non-zero if this list owns payload and frees it -- confirm */
};
385:
386:
387: /* See draft-ietf-ipsec-isakmp-mode-cfg-04.txt, 3.2 */
/*
 * Attribute payload for ISAKMP mode configuration
 * (draft-ietf-ipsec-isakmp-mode-cfg-04.txt section 3.2).  A list of
 * struct isakmp_data attributes follows, bounded by h.len.
 */
struct isakmp_pl_attr {
	struct isakmp_gen h;
	u_int8_t type; /* Exchange type (ISAKMP_CFG_*) */
	u_int8_t res2; /* reserved */
	u_int16_t id;  /* Per transaction id */
} __attribute__((__packed__));
394:
395: /* Exchange type */
/* Mode-config message types carried in isakmp_pl_attr.type */
#define ISAKMP_CFG_REQUEST 1
#define ISAKMP_CFG_REPLY 2
#define ISAKMP_CFG_SET 3
#define ISAKMP_CFG_ACK 4
400:
401: /* IKE fragmentation payload */
/*
 * IKE fragmentation payload (undocumented vendor extension, see
 * ISAKMP_NPTYPE_FRAG).  Note this struct does NOT begin with
 * struct isakmp_gen; the first three 16-bit fields appear to stand in for
 * a generic header plus a fragment identifier -- confirm against the
 * fragment handling code.
 * NOTE(review): index, len and flags are peer-supplied; reassembly must
 * bound the total size and the number of fragments it will buffer.
 */
struct isakmp_frag {
	u_int16_t unknown0; /* always set to zero? */
	u_int16_t len;      /* fragment payload length */
	u_int16_t unknown1; /* always set to 1? */
	u_int8_t index;     /* fragment sequence number */
	u_int8_t flags;     /* ISAKMP_FRAG_* */
} __attribute__((__packed__));
409:
/* isakmp_frag.flags */
#define ISAKMP_FRAG_LAST 1 /* set on the final fragment of a message */
412:
413: /* DPD R-U-THERE / R-U-THERE-ACK Payload */
/*
 * DPD R-U-THERE / R-U-THERE-ACK Payload (RFC 3706): a Notification
 * payload whose SPI is the pair of phase-1 cookies and whose data is a
 * 32-bit sequence number.
 * NOTE(review): the SPI size for this layout is fixed by the struct
 * (two cookie_t); a receiver should verify spi_size matches that before
 * reading i_ck/r_ck/data from the wire.
 */
struct isakmp_pl_ru {
	struct isakmp_gen h;
	u_int32_t doi;     /* Domain of Interpretation */
	u_int8_t proto_id; /* Protocol-Id */
	u_int8_t spi_size; /* SPI Size */
	u_int16_t type;    /* Notify type: ISAKMP_NTYPE_R_U_THERE or _ACK */
	cookie_t i_ck;     /* Initiator Cookie */
	cookie_t r_ck;     /* Responder cookie*/
	u_int32_t data;    /* Notification data: DPD sequence number */
} __attribute__((__packed__));
424:
425: #endif /* _ISAKMP_H */