/*	$NetBSD: ipsec_doi.h,v 1.12 2009/03/12 10:57:26 tteras Exp $	*/

/* Id: ipsec_doi.h,v 1.15 2006/08/11 16:06:30 vanhu Exp */

/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 * 
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

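#ifndef _IPSEC_DOI_H
#define _IPSEC_DOI_H

#include <limits.h>

#include "isakmp.h"

/*
 * IPsec Domain of Interpretation (DOI) constants, as specified in RFC 2407.
 * The section numbers in the comments below refer to that RFC.  The numeric
 * values are protocol registry values carried on the wire: listing a
 * transform or algorithm here does not mean racoon implements or accepts it;
 * that is decided by the negotiation code that consumes these definitions.
 */

/* DOI identifier for IPsec, carried in the SA payload's doi field. */
#define IPSEC_DOI 1

/* 4.2 IPSEC Situation Definition (bit flags in the SA payload's sit field) */
#define IPSECDOI_SIT_IDENTITY_ONLY           0x00000001
#define IPSECDOI_SIT_SECRECY                 0x00000002
#define IPSECDOI_SIT_INTEGRITY               0x00000004

/* 4.4.1 IPSEC Security Protocol Identifiers */
  /* 4.4.2 IPSEC ISAKMP Transform Values */
#define IPSECDOI_PROTO_ISAKMP                        1
#define   IPSECDOI_KEY_IKE                             1

/* 4.4.1 IPSEC Security Protocol Identifiers */
#define IPSECDOI_PROTO_IPSEC_AH                      2
  /* 4.4.3 IPSEC AH Transform Values */
#define   IPSECDOI_AH_MD5                              2
#define   IPSECDOI_AH_SHA                              3
#define   IPSECDOI_AH_DES                              4
#define   IPSECDOI_AH_SHA256                           5
#define   IPSECDOI_AH_SHA384                           6
#define   IPSECDOI_AH_SHA512                           7

/* 4.4.1 IPSEC Security Protocol Identifiers */
#define IPSECDOI_PROTO_IPSEC_ESP                     3
  /*
   * 4.4.4 IPSEC ESP Transform Identifiers.  Several of these (DES, RC4,
   * IDEA, ...) are legacy registry entries kept for wire compatibility.
   */
#define   IPSECDOI_ESP_DES_IV64				1
#define   IPSECDOI_ESP_DES				2
#define   IPSECDOI_ESP_3DES				3
#define   IPSECDOI_ESP_RC5				4
#define   IPSECDOI_ESP_IDEA				5
#define   IPSECDOI_ESP_CAST				6
#define   IPSECDOI_ESP_BLOWFISH				7
#define   IPSECDOI_ESP_3IDEA				8
#define   IPSECDOI_ESP_DES_IV32				9
#define   IPSECDOI_ESP_RC4				10
#define   IPSECDOI_ESP_NULL				11
#define   IPSECDOI_ESP_AES				12
#define   IPSECDOI_ESP_CAMELLIA				22
#if 1
  /* draft-ietf-ipsec-ciph-aes-cbc-00.txt (private-use range value) */
#define   IPSECDOI_ESP_TWOFISH				253
#else
  /* SSH uses this value for now (dead branch, kept for reference) */
#define   IPSECDOI_ESP_TWOFISH				250
#endif

/* 4.4.1 IPSEC Security Protocol Identifiers */
#define IPSECDOI_PROTO_IPCOMP                        4
  /* 4.4.5 IPSEC IPCOMP Transform Identifiers */
#define   IPSECDOI_IPCOMP_OUI				1
#define   IPSECDOI_IPCOMP_DEFLATE			2
#define   IPSECDOI_IPCOMP_LZS				3

/*
 * 4.5 IPSEC Security Association Attributes.  "B" marks a basic attribute
 * (fixed 16-bit value), "V" a variable-length one, in ISAKMP's attribute
 * encoding (RFC 2408 section 3.3).
 */
/* NOTE: default value is not included in a packet. */
#define IPSECDOI_ATTR_SA_LD_TYPE              1 /* B */
#define   IPSECDOI_ATTR_SA_LD_TYPE_DEFAULT      1
#define   IPSECDOI_ATTR_SA_LD_TYPE_SEC          1
#define   IPSECDOI_ATTR_SA_LD_TYPE_KB           2
#define   IPSECDOI_ATTR_SA_LD_TYPE_MAX          3	/* one past the last valid type */
#define IPSECDOI_ATTR_SA_LD                   2 /* V */
#define   IPSECDOI_ATTR_SA_LD_SEC_DEFAULT      28800 /* 8 hours */
/*
 * Upper bound for the kilobyte lifetime attribute.  This used to be spelled
 * ~(1 << (bits_in_int - 1)), which left-shifts a signed 1 into the sign bit
 * (undefined behaviour in C99/C11) and relied on two's complement to come
 * out as INT_MAX.  INT_MAX is the same int value without the UB.
 */
#define   IPSECDOI_ATTR_SA_LD_KB_MAX  INT_MAX
#define IPSECDOI_ATTR_GRP_DESC                3 /* B */
#define IPSECDOI_ATTR_ENC_MODE                4 /* B */
	/* default value: host dependent */
#define   IPSECDOI_ATTR_ENC_MODE_ANY            0	/* NOTE:internal use, never sent */
#define   IPSECDOI_ATTR_ENC_MODE_TUNNEL         1
#define   IPSECDOI_ATTR_ENC_MODE_TRNS           2

/* NAT-T draft-ietf-ipsec-nat-t-ike-05 and later (RFC 3947 values) */
#define   IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_RFC	3
#define   IPSECDOI_ATTR_ENC_MODE_UDPTRNS_RFC	4

/* NAT-T up to draft-ietf-ipsec-nat-t-ike-04 (private-use range values) */
#define   IPSECDOI_ATTR_ENC_MODE_UDPTUNNEL_DRAFT	61443
#define   IPSECDOI_ATTR_ENC_MODE_UDPTRNS_DRAFT		61444

#define IPSECDOI_ATTR_AUTH                    5 /* B */
	/* 0 means not to use authentication. */
#define   IPSECDOI_ATTR_AUTH_HMAC_MD5           1
#define   IPSECDOI_ATTR_AUTH_HMAC_SHA1          2
#define   IPSECDOI_ATTR_AUTH_DES_MAC            3
#define   IPSECDOI_ATTR_AUTH_KPDK               4 /*RFC-1826(Key/Pad/Data/Key)*/
#define   IPSECDOI_ATTR_AUTH_HMAC_SHA2_256      5
#define   IPSECDOI_ATTR_AUTH_HMAC_SHA2_384      6
#define   IPSECDOI_ATTR_AUTH_HMAC_SHA2_512      7
#define   IPSECDOI_ATTR_AUTH_NONE               254	/* NOTE:internal use, never sent */
	/*
	 * When negotiating ESP without authentication, the Auth
	 * Algorithm attribute MUST NOT be included in the proposal.
	 * When negotiating ESP without confidentiality, the Auth
	 * Algorithm attribute MUST be included in the proposal and
	 * the ESP transform ID must be ESP_NULL.
	*/
#define IPSECDOI_ATTR_KEY_LENGTH              6 /* B */
#define IPSECDOI_ATTR_KEY_ROUNDS              7 /* B */
#define IPSECDOI_ATTR_COMP_DICT_SIZE          8 /* B */
#define IPSECDOI_ATTR_COMP_PRIVALG            9 /* V */

#ifdef HAVE_SECCTX
/* Security context attribute, only compiled in with labeled-IPsec support. */
#define IPSECDOI_ATTR_SECCTX		     10 /* V */
#endif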

/* 4.6.1 Security Association Payload */
/*
 * Wire image of the SA payload: the generic ISAKMP payload header followed
 * by the DOI and Situation words.  Packed so that it can be overlaid on the
 * received buffer; the multi-byte fields are therefore in network byte order
 * and must be converted (ntohl) before being compared with IPSEC_DOI or the
 * IPSECDOI_SIT_* flags.  Proposal payloads follow in the same buffer and are
 * not part of this struct.
 */
struct ipsecdoi_pl_sa {
	struct isakmp_gen h;	/* generic payload header, from isakmp.h */
	struct ipsecdoi_sa_b {
		u_int32_t doi; /* Domain of Interpretation (expected: IPSEC_DOI) */
		u_int32_t sit; /* Situation (IPSECDOI_SIT_* bit flags) */
	} b;
	/* followed by Leveled Domain Identifier and so on. */
} __attribute__((__packed__));

/*
 * Length-prefixed header of a variable-length item inside the SA payload.
 * NOTE(review): by its position in RFC 2407 4.6.1 this looks like the
 * header of the labeled-domain (secrecy / integrity) items that follow the
 * Situation when IPSECDOI_SIT_SECRECY or IPSECDOI_SIT_INTEGRITY is set;
 * confirm against the parser.  len is the only bound on the value that
 * follows and it comes from the peer, so it must be checked against the
 * remaining payload length before the value is read.
 */
struct ipsecdoi_secrecy_h {
	u_int16_t len;		/* length of the value that follows, network byte order */
	u_int16_t reserved;	/* RESERVED, zero per RFC 2407 */
	/* followed by the value */
} __attribute__((__packed__));

/* 4.6.2 Identification Payload Content */
/*
 * Wire image of the IPsec DOI Identification payload.  Packed for overlay on
 * the received buffer, so port is in network byte order (ntohs before use).
 * The Identification Data that follows is not part of the struct; its
 * length is presumably the payload length from h minus the size of this
 * struct, and like every other field it comes from the peer and must be
 * validated before use.
 */
struct ipsecdoi_pl_id {
	struct isakmp_gen h;		/* generic payload header, from isakmp.h */
	struct ipsecdoi_id_b {
		u_int8_t type;		/* ID Type, one of IPSECDOI_ID_* */
		u_int8_t proto_id;	/* Protocol ID (IP protocol number; 0 = any, RFC 2407) */
		u_int16_t port;		/* Port (network byte order; 0 = any, RFC 2407) */
	} b;
	/* followed by Identification Data */
} __attribute__((__packed__));

/* 4.6.2 ID Type values carried in ipsecdoi_pl_id.b.type */
#define IPSECDOI_ID_IPV4_ADDR                        1
#define IPSECDOI_ID_FQDN                             2
#define IPSECDOI_ID_USER_FQDN                        3
#define IPSECDOI_ID_IPV4_ADDR_SUBNET                 4
#define IPSECDOI_ID_IPV6_ADDR                        5
#define IPSECDOI_ID_IPV6_ADDR_SUBNET                 6
#define IPSECDOI_ID_IPV4_ADDR_RANGE                  7
#define IPSECDOI_ID_IPV6_ADDR_RANGE                  8
#define IPSECDOI_ID_DER_ASN1_DN                      9
#define IPSECDOI_ID_DER_ASN1_GN                      10
#define IPSECDOI_ID_KEY_ID                           11

/*
 * compressing doi type, it's internal use.
 * Racoon's own condensed classification of the wire ID types above; these
 * values never go on the wire.  The conversion in each direction is
 * presumably done by idtype2doi() / doi2idtype() declared below.
 */
#define IDTYPE_UNDEFINED	0
#define IDTYPE_FQDN		1
#define IDTYPE_USERFQDN		2
#define IDTYPE_KEYID		3
#define IDTYPE_ADDRESS		4
#define IDTYPE_ASN1DN		5
#define IDTYPE_SUBNET		6

/* qualifiers for KEYID (and maybe others): where the identifier data comes from */
#define IDQUAL_UNSPEC		0
#define IDQUAL_FILE		1	/* identifier read from a file */
#define IDQUAL_TAG		2	/* identifier given literally */

/* The use for checking proposal payload. This is not exchange type. */
#define IPSECDOI_TYPE_PH1	0
#define IPSECDOI_TYPE_PH2	1

/*
 * Prefix that will make ipsecdoi_sockaddr2id() generate address type
 * identities without knowing the exact length of address.
 * (0xff cannot be a valid prefix length for either IPv4 or IPv6, so it is
 * safe as a sentinel.)
 */
#define IPSECDOI_PREFIX_HOST	0xff

/*
 * Incomplete types referenced by the prototypes below; their definitions
 * live in other headers.  (struct ipsecdoi_pl_sa is already fully defined
 * above, so its forward declaration here is redundant but harmless.)
 */
struct isakmpsa;
struct ipsecdoi_pl_sa;
struct saprop;
struct saproto;
struct satrns;
struct prop_pair;

/*
 * Function prototypes.  __P() is the project's prototype-argument wrapper
 * for pre-ANSI compilers; ipsecdoi_chkcmpids below is the one declaration
 * not using it.  Return conventions are not documented here: by the
 * declared types, the int-returning functions look like 0 / -1 status
 * results and the vchar_t * ones return NULL on failure, but confirm
 * against the implementation before relying on that.
 */

/* Phase 1 / phase 2 proposal validation and selection. */
extern int ipsecdoi_checkph1proposal __P((vchar_t *, struct ph1handle *));
extern int ipsecdoi_selectph2proposal __P((struct ph2handle *));
extern int ipsecdoi_checkph2proposal __P((struct ph2handle *));

/* Proposal/transform pair extraction from, and SA payload construction for, the wire. */
extern struct prop_pair **get_proppair __P((vchar_t *, int));
extern vchar_t *get_sabyproppair __P((u_int32_t, u_int32_t, struct prop_pair *));
extern int ipsecdoi_updatespi __P((struct ph2handle *iph2));
extern vchar_t *get_sabysaprop __P((struct saprop *, vchar_t *));
/* Identification payload handling: comparison, construction and conversion. */
extern int ipsecdoi_chkcmpids( const vchar_t *, const vchar_t *, int );
extern int ipsecdoi_checkid1 __P((struct ph1handle *));
extern int ipsecdoi_setid1 __P((struct ph1handle *));
extern int set_identifier __P((vchar_t **, int, vchar_t *));
extern int set_identifier_qual __P((vchar_t **, int, vchar_t *, int));
extern int ipsecdoi_setid2 __P((struct ph2handle *));
/* u_int arguments: see IPSECDOI_PREFIX_HOST for the "whole host" prefix sentinel. */
extern vchar_t *ipsecdoi_sockaddr2id __P((struct sockaddr *, u_int, u_int));
/* Parses peer-supplied ID data; the vchar_t length bounds what may be read. */
extern int ipsecdoi_id2sockaddr __P((vchar_t *, struct sockaddr *,
	u_int8_t *, u_int16_t *));
extern char *ipsecdoi_id2str __P((const vchar_t *));
extern vchar_t *ipsecdoi_sockrange2id __P((	struct sockaddr *,
	struct sockaddr *, u_int));

/* Proposal construction from local configuration and related helpers. */
extern vchar_t *ipsecdoi_setph1proposal __P((struct remoteconf *,
					     struct isakmpsa *));
extern int ipsecdoi_setph2proposal __P((struct ph2handle *));
extern int ipsecdoi_transportmode __P((struct saprop *));
extern int ipsecdoi_get_defaultlifetime __P((void));
extern int ipsecdoi_checkalgtypes __P((int, int, int, int));
extern int ipproto2doi __P((int));
extern int doi2ipproto __P((int));

/* Transform payload to internal structures, and DOI <-> internal value mapping. */
extern int ipsecdoi_t2satrns __P((struct isakmp_pl_t *,
	struct saprop *, struct saproto *, struct satrns *));
extern int ipsecdoi_authalg2trnsid __P((int));
extern int idtype2doi __P((int));
extern int doi2idtype __P((int));

/* Extracts the lifetimes from a RESPONDER-LIFETIME notification received from the peer. */
extern int ipsecdoi_parse_responder_lifetime __P((struct isakmp_pl_n *notify,
	u_int32_t *lifetime_sec, u_int32_t *liftime_kb));


#endif /* _IPSEC_DOI_H */