/* $OpenBSD: ipsec.h,v 1.27 2017/11/08 13:33:49 patrick Exp $ */
/* $EOM: ipsec.h,v 1.42 2000/12/03 07:58:20 angelos Exp $ */

/*
 * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved.
 * Copyright (c) 1999 Angelos D. Keromytis. All rights reserved.
 * Copyright (c) 2001 Håkan Olsson. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * This code was written under funding by Ericsson Radio Systems.
 */

/*
 * ipsec.h -- IPsec DOI state carried by isakmpd's exchange, SA and
 * protocol objects, plus the prototypes of the IPsec DOI helpers.
 *
 * Nothing in this header allocates or frees; every pointer member below
 * is owned by the code that fills the struct in (see the implementation
 * for who allocates and who releases).
 */

#ifndef _IPSEC_H_
#define _IPSEC_H_

#include <sys/queue.h>
#include <sys/types.h>
#include <netinet/in.h>

#include "ipsec_doi.h"
#include "isakmp_cfg.h"

/*
 * Opaque types from the rest of isakmpd.  Only pointers to them appear in
 * this header, so forward declarations are enough and keep the include
 * graph small.
 */
struct group;
struct hash;
struct ike_auth;
struct message;
struct proto;
struct sa;

/*
 * IPsec-specific data to be linked into the exchange struct.
 * XXX Should probably be several different structs, one for each kind
 * of exchange, i.e. phase 1, phase 2 and ISAKMP configuration parameters
 * separated.
 *
 * NOTE(review): several members (skeyid*, g_xy, keymat-related state)
 * are secret keying material.  Confirm that whoever releases an
 * ipsec_exch zeroes those buffers before freeing them, and that none of
 * the pointers below outlive the exchange they belong to.
 */
struct ipsec_exch {
	/* IPSEC_EXCH_FLAG_* bits. */
	u_int flags;
	struct hash *hash;
	struct ike_auth *ike_auth;
	/* Presumably the Diffie-Hellman group negotiated for this exchange. */
	struct group *group;
	u_int16_t prf_type;

	/* 0 if no KEY_EXCH was proposed, 1 otherwise */
	u_int8_t pfs;

	/*
	 * A copy of the initiator SA payload body for later computation of
	 * hashes. Phase 1 only.
	 */
	size_t sa_i_b_len;
	u_int8_t *sa_i_b;

	/*
	 * Diffie-Hellman values.  g_xi and g_xr share g_x_len; g_xy has its
	 * own length.  Going by the names, g_xi/g_xr are the initiator's and
	 * responder's public values and g_xy the shared secret -- treat g_xy
	 * as secret.
	 */
	size_t g_x_len;
	size_t g_xy_len;
	u_int8_t *g_xi;
	u_int8_t *g_xr;
	u_int8_t *g_xy;

	/*
	 * SKEYIDs. XXX Phase 1 only?
	 * One length covers all four buffers.  skeyid_d, skeyid_a and
	 * skeyid_e are the IKE (RFC 2409) keys derived from skeyid.
	 */
	size_t skeyid_len;
	u_int8_t *skeyid;
	u_int8_t *skeyid_d;
	u_int8_t *skeyid_a;
	u_int8_t *skeyid_e;

	/*
	 * HASH_I & HASH_R. XXX Do these need to be saved here?
	 * No separate length member: their size is presumably fixed by
	 * `hash` above -- confirm against the implementation.
	 */
	u_int8_t *hash_i;
	u_int8_t *hash_r;

	/* KEYMAT */
	size_t keymat_len;

	/*
	 * Phase 2.  Client identities (IDci / IDcr) with their byte sizes.
	 */
	u_int8_t *id_ci;
	size_t id_ci_sz;
	u_int8_t *id_cr;
	size_t id_cr_sz;

	/* ISAKMP configuration mode parameters */
	u_int16_t cfg_id;
	u_int16_t cfg_type;
	/* Configuration attributes (struct isakmp_cfg_attr from isakmp_cfg.h). */
	LIST_HEAD(isakmp_cfg_attr_head, isakmp_cfg_attr) attrs;
};

/* Bit for ipsec_exch.flags. */
#define IPSEC_EXCH_FLAG_NO_ID 1

/*
 * IPsec-specific data hung off an SA.  Phase 1 SAs keep the key
 * derivation state needed for later exchanges; phase 2 SAs keep the
 * negotiated group and the traffic selectors.
 */
struct ipsec_sa {
	/* Phase 1. */
	u_int8_t hash;
	/* Length shared by skeyid_d and skeyid_a -- both are secret. */
	size_t skeyid_len;
	u_int8_t *skeyid_d;
	u_int8_t *skeyid_a;
	u_int16_t prf_type;

	/* Phase 2. */
	u_int16_t group_desc;

	/*
	 * Tunnel parameters. These are in network byte order.
	 * That includes sport/dport: compare them with ntohs() or against
	 * htons()'d values, never against host-order constants.
	 */
	struct sockaddr *src_net;
	struct sockaddr *src_mask;
	struct sockaddr *dst_net;
	struct sockaddr *dst_mask;
	u_int8_t tproto;
	u_int16_t sport;
	u_int16_t dport;
};

/* IPsec-specific data hung off a protocol (AH/ESP) within an SA. */
struct ipsec_proto {
	/* Phase 2. */
	u_int16_t encap_mode;
	u_int16_t auth;
	u_int16_t keylen;
	u_int16_t keyrounds;

	/*
	 * This is not negotiated, but rather configured.
	 * Signed: the implementation may use negative values to mean
	 * "unset" -- verify before relying on that.
	 */
	int32_t replay_window;

	/*
	 * KEYMAT
	 * Two buffers; presumably one per direction -- confirm against the
	 * implementation.  Both are secret.
	 */
	u_int8_t *keymat[2];
};

/*
 * IPsec DOI helpers.  Return conventions below are read off the
 * signatures only; see ipsec.c for the exact error semantics.
 */

/* Payload construction and hashing. */
extern u_int8_t *ipsec_add_hash_payload(struct message *, size_t);
extern int ipsec_fill_in_hash(struct message *);

/*
 * Key-length queries for AH/ESP transforms.  The unit (bits vs. bytes)
 * is not stated here.
 */
extern int ipsec_ah_keylength(struct proto *);
extern int ipsec_esp_authkeylength(struct proto *);
extern int ipsec_esp_enckeylength(struct proto *);
extern int ipsec_keymat_length(struct proto *);

/*
 * Identity handling.  Functions returning a pointer hand back a buffer
 * whose ownership is not documented here -- check the implementation
 * before freeing.
 */
extern u_int8_t *ipsec_build_id(char *, size_t *);
extern int ipsec_get_id(char *, int *, struct sockaddr **,
    struct sockaddr **, u_int8_t *, u_int16_t *);
extern ssize_t ipsec_id_size(char *, u_int8_t *);
extern char *ipsec_id_string(u_int8_t *, size_t);

/*
 * Attribute parsing.  Both take (type, value, length, arg) and look like
 * the callback shape used when walking an attribute list.
 */
extern int ipsec_decode_attribute(u_int16_t, u_int8_t *, u_int16_t,
    void *);
extern int ipsec_is_attribute_incompatible(u_int16_t, u_int8_t *,
    u_int16_t, void *);
extern void ipsec_decode_transform(struct message *, struct sa *,
    struct proto *, u_int8_t *);

/* Diffie-Hellman exchange steps. */
extern int ipsec_gen_g_x(struct message *);
extern int ipsec_save_g_x(struct message *);

/* Module setup, notifications and SA lookup. */
extern void ipsec_init(void);
extern int ipsec_initial_contact(struct message *);
extern struct sa *ipsec_sa_lookup(struct sockaddr *, u_int32_t, u_int8_t);

/* Identity pair decoding and duplication. */
extern char *ipsec_decode_ids(char *, u_int8_t *, size_t, u_int8_t *,
    size_t, int);
extern int ipsec_clone_id(u_int8_t **, size_t *, u_int8_t *, size_t);

#endif /* _IPSEC_H_ */