/*	$OpenBSD: ikev2.h,v 1.35 2023/06/28 14:10:24 tobhe Exp $	*/

/*
 * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * Wire-format headers and IANA-registered constants for IKEv2 (RFC 7296)
 * as used by iked.
 *
 * The __packed structs below describe payload headers exactly as they are
 * laid out on the wire.  Multi-byte fields are in network byte order
 * (RFC 7296, section 3.1) and must be converted before use.  Every length,
 * count and size field in these headers comes from the peer and is
 * therefore untrusted input; this header declares no validation of its
 * own, so the parser that overlays a received buffer with one of these
 * structs has to bound each such field against the bytes that actually
 * remain in the message before touching the variable-length data that
 * follows.  The *_map[] tables declared here map the numeric values to
 * printable names for logging.
 */

#ifndef IKED_IKEV2_H
#define IKED_IKEV2_H

#define IKEV2_VERSION		0x20	/* IKE version 2.0 */
#define IKEV1_VERSION		0x10	/* IKE version 1.0 */

/*
 * RFC 7296, section 2.15: the fixed pad string mixed into the AUTH value
 * for shared-key authentication.  Both peers must use exactly this
 * string or authentication fails -- don't change!
 */
#define IKEV2_KEYPAD	"Key Pad for IKEv2"	/* don't change! */

/*
 * IKEv2 pseudo states
 *
 * iked-internal IKE SA state machine values; these are not protocol
 * constants and never appear on the wire.  NOTE(review): the numbering
 * follows handshake progress, but whether any code compares states
 * numerically (e.g. "state >= VALID") is not visible here -- confirm
 * before renumbering.
 */

#define IKEV2_STATE_INIT		0	/* new IKE SA */
#define IKEV2_STATE_COOKIE		1	/* cookie requested */
#define IKEV2_STATE_SA_INIT		2	/* init IKE SA */
#define IKEV2_STATE_EAP			3	/* EAP requested */
#define IKEV2_STATE_EAP_SUCCESS		4	/* EAP succeeded */
#define IKEV2_STATE_AUTH_REQUEST	5	/* auth received */
#define IKEV2_STATE_AUTH_SUCCESS	6	/* authenticated */
#define IKEV2_STATE_VALID		7	/* authenticated AND validated certs */
#define IKEV2_STATE_EAP_VALID		8	/* EAP validated */
#define IKEV2_STATE_ESTABLISHED		9	/* active IKE SA */
#define IKEV2_STATE_CLOSING		10	/* expect delete for this SA */
#define IKEV2_STATE_CLOSED		11	/* delete this SA */

extern struct iked_constmap ikev2_state_map[];

/*
 * "IKEv2 Parameters" based on the official RFC-based assignments by IANA
 * (http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.txt)
 */

/*
 * IKEv2 definitions of the IKE header
 */

/* IKEv2 exchange types */
#define IKEV2_EXCHANGE_IKE_SA_INIT		34	/* Initial Exchange */
#define IKEV2_EXCHANGE_IKE_AUTH			35	/* Authentication */
#define IKEV2_EXCHANGE_CREATE_CHILD_SA		36	/* Create Child SA */
#define IKEV2_EXCHANGE_INFORMATIONAL		37	/* Informational */
#define IKEV2_EXCHANGE_IKE_SESSION_RESUME	38	/* RFC5723 */

extern struct iked_constmap ikev2_exchange_map[];

/* IKEv2 message flags (the Flags octet of the IKE header, RFC 7296 3.1) */
#define IKEV2_FLAG_INITIATOR		0x08	/* Sent by the initiator */
#define IKEV2_FLAG_OLDVERSION		0x10	/* Supports a higher IKE version */
#define IKEV2_FLAG_RESPONSE		0x20	/* Message is a response */

extern struct iked_constmap ikev2_flag_map[];

/*
 * IKEv2 payloads
 */

/*
 * Generic payload header (RFC 7296, section 3.2).  Every payload starts
 * with these four bytes.
 */
struct ikev2_payload {
	uint8_t		 pld_nextpayload;	/* Next payload type */
	uint8_t		 pld_reserved;		/* Contains the critical bit */
	/*
	 * Payload length with header.  Untrusted: must be at least
	 * sizeof(struct ikev2_payload) and no larger than the bytes
	 * remaining in the message, otherwise the payload chain walks
	 * out of the buffer.
	 */
	uint16_t	 pld_length;		/* Payload length with header */
} __packed;

/*
 * Encrypted Fragment payload (RFC 7383).  Immediately follows the generic
 * header of an SKF payload and precedes the IV/ciphertext.  frag_num is
 * 1-based: a valid fragment has frag_total != 0 and
 * 1 <= frag_num <= frag_total; frag_total may legitimately differ from
 * what earlier fragments announced only if the reassembly state is
 * discarded, so mismatches must not be merged silently.
 */
struct ikev2_frag_payload {
	uint16_t	frag_num;	/* current fragment message number */
	uint16_t	frag_total;	/* total number of fragment messages */
} __packed;

/*
 * RFC 7296, section 2.5: if this bit is set in pld_reserved on a payload
 * type the receiver does not understand, the whole message must be
 * rejected with an UNSUPPORTED_CRITICAL_PAYLOAD notification; for payload
 * types the receiver understands the bit is ignored.
 */
#define IKEV2_CRITICAL_PAYLOAD	0x01	/* First bit in the reserved field */

/* IKEv2 payload types */
#define IKEV2_PAYLOAD_NONE	0	/* No payload */
#define IKEV2_PAYLOAD_SA	33	/* Security Association */
#define IKEV2_PAYLOAD_KE	34	/* Key Exchange */
#define IKEV2_PAYLOAD_IDi	35	/* Identification - Initiator */
#define IKEV2_PAYLOAD_IDr	36	/* Identification - Responder */
#define IKEV2_PAYLOAD_CERT	37	/* Certificate */
#define IKEV2_PAYLOAD_CERTREQ	38	/* Certificate Request */
#define IKEV2_PAYLOAD_AUTH	39	/* Authentication */
#define IKEV2_PAYLOAD_NONCE	40	/* Nonce */
#define IKEV2_PAYLOAD_NOTIFY	41	/* Notify */
#define IKEV2_PAYLOAD_DELETE	42	/* Delete */
#define IKEV2_PAYLOAD_VENDOR	43	/* Vendor ID */
#define IKEV2_PAYLOAD_TSi	44	/* Traffic Selector - Initiator */
#define IKEV2_PAYLOAD_TSr	45	/* Traffic Selector - Responder */
#define IKEV2_PAYLOAD_SK	46	/* Encrypted */
#define IKEV2_PAYLOAD_CP	47	/* Configuration Payload */
#define IKEV2_PAYLOAD_EAP	48	/* Extensible Authentication */
#define IKEV2_PAYLOAD_GSPM	49	/* RFC6467 Generic Secure Password */
#define IKEV2_PAYLOAD_SKF	53	/* RFC7383 Encrypted Fragment Payload */

extern struct iked_constmap ikev2_payload_map[];

/*
 * SA payload
 */

/*
 * Proposal substructure (RFC 7296, section 3.3.1).  A SA payload carries
 * one or more of these back to back; sap_more tells whether another
 * follows.  The SPI and the transforms that follow are sized by
 * sap_spisize and sap_transforms respectively, both of which are
 * peer-supplied and must fit inside sap_length, which in turn must fit
 * inside the enclosing payload.
 */
struct ikev2_sa_proposal {
	uint8_t		 sap_more;		/* Last proposal or more */
	uint8_t		 sap_reserved;		/* Must be set to zero */
	uint16_t	 sap_length;		/* Proposal length */
	uint8_t		 sap_proposalnr;	/* Proposal number */
	uint8_t		 sap_protoid;		/* Protocol Id */
	/*
	 * SPI size: 0 in the initial IKE_SA_INIT proposal, 8 for an IKE SA
	 * being rekeyed, 4 for AH/ESP (RFC 7296 3.3.1).  Anything else is
	 * malformed.
	 */
	uint8_t		 sap_spisize;		/* SPI size */
	uint8_t		 sap_transforms;	/* Number of transforms */
	/* Followed by variable-length SPI */
	/* Followed by variable-length transforms */
} __packed;

#define IKEV2_SAP_LAST	0
#define IKEV2_SAP_MORE	2

#define IKEV2_SAPROTO_NONE		0	/* None */
#define IKEV2_SAPROTO_IKE		1	/* IKEv2 */
#define IKEV2_SAPROTO_AH		2	/* AH */
#define IKEV2_SAPROTO_ESP		3	/* ESP */
#define IKEV2_SAPROTO_FC_ESP_HEADER	4	/* RFC4595 */
#define IKEV2_SAPROTO_FC_CT_AUTH	5	/* RFC4595 */
#define IKEV2_SAPROTO_IPCOMP		204	/* private, should be 4 */

extern struct iked_constmap ikev2_saproto_map[];

/*
 * Transform substructure (RFC 7296, section 3.3.2).  xfrm_length covers
 * this header plus any attributes that follow; like sap_length it is
 * peer-supplied and must be checked against the enclosing proposal
 * before the attributes are walked.
 */
struct ikev2_transform {
	uint8_t		xfrm_more;		/* Last transform or more */
	uint8_t		xfrm_reserved;		/* Must be set to zero */
	uint16_t	xfrm_length;		/* Transform length */
	uint8_t		xfrm_type;		/* Transform type */
	uint8_t		xfrm_reserved1;		/* Must be set to zero */
	uint16_t	xfrm_id;		/* Transform Id */
	/* Followed by variable-length transform attributes */
} __packed;

#define IKEV2_XFORM_LAST	0
#define IKEV2_XFORM_MORE	3

#define IKEV2_XFORMTYPE_ENCR	1	/* Encryption */
#define IKEV2_XFORMTYPE_PRF	2	/* Pseudo-Random Function */
#define IKEV2_XFORMTYPE_INTEGR	3	/* Integrity Algorithm */
#define IKEV2_XFORMTYPE_DH	4	/* Diffie-Hellman Group */
#define IKEV2_XFORMTYPE_ESN	5	/* Extended Sequence Numbers */
#define IKEV2_XFORMTYPE_MAX	6

extern struct iked_constmap ikev2_xformtype_map[];

/*
 * Encryption transform IDs.  This is the full IANA registry, not the set
 * iked is willing to negotiate; several entries (DES, RC4, NULL, the
 * 64-bit block ciphers) are listed only so received proposals can be
 * decoded and logged.  RFC 8247 gives the current MUST/SHOULD NOT status
 * of each algorithm -- consult it, not this list, when deciding what a
 * policy may accept.
 */
#define IKEV2_XFORMENCR_NONE		0	/* None */
#define IKEV2_XFORMENCR_DES_IV64	1	/* RFC1827 */
#define IKEV2_XFORMENCR_DES		2	/* RFC2405 */
#define IKEV2_XFORMENCR_3DES		3	/* RFC2451 */
#define IKEV2_XFORMENCR_RC5		4	/* RFC2451 */
#define IKEV2_XFORMENCR_IDEA		5	/* RFC2451 */
#define IKEV2_XFORMENCR_CAST		6	/* RFC2451 */
#define IKEV2_XFORMENCR_BLOWFISH	7	/* RFC2451 */
#define IKEV2_XFORMENCR_3IDEA		8	/* RFC2451 */
#define IKEV2_XFORMENCR_DES_IV32	9	/* DESIV32 */
#define IKEV2_XFORMENCR_RC4		10	/* RFC2451 */
#define IKEV2_XFORMENCR_NULL		11	/* RFC2410 */
#define IKEV2_XFORMENCR_AES_CBC		12	/* RFC3602 */
#define IKEV2_XFORMENCR_AES_CTR		13	/* RFC3664 */
#define IKEV2_XFORMENCR_AES_CCM_8	14	/* RFC5282 */
#define IKEV2_XFORMENCR_AES_CCM_12	15	/* RFC5282 */
#define IKEV2_XFORMENCR_AES_CCM_16	16	/* RFC5282 */
#define IKEV2_XFORMENCR_AES_GCM_8	18	/* RFC5282 */
#define IKEV2_XFORMENCR_AES_GCM_12	19	/* RFC5282 */
#define IKEV2_XFORMENCR_AES_GCM_16	20	/* RFC5282 */
#define IKEV2_XFORMENCR_NULL_AES_GMAC	21	/* RFC4543 */
#define IKEV2_XFORMENCR_XTS_AES		22	/* IEEE P1619 */
#define IKEV2_XFORMENCR_CAMELLIA_CBC	23	/* RFC5529 */
#define IKEV2_XFORMENCR_CAMELLIA_CTR	24	/* RFC5529 */
#define IKEV2_XFORMENCR_CAMELLIA_CCM_8	25	/* RFC5529 */
#define IKEV2_XFORMENCR_CAMELLIA_CCM_12	26	/* RFC5529 */
#define IKEV2_XFORMENCR_CAMELLIA_CCM_16	27	/* RFC5529 */
#define IKEV2_XFORMENCR_CHACHA20_POLY1305 28	/* RFC7634 */

extern struct iked_constmap ikev2_xformencr_map[];

#define IKEV2_IPCOMP_OUI	1	/* UNSPECIFIED */
#define IKEV2_IPCOMP_DEFLATE	2	/* RFC2394 */
#define IKEV2_IPCOMP_LZS	3	/* RFC2395 */
#define IKEV2_IPCOMP_LZJH	4	/* RFC3051 */

extern struct iked_constmap ikev2_ipcomp_map[];

#define IKEV2_XFORMPRF_HMAC_MD5		1	/* RFC2104 */
#define IKEV2_XFORMPRF_HMAC_SHA1	2	/* RFC2104 */
#define IKEV2_XFORMPRF_HMAC_TIGER	3	/* RFC2104 */
#define IKEV2_XFORMPRF_AES128_XCBC	4	/* RFC3664 */
#define IKEV2_XFORMPRF_HMAC_SHA2_256	5	/* RFC4868 */
#define IKEV2_XFORMPRF_HMAC_SHA2_384	6	/* RFC4868 */
#define IKEV2_XFORMPRF_HMAC_SHA2_512	7	/* RFC4868 */
#define IKEV2_XFORMPRF_AES128_CMAC	8	/* RFC4615 */

extern struct iked_constmap ikev2_xformprf_map[];

#define IKEV2_XFORMAUTH_NONE		0	/* No Authentication */
#define IKEV2_XFORMAUTH_HMAC_MD5_96	1	/* RFC2403 */
#define IKEV2_XFORMAUTH_HMAC_SHA1_96	2	/* RFC2404 */
#define IKEV2_XFORMAUTH_DES_MAC		3	/* DES-MAC */
#define IKEV2_XFORMAUTH_KPDK_MD5	4	/* RFC1826 */
#define IKEV2_XFORMAUTH_AES_XCBC_96	5	/* RFC3566 */
#define IKEV2_XFORMAUTH_HMAC_MD5_128	6	/* RFC4595 */
#define IKEV2_XFORMAUTH_HMAC_SHA1_160	7	/* RFC4595 */
#define IKEV2_XFORMAUTH_AES_CMAC_96	8	/* RFC4494 */
#define IKEV2_XFORMAUTH_AES_128_GMAC	9	/* RFC4543 */
#define IKEV2_XFORMAUTH_AES_192_GMAC	10	/* RFC4543 */
#define IKEV2_XFORMAUTH_AES_256_GMAC	11	/* RFC4543 */
#define IKEV2_XFORMAUTH_HMAC_SHA2_256_128 12	/* RFC4868 */
#define IKEV2_XFORMAUTH_HMAC_SHA2_384_192 13	/* RFC4868 */
#define IKEV2_XFORMAUTH_HMAC_SHA2_512_256 14	/* RFC4868 */

/*
 * Placeholders for AEAD ciphers (only used internally).  These values are
 * in IANA's private-use range and exist so an AEAD encryption transform
 * can carry a matching "integrity" entry in iked's own tables; they must
 * not be emitted in a transform on the wire.
 */
#define IKEV2_XFORMAUTH_AES_GCM_8	2018	/* internal */
#define IKEV2_XFORMAUTH_AES_GCM_12	2019	/* internal */
#define IKEV2_XFORMAUTH_AES_GCM_16	2020	/* internal */

extern struct iked_constmap ikev2_xformauth_map[];

#define IKEV2_XFORMDH_NONE		0	/* No DH */
#define IKEV2_XFORMDH_MODP_768		1	/* DH Group 1 */
#define IKEV2_XFORMDH_MODP_1024		2	/* DH Group 2 */
#define IKEV2_XFORMDH_MODP_1536		5	/* DH Group 5 */
#define IKEV2_XFORMDH_MODP_2048		14	/* DH Group 14 */
#define IKEV2_XFORMDH_MODP_3072		15	/* DH Group 15 */
#define IKEV2_XFORMDH_MODP_4096		16	/* DH Group 16 */
#define IKEV2_XFORMDH_MODP_6144		17	/* DH Group 17 */
#define IKEV2_XFORMDH_MODP_8192		18	/* DH Group 18 */
#define IKEV2_XFORMDH_ECP_256		19	/* RFC5114 */
#define IKEV2_XFORMDH_ECP_384		20	/* RFC5114 */
#define IKEV2_XFORMDH_ECP_521		21	/* RFC5114 */
#define IKEV2_XFORMDH_ECP_192		25	/* RFC5114 */
#define IKEV2_XFORMDH_ECP_224		26	/* RFC5114 */
#define IKEV2_XFORMDH_BRAINPOOL_P224R1	27	/* RFC6954 */
#define IKEV2_XFORMDH_BRAINPOOL_P256R1	28	/* RFC6954 */
#define IKEV2_XFORMDH_BRAINPOOL_P384R1	29	/* RFC6954 */
#define IKEV2_XFORMDH_BRAINPOOL_P512R1	30	/* RFC6954 */
#define IKEV2_XFORMDH_CURVE25519	31	/* RFC8031 */
/*
 * Hybrid post-quantum group: value from IANA's private-use range, so it
 * is only meaningful between peers that agree on this assignment.
 */
#define IKEV2_XFORMDH_X_SNTRUP761X25519	1035	/* private */

extern struct iked_constmap ikev2_xformdh_map[];

/*
 * Largest IKE payload that fits a minimum-MTU datagram without IP
 * fragmentation (576 bytes for IPv4, 1280 for IPv6), used to size
 * RFC 7383 fragments.  The 28 is the fixed IKE header.
 */
#define IKEV2_IPV4_OVERHEAD		(20 + 8 + 28) /* IPv4 + UDP + IKE_HDR*/
#define IKEV2_MAXLEN_IPV4_FRAG		(576 - IKEV2_IPV4_OVERHEAD)
#define IKEV2_IPV6_OVERHEAD		(40 + 8 + 28) /* IPv6 + UDP + IKE_HDR*/
#define IKEV2_MAXLEN_IPV6_FRAG		(1280 - IKEV2_IPV6_OVERHEAD)

#define IKEV2_MAXNUM_TSS		255	/* 8 bit Number of TSs field */

#define IKEV2_XFORMESN_NONE	0	/* No ESN */
#define IKEV2_XFORMESN_ESN	1	/* ESN */

extern struct iked_constmap ikev2_xformesn_map[];

/*
 * Transform attribute (RFC 7296, section 3.3.5).  The top bit of
 * attr_type (IKEV2_ATTRAF_TV) selects the format: in TV form
 * attr_length holds the value itself and nothing follows; in TLV form
 * attr_length bytes of value follow and must be bounded by the enclosing
 * transform's xfrm_length.
 */
struct ikev2_attribute {
	uint16_t	attr_type;	/* Attribute type */
	uint16_t	attr_length;	/* Attribute length or value */
	/* Followed by variable length (TLV) */
} __packed;

#define IKEV2_ATTRAF_TLV	0x0000	/* Type-Length-Value format */
#define IKEV2_ATTRAF_TV		0x8000	/* Type-Value format */

#define IKEV2_ATTRTYPE_KEY_LENGTH	14	/* Key length */

extern struct iked_constmap ikev2_attrtype_map[];

/*
 * KE Payload
 */

/*
 * Key Exchange payload (RFC 7296, section 3.4).  The key exchange data
 * that follows is sized by the enclosing payload length; a receiver
 * should verify that length matches what the announced group requires
 * rather than trusting it.
 */
struct ikev2_keyexchange {
	uint16_t	 kex_dhgroup;		/* DH Group # */
	uint16_t	 kex_reserved;		/* Reserved */
} __packed;

/*
 * N payload
 */

/*
 * Notify payload (RFC 7296, section 3.10).  n_spisize is zero for
 * notifications about the IKE SA and otherwise gives the length of the
 * SPI that follows; the notification data after the SPI runs to the end
 * of the payload, so its length is pld_length minus this header minus
 * n_spisize and must not underflow.
 */
struct ikev2_notify {
	uint8_t		 n_protoid;		/* Protocol Id */
	uint8_t		 n_spisize;		/* SPI size */
	uint16_t	 n_type;		/* Notify message type */
	/* Followed by variable length SPI */
	/* Followed by variable length notification data */
} __packed;

/*
 * Notify message types.  Values below 16384 are errors (RFC 7296 3.10.1);
 * 16384 and above are status notifications.
 */
#define IKEV2_N_UNSUPPORTED_CRITICAL_PAYLOAD	1	/* RFC7296 */
#define IKEV2_N_INVALID_IKE_SPI			4	/* RFC7296 */
#define IKEV2_N_INVALID_MAJOR_VERSION		5	/* RFC7296 */
#define IKEV2_N_INVALID_SYNTAX			7	/* RFC7296 */
#define IKEV2_N_INVALID_MESSAGE_ID		9	/* RFC7296 */
#define IKEV2_N_INVALID_SPI			11	/* RFC7296 */
#define IKEV2_N_NO_PROPOSAL_CHOSEN		14	/* RFC7296 */
#define IKEV2_N_INVALID_KE_PAYLOAD		17	/* RFC7296 */
#define IKEV2_N_AUTHENTICATION_FAILED		24	/* RFC7296 */
#define IKEV2_N_SINGLE_PAIR_REQUIRED		34	/* RFC7296 */
#define IKEV2_N_NO_ADDITIONAL_SAS		35	/* RFC7296 */
#define IKEV2_N_INTERNAL_ADDRESS_FAILURE	36	/* RFC7296 */
#define IKEV2_N_FAILED_CP_REQUIRED		37	/* RFC7296 */
#define IKEV2_N_TS_UNACCEPTABLE			38	/* RFC7296 */
#define IKEV2_N_INVALID_SELECTORS		39	/* RFC7296 */
#define IKEV2_N_UNACCEPTABLE_ADDRESSES		40	/* RFC4555 */
#define IKEV2_N_UNEXPECTED_NAT_DETECTED		41	/* RFC4555 */
#define IKEV2_N_USE_ASSIGNED_HoA		42	/* RFC5026 */
#define IKEV2_N_TEMPORARY_FAILURE		43	/* RFC7296 */
#define IKEV2_N_CHILD_SA_NOT_FOUND		44	/* RFC7296 */
#define IKEV2_N_INITIAL_CONTACT			16384	/* RFC7296 */
#define IKEV2_N_SET_WINDOW_SIZE			16385	/* RFC7296 */
#define IKEV2_N_ADDITIONAL_TS_POSSIBLE		16386	/* RFC7296 */
#define IKEV2_N_IPCOMP_SUPPORTED		16387	/* RFC7296 */
#define IKEV2_N_NAT_DETECTION_SOURCE_IP		16388	/* RFC7296 */
#define IKEV2_N_NAT_DETECTION_DESTINATION_IP	16389	/* RFC7296 */
/*
 * COOKIE (RFC 7296 2.6) is the responder's stateless defence against
 * IKE_SA_INIT floods from spoofed sources; see IKEV2_STATE_COOKIE.
 */
#define IKEV2_N_COOKIE				16390	/* RFC7296 */
#define IKEV2_N_USE_TRANSPORT_MODE		16391	/* RFC7296 */
#define IKEV2_N_HTTP_CERT_LOOKUP_SUPPORTED	16392	/* RFC7296 */
#define IKEV2_N_REKEY_SA			16393	/* RFC7296 */
#define IKEV2_N_ESP_TFC_PADDING_NOT_SUPPORTED	16394	/* RFC7296 */
#define IKEV2_N_NON_FIRST_FRAGMENTS_ALSO	16395	/* RFC7296 */
#define IKEV2_N_MOBIKE_SUPPORTED		16396	/* RFC4555 */
#define IKEV2_N_ADDITIONAL_IP4_ADDRESS		16397	/* RFC4555 */
#define IKEV2_N_ADDITIONAL_IP6_ADDRESS		16398	/* RFC4555 */
#define IKEV2_N_NO_ADDITIONAL_ADDRESSES		16399	/* RFC4555 */
#define IKEV2_N_UPDATE_SA_ADDRESSES		16400	/* RFC4555 */
#define IKEV2_N_COOKIE2				16401	/* RFC4555 */
#define IKEV2_N_NO_NATS_ALLOWED			16402	/* RFC4555 */
#define IKEV2_N_AUTH_LIFETIME			16403	/* RFC4478 */
#define IKEV2_N_MULTIPLE_AUTH_SUPPORTED		16404	/* RFC4739 */
#define IKEV2_N_ANOTHER_AUTH_FOLLOWS		16405	/* RFC4739 */
#define IKEV2_N_REDIRECT_SUPPORTED		16406	/* RFC5685 */
#define IKEV2_N_REDIRECT			16407	/* RFC5685 */
#define IKEV2_N_REDIRECTED_FROM			16408	/* RFC5685 */
#define IKEV2_N_TICKET_LT_OPAQUE		16409	/* RFC5723 */
#define IKEV2_N_TICKET_REQUEST			16410	/* RFC5723 */
#define IKEV2_N_TICKET_ACK			16411	/* RFC5723 */
#define IKEV2_N_TICKET_NACK			16412	/* RFC5723 */
#define IKEV2_N_TICKET_OPAQUE			16413	/* RFC5723 */
#define IKEV2_N_LINK_ID				16414	/* RFC5739 */
#define IKEV2_N_USE_WESP_MODE			16415	/* RFC5415 */
#define IKEV2_N_ROHC_SUPPORTED			16416	/* RFC5857 */
#define IKEV2_N_EAP_ONLY_AUTHENTICATION		16417	/* RFC5998 */
#define IKEV2_N_CHILDLESS_IKEV2_SUPPORTED	16418	/* RFC6023 */
#define IKEV2_N_QUICK_CRASH_DETECTION		16419	/* RFC6290 */
#define IKEV2_N_IKEV2_MESSAGE_ID_SYNC_SUPPORTED	16420	/* RFC6311 */
#define IKEV2_N_IPSEC_REPLAY_CTR_SYNC_SUPPORTED	16421	/* RFC6311 */
#define IKEV2_N_IKEV2_MESSAGE_ID_SYNC		16422	/* RFC6311 */
#define IKEV2_N_IPSEC_REPLAY_CTR_SYNC		16423	/* RFC6311 */
#define IKEV2_N_SECURE_PASSWORD_METHODS		16424	/* RFC6467 */
#define IKEV2_N_PSK_PERSIST			16425	/* RFC6631 */
#define IKEV2_N_PSK_CONFIRM			16426	/* RFC6631 */
#define IKEV2_N_ERX_SUPPORTED			16427	/* RFC6867 */
#define IKEV2_N_IFOM_CAPABILITY			16428	/* OA3GPP */
#define IKEV2_N_FRAGMENTATION_SUPPORTED		16430	/* RFC7383 */
#define IKEV2_N_SIGNATURE_HASH_ALGORITHMS	16431	/* RFC7427 */

extern struct iked_constmap ikev2_n_map[];

/*
 * DELETE payload
 */

/*
 * Delete payload (RFC 7296, section 3.11).  del_nspi SPIs of del_spisize
 * bytes each follow; the product del_nspi * del_spisize must be checked
 * against the remaining payload length before the SPIs are iterated.
 * For the IKE SA itself del_spisize and del_nspi are both zero.
 */
struct ikev2_delete {
	uint8_t		 del_protoid;		/* Protocol Id */
	uint8_t		 del_spisize;		/* SPI size */
	uint16_t	 del_nspi;		/* Number of SPIs */
	/* Followed by variable length SPIs */
} __packed;

/*
 * ID payload
 */

/*
 * Identification payload (RFC 7296, section 3.5).  The identification
 * data runs to the end of the payload; for the textual ID types it is
 * not NUL-terminated on the wire and must be length-bounded when logged
 * or compared.
 */
struct ikev2_id {
	uint8_t		 id_type;		/* Id type */
	uint8_t		 id_reserved[3];	/* Reserved */
	/* Followed by the identification data */
} __packed;

#define IKEV2_ID_NONE		0	/* No ID */
#define IKEV2_ID_IPV4		1	/* RFC7296 (ID_IPV4_ADDR) */
#define IKEV2_ID_FQDN		2	/* RFC7296 */
#define IKEV2_ID_UFQDN		3	/* RFC7296 (ID_RFC822_ADDR) */
#define IKEV2_ID_IPV6		5	/* RFC7296 (ID_IPV6_ADDR) */
#define IKEV2_ID_ASN1_DN	9	/* RFC7296 */
#define IKEV2_ID_ASN1_GN	10	/* RFC7296 */
#define IKEV2_ID_KEY_ID		11	/* RFC7296 */
#define IKEV2_ID_FC_NAME	12	/* RFC4595 */

extern struct iked_constmap ikev2_id_map[];

/*
 * CERT/CERTREQ payloads
 */

/*
 * Certificate / Certificate Request payload (RFC 7296, sections 3.6 and
 * 3.7).  Only the encoding octet is fixed; the certificate data (or, for
 * CERTREQ, a list of CA key hashes) fills the rest of the payload.
 */
struct ikev2_cert {
	uint8_t		 cert_type;		/* Encoding */
	/* Followed by the certificate data */
} __packed;

#define IKEV2_CERT_NONE			0	/* None */
#define IKEV2_CERT_X509_PKCS7		1	/* UNSPECIFIED */
#define IKEV2_CERT_PGP			2	/* UNSPECIFIED */
#define IKEV2_CERT_DNS_SIGNED_KEY	3	/* UNSPECIFIED */
#define IKEV2_CERT_X509_CERT		4	/* RFC7296 */
#define IKEV2_CERT_KERBEROS_TOKEN	6	/* UNSPECIFIED */
#define IKEV2_CERT_CRL			7	/* RFC7296 */
#define IKEV2_CERT_ARL			8	/* UNSPECIFIED */
#define IKEV2_CERT_SPKI			9	/* UNSPECIFIED */
#define IKEV2_CERT_X509_ATTR		10	/* UNSPECIFIED */
#define IKEV2_CERT_RSA_KEY		11	/* RFC7296 */
#define IKEV2_CERT_HASHURL_X509		12	/* RFC7296 */
#define IKEV2_CERT_HASHURL_X509_BUNDLE	13	/* RFC7296 */
#define IKEV2_CERT_OCSP			14	/* RFC4806 */
/*
 * As of November 2014, work was still in progress to add a more generic
 * format for raw public keys (RFC7296), so we use a number in IANA's private
 * use range (201-255, same RFC) for ECDSA.  Being private-use, these two
 * encodings are only understood by peers built from this source.
 */
#define IKEV2_CERT_ECDSA		201	/* Private */
#define IKEV2_CERT_BUNDLE		254	/* Private */

extern struct iked_constmap ikev2_cert_map[];

/*
 * TSi/TSr payloads
 */

/*
 * Traffic Selector payload header (RFC 7296, section 3.13).  tsp_count
 * selectors follow; each one must be bounded by the enclosing payload,
 * not just by tsp_count (see IKEV2_MAXNUM_TSS).
 */
struct ikev2_tsp {
	uint8_t		 tsp_count;		/* Number of TSs */
	uint8_t		 tsp_reserved[3];	/* Reserved */
	/* Followed by the traffic selectors */
} __packed;

/*
 * Single traffic selector (RFC 7296, section 3.13.1).  ts_length covers
 * this header plus the start and end addresses that follow it; their
 * size is implied by ts_type (4 bytes each for an IPv4 range, 16 for
 * IPv6), so ts_length must be checked against both the type and the
 * remaining payload before the addresses are read.
 */
struct ikev2_ts {
	uint8_t		 ts_type;		/* TS type */
	uint8_t		 ts_protoid;		/* Protocol Id */
	uint16_t	 ts_length;		/* Length */
	uint16_t	 ts_startport;		/* Start port */
	uint16_t	 ts_endport;		/* End port */
} __packed;

#define IKEV2_TS_IPV4_ADDR_RANGE	7	/* RFC7296 */
#define IKEV2_TS_IPV6_ADDR_RANGE	8	/* RFC7296 */
#define IKEV2_TS_FC_ADDR_RANGE		9	/* RFC4595 */

extern struct iked_constmap ikev2_ts_map[];

/*
 * AUTH payload
 */

/*
 * Authentication payload (RFC 7296, section 3.8).  The authentication
 * data (signature or MAC) fills the rest of the payload; its expected
 * length depends on auth_method and the negotiated PRF or key.
 */
struct ikev2_auth {
	uint8_t		 auth_method;		/* Signature type */
	uint8_t		 auth_reserved[3];	/* Reserved */
	/* Followed by the signature */
} __packed;

#define IKEV2_AUTH_NONE			0	/* None */
#define IKEV2_AUTH_RSA_SIG		1	/* RFC7296 */
#define IKEV2_AUTH_SHARED_KEY_MIC	2	/* RFC7296 */
#define IKEV2_AUTH_DSS_SIG		3	/* RFC7296 */
#define IKEV2_AUTH_ECDSA_256		9	/* RFC4754 */
#define IKEV2_AUTH_ECDSA_384		10	/* RFC4754 */
#define IKEV2_AUTH_ECDSA_521		11	/* RFC4754 */
#define IKEV2_AUTH_GSPM			12	/* RFC6467 */
/*
 * NULL authentication (RFC 7619) deliberately provides no peer
 * authentication at all; a policy accepting it is an opportunistic,
 * unauthenticated tunnel and should be configured only on purpose.
 */
#define IKEV2_AUTH_NULL			13	/* RFC7619 */
#define IKEV2_AUTH_SIG			14	/* RFC7427 */
#define IKEV2_AUTH_SIG_ANY		255	/* Internal (any signature) */
/*
 * AUTH_SIG also serves as an indication that a given policy has
 * been configured to accept RSA or ECDSA payloads, as long as it
 * successfully authenticates against a configured CA.
 */

extern struct iked_constmap ikev2_auth_map[];

/*
 * Notifications used together with IKEV2_AUTH_SIG
 *
 * Hash algorithm identifiers carried in the SIGNATURE_HASH_ALGORITHMS
 * notify (RFC 7427).  Which of these a peer may actually offer or accept
 * for signatures is a policy decision made elsewhere.
 */

#define IKEV2_SIGHASH_RESERVED		0	/* RFC7427 */
#define IKEV2_SIGHASH_SHA1		1	/* RFC7427 */
#define IKEV2_SIGHASH_SHA2_256		2	/* RFC7427 */
#define IKEV2_SIGHASH_SHA2_384		3	/* RFC7427 */
#define IKEV2_SIGHASH_SHA2_512		4	/* RFC7427 */

extern struct iked_constmap ikev2_sighash_map[];

/*
 * CP payload
 */

/*
 * Configuration payload header (RFC 7296, section 3.15).  cp_type says
 * whether this is a request, reply, set or ack; the configuration
 * attributes (struct ikev2_cfg) follow to the end of the payload.
 */
struct ikev2_cp {
	uint8_t		 cp_type;		/* CFG type, IKEV2_CP_* */
	uint8_t		 cp_reserved[3];	/* Reserved */
	/* Followed by the attributes */
} __packed;

#define IKEV2_CP_REQUEST	1	/* CFG-Request */
#define IKEV2_CP_REPLY		2	/* CFG-Reply */
#define IKEV2_CP_SET		3	/* CFG-SET */
#define IKEV2_CP_ACK		4	/* CFG-ACK */

extern struct iked_constmap ikev2_cp_map[];

/*
 * Configuration attribute (RFC 7296, section 3.15.1).  The top bit of
 * cfg_type is reserved and must be zero; cfg_length bytes of attribute
 * data follow and, as with every other length here, must be bounded by
 * the enclosing payload before they are read.
 */
struct ikev2_cfg {
	uint16_t	 cfg_type;	/* first bit must be set to zero */
	uint16_t	 cfg_length;	/* Attribute data length */
	/* Followed by variable-length data */
} __packed;

#define IKEV2_CFG_INTERNAL_IP4_ADDRESS		1	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP4_NETMASK		2	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP4_DNS		3	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP4_NBNS		4	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_ADDRESS_EXPIRY	5	/* RFC4306 */
#define IKEV2_CFG_INTERNAL_IP4_DHCP		6	/* RFC7296 */
#define IKEV2_CFG_APPLICATION_VERSION		7	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP6_ADDRESS		8	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP6_DNS		10	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP6_NBNS		11	/* RFC4306 */
#define IKEV2_CFG_INTERNAL_IP6_DHCP		12	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP4_SUBNET		13	/* RFC7296 */
#define IKEV2_CFG_SUPPORTED_ATTRIBUTES		14	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP6_SUBNET		15	/* RFC7296 */
#define IKEV2_CFG_MIP6_HOME_PREFIX		16	/* RFC5026 */
#define IKEV2_CFG_INTERNAL_IP6_LINK		17	/* RFC5739 */
#define IKEV2_CFG_INTERNAL_IP6_PREFIX		18	/* RFC5739 */
#define IKEV2_CFG_HOME_AGENT_ADDRESS		19	/* http://www.3gpp.org/ftp/Specs/html-info/24302.htm */
/* Microsoft private-use attributes from the 16384-32767 range */
#define IKEV2_CFG_INTERNAL_IP4_SERVER		23456	/* MS-IKEE */
#define IKEV2_CFG_INTERNAL_IP6_SERVER		23457	/* MS-IKEE */

extern struct iked_constmap ikev2_cfg_map[];

/*
 * IKEv1 payload types
 *
 * Only the two values needed to recognise (and reject) an IKEv1 packet
 * arriving on the IKE port are defined; iked does not speak IKEv1.
 * NOTE(review): that intent is inferred from the size of this list --
 * confirm against the caller.
 */
#define IKEV1_PAYLOAD_NONE	0	/* No payload */
#define IKEV1_PAYLOAD_PROPOSAL	2	/* Proposal */

#endif /* IKED_IKEV2_H */