1 /*	$OpenBSD: ikev2.h,v 1.26 2017/03/27 10:06:41 reyk Exp $	*/
2 
3 /*
4  * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
5  *
6  * Permission to use, copy, modify, and distribute this software for any
7  * purpose with or without fee is hereby granted, provided that the above
8  * copyright notice and this permission notice appear in all copies.
9  *
10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17  */
18 
19 #ifndef IKED_IKEV2_H
20 #define IKED_IKEV2_H
21 
/*
 * Version octet of the IKE header: major version in the high nibble,
 * minor version in the low nibble (RFC 7296, section 3.1).
 */
#define IKEV2_VERSION		0x20	/* IKE version 2.0 */
#define IKEV1_VERSION		0x10	/* IKE version 1.0 */

/*
 * Fixed ASCII string that RFC 7296 (section 2.15) folds into the
 * shared-key AUTH computation.  It is part of the protocol, not a local
 * secret: changing it breaks authentication against every conforming peer.
 */
#define IKEV2_KEYPAD		"Key Pad for IKEv2"	/* don't change! */

/*
 * IKEv2 pseudo states
 *
 * Lifecycle of an IKE SA as tracked by iked.  These numbers are local
 * bookkeeping, not IKEv2 wire values; the IANA-assigned values start in
 * the next section.
 */

#define IKEV2_STATE_INIT		0	/* new IKE SA */
#define IKEV2_STATE_COOKIE		1	/* cookie requested */
#define IKEV2_STATE_SA_INIT		2	/* init IKE SA */
#define IKEV2_STATE_EAP			3	/* EAP requested */
#define IKEV2_STATE_EAP_SUCCESS		4	/* EAP succeeded */
#define IKEV2_STATE_AUTH_REQUEST	5	/* auth received */
#define IKEV2_STATE_AUTH_SUCCESS	6	/* authenticated */
#define IKEV2_STATE_VALID		7	/* authenticated AND validated certs */
#define IKEV2_STATE_EAP_VALID		8	/* EAP validated */
#define IKEV2_STATE_ESTABLISHED		9	/* active IKE SA */
#define IKEV2_STATE_CLOSING		10	/* expect delete for this SA */
#define IKEV2_STATE_CLOSED		11	/* delete this SA */

/* Name table for the states above; struct iked_constmap is declared elsewhere. */
extern struct iked_constmap ikev2_state_map[];

/*
 * "IKEv2 Parameters" based on the official RFC-based assignments by IANA
 * (http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.txt)
 */

/*
 * IKEv2 definitions of the IKE header
 */

/* IKEv2 exchange types (the Exchange Type octet of the IKE header) */
#define IKEV2_EXCHANGE_IKE_SA_INIT		34	/* Initial Exchange */
#define IKEV2_EXCHANGE_IKE_AUTH			35	/* Authentication */
#define IKEV2_EXCHANGE_CREATE_CHILD_SA		36	/* Create Child SA */
#define IKEV2_EXCHANGE_INFORMATIONAL		37	/* Informational */
#define IKEV2_EXCHANGE_IKE_SESSION_RESUME	38	/* RFC5723 */

/* Name table for the exchange types; struct iked_constmap is declared elsewhere. */
extern struct iked_constmap ikev2_exchange_map[];

/*
 * IKEv2 message flags: bit masks for the Flags octet of the IKE header
 * (RFC 7296, section 3.1).  All other bits of that octet are reserved.
 */
#define IKEV2_FLAG_INITIATOR		0x08	/* Sent by the initiator */
#define IKEV2_FLAG_OLDVERSION		0x10	/* Supports a higher IKE version; RFC 7296 says clear on send, ignore on receipt */
#define IKEV2_FLAG_RESPONSE		0x20	/* Message is a response */

extern struct iked_constmap ikev2_flag_map[];

/*
 * IKEv2 payloads
 */

/*
 * Generic payload header (RFC 7296, section 3.2).  Every payload of an
 * IKEv2 message starts with these four octets; the payload body follows.
 * Wire structure, hence __packed.
 */
struct ikev2_payload {
	uint8_t		 pld_nextpayload;	/* Next payload type */
	uint8_t		 pld_reserved;		/* Contains the critical bit */
	uint16_t	 pld_length;		/* Payload length with header */
	/*
	 * NOTE(review): pld_length comes from the peer and is untrusted.
	 * Before reading past this header the parser must check that it is
	 * at least sizeof(struct ikev2_payload) and does not exceed the
	 * remaining message.  It is a 16-bit network-order field, so it
	 * presumably needs ntohs() first -- confirm in the parser.
	 */
} __packed;

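/*
 * Mask for the Critical (C) bit in pld_reserved.  RFC 7296, section 3.2
 * lays the second octet of the payload header out as "C | RESERVED(7)",
 * so the C bit is the most significant bit of that octet, 0x80.  The
 * former value 0x01 selected the least significant RESERVED bit instead:
 * a payload the peer flagged critical would not have been recognised as
 * such, and a receiver is required to answer an unsupported critical
 * payload with UNSUPPORTED_CRITICAL_PAYLOAD rather than skip it.
 */
#define IKEV2_CRITICAL_PAYLOAD	0x80	/* First bit in the reserved field */

/* IKEv2 payload types (IANA "IKEv2 Payload Types"; values below 33 are reserved) */
#define IKEV2_PAYLOAD_NONE	0	/* No payload */
#define IKEV2_PAYLOAD_SA	33	/* Security Association */
#define IKEV2_PAYLOAD_KE	34	/* Key Exchange */
#define IKEV2_PAYLOAD_IDi	35	/* Identification - Initiator */
#define IKEV2_PAYLOAD_IDr	36	/* Identification - Responder */
#define IKEV2_PAYLOAD_CERT	37	/* Certificate */
#define IKEV2_PAYLOAD_CERTREQ	38	/* Certificate Request */
#define IKEV2_PAYLOAD_AUTH	39	/* Authentication */
#define IKEV2_PAYLOAD_NONCE	40	/* Nonce */
#define IKEV2_PAYLOAD_NOTIFY	41	/* Notify */
#define IKEV2_PAYLOAD_DELETE	42	/* Delete */
#define IKEV2_PAYLOAD_VENDOR	43	/* Vendor ID */
#define IKEV2_PAYLOAD_TSi	44	/* Traffic Selector - Initiator */
#define IKEV2_PAYLOAD_TSr	45	/* Traffic Selector - Responder */
#define IKEV2_PAYLOAD_SK	46	/* Encrypted */
#define IKEV2_PAYLOAD_CP	47	/* Configuration Payload */
#define IKEV2_PAYLOAD_EAP	48	/* Extensible Authentication */
#define IKEV2_PAYLOAD_GSPM	49	/* RFC6467 Generic Secure Password */
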
/* Name table for the payload types; struct iked_constmap is declared elsewhere. */
extern struct iked_constmap ikev2_payload_map[];

/*
 * SA payload
 */

/*
 * Proposal substructure of the SA payload (RFC 7296, section 3.3.1).
 * A variable-length SPI and a list of transform substructures follow the
 * fixed part.  Wire structure, hence __packed.
 */
struct ikev2_sa_proposal {
	uint8_t		 sap_more;		/* Last proposal or more */
	uint8_t		 sap_reserved;		/* Must be set to zero */
	uint16_t	 sap_length;		/* Proposal length */
	uint8_t		 sap_proposalnr;	/* Proposal number */
	uint8_t		 sap_protoid;		/* Protocol Id */
	uint8_t		 sap_spisize;		/* SPI size */
	uint8_t		 sap_transforms;	/* Number of transforms */
	/* Followed by variable-length SPI */
	/* Followed by variable-length transforms */
	/*
	 * NOTE(review): sap_length, sap_spisize and sap_transforms are all
	 * peer-supplied.  The parser has to keep the SPI and the transform
	 * walk inside sap_length, and sap_length inside the enclosing SA
	 * payload, before reading past this header -- confirm there.
	 */
} __packed;

/* Values of sap_more (RFC 7296, section 3.3.1): 0 = last proposal, 2 = more follow */
#define IKEV2_SAP_LAST	0
#define IKEV2_SAP_MORE	2

/* Protocol IDs (IANA "IKEv2 Security Protocol Identifiers") */
#define IKEV2_SAPROTO_NONE		0	/* None */
#define IKEV2_SAPROTO_IKE		1	/* IKEv2 */
#define IKEV2_SAPROTO_AH		2	/* AH */
#define IKEV2_SAPROTO_ESP		3	/* ESP */
#define IKEV2_SAPROTO_FC_ESP_HEADER	4	/* RFC4595 */
#define IKEV2_SAPROTO_FC_CT_AUTH	5	/* RFC4595 */
/*
 * 204 lies in IANA's private-use range (201-255) and is not a valid
 * protocol ID on the wire; presumably iked uses it only internally for
 * IPcomp SAs -- confirm that it is never emitted in a proposal.
 */
#define IKEV2_SAPROTO_IPCOMP		204	/* private, should be 4 */

extern struct iked_constmap ikev2_saproto_map[];

/*
 * Transform substructure of a proposal (RFC 7296, section 3.3.2).  Zero
 * or more transform attributes follow the fixed part.  Wire structure,
 * hence __packed.
 */
struct ikev2_transform {
	uint8_t		xfrm_more;		/* Last transform or more */
	uint8_t		xfrm_reserved;		/* Must be set to zero */
	uint16_t	xfrm_length;		/* Transform length */
	uint8_t		xfrm_type;		/* Transform type */
	uint8_t		xfrm_reserved1;		/* Must be set to zero */
	uint16_t	xfrm_id;		/* Transform Id */
	/* Followed by variable-length transform attributes */
	/*
	 * NOTE(review): xfrm_length is peer-supplied; the attribute walk must
	 * stay inside it and it must not exceed the enclosing proposal.
	 */
} __packed;

/* Values of xfrm_more (RFC 7296, section 3.3.2): 0 = last transform, 3 = more follow */
#define IKEV2_XFORM_LAST		0
#define IKEV2_XFORM_MORE		3

/* Transform types (IANA "Transform Type Values") */
#define IKEV2_XFORMTYPE_ENCR		1	/* Encryption */
#define IKEV2_XFORMTYPE_PRF		2	/* Pseudo-Random Function */
#define IKEV2_XFORMTYPE_INTEGR		3	/* Integrity Algorithm */
#define IKEV2_XFORMTYPE_DH		4	/* Diffie-Hellman Group */
#define IKEV2_XFORMTYPE_ESN		5	/* Extended Sequence Numbers */
#define IKEV2_XFORMTYPE_MAX		6	/* one past the highest type; not an IANA value */

extern struct iked_constmap ikev2_xformtype_map[];

/*
 * Transform type 1 (encryption) IDs, IANA "Transform Type 1 - Encryption
 * Algorithm Transform IDs".  ID 17 is unassigned in the registry, hence
 * the gap after AES_CCM_16.  Being listed here only lets iked parse and
 * print an ID; which algorithms are offered or accepted is a policy
 * decision made elsewhere (presumably -- confirm).  Several entries
 * (DES, 3DES, RC4, NULL) are obsolete or provide no confidentiality.
 */
#define IKEV2_XFORMENCR_NONE		0	/* None */
#define IKEV2_XFORMENCR_DES_IV64	1	/* RFC1827 */
#define IKEV2_XFORMENCR_DES		2	/* RFC2405 */
#define IKEV2_XFORMENCR_3DES		3	/* RFC2451 */
#define IKEV2_XFORMENCR_RC5		4	/* RFC2451 */
#define IKEV2_XFORMENCR_IDEA		5	/* RFC2451 */
#define IKEV2_XFORMENCR_CAST		6	/* RFC2451 */
#define IKEV2_XFORMENCR_BLOWFISH	7	/* RFC2451 */
#define IKEV2_XFORMENCR_3IDEA		8	/* RFC2451 */
#define IKEV2_XFORMENCR_DES_IV32	9	/* DESIV32 */
#define IKEV2_XFORMENCR_RC4		10	/* RFC2451 */
#define IKEV2_XFORMENCR_NULL		11	/* RFC2410 */
#define IKEV2_XFORMENCR_AES_CBC		12	/* RFC3602 */
#define IKEV2_XFORMENCR_AES_CTR		13	/* RFC3664 */
#define IKEV2_XFORMENCR_AES_CCM_8	14	/* RFC5282 */
#define IKEV2_XFORMENCR_AES_CCM_12	15	/* RFC5282 */
#define IKEV2_XFORMENCR_AES_CCM_16	16	/* RFC5282 */
#define IKEV2_XFORMENCR_AES_GCM_8	18	/* RFC5282 */
#define IKEV2_XFORMENCR_AES_GCM_12	19	/* RFC5282 */
#define IKEV2_XFORMENCR_AES_GCM_16	20	/* RFC5282 */
#define IKEV2_XFORMENCR_NULL_AES_GMAC	21	/* RFC4543 */
#define IKEV2_XFORMENCR_XTS_AES		22	/* IEEE P1619 */
#define IKEV2_XFORMENCR_CAMELLIA_CBC	23	/* RFC5529 */
#define IKEV2_XFORMENCR_CAMELLIA_CTR	24	/* RFC5529 */
#define IKEV2_XFORMENCR_CAMELLIA_CCM_8	25	/* RFC5529 */
#define IKEV2_XFORMENCR_CAMELLIA_CCM_12	26	/* RFC5529 */
#define IKEV2_XFORMENCR_CAMELLIA_CCM_16	27	/* RFC5529 */
#define IKEV2_XFORMENCR_CHACHA20_POLY1305 28	/* RFC7634 */

extern struct iked_constmap ikev2_xformencr_map[];

/* IPComp transform IDs (IANA "IKEv2 IPComp Transform IDs"), carried in the IPCOMP_SUPPORTED notify */
#define IKEV2_IPCOMP_OUI		1	/* RFC5996 */
#define IKEV2_IPCOMP_DEFLATE		2	/* RFC2394 */
#define IKEV2_IPCOMP_LZS		3	/* RFC2395 */
#define IKEV2_IPCOMP_LZJH		4	/* RFC3051 */

extern struct iked_constmap ikev2_ipcomp_map[];

/*
 * Transform type 2 (pseudo-random function) IDs, IANA "Transform Type 2 -
 * Pseudorandom Function Transform IDs".  As with the encryption IDs,
 * listing a value here is not an endorsement; policy decides what is used.
 */
#define IKEV2_XFORMPRF_HMAC_MD5		1	/* RFC2104 */
#define IKEV2_XFORMPRF_HMAC_SHA1	2	/* RFC2104 */
#define IKEV2_XFORMPRF_HMAC_TIGER	3	/* RFC2104 */
#define IKEV2_XFORMPRF_AES128_XCBC	4	/* RFC3664 */
#define IKEV2_XFORMPRF_HMAC_SHA2_256	5	/* RFC4868 */
#define IKEV2_XFORMPRF_HMAC_SHA2_384	6	/* RFC4868 */
#define IKEV2_XFORMPRF_HMAC_SHA2_512	7	/* RFC4868 */
#define IKEV2_XFORMPRF_AES128_CMAC	8	/* RFC4615 */

extern struct iked_constmap ikev2_xformprf_map[];

/*
 * Transform type 3 (integrity) IDs, IANA "Transform Type 3 - Integrity
 * Algorithm Transform IDs".  The trailing number in a name is the
 * truncated ICV length in bits (e.g. HMAC_SHA1_96 = 96-bit ICV).
 */
#define IKEV2_XFORMAUTH_NONE		0	/* No Authentication */
#define IKEV2_XFORMAUTH_HMAC_MD5_96	1	/* RFC2403 */
#define IKEV2_XFORMAUTH_HMAC_SHA1_96	2	/* RFC2404 */
#define IKEV2_XFORMAUTH_DES_MAC		3	/* DES-MAC */
#define IKEV2_XFORMAUTH_KPDK_MD5	4	/* RFC1826 */
#define IKEV2_XFORMAUTH_AES_XCBC_96	5	/* RFC3566 */
#define IKEV2_XFORMAUTH_HMAC_MD5_128	6	/* RFC4595 */
#define IKEV2_XFORMAUTH_HMAC_SHA1_160	7	/* RFC4595 */
#define IKEV2_XFORMAUTH_AES_CMAC_96	8	/* RFC4494 */
#define IKEV2_XFORMAUTH_AES_128_GMAC	9	/* RFC4543 */
#define IKEV2_XFORMAUTH_AES_192_GMAC	10	/* RFC4543 */
#define IKEV2_XFORMAUTH_AES_256_GMAC	11	/* RFC4543 */
#define IKEV2_XFORMAUTH_HMAC_SHA2_256_128 12	/* RFC4868 */
#define IKEV2_XFORMAUTH_HMAC_SHA2_384_192 13	/* RFC4868 */
#define IKEV2_XFORMAUTH_HMAC_SHA2_512_256 14	/* RFC4868 */

extern struct iked_constmap ikev2_xformauth_map[];

/*
 * Transform type 4 (Diffie-Hellman group) IDs, IANA "Transform Type 4 -
 * Diffie-Hellman Group Transform IDs".  MODP_768 and MODP_1024 are far
 * too small for current use; whether they are ever offered or accepted
 * is a policy decision made elsewhere.
 */
#define IKEV2_XFORMDH_NONE		0	/* No DH */
#define IKEV2_XFORMDH_MODP_768		1	/* DH Group 1 */
#define IKEV2_XFORMDH_MODP_1024		2	/* DH Group 2 */
#define IKEV2_XFORMDH_EC2N_155		3	/* DH Group 3 */
#define IKEV2_XFORMDH_EC2N_185		4	/* DH Group 4 */
#define IKEV2_XFORMDH_MODP_1536		5	/* DH Group 5 */
#define IKEV2_XFORMDH_MODP_2048		14	/* DH Group 14 */
#define IKEV2_XFORMDH_MODP_3072		15	/* DH Group 15 */
#define IKEV2_XFORMDH_MODP_4096		16	/* DH Group 16 */
#define IKEV2_XFORMDH_MODP_6144		17	/* DH Group 17 */
#define IKEV2_XFORMDH_MODP_8192		18	/* DH Group 18 */
#define IKEV2_XFORMDH_ECP_256		19	/* DH Group 19 */
#define IKEV2_XFORMDH_ECP_384		20	/* DH Group 20 */
#define IKEV2_XFORMDH_ECP_521		21	/* DH Group 21 */
#define IKEV2_XFORMDH_ECP_192		25	/* DH Group 25 */
#define IKEV2_XFORMDH_ECP_224		26	/* DH Group 26 */
#define IKEV2_XFORMDH_BRAINPOOL_P224R1	27	/* DH Group 27 */
#define IKEV2_XFORMDH_BRAINPOOL_P256R1	28	/* DH Group 28 */
#define IKEV2_XFORMDH_BRAINPOOL_P384R1	29	/* DH Group 29 */
#define IKEV2_XFORMDH_BRAINPOOL_P512R1	30	/* DH Group 30 */
/*
 * NOTE(review): 1034 is a value from the private-use range (1024-65535)
 * taken from the safecurves draft.  RFC 8031 has since assigned 31 to
 * Curve25519 (and 32 to Curve448); a peer using the standard number will
 * not match this one, so the value needs revisiting for interoperability.
 */
#define IKEV2_XFORMDH_X_CURVE25519	1034	/* draft-ietf-ipsecme-safecurves-00 */

extern struct iked_constmap ikev2_xformdh_map[];

/* Transform type 5 (extended sequence numbers) IDs, IANA "Transform Type 5 - Extended Sequence Numbers Transform IDs" */
#define IKEV2_XFORMESN_NONE		0	/* No ESN */
#define IKEV2_XFORMESN_ESN		1	/* ESN */

extern struct iked_constmap ikev2_xformesn_map[];

/*
 * Transform attribute (RFC 7296, section 3.3.5).  The most significant bit
 * of attr_type selects the format: in TV form attr_length carries the
 * 16-bit value itself and nothing follows; in TLV form it is the length of
 * the data that follows.  Wire structure, hence __packed.
 */
struct ikev2_attribute {
	uint16_t	attr_type;	/* Attribute type */
	uint16_t	attr_length;	/* Attribute length or value */
	/* Followed by variable length (TLV) */
} __packed;

/* Attribute format flag: the top bit of attr_type (mask 0x8000) */
#define IKEV2_ATTRAF_TLV		0x0000	/* Type-Length-Value format */
#define IKEV2_ATTRAF_TV			0x8000	/* Type-Value format */

/* Attribute types (IANA "Transform Attribute Types"); Key Length is the only one RFC 7296 defines */
#define IKEV2_ATTRTYPE_KEY_LENGTH	14	/* Key length */

extern struct iked_constmap ikev2_attrtype_map[];

/*
 * KE Payload
 */

/*
 * Key Exchange payload (RFC 7296, section 3.4): the DH group number,
 * followed by the key exchange data.  Wire structure, hence __packed.
 */
struct ikev2_keyexchange {
	uint16_t	 kex_dhgroup;		/* DH Group # */
	uint16_t	 kex_reserved;		/* Reserved */
	/*
	 * NOTE(review): RFC 7296 requires kex_dhgroup to match the group
	 * chosen in the SA payload (otherwise INVALID_KE_PAYLOAD), and the
	 * expected size of the key data follows from the group, so the
	 * receiver should check it against the payload length -- confirm in
	 * the parser.
	 */
} __packed;

/*
 * N payload
 */

/*
 * Notify payload (RFC 7296, section 3.10).  For notifications that refer
 * to a specific SA, n_spisize octets of SPI follow; the notification data
 * comes after that.  Wire structure, hence __packed.
 */
struct ikev2_notify {
	uint8_t		 n_protoid;		/* Protocol Id */
	uint8_t		 n_spisize;		/* SPI size */
	uint16_t	 n_type;		/* Notify message type */
	/* Followed by variable length SPI */
	/* Followed by variable length notification data */
	/* NOTE(review): n_spisize is peer-supplied; bound it by the payload length before use. */
} __packed;

/*
 * Notify Message Types (IANA "IKEv2 Notify Message Types").  Values
 * 1-16383 are error types, 16384-65535 are status types (RFC 7296,
 * section 3.10.1).
 *
 * NOTE(review): a notification received outside an SK payload, or in an
 * exchange that has not been authenticated yet, can be forged by anyone
 * on the path.  RFC 7296, section 2.21.4 says such messages must not by
 * themselves change the state of an established SA.
 */
#define IKEV2_N_UNSUPPORTED_CRITICAL_PAYLOAD	1	/* RFC4306 */
#define IKEV2_N_INVALID_IKE_SPI			4	/* RFC4306 */
#define IKEV2_N_INVALID_MAJOR_VERSION		5	/* RFC4306 */
#define IKEV2_N_INVALID_SYNTAX			7	/* RFC4306 */
#define IKEV2_N_INVALID_MESSAGE_ID		9	/* RFC4306 */
#define IKEV2_N_INVALID_SPI			11	/* RFC4306 */
#define IKEV2_N_NO_PROPOSAL_CHOSEN		14	/* RFC4306 */
#define IKEV2_N_INVALID_KE_PAYLOAD		17	/* RFC4306 */
#define IKEV2_N_AUTHENTICATION_FAILED		24	/* RFC4306 */
#define IKEV2_N_SINGLE_PAIR_REQUIRED		34	/* RFC4306 */
#define IKEV2_N_NO_ADDITIONAL_SAS		35	/* RFC4306 */
#define IKEV2_N_INTERNAL_ADDRESS_FAILURE	36	/* RFC4306 */
#define IKEV2_N_FAILED_CP_REQUIRED		37	/* RFC4306 */
#define IKEV2_N_TS_UNACCEPTABLE			38	/* RFC4306 */
#define IKEV2_N_INVALID_SELECTORS		39	/* RFC4306 */
#define IKEV2_N_UNACCEPTABLE_ADDRESSES		40	/* RFC4555 */
#define IKEV2_N_UNEXPECTED_NAT_DETECTED		41	/* RFC4555 */
#define IKEV2_N_USE_ASSIGNED_HoA		42	/* RFC5026 */
#define IKEV2_N_TEMPORARY_FAILURE		43	/* RFC5996 */
#define IKEV2_N_CHILD_SA_NOT_FOUND		44	/* RFC5996 */
/* Status types start here (16384 and up) */
#define IKEV2_N_INITIAL_CONTACT			16384	/* RFC4306 */
#define IKEV2_N_SET_WINDOW_SIZE			16385	/* RFC4306 */
#define IKEV2_N_ADDITIONAL_TS_POSSIBLE		16386	/* RFC4306 */
#define IKEV2_N_IPCOMP_SUPPORTED		16387	/* RFC4306 */
#define IKEV2_N_NAT_DETECTION_SOURCE_IP		16388	/* RFC4306 */
#define IKEV2_N_NAT_DETECTION_DESTINATION_IP	16389	/* RFC4306 */
#define IKEV2_N_COOKIE				16390	/* RFC4306 */
#define IKEV2_N_USE_TRANSPORT_MODE		16391	/* RFC4306 */
#define IKEV2_N_HTTP_CERT_LOOKUP_SUPPORTED	16392	/* RFC4306 */
#define IKEV2_N_REKEY_SA			16393	/* RFC4306 */
#define IKEV2_N_ESP_TFC_PADDING_NOT_SUPPORTED	16394	/* RFC4306 */
#define IKEV2_N_NON_FIRST_FRAGMENTS_ALSO	16395	/* RFC4306 */
#define IKEV2_N_MOBIKE_SUPPORTED		16396	/* RFC4555 */
#define IKEV2_N_ADDITIONAL_IP4_ADDRESS		16397	/* RFC4555 */
#define IKEV2_N_ADDITIONAL_IP6_ADDRESS		16398	/* RFC4555 */
#define IKEV2_N_NO_ADDITIONAL_ADDRESSES		16399	/* RFC4555 */
#define IKEV2_N_UPDATE_SA_ADDRESSES		16400	/* RFC4555 */
#define IKEV2_N_COOKIE2				16401	/* RFC4555 */
#define IKEV2_N_NO_NATS_ALLOWED			16402	/* RFC4555 */
#define IKEV2_N_AUTH_LIFETIME			16403	/* RFC4478 */
#define IKEV2_N_MULTIPLE_AUTH_SUPPORTED		16404	/* RFC4739 */
#define IKEV2_N_ANOTHER_AUTH_FOLLOWS		16405	/* RFC4739 */
#define IKEV2_N_REDIRECT_SUPPORTED		16406	/* RFC5685 */
#define IKEV2_N_REDIRECT			16407	/* RFC5685 */
#define IKEV2_N_REDIRECTED_FROM			16408	/* RFC5685 */
#define IKEV2_N_TICKET_LT_OPAQUE		16409	/* RFC5723 */
#define IKEV2_N_TICKET_REQUEST			16410	/* RFC5723 */
#define IKEV2_N_TICKET_ACK			16411	/* RFC5723 */
#define IKEV2_N_TICKET_NACK			16412	/* RFC5723 */
#define IKEV2_N_TICKET_OPAQUE			16413	/* RFC5723 */
#define IKEV2_N_LINK_ID				16414	/* RFC5739 */
#define IKEV2_N_USE_WESP_MODE			16415	/* RFC-ietf-ipsecme-traffic-visibility-12.txt */
#define IKEV2_N_ROHC_SUPPORTED			16416	/* RFC-ietf-rohc-ikev2-extensions-hcoipsec-12.txt */
#define IKEV2_N_EAP_ONLY_AUTHENTICATION		16417	/* RFC5998 */
#define IKEV2_N_CHILDLESS_IKEV2_SUPPORTED	16418	/* RFC6023 */
#define IKEV2_N_QUICK_CRASH_DETECTION		16419	/* RFC6290 */
#define IKEV2_N_IKEV2_MESSAGE_ID_SYNC_SUPPORTED	16420	/* RFC6311 */
#define IKEV2_N_IPSEC_REPLAY_CTR_SYNC_SUPPORTED	16421	/* RFC6311 */
#define IKEV2_N_IKEV2_MESSAGE_ID_SYNC		16422	/* RFC6311 */
#define IKEV2_N_IPSEC_REPLAY_CTR_SYNC		16423	/* RFC6311 */
#define IKEV2_N_SECURE_PASSWORD_METHODS		16424	/* RFC6467 */
#define IKEV2_N_PSK_PERSIST			16425	/* RFC6631 */
#define IKEV2_N_PSK_CONFIRM			16426	/* RFC6631 */
#define IKEV2_N_ERX_SUPPORTED			16427	/* RFC6867 */
#define IKEV2_N_IFOM_CAPABILITY			16428	/* OA3GPP */
#define IKEV2_N_FRAGMENTATION_SUPPORTED		16430	/* RFC7383 */
#define IKEV2_N_SIGNATURE_HASH_ALGORITHMS	16431	/* RFC7427 */

extern struct iked_constmap ikev2_n_map[];

/*
 * DELETE payload
 */

/*
 * Delete payload (RFC 7296, section 3.11): del_nspi SPIs of del_spisize
 * octets each follow.  For the IKE SA itself both counts are zero.
 * Wire structure, hence __packed.
 */
struct ikev2_delete {
	uint8_t		 del_protoid;		/* Protocol Id */
	uint8_t		 del_spisize;		/* SPI size */
	uint16_t	 del_nspi;		/* Number of SPIs */
	/* Followed by variable length SPIs */
	/*
	 * NOTE(review): del_nspi * del_spisize is attacker-controlled; the
	 * parser must check the product against the payload length rather
	 * than trust either field alone -- confirm there.
	 */
} __packed;

/*
 * ID payload
 */

/*
 * Identification payload (RFC 7296, section 3.5).  The identification
 * data follows; its length is whatever remains of the payload, and it
 * is not NUL-terminated on the wire.  Wire structure, hence __packed.
 */
struct ikev2_id {
	uint8_t		 id_type;		/* Id type */
	uint8_t		 id_reserved[3];	/* Reserved */
	/* Followed by the identification data */
} __packed;

/*
 * Identification types (IANA "IKEv2 Identification Payload ID Types").
 * The gaps at 4 and 6-8 are reserved.  An ID is an untrusted claim until
 * the AUTH payload has been verified against it.
 */
#define IKEV2_ID_NONE		0	/* No ID */
#define IKEV2_ID_IPV4		1	/* RFC4306 (ID_IPV4_ADDR) */
#define IKEV2_ID_FQDN		2	/* RFC4306 */
#define IKEV2_ID_UFQDN		3	/* RFC4306 (ID_RFC822_ADDR) */
#define IKEV2_ID_IPV6		5	/* RFC4306 (ID_IPV6_ADDR) */
#define IKEV2_ID_ASN1_DN	9	/* RFC4306 */
#define IKEV2_ID_ASN1_GN	10	/* RFC4306 */
#define IKEV2_ID_KEY_ID		11	/* RFC4306 */
#define IKEV2_ID_FC_NAME	12	/* RFC4595 */

extern struct iked_constmap ikev2_id_map[];

/*
 * CERT/CERTREQ payloads
 */

/*
 * Certificate / Certificate Request payload (RFC 7296, sections 3.6 and
 * 3.7): one encoding octet followed by the certificate data (CERT) or
 * the trust-anchor data (CERTREQ).  Wire structure, hence __packed.
 */
struct ikev2_cert {
	uint8_t		cert_type;	/* Encoding */
	/* Followed by the certificate data */
} __packed;

/* Certificate encodings (IANA "IKEv2 Certificate Encodings") */
#define IKEV2_CERT_NONE			0	/* None */
#define IKEV2_CERT_X509_PKCS7		1	/* RFC4306 */
#define IKEV2_CERT_PGP			2	/* RFC4306 */
#define IKEV2_CERT_DNS_SIGNED_KEY	3	/* RFC4306 */
#define IKEV2_CERT_X509_CERT		4	/* RFC4306 */
#define IKEV2_CERT_KERBEROS_TOKEN	6	/* RFC4306 */
#define IKEV2_CERT_CRL			7	/* RFC4306 */
#define IKEV2_CERT_ARL			8	/* RFC4306 */
#define IKEV2_CERT_SPKI			9	/* RFC4306 */
#define IKEV2_CERT_X509_ATTR		10	/* RFC4306 */
#define IKEV2_CERT_RSA_KEY		11	/* RFC4306 */
#define IKEV2_CERT_HASHURL_X509		12	/* RFC4306 */
#define IKEV2_CERT_HASHURL_X509_BUNDLE	13	/* RFC4306 */
#define IKEV2_CERT_OCSP			14	/* RFC4806 */
/*
 * As of November 2014, work was still in progress to add a more generic
 * format for raw public keys (RFC7296), so we use a number in IANA's private
 * use range (201-255, same RFC) for ECDSA.
 *
 * NOTE(review): RFC 7670 has since assigned encoding 15, "Raw Public Key",
 * for that purpose.  201 stays iked-private and presumably will not
 * interoperate with a peer that sends 15 -- confirm.
 */
#define IKEV2_CERT_ECDSA		201	/* Private */

extern struct iked_constmap ikev2_cert_map[];

/*
 * TSi/TSr payloads
 */

/*
 * Traffic Selector payload header (RFC 7296, section 3.13): tsp_count
 * traffic selector substructures follow.  Wire structure, hence __packed.
 */
struct ikev2_tsp {
	uint8_t		tsp_count;		/* Number of TSs */
	uint8_t		tsp_reserved[3];	/* Reserved */
	/* Followed by the traffic selectors */
} __packed;

/*
 * One traffic selector substructure (RFC 7296, section 3.13.1).
 * ts_length covers this header plus the starting and ending addresses
 * that follow it; their size depends on ts_type (4 octets each for an
 * IPv4 range, 16 for IPv6).  Wire structure, hence __packed.
 */
struct ikev2_ts {
	uint8_t		ts_type;		/* TS type */
	uint8_t		ts_protoid;		/* Protocol Id */
	uint16_t	ts_length;		/* Length */
	uint16_t	ts_startport;		/* Start port */
	uint16_t	ts_endport;		/* End port */
	/* Followed by the starting and ending addresses */
	/*
	 * NOTE(review): ts_type and ts_length are peer-supplied; the parser
	 * should check ts_length against both the size implied by ts_type
	 * and the remaining payload before reading the addresses -- confirm.
	 */
} __packed;

/* Traffic selector types (IANA "IKEv2 Traffic Selector Types"); values below 7 are reserved */
#define IKEV2_TS_IPV4_ADDR_RANGE	7	/* RFC4306 */
#define IKEV2_TS_IPV6_ADDR_RANGE	8	/* RFC4306 */
#define IKEV2_TS_FC_ADDR_RANGE		9	/* RFC4595 */

extern struct iked_constmap ikev2_ts_map[];

/*
 * AUTH payload
 */

/*
 * Authentication payload (RFC 7296, section 3.8): the method octet,
 * then the signature or MAC whose format is selected by that method.
 * Wire structure, hence __packed.
 */
struct ikev2_auth {
	uint8_t		auth_method;		/* Signature type */
	uint8_t		auth_reserved[3];	/* Reserved */
	/* Followed by the signature */
} __packed;

/*
 * Authentication methods (IANA "IKEv2 Authentication Method").  Values
 * 0 and 255 are iked-internal and never appear on the wire; the peer's
 * claimed method must still be checked against the configured policy
 * before any verification is attempted.
 */
#define IKEV2_AUTH_NONE			0	/* None */
#define IKEV2_AUTH_RSA_SIG		1	/* RFC4306 */
#define IKEV2_AUTH_SHARED_KEY_MIC	2	/* RFC4306 */
#define IKEV2_AUTH_DSS_SIG		3	/* RFC4306 */
#define IKEV2_AUTH_ECDSA_256		9	/* RFC4754 */
#define IKEV2_AUTH_ECDSA_384		10	/* RFC4754 */
#define IKEV2_AUTH_ECDSA_521		11	/* RFC4754 */
#define IKEV2_AUTH_GSPM			12	/* RFC6467 */
#define IKEV2_AUTH_NULL			13	/* RFC7619 */
#define IKEV2_AUTH_SIG			14	/* RFC7427 */
#define IKEV2_AUTH_SIG_ANY		255	/* Internal (any signature) */
/*
 * AUTH_SIG also serves as an indication that a given policy has
 * been configured to accept RSA or ECDSA payloads, as long as it
 * successfully authenticates against a configured CA.
 */

extern struct iked_constmap ikev2_auth_map[];

/* Notifications used together with IKEV2_AUTH_SIG */

/*
 * Hash algorithm IDs carried in the SIGNATURE_HASH_ALGORITHMS notify
 * (RFC 7427, IANA "IKEv2 Hash Algorithms").  Whether SHA-1 is offered
 * or accepted for signatures is a policy decision made elsewhere.
 */
#define IKEV2_SIGHASH_RESERVED		0	/* RFC7427 */
#define IKEV2_SIGHASH_SHA1		1	/* RFC7427 */
#define IKEV2_SIGHASH_SHA2_256		2	/* RFC7427 */
#define IKEV2_SIGHASH_SHA2_384		3	/* RFC7427 */
#define IKEV2_SIGHASH_SHA2_512		4	/* RFC7427 */

extern struct iked_constmap ikev2_sighash_map[];

/*
 * CP payload
 */

/*
 * Configuration payload (RFC 7296, section 3.15): the CFG type octet,
 * then a list of configuration attributes.  Wire structure, hence __packed.
 */
struct ikev2_cp {
	uint8_t		cp_type;		/* CFG type (request/reply/set/ack) */
	uint8_t		cp_reserved[3];		/* Reserved */
	/* Followed by the attributes */
} __packed;

/* Configuration payload types (IANA "IKEv2 Configuration Payload CFG Types") */
#define IKEV2_CP_REQUEST	1	/* CFG-Request */
#define IKEV2_CP_REPLY		2	/* CFG-Reply */
#define IKEV2_CP_SET		3	/* CFG-SET */
#define IKEV2_CP_ACK		4	/* CFG-ACK */

extern struct iked_constmap ikev2_cp_map[];

/*
 * Configuration attribute (RFC 7296, section 3.15.1).  cfg_length is the
 * length of the attribute data that follows; it may be zero in a request.
 * Wire structure, hence __packed.
 */
struct ikev2_cfg {
	uint16_t	cfg_type;	/* first bit must be set to zero */
	uint16_t	cfg_length;	/* Length of the data that follows */
	/* Followed by variable-length data */
	/*
	 * NOTE(review): cfg_length is peer-supplied and must be bounded by
	 * the enclosing CP payload; attribute data such as DNS or address
	 * assignments comes from the peer and should be validated before
	 * being applied locally -- confirm in the parser.
	 */
} __packed;

/*
 * Configuration attribute types (IANA "IKEv2 Configuration Payload
 * Attribute Types").  9 is unassigned in the registry, hence the gap
 * after INTERNAL_IP6_ADDRESS; 23456/23457 are Microsoft values from the
 * private-use range (16384-32767).
 */
#define IKEV2_CFG_INTERNAL_IP4_ADDRESS		1	/* RFC5996 */
#define IKEV2_CFG_INTERNAL_IP4_NETMASK		2	/* RFC5996 */
#define IKEV2_CFG_INTERNAL_IP4_DNS		3	/* RFC5996 */
#define IKEV2_CFG_INTERNAL_IP4_NBNS		4	/* RFC5996 */
#define IKEV2_CFG_INTERNAL_ADDRESS_EXPIRY	5	/* RFC4306 */
#define IKEV2_CFG_INTERNAL_IP4_DHCP		6	/* RFC5996 */
#define IKEV2_CFG_APPLICATION_VERSION		7	/* RFC5996 */
#define IKEV2_CFG_INTERNAL_IP6_ADDRESS		8	/* RFC5996 */
#define IKEV2_CFG_INTERNAL_IP6_DNS		10	/* RFC5996 */
#define IKEV2_CFG_INTERNAL_IP6_NBNS		11	/* RFC4306 */
#define IKEV2_CFG_INTERNAL_IP6_DHCP		12	/* RFC5996 */
#define IKEV2_CFG_INTERNAL_IP4_SUBNET		13	/* RFC5996 */
#define IKEV2_CFG_SUPPORTED_ATTRIBUTES		14	/* RFC5996 */
#define IKEV2_CFG_INTERNAL_IP6_SUBNET		15	/* RFC5996 */
#define IKEV2_CFG_MIP6_HOME_PREFIX		16	/* RFC5026 */
#define IKEV2_CFG_INTERNAL_IP6_LINK		17	/* RFC5739 */
#define IKEV2_CFG_INTERNAL_IP6_PREFIX		18	/* RFC5739 */
#define IKEV2_CFG_HOME_AGENT_ADDRESS		19	/* http://www.3gpp.org/ftp/Specs/html-info/24302.htm */
#define IKEV2_CFG_INTERNAL_IP4_SERVER		23456	/* MS-IKEE */
#define IKEV2_CFG_INTERNAL_IP6_SERVER		23457	/* MS-IKEE */

extern struct iked_constmap ikev2_cfg_map[];

530 #endif /* IKED_IKEV2_H */