/* $OpenBSD: ipsec.h,v 1.22 2003/06/04 07:31:17 ho Exp $ */
/* $EOM: ipsec.h,v 1.42 2000/12/03 07:58:20 angelos Exp $ */

/*
 * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved.
 * Copyright (c) 1999 Angelos D. Keromytis. All rights reserved.
 * Copyright (c) 2001 Håkan Olsson. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * This code was written under funding by Ericsson Radio Systems.
 */

/*
 * IPsec DOI support for the IKE daemon: per-exchange, per-SA and
 * per-protocol state that the generic exchange/SA machinery links in,
 * plus the prototypes of the ipsec.c helpers that fill it in.
 */

#ifndef _IPSEC_H_
#define _IPSEC_H_

#include <sys/queue.h>
#include <sys/types.h>
#include <netinet/in.h>

#include "ipsec_doi.h"
#ifdef USE_ISAKMP_CFG
#include "isakmp_cfg.h"
#endif

/* Defined elsewhere; this header only needs pointers to them. */
struct group;
struct hash;
struct ike_auth;
struct message;
struct proto;
struct sa;

/*
 * IPsec-specific data to be linked into the exchange struct.
 * XXX Should probably be several different structs, one for each kind
 * of exchange, i.e. phase 1, phase 2 and ISAKMP configuration parameters
 * separated.
 *
 * NOTE(review): several members below (g_xy and the skeyid* buffers, by
 * their IKE names) presumably hold secret keying material derived during
 * the exchange.  Whatever tears an exchange down should zeroize those
 * buffers rather than just free() them -- confirm in the teardown path.
 */
struct ipsec_exch {
  /* Flag bits; see IPSEC_EXCH_FLAG_* below. */
  u_int flags;

  /* Negotiated algorithms; presumably hash, authentication method and
     Diffie-Hellman group -- the definitions live elsewhere. */
  struct hash *hash;
  struct ike_auth *ike_auth;
  struct group *group;

  /* Pseudo-random function type (DOI attribute value, presumably). */
  u_int16_t prf_type;

  /* 0 if no KEY_EXCH was proposed, 1 otherwise */
  u_int8_t pfs;

  /*
   * A copy of the initiator SA payload body for later computation of hashes.
   * Phase 1 only.
   */
  size_t sa_i_b_len;
  u_int8_t *sa_i_b;

  /*
   * Diffie-Hellman values.  A single length covers the three buffers
   * below; g_xy is the shared value, the other two are the public
   * values -- TODO confirm g_xy is really g_x_len bytes.
   */
  size_t g_x_len;
  u_int8_t *g_xi;
  u_int8_t *g_xr;
  u_int8_t* g_xy;

  /*
   * SKEYIDs. XXX Phase 1 only?
   * skeyid_len presumably applies to all four buffers.
   */
  size_t skeyid_len;
  u_int8_t *skeyid;
  u_int8_t *skeyid_d;
  u_int8_t *skeyid_a;
  u_int8_t *skeyid_e;

  /*
   * HASH_I & HASH_R. XXX Do these need to be saved here?
   * No explicit length member; presumably sized by the negotiated hash.
   */
  u_int8_t *hash_i;
  u_int8_t *hash_r;

  /*
   * KEYMAT.  Only the length is kept here; the bytes themselves appear
   * to live in struct ipsec_proto (keymat[]) further down.
   */
  size_t keymat_len;

  /* Phase 2.  Client identities with their sizes (initiator, responder). */
  u_int8_t *id_ci;
  size_t id_ci_sz;
  u_int8_t *id_cr;
  size_t id_cr_sz;

#ifdef USE_ISAKMP_CFG
  /* ISAKMP configuration mode parameters */
  u_int16_t cfg_id;
  u_int16_t cfg_type;
  LIST_HEAD (isakmp_cfg_attr_head, isakmp_cfg_attr) attrs;
#endif
};

/* Bit for struct ipsec_exch.flags: the exchange carries no ID payloads. */
#define IPSEC_EXCH_FLAG_NO_ID 1

/* IPsec-specific data hanging off a struct sa. */
struct ipsec_sa {
  /* Phase 1. */
  u_int8_t hash;
  size_t skeyid_len;
  u_int8_t *skeyid_d;
  u_int8_t *skeyid_a;
  u_int16_t prf_type;

  /* Phase 2. */
  u_int16_t group_desc;

  /*
   * Tunnel parameters. These are in network byte order.
   * That includes sport and dport below -- convert before comparing with
   * host-order values.
   */
  struct sockaddr *src_net;
  struct sockaddr *src_mask;
  struct sockaddr *dst_net;
  struct sockaddr *dst_mask;
  u_int8_t tproto;
  u_int16_t sport;
  u_int16_t dport;
};

/* IPsec-specific data hanging off a struct proto (one protocol of an SA). */
struct ipsec_proto {
  /* Phase 2.  Negotiated transform attributes (values from ipsec_doi.h,
     presumably). */
  u_int16_t encap_mode;
  u_int16_t auth;
  u_int16_t keylen;
  u_int16_t keyrounds;

  /*
   * This is not negotiated, but rather configured.
   * Anti-replay window size; comes from local configuration, not from
   * the peer.
   */
  int32_t replay_window;

  /*
   * KEYMAT.  Two buffers, length given by struct ipsec_exch.keymat_len.
   * NOTE(review): presumably one per direction -- confirm against the
   * code that fills them.
   */
  u_int8_t *keymat[2];
};

/*
 * Helpers implemented in ipsec.c.  Prototypes below are unnamed in the
 * original; the *_decode_* and *_is_attribute_incompatible functions
 * operate on attribute/transform data taken from a received message, so
 * their implementations must honour the length arguments they are given.
 */
extern u_int8_t *ipsec_add_hash_payload (struct message *msg, size_t);
extern int ipsec_ah_keylength (struct proto *);
extern u_int8_t *ipsec_build_id (char *, size_t *);
extern int ipsec_decode_attribute (u_int16_t, u_int8_t *, u_int16_t, void *);
extern void ipsec_decode_transform (struct message *, struct sa *,
				    struct proto *, u_int8_t *);
extern int ipsec_esp_authkeylength (struct proto *);
extern int ipsec_esp_enckeylength (struct proto *);
extern int ipsec_fill_in_hash (struct message *msg);
extern int ipsec_gen_g_x (struct message *);
extern int ipsec_get_id (char *, int *, struct sockaddr **,
			 struct sockaddr **, u_int8_t *, u_int16_t *);
extern ssize_t ipsec_id_size (char *, u_int8_t *);
extern char *ipsec_id_string (u_int8_t *, size_t);
extern void ipsec_init (void);
extern int ipsec_initial_contact (struct message *msg);
extern int ipsec_is_attribute_incompatible (u_int16_t, u_int8_t *, u_int16_t,
					    void *);
extern int ipsec_keymat_length (struct proto *);
extern int ipsec_save_g_x (struct message *);
extern struct sa *ipsec_sa_lookup (struct sockaddr *, u_int32_t, u_int8_t);

/* Later additions (note the differing call-spacing style). */
extern char *ipsec_decode_ids(char *, u_int8_t *, size_t, u_int8_t *, size_t,
			      int);
extern int ipsec_clone_id(u_int8_t **, size_t *, u_int8_t *, size_t);

#endif /* _IPSEC_H_ */