/*
 * fiked - a fake IKE PSK+XAUTH daemon based on vpnc
 * Copyright (C) 2005, Daniel Roethlisberger <daniel@roe.ch>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 2 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program; if not, see http://www.gnu.org/copyleft/
 *
 * $Id: isakmp.h 62 2005-10-31 00:42:54Z roe $
 * $VPNC: isakmp.h 61 2005-09-20 11:30:30Z massar $
 */

/* ISAKMP constants.
   Copyright (C) 2002  Geoffrey Keating

   This program is free software; you can redistribute it and/or modify
   it under the terms of the GNU General Public License as published by
   the Free Software Foundation; either version 2 of the License, or
   (at your option) any later version.

   This program is distributed in the hope that it will be useful,
   but WITHOUT ANY WARRANTY; without even the implied warranty of
   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   GNU General Public License for more details.

   You should have received a copy of the GNU General Public License
   along with this program; if not, write to the Free Software
   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
*/

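/* Include guard.  The former name __ISAKMP_H__ was a reserved identifier:
   any name starting with two underscores belongs to the implementation
   (C11 7.1.3), so it was renamed to a plain ISAKMP_H.  */
#ifndef ISAKMP_H
#define ISAKMP_H
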
/* Flag bits for header.  These live in the "Flags" octet of the fixed
   ISAKMP header (see ISAKMP_FLAGS_O below):
     E = Encryption      - the payloads after the header are encrypted
     C = Commit
     A = Authentication Only
   Only these three bits are defined here; a receiver that dispatches on
   the flags octet should mask it with (E|C|A) and treat any other set bit
   as unexpected rather than silently dropping it.  */
#define ISAKMP_FLAG_E	0x1
#define ISAKMP_FLAG_C	0x2
#define ISAKMP_FLAG_A	0x4

/* Payload types: the "next payload" octet in the ISAKMP header and in
   every generic payload header.  Values are spelled out because they are
   wire constants; adding a name must never shift its neighbours.  A value
   read from the wire may fall in the gap between ISAKMP_PAYLOAD_NAT_OA and
   ISAKMP_PAYLOAD_NAT_D_OLD, so a dispatch on this enum needs a default
   case.  */
enum isakmp_payload_enum {
	ISAKMP_PAYLOAD_NONE         = 0,
	ISAKMP_PAYLOAD_SA           = 1,	/* Security Association */
	ISAKMP_PAYLOAD_P            = 2,	/* Proposal */
	ISAKMP_PAYLOAD_T            = 3,	/* Transform */
	ISAKMP_PAYLOAD_KE           = 4,	/* Key Exchange */
	ISAKMP_PAYLOAD_ID           = 5,	/* Identification */
	ISAKMP_PAYLOAD_CERT         = 6,	/* Certificate */
	ISAKMP_PAYLOAD_CR           = 7,	/* Certificate Request */
	ISAKMP_PAYLOAD_HASH         = 8,
	ISAKMP_PAYLOAD_SIG          = 9,	/* Signature */
	ISAKMP_PAYLOAD_NONCE        = 10,
	ISAKMP_PAYLOAD_N            = 11,	/* Notification */
	ISAKMP_PAYLOAD_D            = 12,	/* Delete */
	ISAKMP_PAYLOAD_VID          = 13,	/* Vendor ID */
	ISAKMP_PAYLOAD_MODECFG_ATTR = 14,	/* mode-config attribute payload */
	/* NOTE(review): 15/16 follow the early nat-t drafts; RFC 3947 assigns
	   20/21 to NAT-D/NAT-OA and draft-02 uses the private-range 0x82.
	   Confirm which numbering the peers in use actually send.  */
	ISAKMP_PAYLOAD_NAT_D        = 15,
	ISAKMP_PAYLOAD_NAT_OA       = 16,
	ISAKMP_PAYLOAD_NAT_D_OLD    = 0x82
};

/* Exchange types (the "exchange type" octet of the ISAKMP header, see
   ISAKMP_EXCHANGE_TYPE_O).  0-6 are the generic ISAKMP exchanges plus the
   mode-config transaction; 32 and up are the IKE (DOI-specific) ones.
   Values are explicit because they are wire constants.  */
enum isakmp_exchange_enum {
	ISAKMP_EXCHANGE_NONE                = 0,
	ISAKMP_EXCHANGE_BASE                = 1,
	ISAKMP_EXCHANGE_IDENTITY            = 2,	/* identity protection (main mode) */
	ISAKMP_EXCHANGE_AUTH_ONLY           = 3,
	ISAKMP_EXCHANGE_AGGRESSIVE          = 4,
	ISAKMP_EXCHANGE_INFORMATIONAL       = 5,
	ISAKMP_EXCHANGE_MODECFG_TRANSACTION = 6,
	ISAKMP_EXCHANGE_IKE_QUICK           = 32,
	ISAKMP_EXCHANGE_IKE_NEW_GROUP       = 33
};

/* DOI (Domain of Interpretation) values carried in SA payloads.  */
enum isakmp_doi_enum {
	ISAKMP_DOI_GENERIC = 0,	/* generic ISAKMP */
	ISAKMP_DOI_IPSEC   = 1	/* IPsec DOI */
};

/* Notify message types carried in Notification payloads.
   1..30      generic ISAKMP error notifications
   16384      status notification
   24576..    IPsec-DOI status notifications
   40501/40756 Cisco private notifications
   Values are explicit because they are wire constants.  */
enum isakmp_notify_enum {
	ISAKMP_N_INVALID_PAYLOAD_TYPE      = 1,
	ISAKMP_N_DOI_NOT_SUPPORTED         = 2,
	ISAKMP_N_SITUATION_NOT_SUPPORTED   = 3,
	ISAKMP_N_INVALID_COOKIE            = 4,
	ISAKMP_N_INVALID_MAJOR_VERSION     = 5,
	ISAKMP_N_INVALID_MINOR_VERSION     = 6,
	ISAKMP_N_INVALID_EXCHANGE_TYPE     = 7,
	ISAKMP_N_INVALID_FLAGS             = 8,
	ISAKMP_N_INVALID_MESSAGE_ID        = 9,
	ISAKMP_N_INVALID_PROTOCOL_ID       = 10,
	ISAKMP_N_INVALID_SPI               = 11,
	ISAKMP_N_INVALID_TRANSFORM_ID      = 12,
	ISAKMP_N_ATTRIBUTES_NOT_SUPPORTED  = 13,
	ISAKMP_N_NO_PROPOSAL_CHOSEN        = 14,
	ISAKMP_N_BAD_PROPOSAL_SYNTAX       = 15,
	ISAKMP_N_PAYLOAD_MALFORMED         = 16,
	ISAKMP_N_INVALID_KEY_INFORMATION   = 17,
	ISAKMP_N_INVALID_ID_INFORMATION    = 18,
	ISAKMP_N_INVALID_CERT_ENCODING     = 19,
	ISAKMP_N_INVALID_CERTIFICATE       = 20,
	ISAKMP_N_CERT_TYPE_UNSUPPORTED     = 21,
	ISAKMP_N_INVALID_CERT_AUTHORITY    = 22,
	ISAKMP_N_INVALID_HASH_INFORMATION  = 23,
	ISAKMP_N_AUTHENTICATION_FAILED     = 24,
	ISAKMP_N_INVALID_SIGNATURE         = 25,
	ISAKMP_N_ADDRESS_NOTIFICATION      = 26,
	ISAKMP_N_NOTIFY_SA_LIFETIME        = 27,
	ISAKMP_N_CERTIFICATE_UNAVAILABLE   = 28,
	ISAKMP_N_UNSUPPORTED_EXCHANGE_TYPE = 29,
	ISAKMP_N_UNEQUAL_PAYLOAD_LENGTHS   = 30,
	ISAKMP_N_CONNECTED                 = 16384,
	ISAKMP_N_IPSEC_RESPONDER_LIFETIME  = 24576,
	ISAKMP_N_IPSEC_REPLAY_STATUS       = 24577,
	ISAKMP_N_IPSEC_INITIAL_CONTACT     = 24578,
	ISAKMP_N_CISCO_LOAD_BALANCE        = 40501,
	ISAKMP_N_CISCO_HEARTBEAT           = 40756
};

/* IKE (phase 1) SA attribute types, as found in transform payloads.
   Values are explicit because they are wire constants.  */
enum ike_attr_enum {
	IKE_ATTRIB_ENC           = 1,	/* encryption algorithm, see ike_enc_enum */
	IKE_ATTRIB_HASH          = 2,	/* hash algorithm, see ike_hash_enum */
	IKE_ATTRIB_AUTH_METHOD   = 3,	/* see ike_auth_enum */
	IKE_ATTRIB_GROUP_DESC    = 4,	/* see ike_group_enum */
	IKE_ATTRIB_GROUP_TYPE    = 5,	/* see ike_group_type_enum */
	IKE_ATTRIB_GROUP_PRIME   = 6,
	IKE_ATTRIB_GROUP_GEN_1   = 7,
	IKE_ATTRIB_GROUP_GEN_2   = 8,
	IKE_ATTRIB_GROUP_CURVE_A = 9,
	IKE_ATTRIB_GROUP_CURVE_B = 10,
	IKE_ATTRIB_LIFE_TYPE     = 11,	/* see ike_life_enum */
	IKE_ATTRIB_LIFE_DURATION = 12,
	IKE_ATTRIB_PRF           = 13,
	IKE_ATTRIB_KEY_LENGTH    = 14,
	IKE_ATTRIB_FIELD_SIZE    = 15,
	IKE_ATTRIB_GROUP_ORDER   = 16,
	IKE_ATTRIB_BLOCK_SIZE    = 17
};

/* IKE encryption algorithm IDs (values of IKE_ATTRIB_ENC).
   Values are explicit because they are wire constants.  */
enum ike_enc_enum {
	IKE_ENC_DES_CBC         = 1,
	IKE_ENC_IDEA_CBC        = 2,
	IKE_ENC_BLOWFISH_CBC    = 3,
	IKE_ENC_RC5_R16_B16_CBC = 4,
	IKE_ENC_3DES_CBC        = 5,
	IKE_ENC_CAST_CBC        = 6,
	IKE_ENC_AES_CBC         = 7
};

/* IKE hash algorithm IDs (values of IKE_ATTRIB_HASH).
   Values are explicit because they are wire constants.  */
enum ike_hash_enum {
	IKE_HASH_MD5      = 1,
	IKE_HASH_SHA      = 2,	/* SHA-1 */
	IKE_HASH_TIGER    = 3,
	IKE_HASH_SHA2_256 = 4,
	IKE_HASH_SHA2_384 = 5,
	IKE_HASH_SHA2_512 = 6
};

/* IKE authentication method IDs (values of IKE_ATTRIB_AUTH_METHOD).
   1..8 are the standard methods; 65001 and up are the private-use XAUTH
   variants from the isakmp-xauth draft, one Init/Resp pair per base
   method.  With the *PreShared pair the gateway is authenticated to the
   client by nothing but the (often group-wide) PSK before the XAUTH
   credentials are sent, which is why that combination needs a strong,
   per-peer PSK.  Values are explicit because they are wire constants.  */
enum ike_auth_enum {
	IKE_AUTH_PRESHARED                      = 1,
	IKE_AUTH_DSS                            = 2,
	IKE_AUTH_RSA_SIG                        = 3,
	IKE_AUTH_RSA_ENC                        = 4,
	IKE_AUTH_RSA_ENC_2                      = 5,	/* revised RSA encryption */
	IKE_AUTH_EL_GAMAL_ENC                   = 6,
	IKE_AUTH_EL_GAMAL_ENC_REV               = 7,
	IKE_AUTH_ECDSA_SIG                      = 8,
	IKE_AUTH_XAUTHInitPreShared             = 65001,
	IKE_AUTH_XAUTHRespPreShared             = 65002,
	IKE_AUTH_XAUTHInitDSS                   = 65003,
	IKE_AUTH_XAUTHRespDSS                   = 65004,
	IKE_AUTH_XAUTHInitRSA                   = 65005,
	IKE_AUTH_XAUTHRespRSA                   = 65006,
	IKE_AUTH_XAUTHInitRSAEncryption         = 65007,
	IKE_AUTH_XAUTHRespRSAEncryption         = 65008,
	IKE_AUTH_XAUTHInitRSARevisedEncryption  = 65009,
	IKE_AUTH_XAUTHRespRSARevisedEncryption  = 65010
};

/* IKE Diffie-Hellman group IDs (values of IKE_ATTRIB_GROUP_DESC).
   Values are explicit because they are wire constants.  */
enum ike_group_enum {
	IKE_GROUP_MODP_768     = 1,
	IKE_GROUP_MODP_1024    = 2,
	IKE_GROUP_EC2N_155     = 3,
	IKE_GROUP_EC2N_185     = 4,
	IKE_GROUP_MODP_1536    = 5,
	IKE_GROUP_EC2N_163sect = 6,
	IKE_GROUP_EC2N_163K    = 7,
	IKE_GROUP_EC2N_283sect = 8,
	IKE_GROUP_EC2N_283K    = 9,
	IKE_GROUP_EC2N_409sect = 10,
	IKE_GROUP_EC2N_409K    = 11,
	IKE_GROUP_EC2N_571sect = 12,
	IKE_GROUP_EC2N_571K    = 13
};

/* IKE group type IDs (values of IKE_ATTRIB_GROUP_TYPE).  */
enum ike_group_type_enum {
	IKE_GROUP_TYPE_MODP = 1,	/* modular exponentiation group */
	IKE_GROUP_TYPE_ECP  = 2,	/* elliptic curve over GF(p) */
	IKE_GROUP_TYPE_EC2N = 3		/* elliptic curve over GF(2^n) */
};

/* IKE life type IDs (values of IKE_ATTRIB_LIFE_TYPE); they say how the
   accompanying IKE_ATTRIB_LIFE_DURATION is to be read.  */
enum ike_life_enum {
	IKE_LIFE_TYPE_SECONDS = 1,
	IKE_LIFE_TYPE_K       = 2	/* kilobytes */
};

/* IPSEC situation masks.  These are bit flags and may be OR-ed together,
   unlike the other enums in this file.  */
enum isakmp_ipsect_sit_enum {
	ISAKMP_IPSEC_SIT_IDENTITY_ONLY = 1 << 0,
	ISAKMP_IPSEC_SIT_SECRECY       = 1 << 1,
	ISAKMP_IPSEC_SIT_INTEGRITY     = 1 << 2
};

/* IPSEC Identification types (the ID type octet of an Identification
   payload).  The type decides how the identification data is parsed, so
   the data length must be checked against what each type implies before
   it is used.  Values are explicit because they are wire constants.  */
enum isakmp_ipsec_id_enum {
	ISAKMP_IPSEC_ID_RESERVED         = 0,
	ISAKMP_IPSEC_ID_IPV4_ADDR        = 1,
	ISAKMP_IPSEC_ID_FQDN             = 2,
	ISAKMP_IPSEC_ID_USER_FQDN        = 3,
	ISAKMP_IPSEC_ID_IPV4_ADDR_SUBNET = 4,
	ISAKMP_IPSEC_ID_IPV6_ADDR        = 5,
	ISAKMP_IPSEC_ID_IPV6_ADDR_SUBNET = 6,
	ISAKMP_IPSEC_ID_IPV4_ADDR_RANGE  = 7,
	ISAKMP_IPSEC_ID_IPV6_ADDR_RANGE  = 8,
	ISAKMP_IPSEC_ID_DER_ASN1_DN      = 9,
	ISAKMP_IPSEC_ID_DER_ASN1_GN      = 10,
	ISAKMP_IPSEC_ID_KEY_ID           = 11
};

/* IPSEC protocol IDs (protocol field of Proposal, Notification and Delete
   payloads).  Values are explicit because they are wire constants.  */
enum isakmp_ipsec_proto_enum {
	ISAKMP_IPSEC_PROTO_RESERVED  = 0,
	ISAKMP_IPSEC_PROTO_ISAKMP    = 1,
	ISAKMP_IPSEC_PROTO_IPSEC_AH  = 2,
	ISAKMP_IPSEC_PROTO_IPSEC_ESP = 3,
	ISAKMP_IPSEC_PROTO_IPCOMP    = 4
};

/* IPSEC transform IDs for ISAKMP_IPSEC_PROTO_ISAKMP proposals.  */
enum isakmp_ipsec_key_enum {
	ISAKMP_IPSEC_KEY_RESERVED = 0,
	ISAKMP_IPSEC_KEY_IKE      = 1
};

/* IPSEC AH transform IDs.  Note the gap: there is no value 1, MD5 starts
   at 2.  Values are explicit because they are wire constants.  */
enum isakmp_ipsec_ah_enum {
	ISAKMP_IPSEC_AH_RESERVED = 0,
	ISAKMP_IPSEC_AH_MD5      = 2,
	ISAKMP_IPSEC_AH_SHA      = 3,
	ISAKMP_IPSEC_AH_DES      = 4,
	ISAKMP_IPSEC_AH_SHA2_256 = 5,
	ISAKMP_IPSEC_AH_SHA2_384 = 6,
	ISAKMP_IPSEC_AH_SHA2_512 = 7,
	ISAKMP_IPSEC_AH_RIPEMD   = 8
};

/* IPSEC ESP transform IDs.  0..13 are the registered values; 249 and up
   are private-use AES-finalist entries.  Values are explicit because they
   are wire constants.  */
enum isakmp_ipsec_esp_enum {
	ISAKMP_IPSEC_ESP_RESERVED     = 0,
	ISAKMP_IPSEC_ESP_DES_IV64     = 1,
	ISAKMP_IPSEC_ESP_DES          = 2,
	ISAKMP_IPSEC_ESP_3DES         = 3,
	ISAKMP_IPSEC_ESP_RC5          = 4,
	ISAKMP_IPSEC_ESP_IDEA         = 5,
	ISAKMP_IPSEC_ESP_CAST         = 6,
	ISAKMP_IPSEC_ESP_BLOWFISH     = 7,
	ISAKMP_IPSEC_ESP_3IDEA        = 8,
	ISAKMP_IPSEC_ESP_DES_IV32     = 9,
	ISAKMP_IPSEC_ESP_RC4          = 10,
	ISAKMP_IPSEC_ESP_NULL         = 11,	/* no encryption */
	ISAKMP_IPSEC_ESP_AES          = 12,
	ISAKMP_IPSEC_ESP_AES_128_CTR  = 13,
	ISAKMP_IPSEC_ESP_AES_MARS     = 249,
	ISAKMP_IPSEC_ESP_AES_RC6      = 250,
	ISAKMP_IPSEC_ESP_AES_RIJNDAEL = 251,
	ISAKMP_IPSEC_ESP_AES_SERPENT  = 252,
	ISAKMP_IPSEC_ESP_AES_TWOFISH  = 253
};

/* IPSEC (phase 2) SA attribute types.  Values are explicit because they
   are wire constants.  */
enum isakmp_ipsec_attr_enum {
	ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE     = 1,	/* see ipsec_life_enum */
	ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION = 2,
	ISAKMP_IPSEC_ATTRIB_GROUP_DESC       = 3,	/* see ike_group_enum */
	ISAKMP_IPSEC_ATTRIB_ENCAP_MODE       = 4,	/* see ipsec_encap_enum */
	ISAKMP_IPSEC_ATTRIB_AUTH_ALG         = 5,	/* see ipsec_auth_enum */
	ISAKMP_IPSEC_ATTRIB_KEY_LENGTH       = 6,
	ISAKMP_IPSEC_ATTRIB_KEY_ROUNDS       = 7,
	ISAKMP_IPSEC_ATTRIB_COMP_DICT_SIZE   = 8,
	ISAKMP_IPSEC_ATTRIB_COMP_PRIVATE_ALG = 9,
	ISAKMP_IPSEC_ATTRIB_ECN_TUNNEL       = 10
};

/* IPSEC compression (IPCOMP) transform IDs.  Values are explicit because
   they are wire constants.  */
enum isakmp_ipsec_ipcomp_enum {
	ISAKMP_IPSEC_IPCOMP_RESERVED = 0,
	ISAKMP_IPSEC_IPCOMP_OUI      = 1,
	ISAKMP_IPSEC_IPCOMP_DEFLATE  = 2,
	ISAKMP_IPSEC_IPCOMP_LZS      = 3,
	ISAKMP_IPSEC_IPCOMP_V42BIS   = 4
};

/* IPSEC lifetime attribute values (ISAKMP_IPSEC_ATTRIB_SA_LIFE_TYPE);
   they say how ISAKMP_IPSEC_ATTRIB_SA_LIFE_DURATION is to be read.  */
enum ipsec_life_enum {
	IPSEC_LIFE_SECONDS = 1,
	IPSEC_LIFE_K       = 2	/* kilobytes */
};

/* IPSEC encapsulation attribute numbers (ISAKMP_IPSEC_ATTRIB_ENCAP_MODE).
   1..4 are the registered modes; 61443/61444 (0xF003/0xF004) are the
   private-use UDP-encapsulation values from the older nat-t drafts.
   Values are explicit because they are wire constants.  */
enum ipsec_encap_enum {
	IPSEC_ENCAP_TUNNEL            = 1,
	IPSEC_ENCAP_TRANSPORT         = 2,
	IPSEC_ENCAP_UDP_TUNNEL        = 3,
	IPSEC_ENCAP_UDP_TRANSPORT     = 4,
	IPSEC_ENCAP_UDP_TUNNEL_OLD    = 61443,
	IPSEC_ENCAP_UDP_TRANSPORT_OLD = 61444
};

/* IPSEC authentication attribute numbers (ISAKMP_IPSEC_ATTRIB_AUTH_ALG).
   Values are explicit because they are wire constants.  */
enum ipsec_auth_enum {
	IPSEC_AUTH_HMAC_MD5 = 1,
	IPSEC_AUTH_HMAC_SHA = 2,	/* HMAC-SHA-1 */
	IPSEC_AUTH_DES_MAC  = 3,
	IPSEC_AUTH_KPDK     = 4
};

/* Other numbers.  */
#define ISAKMP_COOKIE_LENGTH		8	/* initiator and responder cookies are 8 octets each */
#define ISAKMP_VERSION			0x10	/* major version in the high nibble, minor in the low: 1.0 */
/* offsets: byte positions within the fixed 28-octet ISAKMP header.  The
   next-payload octet (16) and the version octet (17) have no symbol here.
   Anything that indexes a received datagram with these must first check
   that at least ISAKMP_PAYLOAD_O bytes were received, and that the length
   field at ISAKMP_LENGTH_O does not claim more than was received.  */
#define ISAKMP_I_COOKIE_O		0
#define ISAKMP_R_COOKIE_O		8
#define ISAKMP_EXCHANGE_TYPE_O		18
#define ISAKMP_FLAGS_O			19
#define ISAKMP_MESSAGE_ID_O		20
#define ISAKMP_LENGTH_O			24
#define ISAKMP_PAYLOAD_O		28	/* first payload starts right after the header */

/* Support for draft-ietf-ipsec-isakmp-xauth-06.txt (yuk).  */
/* Each *_VENDOR_ID macro is a brace initializer for an unsigned char
   array holding the exact octets of a Vendor ID payload.  XAUTH_VENDOR_ID
   is 8 octets, the rest are 16, so take the length from sizeof the array
   you define with it rather than from a shared constant.  A Vendor ID only
   advertises a capability; it is unauthenticated and must not be used as
   evidence of the peer's identity or product.  */
#define XAUTH_VENDOR_ID { 0x09, 0x00, 0x26, 0x89, 0xDF, 0xD6, 0xB7, 0x12 }
/* From dead-peer-detection RFC 3706 */
#define DPD_VENDOR_ID { 0xAF, 0xCA, 0xD7, 0x13, 0x68, 0xA1, 0xF1, 0xC9, \
	0x6B, 0x86, 0x96, 0xFC, 0x77, 0x57, 0x01, 0x00}
/* Cisco Unity capability VID (the trailing 0x01, 0x00 presumably a
   version suffix -- TODO confirm).  */
#define UNITY_VENDOR_ID { 0x12, 0xF5, 0xF2, 0x8C, 0x45, 0x71, 0x68, 0xA9, \
	0x70, 0x2D, 0x9F, 0xE2, 0x74, 0xCC, 0x01, 0x00 }
/* Origin of this VID is not documented here; the vendor is unknown.  */
#define UNKNOWN_VENDOR_ID { 0x12, 0x6E, 0x1F, 0x57, 0x72, 0x91, 0x15, 0x3B, \
	0x20, 0x48, 0x5F, 0x7F, 0x15, 0x5B, 0x4B, 0xC8 }
/* Support for draft-ietf-ipsec-nat-t-ike-02 (the draft-02 VID, not the
   RFC 3947 one).  */
#define NATT_VENDOR_ID { 0x90, 0xCB, 0x80, 0x91, 0x3E, 0xBB, 0x69, 0x6E, \
	0x08, 0x63, 0x81, 0xB5, 0xEC, 0x42, 0x7B, 0x1F }

/* Support for draft-ietf-ipsec-isakmp-mode-cfg-05.txt (yuk).  */

/* Mode-config message types (the "type" octet of a mode-config attribute
   payload).  Values are explicit because they are wire constants.  */
enum isakmp_modecfg_cfg_enum {
	ISAKMP_MODECFG_CFG_REQUEST = 1,
	ISAKMP_MODECFG_CFG_REPLY   = 2,
	ISAKMP_MODECFG_CFG_SET     = 3,
	ISAKMP_MODECFG_CFG_ACK     = 4
};

/* Mode-config and XAUTH attribute types.
   1..15       mode-config attributes (internal addressing)
   0x4088..    XAUTH attributes from the isakmp-xauth draft
   0x7000..    Cisco private attributes
   The XAUTH range ISAKMP_XAUTH_ATTRIB_TYPE .. ISAKMP_XAUTH_ATTRIB_ANSWER
   carries user credentials (name, password, passcode, PIN, challenge
   answer) and is therefore excluded from the packet dump; any new logging
   must keep it that way.  Values are explicit because they are wire
   constants.  */
enum isakmp_modecfg_attrib_enum {
	ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_ADDRESS     = 1,
	ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_NETMASK     = 2,
	ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_DNS         = 3,
	ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_NBNS        = 4,
	ISAKMP_MODECFG_ATTRIB_INTERNAL_ADDRESS_EXPIRY  = 5,
	ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_DHCP        = 6,
	ISAKMP_MODECFG_ATTRIB_APPLICATION_VERSION      = 7,
	ISAKMP_MODECFG_ATTRIB_INTERNAL_IP6_ADDRESS     = 8,
	ISAKMP_MODECFG_ATTRIB_INTERNAL_IP6_NETMASK     = 9,
	ISAKMP_MODECFG_ATTRIB_INTERNAL_IP6_DNS         = 10,
	ISAKMP_MODECFG_ATTRIB_INTERNAL_IP6_NBNS        = 11,
	ISAKMP_MODECFG_ATTRIB_INTERNAL_IP6_DHCP        = 12,
	ISAKMP_MODECFG_ATTRIB_INTERNAL_IP4_SUBNET      = 13,
	ISAKMP_MODECFG_ATTRIB_SUPPORTED_ATTRIBUTES     = 14,
	ISAKMP_MODECFG_ATTRIB_INTERNAL_IP6_SUBNET      = 15,
	/* XAUTH: TYPE .. ANSWER is excluded from dump (credentials) */
	ISAKMP_XAUTH_ATTRIB_TYPE                       = 0x4088,
	ISAKMP_XAUTH_ATTRIB_USER_NAME                  = 0x4089,
	ISAKMP_XAUTH_ATTRIB_USER_PASSWORD              = 0x408a,
	ISAKMP_XAUTH_ATTRIB_PASSCODE                   = 0x408b,
	ISAKMP_XAUTH_ATTRIB_MESSAGE                    = 0x408c,
	ISAKMP_XAUTH_ATTRIB_CHALLENGE                  = 0x408d,
	ISAKMP_XAUTH_ATTRIB_DOMAIN                     = 0x408e,
	ISAKMP_XAUTH_ATTRIB_STATUS                     = 0x408f,
	ISAKMP_XAUTH_ATTRIB_NEXT_PIN                   = 0x4090,
	ISAKMP_XAUTH_ATTRIB_ANSWER                     = 0x4091,
	/* Cisco private range */
	ISAKMP_MODECFG_ATTRIB_CISCO_BANNER             = 0x7000,
	ISAKMP_MODECFG_ATTRIB_CISCO_SAVE_PW            = 0x7001,
	ISAKMP_MODECFG_ATTRIB_CISCO_DEF_DOMAIN         = 0x7002,
	ISAKMP_MODECFG_ATTRIB_CISCO_SPLIT_DNS          = 0x7003,
	ISAKMP_MODECFG_ATTRIB_CISCO_SPLIT_INC          = 0x7004,
	ISAKMP_MODECFG_ATTRIB_CISCO_UDP_ENCAP_PORT     = 0x7005,
	ISAKMP_MODECFG_ATTRIB_CISCO_UNKNOWN            = 0x7006,	/* meaning of 0x7006 not known */
	ISAKMP_MODECFG_ATTRIB_CISCO_DO_PFS             = 0x7007,
	ISAKMP_MODECFG_ATTRIB_CISCO_FW_TYPE            = 0x7008,
	ISAKMP_MODECFG_ATTRIB_CISCO_BACKUP_SERVER      = 0x7009,
	ISAKMP_MODECFG_ATTRIB_CISCO_DDNS_HOSTNAME      = 0x700a,
	ISAKMP_XAUTH_ATTRIB_CISCOEXT_VENDOR            = 0x7d88	/* undocumented Cisco extension */
};

#endif	/* end of include guard */
