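/* $OpenBSD: ike.h,v 1.5 2002/06/11 17:05:13 ho Exp $ */

/*
 * Copyright (c) 2001 Håkan Olsson. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. The name of the author may not be used to endorse or promote products
 *    derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * ISAKMP/IKE and IPsec DOI protocol constants, plus the name tables that
 * map those numeric values to printable strings.
 *
 * Every *_INITIALIZER below expands to a brace-enclosed initializer for an
 * array of const char *.  The tables are dense: the element at index i is
 * the name of protocol value i, and holes in the numbering are padded with
 * "unknown" (see IKE_EXCHANGE_TYPES_INITIALIZER).  This header defines no
 * size constants, so code that looks up a value taken from the wire must
 * compare it against the array's element count (sizeof tbl / sizeof tbl[0])
 * before indexing; the element count is noted beside each table.
 */

#ifndef IKE_H
#define IKE_H

/* Domain of Interpretation (DOI) identifiers. */
#define ISAKMP_DOI                      0
#define IPSEC_DOI                       1

/* Protocol identifiers carried in proposal payloads. */
#define PROTO_ISAKMP                    1
#define PROTO_IPSEC_AH                  2
#define PROTO_IPSEC_ESP                 3
#define PROTO_IPCOMP                    4

/* IKE (phase 1) SA attribute classes; the full list is in IKE_ATTR_INITIALIZER. */
#define IKE_ATTR_ENCRYPTION_ALGORITHM   1
#define IKE_ATTR_HASH_ALGORITHM         2
#define IKE_ATTR_AUTHENTICATION_METHOD  3
#define IKE_ATTR_GROUP_DESC             4
#define IKE_ATTR_GROUP_TYPE             5
#define IKE_ATTR_LIFE_TYPE              11

/* Names for PROTO_*; 5 elements, indexes 0..4. */
#define IKE_PROTO_INITIALIZER \
    { "RESERVED", "ISAKMP", "IPSEC_AH", "IPSEC_ESP", "IPCOMP", \
    }

/* IKE_ATTR_ENCRYPTION_ALGORITHM values; 8 elements, indexes 0..7. */
#define IKE_ATTR_ENCRYPT_INITIALIZER \
    { "NONE", "DES_CBC", "IDEA_CBC", "BLOWFISH_CBC", \
      "RC5_R16_B64_CBC", "3DES_CBC", "CAST_CBC", "AES_CBC", \
    }

/* IKE_ATTR_HASH_ALGORITHM values; 7 elements, indexes 0..6. */
#define IKE_ATTR_HASH_INITIALIZER \
    { "NONE", "MD5", "SHA", "TIGER", \
      "SHA2_256", "SHA2_384", "SHA2_512", \
    }

/* IKE_ATTR_AUTHENTICATION_METHOD values; 6 elements, indexes 0..5. */
#define IKE_ATTR_AUTH_INITIALIZER \
    { "NONE", "PRE_SHARED", "DSS", "RSA_SIG", \
      "RSA_ENC", "RSA_ENC_REV", \
    }

/* IKE_ATTR_GROUP_DESC values; 6 elements, indexes 0..5. */
#define IKE_ATTR_GROUP_DESC_INITIALIZER \
    { "NONE", "MODP_768", "MODP_1024", \
      "E2CN_155", "E2CN_185", "MODP_1536", \
    }

/* IKE_ATTR_GROUP_TYPE values; 4 elements, indexes 0..3. */
#define IKE_ATTR_GROUP_INITIALIZER \
    { "NONE", "MODP", "ECP", "E2CN", \
    }

/* IKE_ATTR_LIFE_TYPE values; 3 elements, indexes 0..2. */
#define IKE_ATTR_SA_DURATION_INITIALIZER \
    { "NONE", "SECONDS", "KILOBYTES", \
    }

/* IKE attribute class names; 17 elements, indexes 0..16. */
#define IKE_ATTR_INITIALIZER \
    { "NONE",                   /* 0 (not in RFC) */ \
      "ENCRYPTION_ALGORITHM",   /* 1 */ \
      "HASH_ALGORITHM",         /* 2 */ \
      "AUTHENTICATION_METHOD",  /* 3 */ \
      "GROUP_DESCRIPTION",      /* 4 */ \
      "GROUP_TYPE",             /* 5 */ \
      "GROUP_PRIME",            /* 6 */ \
      "GROUP_GENERATOR_1",      /* 7 */ \
      "GROUP_GENERATOR_2",      /* 8 */ \
      "GROUP_CURVE_1",          /* 9 */ \
      "GROUP_CURVE_2",          /* 10 */ \
      "LIFE_TYPE",              /* 11 */ \
      "LIFE_DURATION",          /* 12 */ \
      "PRF",                    /* 13 */ \
      "KEY_LENGTH",             /* 14 */ \
      "FIELD_SIZE",             /* 15 */ \
      "GROUP_ORDER",            /* 16 */ \
    }

/* Situation bit flags (SA payload). */
#define IKE_SITUATION_IDENTITY_ONLY     1
#define IKE_SITUATION_SECRECY           2
#define IKE_SITUATION_INTEGRITY         4
/* Mask is all the above, i.e 1+2+4 = 7 */
#define IKE_SITUATION_MASK              7

/* Payload types. */
#define PAYLOAD_NONE                    0
#define PAYLOAD_SA                      1
#define PAYLOAD_PROPOSAL                2
#define PAYLOAD_TRANSFORM               3
#define PAYLOAD_KE                      4
#define PAYLOAD_ID                      5
#define PAYLOAD_CERT                    6
#define PAYLOAD_CERTREQUEST             7
#define PAYLOAD_HASH                    8
#define PAYLOAD_SIG                     9
#define PAYLOAD_NONCE                   10
#define PAYLOAD_NOTIFICATION            11
#define PAYLOAD_DELETE                  12
#define PAYLOAD_VENDOR                  13
#define PAYLOAD_ATTRIBUTE               14

/* Names for PAYLOAD_*; 15 elements, indexes 0..14. */
#define IKE_PAYLOAD_TYPES_INITIALIZER \
    { "NONE",                   /* 0 */ \
      "SA",                     /* 1 */ \
      "PROPOSAL",               /* 2 */ \
      "TRANSFORM",              /* 3 */ \
      "KEY_EXCH",               /* 4 */ \
      "ID",                     /* 5 */ \
      "CERT",                   /* 6 */ \
      "CERTREQUEST",            /* 7 */ \
      "HASH",                   /* 8 */ \
      "SIG",                    /* 9 */ \
      "NONCE",                  /* 10 */ \
      "NOTIFICATION",           /* 11 */ \
      "DELETE",                 /* 12 */ \
      "VENDOR",                 /* 13 */ \
      "ATTRIBUTE",              /* 14 (ikecfg) */ \
    }

/* Exchange types.  Note the gap between 6 and 32. */
#define EXCHANGE_NONE                   0
#define EXCHANGE_BASE                   1
#define EXCHANGE_ID_PROT                2
#define EXCHANGE_AUTH_ONLY              3
#define EXCHANGE_AGGRESSIVE             4
#define EXCHANGE_INFO                   5
#define EXCHANGE_TRANSACTION            6
#define EXCHANGE_QUICK_MODE             32
#define EXCHANGE_NEW_GROUP_MODE         33

/*
 * Names for EXCHANGE_*; 34 elements, indexes 0..33.  Values 7..31 are
 * filled with "unknown" so that 32 and 33 land at their own index.
 */
#define IKE_EXCHANGE_TYPES_INITIALIZER \
    { "NONE",                   /* 0 */ \
      "BASE",                   /* 1 */ \
      "ID_PROT",                /* 2 */ \
      "AUTH_ONLY",              /* 3 */ \
      "AGGRESSIVE",             /* 4 */ \
      "INFO",                   /* 5 */ \
      "TRANSACTION",            /* 6 (ikecfg) */ \
      /* step up to type 32 with unknowns */ \
      "unknown", "unknown", "unknown", "unknown", \
      "unknown", "unknown", "unknown", "unknown", \
      "unknown", "unknown", "unknown", "unknown", \
      "unknown", "unknown", "unknown", "unknown", \
      "unknown", "unknown", "unknown", "unknown", \
      "unknown", "unknown", "unknown", "unknown", \
      "unknown", \
      "QUICK_MODE",             /* 32 */ \
      "NEW_GROUP_MODE",         /* 33 */ \
    }

/* ISAKMP header flag bits. */
#define FLAGS_ENCRYPTION                1
#define FLAGS_COMMIT                    2
#define FLAGS_AUTH_ONLY                 4

/* Certificate encodings (CERT / CERTREQUEST payloads). */
#define CERT_NONE                       0
#define CERT_PKCS                       1
#define CERT_PGP                        2
#define CERT_DNS                        3
#define CERT_X509_SIG                   4
#define CERT_X509_KE                    5
#define CERT_KERBEROS                   6
#define CERT_CRL                        7
#define CERT_ARL                        8
#define CERT_SPKI                       9
#define CERT_X509_ATTR                  10

/* ISAKMP notify message types (error range). */
#define NOTIFY_INVALID_PAYLOAD_TYPE     1
#define NOTIFY_DOI_NOT_SUPPORTED        2
#define NOTIFY_SITUATION_NOT_SUPPORTED  3
#define NOTIFY_INVALID_COOKIE           4
#define NOTIFY_INVALID_MAJOR_VERSION    5
#define NOTIFY_INVALID_MINOR_VERSION    6
#define NOTIFY_INVALID_EXCHANGE_TYPE    7
#define NOTIFY_INVALID_FLAGS            8
#define NOTIFY_INVALID_MESSAGE_ID       9
#define NOTIFY_INVALID_PROTOCOL_ID      10
#define NOTIFY_INVALID_SPI              11
#define NOTIFY_INVALID_TRANSFORM_ID     12
#define NOTIFY_ATTRIBUTES_NOT_SUPPORTED 13
#define NOTIFY_NO_PROPOSAL_CHOSEN       14
#define NOTIFY_BAD_PROPOSAL_SYNTAX      15
#define NOTIFY_PAYLOAD_MALFORMED        16
#define NOTIFY_INVALID_KEY_INFORMATION  17
#define NOTIFY_INVALID_ID_INFORMATION   18
#define NOTIFY_INVALID_CERT_ENCODING    19
#define NOTIFY_INVALID_CERTIFICATE      20
#define NOTIFY_CERT_TYPE_UNSUPPORTED    21
#define NOTIFY_INVALID_CERT_AUTHORITY   22
#define NOTIFY_INVALID_HASH_INFORMATION 23
#define NOTIFY_AUTHENTICATION_FAILED    24
#define NOTIFY_INVALID_SIGNATURE        25
#define NOTIFY_ADDRESS_NOTIFICATION     26
#define NOTIFY_NOTIFY_SA_LIFETIME       27
#define NOTIFY_CERTIFICATE_UNAVAILABLE  28
#define NOTIFY_UNSUPPORTED_EXCHANGE_TYPE 29
#define NOTIFY_UNEQUAL_PAYLOAD_LENGTHS  30

/*
 * Names for NOTIFY_*; 31 elements, indexes 0..30.  The IPsec DOI status
 * notifies below (24576..) are NOT covered by this table and need a
 * separate lookup.
 */
#define IKE_NOTIFY_TYPES_INITIALIZER \
    { "", \
      "INVALID PAYLOAD TYPE", \
      "DOI NOT SUPPORTED", \
      "SITUATION NOT SUPPORTED", \
      "INVALID COOKIE", \
      "INVALID MAJOR VERSION", \
      "INVALID MINOR VERSION", \
      "INVALID EXCHANGE TYPE", \
      "INVALID FLAGS", \
      "INVALID MESSAGE ID", \
      "INVALID PROTOCOL ID", \
      "INVALID SPI", \
      "INVALID TRANSFORM ID", \
      "ATTRIBUTES NOT SUPPORTED", \
      "NO PROPOSAL CHOSEN", \
      "BAD PROPOSAL SYNTAX", \
      "PAYLOAD MALFORMED", \
      "INVALID KEY INFORMATION", \
      "INVALID ID INFORMATION", \
      "INVALID CERT ENCODING", \
      "INVALID CERTIFICATE", \
      "CERT TYPE UNSUPPORTED", \
      "INVALID CERT AUTHORITY", \
      "INVALID HASH INFORMATION", \
      "AUTHENTICATION FAILED", \
      "INVALID SIGNATURE", \
      "ADDRESS NOTIFICATION", \
      "NOTIFY SA LIFETIME", \
      "CERTIFICATE UNAVAILABLE", \
      "UNSUPPORTED EXCHANGE TYPE", \
      "UNEQUAL PAYLOAD LENGTHS", \
    }

/* RFC 2407, 4.6.3 */
#define NOTIFY_IPSEC_RESPONDER_LIFETIME 24576
#define NOTIFY_IPSEC_REPLAY_STATUS      24577
#define NOTIFY_IPSEC_INITIAL_CONTACT    24578

/* IPsec DOI identification types (ID payload). */
#define IPSEC_ID_RESERVED               0
#define IPSEC_ID_IPV4_ADDR              1
#define IPSEC_ID_FQDN                   2
#define IPSEC_ID_USER_FQDN              3
#define IPSEC_ID_IPV4_ADDR_SUBNET       4
#define IPSEC_ID_IPV6_ADDR              5
#define IPSEC_ID_IPV6_ADDR_SUBNET       6
#define IPSEC_ID_IPV4_ADDR_RANGE        7
#define IPSEC_ID_IPV6_ADDR_RANGE        8
#define IPSEC_ID_DER_ASN1_DN            9
#define IPSEC_ID_DER_ASN1_GN            10
#define IPSEC_ID_KEY_ID                 11

/* Names for IPSEC_ID_*; 12 elements, indexes 0..11. */
#define IPSEC_ID_TYPE_INITIALIZER \
    { "RESERVED", \
      "IPV4_ADDR", \
      "FQDN", \
      "USER_FQDN", \
      "IPV4_ADDR_SUBNET", \
      "IPV6_ADDR", \
      "IPV6_ADDR_SUBNET", \
      "IPV4_ADDR_RANGE", \
      "IPV6_ADDR_RANGE", \
      "DER_ASN1_DN", \
      "DER_ASN1_GN", \
      "KEY_ID", \
    }

/* IPsec DOI (phase 2) SA attribute classes. */
#define IPSEC_ATTR_SA_LIFE_TYPE         1
#define IPSEC_ATTR_SA_LIFE_DURATION     2
#define IPSEC_ATTR_GROUP_DESCRIPTION    3
#define IPSEC_ATTR_ENCAPSULATION_MODE   4
#define IPSEC_ATTR_AUTHENTICATION_ALGORITHM 5
#define IPSEC_ATTR_KEY_LENGTH           6
#define IPSEC_ATTR_KEY_ROUNDS           7
#define IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE 8
#define IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM 9

/* Names for IPSEC_ATTR_*; 10 elements, indexes 0..9. */
#define IPSEC_ATTR_INITIALIZER \
    { "NONE", "LIFE_TYPE", "LIFE_DURATION", \
      "GROUP_DESCRIPTION", "ENCAPSULATION_MODE", \
      "AUTHENTICATION_ALGORITHM", "KEY_LENGTH", \
      "KEY_ROUNDS", "COMPRESS_DICTIONARY_SIZE", \
      "COMPRESS_PRIVATE_ALGORITHM", \
    }

/* IPSEC_ATTR_SA_LIFE_TYPE values; 3 elements, indexes 0..2. */
#define IPSEC_ATTR_DURATION_INITIALIZER \
    { "NONE", "SECONDS", "KILOBYTES", \
    }

/* IPSEC_ATTR_ENCAPSULATION_MODE values; 3 elements, indexes 0..2. */
#define IPSEC_ATTR_ENCAP_INITIALIZER \
    { "NONE", "TUNNEL", "TRANSPORT", \
    }

/* IPSEC_ATTR_AUTHENTICATION_ALGORITHM values; 9 elements, indexes 0..8. */
#define IPSEC_ATTR_AUTH_INITIALIZER \
    { "NONE", "HMAC_MD5", "HMAC_SHA", "DES_MAC", "KPDK", \
      "HMAC_SHA2_256", "HMAC_SHA2_384", "HMAC_SHA2_512", \
      "HMAC_RIPEMD", \
    }

/*
 * AH transform identifiers; 8 elements, indexes 0..7.
 * NOTE(review): RFC 2407 4.4.3 numbers AH_MD5 = 2, AH_SHA = 3, AH_DES = 4
 * (0 and 1 reserved), whereas this table places "MD5" at index 1 -- confirm
 * against the code that indexes it before trusting the printed name.
 */
#define IPSEC_AH_INITIALIZER \
    { "NONE", "MD5", "SHA", "DES", "SHA2_256", "SHA2_384", \
      "SHA2_512", "RIPEMD", \
    }

/*
 * ESP transform identifiers; 13 elements, indexes 0..12.
 * Index 1 is ESP_DES_IV64 (RFC 2407 4.4.4); it was misspelled "DEV_IV64".
 */
#define IPSEC_ESP_INITIALIZER \
    { "NONE", "DES_IV64", "DES", "3DES", "RC5", "IDEA", \
      "CAST", "BLOWFISH", "3IDEA", "DES_IV32", "RC4", \
      "NULL", "AES", \
    }

/* IPCOMP transform identifiers; 5 elements, indexes 0..4. */
#define IPCOMP_INITIALIZER \
    { "NONE", "OUI", "DEFLATE", "LZS", "V42BIS", \
    }

/*
 * IKE mode config.
 */

/* Attribute payload (ikecfg) message types; 5 elements, indexes 0..4. */
#define IKE_CFG_ATTRIBUTE_TYPE_INITIALIZER \
    { "RESERVED", "CFG_REQUEST", "CFG_REPLY", \
      "CFG_SET", "CFG_ACK", \
    }

/* Mode config attribute types. */
#define IKE_CFG_ATTR_INTERNAL_IP4_ADDRESS       1
#define IKE_CFG_ATTR_INTERNAL_IP4_NETMASK       2
#define IKE_CFG_ATTR_INTERNAL_IP4_DNS           3
#define IKE_CFG_ATTR_INTERNAL_IP4_NBNS          4
#define IKE_CFG_ATTR_INTERNAL_ADDRESS_EXPIRY    5
#define IKE_CFG_ATTR_INTERNAL_IP4_DHCP          6
#define IKE_CFG_ATTR_APPLICATION_VERSION        7
#define IKE_CFG_ATTR_INTERNAL_IP6_ADDRESS       8
#define IKE_CFG_ATTR_INTERNAL_IP6_NETMASK       9
#define IKE_CFG_ATTR_INTERNAL_IP6_DNS           10
#define IKE_CFG_ATTR_INTERNAL_IP6_NBNS          11
#define IKE_CFG_ATTR_INTERNAL_IP6_DHCP          12
#define IKE_CFG_ATTR_INTERNAL_IP4_SUBNET        13
#define IKE_CFG_ATTR_SUPPORTED_ATTRIBUTES       14
#define IKE_CFG_ATTR_INTERNAL_IP6_SUBNET        15

/* Names for IKE_CFG_ATTR_*; 16 elements, indexes 0..15. */
#define IKE_CFG_ATTRIBUTE_INITIALIZER \
    { "RESERVED", "INTERNAL_IP4_ADDRESS", \
      "INTERNAL_IP4_NETMASK", "INTERNAL_IP4_DNS", \
      "INTERNAL_IP4_NBNS", "INTERNAL_ADDRESS_EXPIRY", \
      "INTERNAL_IP4_DHCP", "APPLICATION_VERSION", \
      "INTERNAL_IP6_ADDRESS", "INTERNAL_IP6_NETMASK", \
      "INTERNAL_IP6_DNS", "INTERNAL_IP6_NBNS", \
      "INTERNAL_IP6_DHCP", "INTERNAL_IP4_SUBNET", \
      "SUPPORTED_ATTRIBUTES", "INTERNAL_IP6_SUBNET", \
    }

#endif /* IKE_H */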