/*
* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
* All rights reserved.
- *
+ *
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
- *
+ *
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
-/* YIPS @(#)$Id: isakmp.h,v 1.1 1999-10-30 05:11:09 itojun Exp $ */
+/* YIPS @(#)$Id: isakmp.h,v 1.12 2007-11-24 18:13:33 mcr Exp $ */
/* refer to RFC 2408 */
#define ISAKMP_TIMER_DEFAULT 10 /* seconds */
#define ISAKMP_TRY_DEFAULT 3 /* times */
-/* 3.1 ISAKMP Header Format
+/* 3.1 ISAKMP Header Format (IKEv1 and IKEv2)
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Initiator !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp {
- cookie_t i_ck; /* Initiator Cookie */
- cookie_t r_ck; /* Responder Cookie */
- u_int8_t np; /* Next Payload Type */
-#if BYTE_ORDER == LITTLE_ENDIAN
- u_int8_t v_min:4, /* MnVer */
- v_maj:4; /* MjVer */
-#else
- u_int8_t v_maj:4, /* MnVer */
- v_min:4; /* MjVer */
-#endif
- u_int8_t etype; /* Exchange Type */
- u_int8_t flags; /* Flags */
- msgid_t msgid;
- u_int32_t len; /* Length */
+ cookie_t i_ck; /* Initiator Cookie */
+ cookie_t r_ck; /* Responder Cookie */
+ u_int8_t np; /* Next Payload Type */
+ u_int8_t vers;
+#define ISAKMP_VERS_MAJOR 0xf0
+#define ISAKMP_VERS_MAJOR_SHIFT 4
+#define ISAKMP_VERS_MINOR 0x0f
+#define ISAKMP_VERS_MINOR_SHIFT 0
+ u_int8_t etype; /* Exchange Type */
+ u_int8_t flags; /* Flags */
+ msgid_t msgid;
+ u_int32_t len; /* Length */
};
/* Next Payload Type */
#define ISAKMP_NPTYPE_N 11 /* Notification */
#define ISAKMP_NPTYPE_D 12 /* Delete */
#define ISAKMP_NPTYPE_VID 13 /* Vendor ID */
+#define ISAKMP_NPTYPE_v2E 46 /* v2 Encrypted payload */
+
+#define IKEv1_MAJOR_VERSION 1
+#define IKEv1_MINOR_VERSION 0
-#define ISAKMP_MAJOR_VERSION 1
-#define ISAKMP_MINOR_VERSION 0
+#define IKEv2_MAJOR_VERSION 2
+#define IKEv2_MINOR_VERSION 0
/* Exchange Type */
#define ISAKMP_ETYPE_NONE 0 /* NONE */
/* Flags */
#define ISAKMP_FLAG_E 0x01 /* Encryption Bit */
#define ISAKMP_FLAG_C 0x02 /* Commit Bit */
+#define ISAKMP_FLAG_extra 0x04
+
+/* IKEv2 */
+#define ISAKMP_FLAG_I (1 << 3) /* (I)nitiator */
+#define ISAKMP_FLAG_V (1 << 4) /* (V)ersion */
+#define ISAKMP_FLAG_R (1 << 5) /* (R)esponse */
+
/* 3.2 Payload Generic Header
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
*/
struct isakmp_gen {
u_int8_t np; /* Next Payload */
- u_int8_t reserved; /* RESERVED, unused, must set to 0 */
+ u_int8_t critical; /* bit 7 - critical, rest is RESERVED */
u_int16_t len; /* Payload Length */
};
message of a Base Exchange (see Section 4.4) and the value "0" in the
first message of an Identity Protect Exchange (see Section 4.5).
*/
-struct isakmp_pl_sa {
+struct ikev1_pl_sa {
struct isakmp_gen h;
u_int32_t doi; /* Domain of Interpretation */
u_int32_t sit; /* Situation */
last within the security association proposal, then this field will
be 0.
*/
-struct isakmp_pl_p {
+struct ikev1_pl_p {
struct isakmp_gen h;
u_int8_t p_no; /* Proposal # */
u_int8_t prot_id; /* Protocol */
then this field will be 3. If the current Transform payload is the
last within the proposal, then this field will be 0.
*/
-struct isakmp_pl_t {
+struct ikev1_pl_t {
struct isakmp_gen h;
u_int8_t t_no; /* Transform # */
u_int8_t t_id; /* Transform-Id */
};
/* 3.7 Key Exchange Payload */
-struct isakmp_pl_ke {
+struct ikev1_pl_ke {
struct isakmp_gen h;
/* Key Exchange Data */
};
/* 3.8 Identification Payload */
/* MUST NOT to be used, because of being defined in ipsec-doi. */
-struct isakmp_pl_id {
+struct ikev1_pl_id {
struct isakmp_gen h;
union {
u_int8_t id_type; /* ID Type */
};
/* 3.9 Certificate Payload */
-struct isakmp_pl_cert {
+struct ikev1_pl_cert {
struct isakmp_gen h;
u_int8_t encode; /* Cert Encoding */
char cert; /* Certificate Data */
#define ISAKMP_CERT_SPKI 9
/* 3.10 Certificate Request Payload */
-struct isakmp_pl_cr {
+struct ikev1_pl_cr {
struct isakmp_gen h;
u_int8_t num_cert; /* # Cert. Types */
/*
/* 3.11 Hash Payload */
/* may not be used, because of having only data. */
-struct isakmp_pl_hash {
+struct ikev1_pl_hash {
struct isakmp_gen h;
/* Hash Data */
};
/* 3.12 Signature Payload */
/* may not be used, because of having only data. */
-struct isakmp_pl_sig {
+struct ikev1_pl_sig {
struct isakmp_gen h;
/* Signature Data */
};
/* 3.13 Nonce Payload */
/* may not be used, because of having only data. */
-struct isakmp_pl_nonce {
+struct ikev1_pl_nonce {
struct isakmp_gen h;
/* Nonce Data */
};
/* 3.14 Notification Payload */
-struct isakmp_pl_n {
+struct ikev1_pl_n {
struct isakmp_gen h;
u_int32_t doi; /* Domain of Interpretation */
u_int8_t prot_id; /* Protocol-ID */
#define ISAKMP_LOG_RETRY_LIMIT_REACHED 65530
/* 3.15 Delete Payload */
-struct isakmp_pl_d {
+struct ikev1_pl_d {
struct isakmp_gen h;
u_int32_t doi; /* Domain of Interpretation */
u_int8_t prot_id; /* Protocol-Id */
};
\f
-struct isakmp_ph1tab {
- struct isakmp_ph1 *head;
- struct isakmp_ph1 *tail;
+struct ikev1_ph1tab {
+ struct ikev1_ph1 *head;
+ struct ikev1_ph1 *tail;
int len;
};
struct isakmp_ph2tab {
- struct isakmp_ph2 *head;
- struct isakmp_ph2 *tail;
+ struct ikev1_ph2 *head;
+ struct ikev1_ph2 *tail;
int len;
};
-#if 0
-/* isakmp status structure */
-struct isakmp_ph1 {
- isakmp_index index;
- u_int8_t dir; /* INITIATOR or RESPONDER */
- u_int16_t status; /* status of this SA */
- u_int16_t etype;
- u_int32_t doi;
- u_int32_t sit;
- vchar_t *dhp; /* DH; prime, static value */
- vchar_t *dhpriv; /* DH; private value */
- vchar_t *dhpub; /* DH; public value */
- vchar_t *dhpub_p; /* DH; partner's public value */
- vchar_t *dhgxy; /* DH; shared secret */
- vchar_t *nonce; /* nonce value */
- vchar_t *nonce_p; /* partner's nonce value */
- vchar_t *skeyid; /* SKEYID */
- vchar_t *skeyid_d; /* SKEYID_d */
- vchar_t *skeyid_a; /* SKEYID_a, i.e. hash */
- vchar_t *skeyid_e; /* SKEYID_e, i.e. encryption */
- vchar_t *key; /* cipher key */
- vchar_t *hash; /* HASH minus general header */
- vchar_t *iv; /* IV */
- vchar_t *ive; /* new IV to encrypt next packet */
- vchar_t *ivd; /* new IV to decrypt next packet */
- vchar_t *sa; /* SA minus general header including p,t.*/
- vchar_t *id; /* ID minus general header */
- vchar_t *id_p; /* partner's ID minus general header */
- struct sockaddr *local; /* pointer to the my sockaddr */
- struct sockaddr *remote; /* partner's sockaddr */
- struct oakley_sa *isa; /* Is it good that caddr_t ? */
- struct sched *sc; /* back pointer to the record in schedule
- used to resend. */
- struct isakmp_ph1 *next;
- struct isakmp_ph1 *prev;
- struct isakmp_conf *cfp; /* pointer to isakmp configuration */
- struct isakmp_ph2tab ph2tab; /* list on negotiating Phase 2 */
- u_int32_t msgid2; /* XXX: msgid counter for Phase 2 */
-};
-
-struct isakmp_ph2 {
- msgid_t msgid;
- u_int8_t dir; /* INITIATOR or RESPONDER */
- u_int16_t status; /* status of this SA */
- vchar_t *dhp; /* DH; prime, static value */
- vchar_t *dhpriv; /* DH; private value */
- vchar_t *dhpub; /* DH; public value */
- vchar_t *dhpub_p; /* DH; partner's public value */
- vchar_t *dhgxy; /* DH; shared secret */
- vchar_t *id; /* ID */
- vchar_t *id_p; /* ID for peer */
- vchar_t *nonce; /* nonce value in phase 2 */
- vchar_t *nonce_p; /* partner's nonce value in phase 2 */
- vchar_t *hash; /* HASH2 minus general header */
- vchar_t *iv; /* IV for Phase 2 */
- vchar_t *ive; /* new IV to encrypt next packet */
- vchar_t *ivd; /* new IV to decrypt next packet */
- struct isakmp_ph1 *ph1; /* back pointer to isakmp status */
- struct sched *sc; /* back pointer to the schedule using resend */
- struct pfkey_st *pst; /* pointer to the pfkey status record.
- is only used by initiator. */
- u_int8_t proxy; /* is proxy or not ?. */
- vchar_t *sa; /* SA payload */
- struct ipsec_sa *isa; /* values of SA to use, same SA in use. */
- struct isakmp_ph2 *next;
- struct isakmp_ph2 *prev;
-};
-#endif
-
#define EXCHANGE_PROXY 1
#define EXCHANGE_MYSELF 0
#define PFS_NEED 1
#define PFS_NONEED 0
+/* IKEv2 (RFC4306) */
+
+/* 3.3 Security Association Payload -- generic header */
+/* 3.3.1. Proposal Substructure */
+struct ikev2_p {
+ struct isakmp_gen h;
+ u_int8_t p_no; /* Proposal # */
+ u_int8_t prot_id; /* Protocol */
+ u_int8_t spi_size; /* SPI Size */
+ u_int8_t num_t; /* Number of Transforms */
+};
+
+/* 3.3.2. Transform Substructure */
+struct ikev2_t {
+ struct isakmp_gen h;
+ u_int8_t t_type; /* Transform Type (ENCR,PRF,INTEG,etc.*/
+ u_int8_t res2; /* reserved byte */
+ u_int16_t t_id; /* Transform ID */
+};
+
+enum ikev2_t_type {
+ IV2_T_ENCR = 1,
+ IV2_T_PRF = 2,
+ IV2_T_INTEG= 3,
+ IV2_T_DH = 4,
+ IV2_T_ESN = 5,
+};
+
+/* 3.4. Key Exchange Payload */
+struct ikev2_ke {
+ struct isakmp_gen h;
+ u_int16_t ke_group;
+ u_int16_t ke_res1;
+ /* KE data */
+};
+
+
+/* 3.5. Identification Payloads */
+enum ikev2_id_type {
+ ID_IPV4_ADDR=1,
+ ID_FQDN=2,
+ ID_RFC822_ADDR=3,
+ ID_IPV6_ADDR=5,
+ ID_DER_ASN1_DN=9,
+ ID_DER_ASN1_GN=10,
+ ID_KEY_ID=11,
+};
+struct ikev2_id {
+ struct isakmp_gen h;
+ u_int8_t type; /* ID type */
+ u_int8_t res1;
+ u_int16_t res2;
+ /* SPI */
+ /* Notification Data */
+};
+
+/* 3.10 Notification Payload */
+struct ikev2_n {
+ struct isakmp_gen h;
+ u_int8_t prot_id; /* Protocol-ID */
+ u_int8_t spi_size; /* SPI Size */
+ u_int16_t type; /* Notify Message Type */
+};
+
+enum ikev2_n_type {
+ IV2_NOTIFY_UNSUPPORTED_CRITICAL_PAYLOAD = 1,
+ IV2_NOTIFY_INVALID_IKE_SPI = 4,
+ IV2_NOTIFY_INVALID_MAJOR_VERSION = 5,
+ IV2_NOTIFY_INVALID_SYNTAX = 7,
+ IV2_NOTIFY_INVALID_MESSAGE_ID = 9,
+ IV2_NOTIFY_INVALID_SPI =11,
+ IV2_NOTIFY_NO_PROPOSAL_CHOSEN =14,
+ IV2_NOTIFY_INVALID_KE_PAYLOAD =17,
+ IV2_NOTIFY_AUTHENTICATION_FAILED =24,
+ IV2_NOTIFY_SINGLE_PAIR_REQUIRED =34,
+ IV2_NOTIFY_NO_ADDITIONAL_SAS =35,
+ IV2_NOTIFY_INTERNAL_ADDRESS_FAILURE =36,
+ IV2_NOTIFY_FAILED_CP_REQUIRED =37,
+ IV2_NOTIFY_INVALID_SELECTORS =39,
+ IV2_NOTIFY_INITIAL_CONTACT =16384,
+ IV2_NOTIFY_SET_WINDOW_SIZE =16385,
+ IV2_NOTIFY_ADDITIONAL_TS_POSSIBLE =16386,
+ IV2_NOTIFY_IPCOMP_SUPPORTED =16387,
+ IV2_NOTIFY_NAT_DETECTION_SOURCE_IP =16388,
+ IV2_NOTIFY_NAT_DETECTION_DESTINATION_IP =16389,
+ IV2_NOTIFY_COOKIE =16390,
+ IV2_NOTIFY_USE_TRANSPORT_MODE =16391,
+ IV2_NOTIFY_HTTP_CERT_LOOKUP_SUPPORTED =16392,
+ IV2_NOTIFY_REKEY_SA =16393,
+ IV2_NOTIFY_ESP_TFC_PADDING_NOT_SUPPORTED =16394,
+ IV2_NOTIFY_NON_FIRST_FRAGMENTS_ALSO =16395
+};
+
+struct notify_messages {
+ u_int16_t type;
+ char *msg;
+};
+
+/* 3.8 Notification Payload */
+struct ikev2_auth {
+ struct isakmp_gen h;
+ u_int8_t auth_method; /* Protocol-ID */
+ u_int8_t reserved[3];
+ /* authentication data */
+};
+
+enum ikev2_auth_type {
+ IV2_RSA_SIG = 1,
+ IV2_SHARED = 2,
+ IV2_DSS_SIG = 3,
+};
+
#endif /* !defined(_ISAKMP_H_) */
projects / tcpdump / blobdiff