/* $OpenBSD: ikev2.h,v 1.35 2023/06/28 14:10:24 tobhe Exp $ */

/*
 * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * IKEv2 wire-format definitions for iked: protocol constants from the
 * IANA "IKEv2 Parameters" registry plus the fixed-size headers that
 * precede each payload.
 *
 * The structs below are declared __packed so their in-memory layout
 * matches the wire encoding exactly.  Multi-octet fields are carried in
 * network byte order on the wire (RFC7296), so code that overlays these
 * structs on a raw message is expected to convert with ntohs()/ntohl().
 * Nothing in this header validates lengths, counts or ranges -- that is
 * the job of the code that parses and builds messages.
 *
 * This header includes nothing itself: the includer must already have
 * uint8_t/uint16_t and the __packed attribute in scope.
 */

#ifndef IKED_IKEV2_H
#define IKED_IKEV2_H

/* Version octet of the IKE header: major version in the high nibble */
#define IKEV2_VERSION		0x20	/* IKE version 2.0 */
#define IKEV1_VERSION		0x10	/* IKE version 1.0 */

/*
 * Fixed string mixed into the AUTH computation (RFC7296 section 2.15).
 * Both peers must use exactly these bytes or shared-key authentication
 * cannot succeed, hence the warning.
 */
#define IKEV2_KEYPAD		"Key Pad for IKEv2"	/* don't change! */

/*
 * IKEv2 pseudo states
 *
 * Internal to iked: these track how far an IKE SA has progressed and
 * never appear on the wire.  If the SA code compares states numerically,
 * inserting a value in the middle changes that ordering -- check the
 * consumers before renumbering.
 */

#define IKEV2_STATE_INIT		0	/* new IKE SA */
#define IKEV2_STATE_COOKIE		1	/* cookie requested */
#define IKEV2_STATE_SA_INIT		2	/* init IKE SA */
#define IKEV2_STATE_EAP			3	/* EAP requested */
#define IKEV2_STATE_EAP_SUCCESS		4	/* EAP succeeded */
#define IKEV2_STATE_AUTH_REQUEST	5	/* auth received */
#define IKEV2_STATE_AUTH_SUCCESS	6	/* authenticated */
#define IKEV2_STATE_VALID		7	/* authenticated AND validated certs */
#define IKEV2_STATE_EAP_VALID		8	/* EAP validated */
#define IKEV2_STATE_ESTABLISHED		9	/* active IKE SA */
#define IKEV2_STATE_CLOSING		10	/* expect delete for this SA */
#define IKEV2_STATE_CLOSED		11	/* delete this SA */

/*
 * The *_map[] tables declared throughout this header are defined
 * elsewhere; presumably each is a value-to-name lookup for the group of
 * constants directly above it (verify against the definition).
 */
extern struct iked_constmap ikev2_state_map[];

/*
 * "IKEv2 Parameters" based on the official RFC-based assignments by IANA
 * (http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.txt)
 */

/*
 * IKEv2 definitions of the IKE header
 */

/* IKEv2 exchange types (Exchange Type octet of the IKE header) */
#define IKEV2_EXCHANGE_IKE_SA_INIT		34	/* Initial Exchange */
#define IKEV2_EXCHANGE_IKE_AUTH			35	/* Authentication */
#define IKEV2_EXCHANGE_CREATE_CHILD_SA		36	/* Create Child SA */
#define IKEV2_EXCHANGE_INFORMATIONAL		37	/* Informational */
#define IKEV2_EXCHANGE_IKE_SESSION_RESUME	38	/* RFC5723 */

extern struct iked_constmap ikev2_exchange_map[];

/*
 * IKEv2 message flags (bits of the Flags octet of the IKE header,
 * RFC7296 section 3.1).  The remaining bits are reserved: sent as zero
 * and ignored on receipt.  RFC7296 requires IKEv2 implementations to
 * clear the V bit when sending and to ignore it on incoming messages.
 */
#define IKEV2_FLAG_INITIATOR		0x08	/* Sent by the initiator */
#define IKEV2_FLAG_OLDVERSION		0x10	/* Supports a higher IKE version */
#define IKEV2_FLAG_RESPONSE		0x20	/* Message is a response */

extern struct iked_constmap ikev2_flag_map[];

/*
 * IKEv2 payloads
 */

/*
 * Generic payload header (RFC7296 section 3.2), present in front of
 * every payload.  pld_length counts these four octets as well, so a
 * parser must reject a value below sizeof(struct ikev2_payload) and one
 * that runs past the end of the enclosing message before using it.
 */
struct ikev2_payload {
	uint8_t		 pld_nextpayload;	/* Next payload type */
	uint8_t		 pld_reserved;		/* Contains the critical bit */
	uint16_t	 pld_length;		/* Payload length with header */
} __packed;

/*
 * Encrypted Fragment payload (RFC7383): these two counters sit between
 * the generic payload header and the encrypted data of each fragment.
 * Both are 1-based on the wire.
 */
struct ikev2_frag_payload {
	uint16_t	 frag_num;		/* current fragment message number */
	uint16_t	 frag_total;		/* total number of fragment messages */
} __packed;

/*
 * NOTE(review): RFC7296 section 3.2 places the Critical flag in the most
 * significant bit of the octet following Next Payload (0x80 when that
 * octet is read as a whole).  Confirm that the parser applying this mask
 * to pld_reserved accounts for the bit position before relying on it to
 * reject unknown critical payloads with UNSUPPORTED_CRITICAL_PAYLOAD.
 */
#define IKEV2_CRITICAL_PAYLOAD		0x01	/* First bit in the reserved field */

/* IKEv2 payload types (values carried in pld_nextpayload) */
#define IKEV2_PAYLOAD_NONE	0	/* No payload */
#define IKEV2_PAYLOAD_SA	33	/* Security Association */
#define IKEV2_PAYLOAD_KE	34	/* Key Exchange */
#define IKEV2_PAYLOAD_IDi	35	/* Identification - Initiator */
#define IKEV2_PAYLOAD_IDr	36	/* Identification - Responder */
#define IKEV2_PAYLOAD_CERT	37	/* Certificate */
#define IKEV2_PAYLOAD_CERTREQ	38	/* Certificate Request */
#define IKEV2_PAYLOAD_AUTH	39	/* Authentication */
#define IKEV2_PAYLOAD_NONCE	40	/* Nonce */
#define IKEV2_PAYLOAD_NOTIFY	41	/* Notify */
#define IKEV2_PAYLOAD_DELETE	42	/* Delete */
#define IKEV2_PAYLOAD_VENDOR	43	/* Vendor ID */
#define IKEV2_PAYLOAD_TSi	44	/* Traffic Selector - Initiator */
#define IKEV2_PAYLOAD_TSr	45	/* Traffic Selector - Responder */
#define IKEV2_PAYLOAD_SK	46	/* Encrypted */
#define IKEV2_PAYLOAD_CP	47	/* Configuration Payload */
#define IKEV2_PAYLOAD_EAP	48	/* Extensible Authentication */
#define IKEV2_PAYLOAD_GSPM	49	/* RFC6467 Generic Secure Password */
#define IKEV2_PAYLOAD_SKF	53	/* RFC7383 Encrypted Fragment Payload */

extern struct iked_constmap ikev2_payload_map[];

/*
 * SA payload
 */

/*
 * Proposal substructure (RFC7296 section 3.3.1).  sap_length covers
 * this header, the SPI and all transforms that follow; sap_spisize
 * octets of SPI come first, then sap_transforms transform substructures.
 */
struct ikev2_sa_proposal {
	uint8_t		 sap_more;		/* Last proposal or more */
	uint8_t		 sap_reserved;		/* Must be set to zero */
	uint16_t	 sap_length;		/* Proposal length */
	uint8_t		 sap_proposalnr;	/* Proposal number */
	uint8_t		 sap_protoid;		/* Protocol Id */
	uint8_t		 sap_spisize;		/* SPI size */
	uint8_t		 sap_transforms;	/* Number of transforms */
	/* Followed by variable-length SPI */
	/* Followed by variable-length transforms */
} __packed;

/* Values of sap_more ("Last Substruc" in RFC7296) */
#define IKEV2_SAP_LAST	0
#define IKEV2_SAP_MORE	2

/* Values of sap_protoid (IANA "IKEv2 Security Protocol Identifiers") */
#define IKEV2_SAPROTO_NONE		0	/* None */
#define IKEV2_SAPROTO_IKE		1	/* IKEv2 */
#define IKEV2_SAPROTO_AH		2	/* AH */
#define IKEV2_SAPROTO_ESP		3	/* ESP */
#define IKEV2_SAPROTO_FC_ESP_HEADER	4	/* RFC4595 */
#define IKEV2_SAPROTO_FC_CT_AUTH	5	/* RFC4595 */
#define IKEV2_SAPROTO_IPCOMP		204	/* private, should be 4 */

extern struct iked_constmap ikev2_saproto_map[];

/*
 * Transform substructure (RFC7296 section 3.3.2).  xfrm_length covers
 * this header plus any attributes; the meaning of xfrm_id depends on
 * xfrm_type (see the IKEV2_XFORM*_ groups below).
 */
struct ikev2_transform {
	uint8_t		 xfrm_more;		/* Last transform or more */
	uint8_t		 xfrm_reserved;		/* Must be set to zero */
	uint16_t	 xfrm_length;		/* Transform length */
	uint8_t		 xfrm_type;		/* Transform type */
	uint8_t		 xfrm_reserved1;	/* Must be set to zero */
	uint16_t	 xfrm_id;		/* Transform Id */
	/* Followed by variable-length transform attributes */
} __packed;

/* Values of xfrm_more ("Last Substruc" in RFC7296) */
#define IKEV2_XFORM_LAST	0
#define IKEV2_XFORM_MORE	3

/* Values of xfrm_type */
#define IKEV2_XFORMTYPE_ENCR	1	/* Encryption */
#define IKEV2_XFORMTYPE_PRF	2	/* Pseudo-Random Function */
#define IKEV2_XFORMTYPE_INTEGR	3	/* Integrity Algorithm */
#define IKEV2_XFORMTYPE_DH	4	/* Diffie-Hellman Group */
#define IKEV2_XFORMTYPE_ESN	5	/* Extended Sequence Numbers */
#define IKEV2_XFORMTYPE_MAX	6	/* one past the highest type; presumably an array bound */

extern struct iked_constmap ikev2_xformtype_map[];

/* xfrm_id values for IKEV2_XFORMTYPE_ENCR */
#define IKEV2_XFORMENCR_NONE		0	/* None */
#define IKEV2_XFORMENCR_DES_IV64	1	/* RFC1827 */
#define IKEV2_XFORMENCR_DES		2	/* RFC2405 */
#define IKEV2_XFORMENCR_3DES		3	/* RFC2451 */
#define IKEV2_XFORMENCR_RC5		4	/* RFC2451 */
#define IKEV2_XFORMENCR_IDEA		5	/* RFC2451 */
#define IKEV2_XFORMENCR_CAST		6	/* RFC2451 */
#define IKEV2_XFORMENCR_BLOWFISH	7	/* RFC2451 */
#define IKEV2_XFORMENCR_3IDEA		8	/* RFC2451 */
#define IKEV2_XFORMENCR_DES_IV32	9	/* DESIV32 */
#define IKEV2_XFORMENCR_RC4		10	/* RFC2451 */
#define IKEV2_XFORMENCR_NULL		11	/* RFC2410 */
#define IKEV2_XFORMENCR_AES_CBC		12	/* RFC3602 */
#define IKEV2_XFORMENCR_AES_CTR		13	/* RFC3686 */
#define IKEV2_XFORMENCR_AES_CCM_8	14	/* RFC5282 */
#define IKEV2_XFORMENCR_AES_CCM_12	15	/* RFC5282 */
#define IKEV2_XFORMENCR_AES_CCM_16	16	/* RFC5282 */
#define IKEV2_XFORMENCR_AES_GCM_8	18	/* RFC5282 */
#define IKEV2_XFORMENCR_AES_GCM_12	19	/* RFC5282 */
#define IKEV2_XFORMENCR_AES_GCM_16	20	/* RFC5282 */
#define IKEV2_XFORMENCR_NULL_AES_GMAC	21	/* RFC4543 */
#define IKEV2_XFORMENCR_XTS_AES		22	/* IEEE P1619 */
#define IKEV2_XFORMENCR_CAMELLIA_CBC	23	/* RFC5529 */
#define IKEV2_XFORMENCR_CAMELLIA_CTR	24	/* RFC5529 */
#define IKEV2_XFORMENCR_CAMELLIA_CCM_8	25	/* RFC5529 */
#define IKEV2_XFORMENCR_CAMELLIA_CCM_12	26	/* RFC5529 */
#define IKEV2_XFORMENCR_CAMELLIA_CCM_16	27	/* RFC5529 */
#define IKEV2_XFORMENCR_CHACHA20_POLY1305	28	/* RFC7634 */

extern struct iked_constmap ikev2_xformencr_map[];

/* IPComp transform identifiers (IPCOMP_SUPPORTED notification data) */
#define IKEV2_IPCOMP_OUI	1	/* UNSPECIFIED */
#define IKEV2_IPCOMP_DEFLATE	2	/* RFC2394 */
#define IKEV2_IPCOMP_LZS	3	/* RFC2395 */
#define IKEV2_IPCOMP_LZJH	4	/* RFC3051 */

extern struct iked_constmap ikev2_ipcomp_map[];

/* xfrm_id values for IKEV2_XFORMTYPE_PRF */
#define IKEV2_XFORMPRF_HMAC_MD5		1	/* RFC2104 */
#define IKEV2_XFORMPRF_HMAC_SHA1	2	/* RFC2104 */
#define IKEV2_XFORMPRF_HMAC_TIGER	3	/* RFC2104 */
#define IKEV2_XFORMPRF_AES128_XCBC	4	/* RFC3664 */
#define IKEV2_XFORMPRF_HMAC_SHA2_256	5	/* RFC4868 */
#define IKEV2_XFORMPRF_HMAC_SHA2_384	6	/* RFC4868 */
#define IKEV2_XFORMPRF_HMAC_SHA2_512	7	/* RFC4868 */
#define IKEV2_XFORMPRF_AES128_CMAC	8	/* RFC4615 */

extern struct iked_constmap ikev2_xformprf_map[];

/* xfrm_id values for IKEV2_XFORMTYPE_INTEGR */
#define IKEV2_XFORMAUTH_NONE			0	/* No Authentication */
#define IKEV2_XFORMAUTH_HMAC_MD5_96		1	/* RFC2403 */
#define IKEV2_XFORMAUTH_HMAC_SHA1_96		2	/* RFC2404 */
#define IKEV2_XFORMAUTH_DES_MAC			3	/* DES-MAC */
#define IKEV2_XFORMAUTH_KPDK_MD5		4	/* RFC1826 */
#define IKEV2_XFORMAUTH_AES_XCBC_96		5	/* RFC3566 */
#define IKEV2_XFORMAUTH_HMAC_MD5_128		6	/* RFC4595 */
#define IKEV2_XFORMAUTH_HMAC_SHA1_160		7	/* RFC4595 */
#define IKEV2_XFORMAUTH_AES_CMAC_96		8	/* RFC4494 */
#define IKEV2_XFORMAUTH_AES_128_GMAC		9	/* RFC4543 */
#define IKEV2_XFORMAUTH_AES_192_GMAC		10	/* RFC4543 */
#define IKEV2_XFORMAUTH_AES_256_GMAC		11	/* RFC4543 */
#define IKEV2_XFORMAUTH_HMAC_SHA2_256_128	12	/* RFC4868 */
#define IKEV2_XFORMAUTH_HMAC_SHA2_384_192	13	/* RFC4868 */
#define IKEV2_XFORMAUTH_HMAC_SHA2_512_256	14	/* RFC4868 */

/*
 * Placeholders for AEAD ciphers (only used internally).  They are not
 * IANA-assigned; they fit the 16-bit xfrm_id field, so the code that
 * builds transforms is presumably responsible for never emitting them.
 */
#define IKEV2_XFORMAUTH_AES_GCM_8		2018	/* internal */
#define IKEV2_XFORMAUTH_AES_GCM_12		2019	/* internal */
#define IKEV2_XFORMAUTH_AES_GCM_16		2020	/* internal */

extern struct iked_constmap ikev2_xformauth_map[];

/* xfrm_id values for IKEV2_XFORMTYPE_DH (also used in kex_dhgroup) */
#define IKEV2_XFORMDH_NONE		0	/* No DH */
#define IKEV2_XFORMDH_MODP_768		1	/* DH Group 1 */
#define IKEV2_XFORMDH_MODP_1024		2	/* DH Group 2 */
#define IKEV2_XFORMDH_MODP_1536		5	/* DH Group 5 */
#define IKEV2_XFORMDH_MODP_2048		14	/* DH Group 14 */
#define IKEV2_XFORMDH_MODP_3072		15	/* DH Group 15 */
#define IKEV2_XFORMDH_MODP_4096		16	/* DH Group 16 */
#define IKEV2_XFORMDH_MODP_6144		17	/* DH Group 17 */
#define IKEV2_XFORMDH_MODP_8192		18	/* DH Group 18 */
#define IKEV2_XFORMDH_ECP_256		19	/* RFC5903 */
#define IKEV2_XFORMDH_ECP_384		20	/* RFC5903 */
#define IKEV2_XFORMDH_ECP_521		21	/* RFC5903 */
#define IKEV2_XFORMDH_ECP_192		25	/* RFC5114 */
#define IKEV2_XFORMDH_ECP_224		26	/* RFC5114 */
#define IKEV2_XFORMDH_BRAINPOOL_P224R1	27	/* RFC6954 */
#define IKEV2_XFORMDH_BRAINPOOL_P256R1	28	/* RFC6954 */
#define IKEV2_XFORMDH_BRAINPOOL_P384R1	29	/* RFC6954 */
#define IKEV2_XFORMDH_BRAINPOOL_P512R1	30	/* RFC6954 */
#define IKEV2_XFORMDH_CURVE25519	31	/* RFC8031 */
#define IKEV2_XFORMDH_X_SNTRUP761X25519	1035	/* private */

extern struct iked_constmap ikev2_xformdh_map[];

/*
 * Fragment sizing (RFC7383 section 2.5.1): the largest IKE payload that
 * still fits the minimum reassembly MTU of each IP version once the IP
 * header, the 8-octet UDP header and the 28-octet IKE header are taken
 * off.  Non-ESP-marker and NAT-T encapsulation are not accounted for here.
 */
#define IKEV2_IPV4_OVERHEAD		(20 + 8 + 28)	/* IPv4 + UDP + IKE_HDR */
#define IKEV2_MAXLEN_IPV4_FRAG		(576 - IKEV2_IPV4_OVERHEAD)
#define IKEV2_IPV6_OVERHEAD		(40 + 8 + 28)	/* IPv6 + UDP + IKE_HDR */
#define IKEV2_MAXLEN_IPV6_FRAG		(1280 - IKEV2_IPV6_OVERHEAD)

/* Upper bound of tsp_count, which is a uint8_t */
#define IKEV2_MAXNUM_TSS		255		/* 8 bit Number of TSs field */

/* xfrm_id values for IKEV2_XFORMTYPE_ESN */
#define IKEV2_XFORMESN_NONE		0	/* No ESN */
#define IKEV2_XFORMESN_ESN		1	/* ESN */

extern struct iked_constmap ikev2_xformesn_map[];

/*
 * Transform attribute (RFC7296 section 3.3.5).  The top bit of attr_type
 * is the AF flag: when set (TV format) attr_length holds the value
 * itself; when clear (TLV format) it is the length of the data that
 * follows.
 */
struct ikev2_attribute {
	uint16_t	 attr_type;	/* Attribute type */
	uint16_t	 attr_length;	/* Attribute length or value */
	/* Followed by variable length (TLV) */
} __packed;

#define IKEV2_ATTRAF_TLV		0x0000	/* Type-Length-Value format */
#define IKEV2_ATTRAF_TV			0x8000	/* Type-Value format */

#define IKEV2_ATTRTYPE_KEY_LENGTH	14	/* Key length */

extern struct iked_constmap ikev2_attrtype_map[];

/*
 * KE Payload
 */

/*
 * Key Exchange payload header (RFC7296 section 3.4); the key exchange
 * data follows.  kex_dhgroup uses the IKEV2_XFORMDH_* values.
 */
struct ikev2_keyexchange {
	uint16_t	 kex_dhgroup;	/* DH Group # */
	uint16_t	 kex_reserved;	/* Reserved */
} __packed;

/*
 * N payload
 */

/*
 * Notify payload header (RFC7296 section 3.10).  n_protoid is one of
 * IKEV2_SAPROTO_*, n_type one of IKEV2_N_* below; n_spisize octets of
 * SPI follow, then the type-specific notification data.
 */
struct ikev2_notify {
	uint8_t		 n_protoid;	/* Protocol Id */
	uint8_t		 n_spisize;	/* SPI size */
	uint16_t	 n_type;	/* Notify message type */
	/* Followed by variable length SPI */
	/* Followed by variable length notification data */
} __packed;

/*
 * Notify message types (RFC7296 section 3.10.1).  Values 0-16383 are
 * error types, 16384 and above are status types.  Per the RFC an
 * unrecognized error type in a response means the negotiation failed,
 * while unrecognized error types in requests and unrecognized status
 * types anywhere are to be ignored.
 */
#define IKEV2_N_UNSUPPORTED_CRITICAL_PAYLOAD	1	/* RFC7296 */
#define IKEV2_N_INVALID_IKE_SPI			4	/* RFC7296 */
#define IKEV2_N_INVALID_MAJOR_VERSION		5	/* RFC7296 */
#define IKEV2_N_INVALID_SYNTAX			7	/* RFC7296 */
#define IKEV2_N_INVALID_MESSAGE_ID		9	/* RFC7296 */
#define IKEV2_N_INVALID_SPI			11	/* RFC7296 */
#define IKEV2_N_NO_PROPOSAL_CHOSEN		14	/* RFC7296 */
#define IKEV2_N_INVALID_KE_PAYLOAD		17	/* RFC7296 */
#define IKEV2_N_AUTHENTICATION_FAILED		24	/* RFC7296 */
#define IKEV2_N_SINGLE_PAIR_REQUIRED		34	/* RFC7296 */
#define IKEV2_N_NO_ADDITIONAL_SAS		35	/* RFC7296 */
#define IKEV2_N_INTERNAL_ADDRESS_FAILURE	36	/* RFC7296 */
#define IKEV2_N_FAILED_CP_REQUIRED		37	/* RFC7296 */
#define IKEV2_N_TS_UNACCEPTABLE			38	/* RFC7296 */
#define IKEV2_N_INVALID_SELECTORS		39	/* RFC7296 */
#define IKEV2_N_UNACCEPTABLE_ADDRESSES		40	/* RFC4555 */
#define IKEV2_N_UNEXPECTED_NAT_DETECTED		41	/* RFC4555 */
#define IKEV2_N_USE_ASSIGNED_HoA		42	/* RFC5026 */
#define IKEV2_N_TEMPORARY_FAILURE		43	/* RFC7296 */
#define IKEV2_N_CHILD_SA_NOT_FOUND		44	/* RFC7296 */
#define IKEV2_N_INITIAL_CONTACT			16384	/* RFC7296 */
#define IKEV2_N_SET_WINDOW_SIZE			16385	/* RFC7296 */
#define IKEV2_N_ADDITIONAL_TS_POSSIBLE		16386	/* RFC7296 */
#define IKEV2_N_IPCOMP_SUPPORTED		16387	/* RFC7296 */
#define IKEV2_N_NAT_DETECTION_SOURCE_IP		16388	/* RFC7296 */
#define IKEV2_N_NAT_DETECTION_DESTINATION_IP	16389	/* RFC7296 */
#define IKEV2_N_COOKIE				16390	/* RFC7296 */
#define IKEV2_N_USE_TRANSPORT_MODE		16391	/* RFC7296 */
#define IKEV2_N_HTTP_CERT_LOOKUP_SUPPORTED	16392	/* RFC7296 */
#define IKEV2_N_REKEY_SA			16393	/* RFC7296 */
#define IKEV2_N_ESP_TFC_PADDING_NOT_SUPPORTED	16394	/* RFC7296 */
#define IKEV2_N_NON_FIRST_FRAGMENTS_ALSO	16395	/* RFC7296 */
#define IKEV2_N_MOBIKE_SUPPORTED		16396	/* RFC4555 */
#define IKEV2_N_ADDITIONAL_IP4_ADDRESS		16397	/* RFC4555 */
#define IKEV2_N_ADDITIONAL_IP6_ADDRESS		16398	/* RFC4555 */
#define IKEV2_N_NO_ADDITIONAL_ADDRESSES		16399	/* RFC4555 */
#define IKEV2_N_UPDATE_SA_ADDRESSES		16400	/* RFC4555 */
#define IKEV2_N_COOKIE2				16401	/* RFC4555 */
#define IKEV2_N_NO_NATS_ALLOWED			16402	/* RFC4555 */
#define IKEV2_N_AUTH_LIFETIME			16403	/* RFC4478 */
#define IKEV2_N_MULTIPLE_AUTH_SUPPORTED		16404	/* RFC4739 */
#define IKEV2_N_ANOTHER_AUTH_FOLLOWS		16405	/* RFC4739 */
#define IKEV2_N_REDIRECT_SUPPORTED		16406	/* RFC5685 */
#define IKEV2_N_REDIRECT			16407	/* RFC5685 */
#define IKEV2_N_REDIRECTED_FROM			16408	/* RFC5685 */
#define IKEV2_N_TICKET_LT_OPAQUE		16409	/* RFC5723 */
#define IKEV2_N_TICKET_REQUEST			16410	/* RFC5723 */
#define IKEV2_N_TICKET_ACK			16411	/* RFC5723 */
#define IKEV2_N_TICKET_NACK			16412	/* RFC5723 */
#define IKEV2_N_TICKET_OPAQUE			16413	/* RFC5723 */
#define IKEV2_N_LINK_ID				16414	/* RFC5739 */
#define IKEV2_N_USE_WESP_MODE			16415	/* RFC5840 */
#define IKEV2_N_ROHC_SUPPORTED			16416	/* RFC5857 */
#define IKEV2_N_EAP_ONLY_AUTHENTICATION		16417	/* RFC5998 */
#define IKEV2_N_CHILDLESS_IKEV2_SUPPORTED	16418	/* RFC6023 */
#define IKEV2_N_QUICK_CRASH_DETECTION		16419	/* RFC6290 */
#define IKEV2_N_IKEV2_MESSAGE_ID_SYNC_SUPPORTED	16420	/* RFC6311 */
#define IKEV2_N_IPSEC_REPLAY_CTR_SYNC_SUPPORTED	16421	/* RFC6311 */
#define IKEV2_N_IKEV2_MESSAGE_ID_SYNC		16422	/* RFC6311 */
#define IKEV2_N_IPSEC_REPLAY_CTR_SYNC		16423	/* RFC6311 */
#define IKEV2_N_SECURE_PASSWORD_METHODS		16424	/* RFC6467 */
#define IKEV2_N_PSK_PERSIST			16425	/* RFC6631 */
#define IKEV2_N_PSK_CONFIRM			16426	/* RFC6631 */
#define IKEV2_N_ERX_SUPPORTED			16427	/* RFC6867 */
#define IKEV2_N_IFOM_CAPABILITY			16428	/* OA3GPP */
#define IKEV2_N_FRAGMENTATION_SUPPORTED		16430	/* RFC7383 */
#define IKEV2_N_SIGNATURE_HASH_ALGORITHMS	16431	/* RFC7427 */

extern struct iked_constmap ikev2_n_map[];

/*
 * DELETE payload
 */

/*
 * Delete payload header (RFC7296 section 3.11).  del_nspi SPIs of
 * del_spisize octets each follow; a parser should check that
 * del_nspi * del_spisize fits in the payload before walking them.
 */
struct ikev2_delete {
	uint8_t		 del_protoid;	/* Protocol Id */
	uint8_t		 del_spisize;	/* SPI size */
	uint16_t	 del_nspi;	/* Number of SPIs */
	/* Followed by variable length SPIs */
} __packed;

/*
 * ID payload
 */

/*
 * Identification payload header (RFC7296 section 3.5), shared by IDi
 * and IDr.  The identification data runs to the end of the payload and
 * is interpreted according to id_type.
 */
struct ikev2_id {
	uint8_t		 id_type;	/* Id type */
	uint8_t		 id_reserved[3];	/* Reserved */
	/* Followed by the identification data */
} __packed;

#define IKEV2_ID_NONE		0	/* No ID */
#define IKEV2_ID_IPV4		1	/* RFC7296 (ID_IPV4_ADDR) */
#define IKEV2_ID_FQDN		2	/* RFC7296 */
#define IKEV2_ID_UFQDN		3	/* RFC7296 (ID_RFC822_ADDR) */
#define IKEV2_ID_IPV6		5	/* RFC7296 (ID_IPV6_ADDR) */
#define IKEV2_ID_ASN1_DN	9	/* RFC7296 */
#define IKEV2_ID_ASN1_GN	10	/* RFC7296 */
#define IKEV2_ID_KEY_ID		11	/* RFC7296 */
#define IKEV2_ID_FC_NAME	12	/* RFC4595 */

extern struct iked_constmap ikev2_id_map[];

/*
 * CERT/CERTREQ payloads
 */

/*
 * Certificate / Certificate Request payload header (RFC7296 sections
 * 3.6 and 3.7): a single encoding octet, then the certificate data
 * (CERT) or the certification authority data (CERTREQ).
 */
struct ikev2_cert {
	uint8_t		 cert_type;	/* Encoding */
	/* Followed by the certificate data */
} __packed;

#define IKEV2_CERT_NONE			0	/* None */
#define IKEV2_CERT_X509_PKCS7		1	/* UNSPECIFIED */
#define IKEV2_CERT_PGP			2	/* UNSPECIFIED */
#define IKEV2_CERT_DNS_SIGNED_KEY	3	/* UNSPECIFIED */
#define IKEV2_CERT_X509_CERT		4	/* RFC7296 */
#define IKEV2_CERT_KERBEROS_TOKEN	6	/* UNSPECIFIED */
#define IKEV2_CERT_CRL			7	/* RFC7296 */
#define IKEV2_CERT_ARL			8	/* UNSPECIFIED */
#define IKEV2_CERT_SPKI			9	/* UNSPECIFIED */
#define IKEV2_CERT_X509_ATTR		10	/* UNSPECIFIED */
#define IKEV2_CERT_RSA_KEY		11	/* RFC7296 */
#define IKEV2_CERT_HASHURL_X509		12	/* RFC7296 */
#define IKEV2_CERT_HASHURL_X509_BUNDLE	13	/* RFC7296 */
#define IKEV2_CERT_OCSP			14	/* RFC4806 */
/*
 * As of November 2014, work was still in progress to add a more generic
 * format for raw public keys (RFC7296), so we use a number in IANA's private
 * use range (201-255, same RFC) for ECDSA.
 */
#define IKEV2_CERT_ECDSA		201	/* Private */
#define IKEV2_CERT_BUNDLE		254	/* Private */

extern struct iked_constmap ikev2_cert_map[];

/*
 * TSi/TSr payloads
 */

/*
 * Traffic Selector payload header (RFC7296 section 3.13): tsp_count
 * selectors follow, each starting with a struct ikev2_ts.
 */
struct ikev2_tsp {
	uint8_t		 tsp_count;	/* Number of TSs */
	uint8_t		 tsp_reserved[3];	/* Reserved */
	/* Followed by the traffic selectors */
} __packed;

/*
 * Traffic Selector (RFC7296 section 3.13.1).  ts_length covers this
 * header and the starting and ending addresses that follow it; their
 * size depends on ts_type.  Ports are a closed range [start, end].
 */
struct ikev2_ts {
	uint8_t		 ts_type;	/* TS type */
	uint8_t		 ts_protoid;	/* Protocol Id */
	uint16_t	 ts_length;	/* Length */
	uint16_t	 ts_startport;	/* Start port */
	uint16_t	 ts_endport;	/* End port */
} __packed;

#define IKEV2_TS_IPV4_ADDR_RANGE	7	/* RFC7296 */
#define IKEV2_TS_IPV6_ADDR_RANGE	8	/* RFC7296 */
#define IKEV2_TS_FC_ADDR_RANGE		9	/* RFC4595 */

extern struct iked_constmap ikev2_ts_map[];

/*
 * AUTH payload
 */

/*
 * Authentication payload header (RFC7296 section 3.8); the
 * authentication data (signature or MAC) runs to the end of the payload.
 */
struct ikev2_auth {
	uint8_t		 auth_method;	/* Signature type */
	uint8_t		 auth_reserved[3];	/* Reserved */
	/* Followed by the signature */
} __packed;

#define IKEV2_AUTH_NONE			0	/* None */
#define IKEV2_AUTH_RSA_SIG		1	/* RFC7296 */
#define IKEV2_AUTH_SHARED_KEY_MIC	2	/* RFC7296 */
#define IKEV2_AUTH_DSS_SIG		3	/* RFC7296 */
#define IKEV2_AUTH_ECDSA_256		9	/* RFC4754 */
#define IKEV2_AUTH_ECDSA_384		10	/* RFC4754 */
#define IKEV2_AUTH_ECDSA_521		11	/* RFC4754 */
#define IKEV2_AUTH_GSPM			12	/* RFC6467 */
#define IKEV2_AUTH_NULL			13	/* RFC7619 */
#define IKEV2_AUTH_SIG			14	/* RFC7427 */
/*
 * Not IANA-assigned, but it fits the 8-bit auth_method field, so the
 * code that builds AUTH payloads is presumably responsible for never
 * emitting it.
 */
#define IKEV2_AUTH_SIG_ANY		255	/* Internal (any signature) */
/*
 * AUTH_SIG also serves as an indication that a given policy has
 * been configured to accept RSA or ECDSA payloads, as long as it
 * successfully authenticates against a configured CA.
 */

extern struct iked_constmap ikev2_auth_map[];

/*
 * Notifications used together with IKEV2_AUTH_SIG
 * (hash algorithm identifiers carried in SIGNATURE_HASH_ALGORITHMS)
 */

#define IKEV2_SIGHASH_RESERVED		0	/* RFC7427 */
#define IKEV2_SIGHASH_SHA1		1	/* RFC7427 */
#define IKEV2_SIGHASH_SHA2_256		2	/* RFC7427 */
#define IKEV2_SIGHASH_SHA2_384		3	/* RFC7427 */
#define IKEV2_SIGHASH_SHA2_512		4	/* RFC7427 */

extern struct iked_constmap ikev2_sighash_map[];

/*
 * CP payload
 */

/*
 * Configuration payload header (RFC7296 section 3.15): cp_type is one of
 * IKEV2_CP_* and the configuration attributes (struct ikev2_cfg) follow.
 */
struct ikev2_cp {
	uint8_t		 cp_type;	/* CFG type */
	uint8_t		 cp_reserved[3];	/* Reserved */
	/* Followed by the attributes */
} __packed;

#define IKEV2_CP_REQUEST	1	/* CFG-Request */
#define IKEV2_CP_REPLY		2	/* CFG-Reply */
#define IKEV2_CP_SET		3	/* CFG-SET */
#define IKEV2_CP_ACK		4	/* CFG-ACK */

extern struct iked_constmap ikev2_cp_map[];

/*
 * Configuration attribute (RFC7296 section 3.15.1).  Unlike the SA
 * transform attribute there is no TV form: cfg_length is always the
 * length of the data that follows, and may be zero in a request.
 */
struct ikev2_cfg {
	uint16_t	 cfg_type;	/* first bit must be set to zero */
	uint16_t	 cfg_length;	/* Length of the attribute data */
	/* Followed by variable-length data */
} __packed;

#define IKEV2_CFG_INTERNAL_IP4_ADDRESS		1	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP4_NETMASK		2	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP4_DNS		3	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP4_NBNS		4	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_ADDRESS_EXPIRY	5	/* RFC4306 */
#define IKEV2_CFG_INTERNAL_IP4_DHCP		6	/* RFC7296 */
#define IKEV2_CFG_APPLICATION_VERSION		7	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP6_ADDRESS		8	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP6_DNS		10	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP6_NBNS		11	/* RFC4306 */
#define IKEV2_CFG_INTERNAL_IP6_DHCP		12	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP4_SUBNET		13	/* RFC7296 */
#define IKEV2_CFG_SUPPORTED_ATTRIBUTES		14	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP6_SUBNET		15	/* RFC7296 */
#define IKEV2_CFG_MIP6_HOME_PREFIX		16	/* RFC5026 */
#define IKEV2_CFG_INTERNAL_IP6_LINK		17	/* RFC5739 */
#define IKEV2_CFG_INTERNAL_IP6_PREFIX		18	/* RFC5739 */
#define IKEV2_CFG_HOME_AGENT_ADDRESS		19	/* http://www.3gpp.org/ftp/Specs/html-info/24302.htm */
#define IKEV2_CFG_INTERNAL_IP4_SERVER		23456	/* MS-IKEE */
#define IKEV2_CFG_INTERNAL_IP6_SERVER		23457	/* MS-IKEE */

extern struct iked_constmap ikev2_cfg_map[];

/*
 * IKEv1 payload types
 *
 * Only the two values needed to recognize (and refuse) IKEv1 traffic
 * are listed; this is not a full IKEv1 table.
 */
#define IKEV1_PAYLOAD_NONE	0	/* No payload */
#define IKEV1_PAYLOAD_PROPOSAL	2	/* Proposal */

#endif /* IKED_IKEV2_H */