/* $OpenBSD: ipsec.h,v 1.18 2001/07/01 20:43:39 niklas Exp $ */
/* $EOM: ipsec.h,v 1.42 2000/12/03 07:58:20 angelos Exp $ */

/*
 * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist.  All rights reserved.
 * Copyright (c) 1999 Angelos D. Keromytis.  All rights reserved.
 * Copyright (c) 2001 Håkan Olsson.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. All advertising materials mentioning features or use of this software
 *    must display the following acknowledgement:
 *	This product includes software developed by Ericsson Radio Systems.
 * 4. The name of the author may not be used to endorse or promote products
 *    derived from this software without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * This code was written under funding by Ericsson Radio Systems.
 */

/*
 * IPsec DOI-specific state hung off the generic exchange, SA and proto
 * objects, plus the helpers that operate on it.  The struct types declared
 * below are only ever referenced through pointers here, so the full
 * definitions (exchange, sa, proto, message, ...) stay opaque to this header.
 */

/*
 * NOTE(review): _IPSEC_H_ (leading underscore + uppercase) is in the
 * implementation-reserved identifier namespace.  Left unchanged here because
 * other translation units may test this exact guard.
 */
#ifndef _IPSEC_H_
#define _IPSEC_H_

#include <sys/queue.h>
#include <sys/types.h>
#include <netinet/in.h>

#include "ipsec_doi.h"
#ifdef USE_ISAKMP_CFG
#include "isakmp_cfg.h"
#endif

/* Opaque to this header; only pointers to these are used below. */
struct group;
struct hash;
struct ike_auth;
struct message;
struct proto;
struct sa;

/*
 * IPsec-specific data to be linked into the exchange struct.
 * XXX Should probably be several different structs, one for each kind
 * of exchange, i.e. phase 1, phase 2 and ISAKMP configuration parameters
 * separated.
 *
 * Ownership of the u_int8_t * buffers below is not expressed in this
 * header.  Several of them (g_xy, skeyid*) are key material by name --
 * NOTE(review): confirm that whoever frees an ipsec_exch clears those
 * buffers before releasing them.
 */
struct ipsec_exch {
  /* IPSEC_EXCH_FLAG_* bits; only IPSEC_EXCH_FLAG_NO_ID is defined below. */
  u_int flags;
  struct hash *hash;
  struct ike_auth *ike_auth;
  /* Presumably the negotiated Diffie-Hellman group for g_x* below. */
  struct group *group;
  /* Pseudo-random function type; same type/name as ipsec_sa.prf_type. */
  u_int16_t prf_type;

  /* 0 if no KEY_EXCH was proposed, 1 otherwise */
  u_int8_t pfs;

  /*
   * A copy of the initiator SA payload body for later computation of hashes.
   * Phase 1 only.
   */
  size_t sa_i_b_len;
  u_int8_t *sa_i_b;

  /*
   * Diffie-Hellman values.  g_x_len is shared by all three buffers; g_xy is
   * presumably the shared secret and therefore sensitive.
   */
  size_t g_x_len;
  u_int8_t *g_xi;
  u_int8_t *g_xr;
  u_int8_t *g_xy;

  /* SKEYIDs.  XXX Phase 1 only?  One skeyid_len covers all four buffers. */
  size_t skeyid_len;
  u_int8_t *skeyid;
  u_int8_t *skeyid_d;
  u_int8_t *skeyid_a;
  u_int8_t *skeyid_e;

  /* HASH_I & HASH_R.  XXX Do these need to be saved here? */
  u_int8_t *hash_i;
  u_int8_t *hash_r;

  /* KEYMAT length only; the KEYMAT buffers themselves are ipsec_proto.keymat. */
  size_t keymat_len;

  /* Phase 2.  Identity payloads (initiator/responder, by name) and sizes. */
  u_int8_t *id_ci;
  size_t id_ci_sz;
  u_int8_t *id_cr;
  size_t id_cr_sz;

#ifdef USE_ISAKMP_CFG
  /* ISAKMP configuration mode parameters */
  u_int16_t cfg_id;
  LIST_HEAD (, isakmp_cfg_attr) attrs;
#endif
};

/* Bit for ipsec_exch.flags. */
#define IPSEC_EXCH_FLAG_NO_ID 1

/*
 * IPsec-specific data hung off a struct sa.
 * NOTE(review): skeyid_d / skeyid_a are key material by name; confirm the
 * SA teardown path clears them before freeing.
 */
struct ipsec_sa {
  /* Phase 1. */
  u_int8_t hash;
  size_t skeyid_len;
  u_int8_t *skeyid_d;
  u_int8_t *skeyid_a;
  u_int16_t prf_type;

  /* Phase 2. */
  u_int16_t group_desc;

  /* Tunnel parameters.  These are in network byte order. */
  struct sockaddr *src_net;
  struct sockaddr *src_mask;
  struct sockaddr *dst_net;
  struct sockaddr *dst_mask;
  u_int8_t tproto;
  u_int16_t sport;
  u_int16_t dport;
};

/* IPsec-specific data hung off a struct proto. */
struct ipsec_proto {
  /* Phase 2. */
  u_int16_t encap_mode;
  u_int16_t auth;
  u_int16_t keylen;
  u_int16_t keyrounds;

  /* This is not negotiated, but rather configured. */
  int32_t replay_window;

  /*
   * KEYMAT.  Two buffers (presumably one per direction); their length is
   * ipsec_exch.keymat_len.  Key material -- see the ownership note on
   * ipsec_exch.
   */
  u_int8_t *keymat[2];
};

/*
 * Most prototypes below omit parameter names; refer to the corresponding
 * definitions for argument meaning.  ipsec_decode_attribute and
 * ipsec_is_attribute_incompatible take a raw attribute pointer together with
 * a 16-bit length -- presumably taken from a received payload, in which case
 * the caller is responsible for that length being within the payload.
 */
extern u_int8_t *ipsec_add_hash_payload (struct message *msg, size_t);
extern int ipsec_ah_keylength (struct proto *);
extern u_int8_t *ipsec_build_id (char *, size_t *);
extern int ipsec_decode_attribute (u_int16_t, u_int8_t *, u_int16_t, void *);
extern void ipsec_decode_transform (struct message *, struct sa *,
				    struct proto *, u_int8_t *);
extern int ipsec_esp_authkeylength (struct proto *);
extern int ipsec_esp_enckeylength (struct proto *);
extern int ipsec_fill_in_hash (struct message *msg);
extern int ipsec_gen_g_x (struct message *);
extern int ipsec_get_id (char *, int *, struct sockaddr **,
			 struct sockaddr **, u_int8_t *, u_int16_t *);
/* Returns ssize_t, so presumably a negative value signals an error. */
extern ssize_t ipsec_id_size (char *, u_int8_t *);
extern void ipsec_init (void);
extern int ipsec_initial_contact (struct message *msg);
extern int ipsec_is_attribute_incompatible (u_int16_t, u_int8_t *, u_int16_t,
					    void *);
extern int ipsec_keymat_length (struct proto *);
extern int ipsec_save_g_x (struct message *);
extern struct sa *ipsec_sa_lookup (struct sockaddr *, u_int32_t, u_int8_t);

extern char *ipsec_decode_ids (char *, u_int8_t *, size_t, u_int8_t *, size_t,
			       int);
extern int ipsec_clone_id (u_int8_t **, size_t *, u_int8_t *, size_t);

#endif /* _IPSEC_H_ */