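/* $OpenBSD: ike.h,v 1.3 2001/04/10 16:10:21 ho Exp $ */

/*
 * ISAKMP/IKE (RFC 2408, RFC 2409), IPsec DOI (RFC 2407) and IKE
 * mode-config constants, plus string tables used to print them.
 *
 * Every *_INITIALIZER below is a brace list meant to initialise a
 * `const char *name[]` array that is indexed directly by the numeric
 * value carried on the wire, so element i must be the name of value i.
 * None of the tables carries an explicit length: code that indexes one
 * of them with a value taken from a packet must bound the index by
 * sizeof(tbl) / sizeof(tbl[0]) first (the lookups themselves live
 * outside this header).
 *
 * Corrections relative to the previous revision of the tables, all
 * display strings only:
 *  - IPSEC_AH_INITIALIZER was shifted by one (RFC 2407 4.4.3 reserves
 *    0-1 and starts at AH_MD5 = 2), so every AH transform printed
 *    under the next one's name.
 *  - ESP transform 1 is ESP_DES_IV64 (was misspelled "DEV_IV64").
 *  - The RFC 2409 group type / descriptions are spelled "EC2N"
 *    (were "E2CN").
 */

#ifndef IKE_H
#define IKE_H

/* Domain of interpretation (RFC 2408 3.5 / RFC 2407 4.1). */
#define ISAKMP_DOI			0
#define IPSEC_DOI			1

/* Protocol identifiers (RFC 2407 4.4.1). */
#define PROTO_ISAKMP			1
#define PROTO_IPSEC_AH			2
#define PROTO_IPSEC_ESP			3
#define PROTO_IPCOMP			4

/* IKE (phase 1) SA attribute classes (RFC 2409 Appendix A). */
#define IKE_ATTR_ENCRYPTION_ALGORITHM	1
#define IKE_ATTR_HASH_ALGORITHM		2
#define IKE_ATTR_AUTHENTICATION_METHOD	3
#define IKE_ATTR_GROUP_DESC		4
#define IKE_ATTR_GROUP_TYPE		5
#define IKE_ATTR_LIFE_TYPE		11

/* Indexed by PROTO_*. */
#define IKE_PROTO_INITIALIZER						\
	{ "RESERVED", "ISAKMP", "IPSEC_AH", "IPSEC_ESP", "IPCOMP",	\
	}

/*
 * Value tables for the IKE SA attributes above, one per attribute
 * class, each indexed by the attribute value (RFC 2409 Appendix A).
 */
#define IKE_ATTR_ENCRYPT_INITIALIZER					\
	{ "NONE", "DES_CBC", "IDEA_CBC", "BLOWFISH_CBC",		\
	  "RC5_R16_B64_CBC", "3DES_CBC", "CAST_CBC", "AES_CBC",		\
	}
#define IKE_ATTR_HASH_INITIALIZER					\
	{ "NONE", "MD5", "SHA", "TIGER",				\
	  "SHA2_256", "SHA2_384", "SHA2_512",				\
	}
#define IKE_ATTR_AUTH_INITIALIZER					\
	{ "NONE", "PRE_SHARED", "DSS", "RSA_SIG",			\
	  "RSA_ENC", "RSA_ENC_REV",					\
	}
#define IKE_ATTR_GROUP_DESC_INITIALIZER					\
	{ "NONE", "MODP_768", "MODP_1024",				\
	  "EC2N_155", "EC2N_185", "MODP_1536",				\
	}
#define IKE_ATTR_GROUP_INITIALIZER					\
	{ "NONE", "MODP", "ECP", "EC2N",				\
	}
#define IKE_ATTR_SA_DURATION_INITIALIZER				\
	{ "NONE", "SECONDS", "KILOBYTES",				\
	}

/* Names of the IKE SA attribute classes, indexed by IKE_ATTR_*. */
#define IKE_ATTR_INITIALIZER						\
	{ "NONE",			/* 0 (not in RFC) */		\
	  "ENCRYPTION_ALGORITHM",	/* 1 */				\
	  "HASH_ALGORITHM",		/* 2 */				\
	  "AUTHENTICATION_METHOD",	/* 3 */				\
	  "GROUP_DESCRIPTION",		/* 4 */				\
	  "GROUP_TYPE",			/* 5 */				\
	  "GROUP_PRIME",		/* 6 */				\
	  "GROUP_GENERATOR_1",		/* 7 */				\
	  "GROUP_GENERATOR_2",		/* 8 */				\
	  "GROUP_CURVE_1",		/* 9 */				\
	  "GROUP_CURVE_2",		/* 10 */			\
	  "LIFE_TYPE",			/* 11 */			\
	  "LIFE_DURATION",		/* 12 */			\
	  "PRF",			/* 13 */			\
	  "KEY_LENGTH",			/* 14 */			\
	  "FIELD_SIZE",			/* 15 */			\
	  "GROUP_ORDER",		/* 16 */			\
	}

/* Situation bit flags of the IPsec DOI (RFC 2407 4.2). */
#define IKE_SITUATION_IDENTITY_ONLY	1
#define IKE_SITUATION_SECRECY		2
#define IKE_SITUATION_INTEGRITY		4
/* Mask is all the above, i.e 1+2+4 = 7 */
#define IKE_SITUATION_MASK		7

/* ISAKMP payload types (RFC 2408 3.1); 14 comes from mode-config. */
#define PAYLOAD_NONE			0
#define PAYLOAD_SA			1
#define PAYLOAD_PROPOSAL		2
#define PAYLOAD_TRANSFORM		3
#define PAYLOAD_KE			4
#define PAYLOAD_ID			5
#define PAYLOAD_CERT			6
#define PAYLOAD_CERTREQUEST		7
#define PAYLOAD_HASH			8
#define PAYLOAD_SIG			9
#define PAYLOAD_NONCE			10
#define PAYLOAD_NOTIFICATION		11
#define PAYLOAD_DELETE			12
#define PAYLOAD_VENDOR			13
#define PAYLOAD_ATTRIBUTE		14

/* Indexed by PAYLOAD_*. */
#define IKE_PAYLOAD_TYPES_INITIALIZER					\
	{ "NONE",		/* 0 */					\
	  "SA",			/* 1 */					\
	  "PROPOSAL",		/* 2 */					\
	  "TRANSFORM",		/* 3 */					\
	  "KEY_EXCH",		/* 4 */					\
	  "ID",			/* 5 */					\
	  "CERT",		/* 6 */					\
	  "CERTREQUEST",	/* 7 */					\
	  "HASH",		/* 8 */					\
	  "SIG",		/* 9 */					\
	  "NONCE",		/* 10 */				\
	  "NOTIFICATION",	/* 11 */				\
	  "DELETE",		/* 12 */				\
	  "VENDOR",		/* 13 */				\
	  "ATTRIBUTE",		/* 14 (ikecfg) */			\
	}

/* Exchange types (RFC 2408 3.1; 32/33 from RFC 2409, 6 from ikecfg). */
#define EXCHANGE_NONE			0
#define EXCHANGE_BASE			1
#define EXCHANGE_ID_PROT		2
#define EXCHANGE_AUTH_ONLY		3
#define EXCHANGE_AGGRESSIVE		4
#define EXCHANGE_INFO			5
#define EXCHANGE_TRANSACTION		6
#define EXCHANGE_QUICK_MODE		32
#define EXCHANGE_NEW_GROUP_MODE		33

/*
 * Indexed by EXCHANGE_*.  Values 7-31 are unassigned, so the table is
 * padded with 25 "unknown" slots to keep 32 and 33 at their indices.
 */
#define IKE_EXCHANGE_TYPES_INITIALIZER					\
	{ "NONE",		/* 0 */					\
	  "BASE",		/* 1 */					\
	  "ID_PROT",		/* 2 */					\
	  "AUTH_ONLY",		/* 3 */					\
	  "AGGRESSIVE",		/* 4 */					\
	  "INFO",		/* 5 */					\
	  "TRANSACTION",	/* 6 (ikecfg) */			\
	  /* step up to type 32 with unknowns */			\
	  "unknown", "unknown", "unknown", "unknown",			\
	  "unknown", "unknown", "unknown", "unknown",			\
	  "unknown", "unknown", "unknown", "unknown",			\
	  "unknown", "unknown", "unknown", "unknown",			\
	  "unknown", "unknown", "unknown", "unknown",			\
	  "unknown", "unknown", "unknown", "unknown",			\
	  "unknown",							\
	  "QUICK_MODE",		/* 32 */				\
	  "NEW_GROUP_MODE",	/* 33 */				\
	}

/* ISAKMP header flag bits (RFC 2408 3.1). */
#define FLAGS_ENCRYPTION		1
#define FLAGS_COMMIT			2
#define FLAGS_AUTH_ONLY			4

/* Certificate encodings (RFC 2408 3.9). */
#define CERT_NONE			0
#define CERT_PKCS			1
#define CERT_PGP			2
#define CERT_DNS			3
#define CERT_X509_SIG			4
#define CERT_X509_KE			5
#define CERT_KERBEROS			6
#define CERT_CRL			7
#define CERT_ARL			8
#define CERT_SPKI			9
#define CERT_X509_ATTR			10

/* Notify message types, error range (RFC 2408 3.14.1). */
#define NOTIFY_INVALID_PAYLOAD_TYPE	1
#define NOTIFY_DOI_NOT_SUPPORTED	2
#define NOTIFY_SITUATION_NOT_SUPPORTED	3
#define NOTIFY_INVALID_COOKIE		4
#define NOTIFY_INVALID_MAJOR_VERSION	5
#define NOTIFY_INVALID_MINOR_VERSION	6
#define NOTIFY_INVALID_EXCHANGE_TYPE	7
#define NOTIFY_INVALID_FLAGS		8
#define NOTIFY_INVALID_MESSAGE_ID	9
#define NOTIFY_INVALID_PROTOCOL_ID	10
#define NOTIFY_INVALID_SPI		11
#define NOTIFY_INVALID_TRANSFORM_ID	12
#define NOTIFY_ATTRIBUTES_NOT_SUPPORTED	13
#define NOTIFY_NO_PROPOSAL_CHOSEN	14
#define NOTIFY_BAD_PROPOSAL_SYNTAX	15
#define NOTIFY_PAYLOAD_MALFORMED	16
#define NOTIFY_INVALID_KEY_INFORMATION	17
#define NOTIFY_INVALID_ID_INFORMATION	18
#define NOTIFY_INVALID_CERT_ENCODING	19
#define NOTIFY_INVALID_CERTIFICATE	20
#define NOTIFY_CERT_TYPE_UNSUPPORTED	21
#define NOTIFY_INVALID_CERT_AUTHORITY	22
#define NOTIFY_INVALID_HASH_INFORMATION	23
#define NOTIFY_AUTHENTICATION_FAILED	24
#define NOTIFY_INVALID_SIGNATURE	25
#define NOTIFY_ADDRESS_NOTIFICATION	26
#define NOTIFY_NOTIFY_SA_LIFETIME	27
#define NOTIFY_CERTIFICATE_UNAVAILABLE	28
#define NOTIFY_UNSUPPORTED_EXCHANGE_TYPE 29
#define NOTIFY_UNEQUAL_PAYLOAD_LENGTHS	30

/*
 * Indexed by NOTIFY_* (1-30).  Slot 0 is unused and deliberately empty;
 * the DOI-specific status notifies (24576+) are NOT covered by this table.
 */
#define IKE_NOTIFY_TYPES_INITIALIZER					\
	{ "",								\
	  "INVALID PAYLOAD TYPE",					\
	  "DOI NOT SUPPORTED",						\
	  "SITUATION NOT SUPPORTED",					\
	  "INVALID COOKIE",						\
	  "INVALID MAJOR VERSION",					\
	  "INVALID MINOR VERSION",					\
	  "INVALID EXCHANGE TYPE",					\
	  "INVALID FLAGS",						\
	  "INVALID MESSAGE ID",						\
	  "INVALID PROTOCOL ID",					\
	  "INVALID SPI",						\
	  "INVALID TRANSFORM ID",					\
	  "ATTRIBUTES NOT SUPPORTED",					\
	  "NO PROPOSAL CHOSEN",						\
	  "BAD PROPOSAL SYNTAX",					\
	  "PAYLOAD MALFORMED",						\
	  "INVALID KEY INFORMATION",					\
	  "INVALID ID INFORMATION",					\
	  "INVALID CERT ENCODING",					\
	  "INVALID CERTIFICATE",					\
	  "CERT TYPE UNSUPPORTED",					\
	  "INVALID CERT AUTHORITY",					\
	  "INVALID HASH INFORMATION",					\
	  "AUTHENTICATION FAILED",					\
	  "INVALID SIGNATURE",						\
	  "ADDRESS NOTIFICATION",					\
	  "NOTIFY SA LIFETIME",						\
	  "CERTIFICATE UNAVAILABLE",					\
	  "UNSUPPORTED EXCHANGE TYPE",					\
	  "UNEQUAL PAYLOAD LENGTHS",					\
	}

/* RFC 2407, 4.6.3 */
#define NOTIFY_IPSEC_RESPONDER_LIFETIME	24576
#define NOTIFY_IPSEC_REPLAY_STATUS	24577
#define NOTIFY_IPSEC_INITIAL_CONTACT	24578

/* IPsec DOI identification types (RFC 2407 4.6.2.1). */
#define IPSEC_ID_RESERVED		0
#define IPSEC_ID_IPV4_ADDR		1
#define IPSEC_ID_FQDN			2
#define IPSEC_ID_USER_FQDN		3
#define IPSEC_ID_IPV4_ADDR_SUBNET	4
#define IPSEC_ID_IPV6_ADDR		5
#define IPSEC_ID_IPV6_ADDR_SUBNET	6
#define IPSEC_ID_IPV4_ADDR_RANGE	7
#define IPSEC_ID_IPV6_ADDR_RANGE	8
#define IPSEC_ID_DER_ASN1_DN		9
#define IPSEC_ID_DER_ASN1_GN		10
#define IPSEC_ID_KEY_ID			11

/* Indexed by IPSEC_ID_*. */
#define IPSEC_ID_TYPE_INITIALIZER					\
	{ "RESERVED",							\
	  "IPV4_ADDR",							\
	  "FQDN",							\
	  "USER_FQDN",							\
	  "IPV4_ADDR_SUBNET",						\
	  "IPV6_ADDR",							\
	  "IPV6_ADDR_SUBNET",						\
	  "IPV4_ADDR_RANGE",						\
	  "IPV6_ADDR_RANGE",						\
	  "DER_ASN1_DN",						\
	  "DER_ASN1_GN",						\
	  "KEY_ID",							\
	}

/* IPsec (phase 2) SA attribute classes (RFC 2407 4.5). */
#define IPSEC_ATTR_SA_LIFE_TYPE			1
#define IPSEC_ATTR_SA_LIFE_DURATION		2
#define IPSEC_ATTR_GROUP_DESCRIPTION		3
#define IPSEC_ATTR_ENCAPSULATION_MODE		4
#define IPSEC_ATTR_AUTHENTICATION_ALGORITHM	5
#define IPSEC_ATTR_KEY_LENGTH			6
#define IPSEC_ATTR_KEY_ROUNDS			7
#define IPSEC_ATTR_COMPRESS_DICTIONARY_SIZE	8
#define IPSEC_ATTR_COMPRESS_PRIVATE_ALGORITHM	9

/* Indexed by IPSEC_ATTR_*. */
#define IPSEC_ATTR_INITIALIZER						\
	{ "NONE", "LIFE_TYPE", "LIFE_DURATION",				\
	  "GROUP_DESCRIPTION", "ENCAPSULATION_MODE",			\
	  "AUTHENTICATION_ALGORITHM", "KEY_LENGTH",			\
	  "KEY_ROUNDS", "COMPRESS_DICTIONARY_SIZE",			\
	  "COMPRESS_PRIVATE_ALGORITHM",					\
	}

/* Value tables for the IPsec SA attributes, indexed by attribute value. */
#define IPSEC_ATTR_DURATION_INITIALIZER					\
	{ "NONE", "SECONDS", "KILOBYTES",				\
	}
#define IPSEC_ATTR_ENCAP_INITIALIZER					\
	{ "NONE", "TUNNEL", "TRANSPORT",				\
	}
#define IPSEC_ATTR_AUTH_INITIALIZER					\
	{ "NONE", "HMAC_MD5", "HMAC_SHA", "DES_MAC", "KPDK",		\
	  "HMAC_SHA2_256", "HMAC_SHA2_384", "HMAC_SHA2_512",		\
	  "HMAC_RIPEMD",						\
	}

/*
 * AH transform identifiers, indexed by transform ID.  RFC 2407 4.4.3
 * reserves 0 and 1, then AH_MD5 = 2, AH_SHA = 3, AH_DES = 4; the SHA2
 * and RIPEMD values (5-8) follow the IANA AH transform registry.
 */
#define IPSEC_AH_INITIALIZER						\
	{ "NONE", "RESERVED", "MD5", "SHA", "DES",			\
	  "SHA2_256", "SHA2_384", "SHA2_512", "RIPEMD",			\
	}

/* ESP transform identifiers (RFC 2407 4.4.4), indexed by transform ID. */
#define IPSEC_ESP_INITIALIZER						\
	{ "NONE", "DES_IV64", "DES", "3DES", "RC5", "IDEA",		\
	  "CAST", "BLOWFISH", "3IDEA", "DES_IV32", "RC4",		\
	  "NULL", "AES",						\
	}

/* IPCOMP transform identifiers (RFC 2407 4.4.5), indexed by transform ID. */
#define IPSEC_ATTR_IPCOMP_INITIALIZER					\
	{ "NONE", "OUI", "DEFLATE", "LZS", "V42BIS",			\
	}

/*
 * IKE mode config.
 */

/* Attribute payload message types, indexed by type. */
#define IKE_CFG_ATTRIBUTE_TYPE_INITIALIZER				\
	{ "RESERVED", "CFG_REQUEST", "CFG_REPLY",			\
	  "CFG_SET", "CFG_ACK",						\
	}

/* Mode-config attribute classes. */
#define IKE_CFG_ATTR_INTERNAL_IP4_ADDRESS	1
#define IKE_CFG_ATTR_INTERNAL_IP4_NETMASK	2
#define IKE_CFG_ATTR_INTERNAL_IP4_DNS		3
#define IKE_CFG_ATTR_INTERNAL_IP4_NBNS		4
#define IKE_CFG_ATTR_INTERNAL_ADDRESS_EXPIRY	5
#define IKE_CFG_ATTR_INTERNAL_IP4_DHCP		6
#define IKE_CFG_ATTR_APPLICATION_VERSION	7
#define IKE_CFG_ATTR_INTERNAL_IP6_ADDRESS	8
#define IKE_CFG_ATTR_INTERNAL_IP6_NETMASK	9
#define IKE_CFG_ATTR_INTERNAL_IP6_DNS		10
#define IKE_CFG_ATTR_INTERNAL_IP6_NBNS		11
#define IKE_CFG_ATTR_INTERNAL_IP6_DHCP		12
#define IKE_CFG_ATTR_INTERNAL_IP4_SUBNET	13
#define IKE_CFG_ATTR_SUPPORTED_ATTRIBUTES	14
#define IKE_CFG_ATTR_INTERNAL_IP6_SUBNET	15

/* Indexed by IKE_CFG_ATTR_*. */
#define IKE_CFG_ATTRIBUTE_INITIALIZER					\
	{ "RESERVED", "INTERNAL_IP4_ADDRESS",				\
	  "INTERNAL_IP4_NETMASK", "INTERNAL_IP4_DNS",			\
	  "INTERNAL_IP4_NBNS", "INTERNAL_ADDRESS_EXPIRY",		\
	  "INTERNAL_IP4_DHCP", "APPLICATION_VERSION",			\
	  "INTERNAL_IP6_ADDRESS", "INTERNAL_IP6_NETMASK",		\
	  "INTERNAL_IP6_DNS", "INTERNAL_IP6_NBNS",			\
	  "INTERNAL_IP6_DHCP", "INTERNAL_IP4_SUBNET",			\
	  "SUPPORTED_ATTRIBUTES", "INTERNAL_IP6_SUBNET",		\
	}

#endif /* IKE_H */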