1 /*
2 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
3 *
4 * Permission to use, copy, modify, and distribute this software for any
5 * purpose with or without fee is hereby granted, provided that the above
6 * copyright notice and this permission notice appear in all copies.
7 *
8 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
9 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
10 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
11 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
12 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
13 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
14 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
15 *
16 * Copyright (c) 2017, Joyent, Inc.
17 */
18
19 #ifndef _IKEV2_H
20 #define _IKEV2_H
21
22 #include <inttypes.h>
23
24 #ifdef __cplusplus
25 extern "C" {
26 #endif
27
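/*
 * The structures in this header mirror IKEv2 wire formats, so they must not
 * pick up compiler-inserted padding.  Some system headers (sys/cdefs.h on
 * the BSDs, for instance) already provide __packed; define it only when it
 * is absent so the two definitions cannot conflict.
 */
#ifndef __packed
#define	__packed	__attribute__((packed))
#endif

#define	IKEV2_VERSION		0x20	/* IKE version 2.0: major 2, minor 0 */
/*
 * Fixed pad string mixed into the AUTH payload computation (RFC 7296
 * §2.15).  The 17 ASCII octets are used without the terminating NUL, so
 * its length is sizeof (IKEV2_KEYPAD) - 1.  Changing it breaks interop.
 */
#define	IKEV2_KEYPAD		"Key Pad for IKEv2"	/* don't change! */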
32
33 /*
34 * "IKEv2 Parameters" based on the official RFC-based assignments by IANA
35 * (http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.txt)
36 */
37
38 /*
39 * IKEv2 definitions of the IKE header
40 */
41
/*
 * IKEv2 exchange types: values of the Exchange Type octet in the IKE
 * header (RFC 7296 §3.1).  Values 0-33 are reserved (IKEv1 exchanges) and
 * are not valid in an IKEv2 message.
 */
typedef enum ikev2_exch_e {
	IKEV2_EXCH_IKE_SA_INIT		= 34,	/* RFC7296 */
	IKEV2_EXCH_IKE_AUTH		= 35,	/* RFC7296 */
	IKEV2_EXCH_CREATE_CHILD_SA	= 36,	/* RFC7296 */
	IKEV2_EXCH_INFORMATIONAL	= 37,	/* RFC7296 */
	IKEV2_EXCH_IKE_SESSION_RESUME	= 38	/* RFC5723 */
} ikev2_exch_t;
50
/*
 * IKEv2 message flags: bits of the Flags octet in the IKE header
 * (RFC 7296 §3.1).  The remaining bits of the octet are reserved; they are
 * sent as zero and ignored on receipt.
 */
#define	IKEV2_FLAG_INITIATOR	0x08	/* Sent by the initiator */
#define	IKEV2_FLAG_VERSION	0x10	/* Supports a higher IKE version */
#define	IKEV2_FLAG_RESPONSE	0x20	/* Message is a response */
55
/*
 * IKEv2 payloads
 *
 * Generic payload header that precedes every payload (RFC 7296 §3.2).
 * As with all wire structures in this file, multi-octet fields are in
 * network byte order and must be converted (ntohs()/htons()) before use.
 * pld_length counts these four header octets too, so a parser must treat
 * any value smaller than sizeof (struct ikev2_payload), or larger than the
 * remaining message, as malformed.
 */
struct ikev2_payload {
	uint8_t		pld_nextpayload;	/* Next payload type (ikev2_pay_type_t) */
	uint8_t		pld_reserved;		/* Contains the critical bit; other bits reserved */
	uint16_t	pld_length;		/* Payload length with header (network byte order) */
} __packed;
64
65 #define IKEV2_CRITICAL_PAYLOAD 0x01 /* First bit in the reserved field */
66
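/*
 * IKEv2 payload types: values of the Next Payload octet in the IKE header
 * and in every payload header (RFC 7296 §3.2, IANA "IKEv2 Payload Types").
 * IKEV2_PAYLOAD_NONE terminates the payload chain.  Types 1-32 are
 * reserved, so the assigned types start at 33; anything above
 * IKEV2_PAYLOAD_MAX, including the private-use range, is rejected by
 * IKEV2_VALID_PAYLOAD().
 */
typedef enum ikev2_pay_type {
	IKEV2_PAYLOAD_NONE	= 0,	/* No payload */
	IKEV2_PAYLOAD_SA	= 33,	/* Security Association */
	IKEV2_PAYLOAD_KE	= 34,	/* Key Exchange */
	IKEV2_PAYLOAD_IDi	= 35,	/* Identification - Initiator */
	IKEV2_PAYLOAD_IDr	= 36,	/* Identification - Responder */
	IKEV2_PAYLOAD_CERT	= 37,	/* Certificate */
	IKEV2_PAYLOAD_CERTREQ	= 38,	/* Certificate Request */
	IKEV2_PAYLOAD_AUTH	= 39,	/* Authentication */
	IKEV2_PAYLOAD_NONCE	= 40,	/* Nonce */
	IKEV2_PAYLOAD_NOTIFY	= 41,	/* Notify */
	IKEV2_PAYLOAD_DELETE	= 42,	/* Delete */
	IKEV2_PAYLOAD_VENDOR	= 43,	/* Vendor ID */
	IKEV2_PAYLOAD_TSi	= 44,	/* Traffic Selector - Initiator */
	IKEV2_PAYLOAD_TSr	= 45,	/* Traffic Selector - Responder */
	IKEV2_PAYLOAD_SK	= 46,	/* Encrypted */
	IKEV2_PAYLOAD_CP	= 47,	/* Configuration Payload */
	IKEV2_PAYLOAD_EAP	= 48,	/* Extensible Authentication */
	IKEV2_PAYLOAD_GSPM	= 49	/* RFC6467 Generic Secure Password */
} ikev2_pay_type_t;

#define	IKEV2_PAYLOAD_MIN	IKEV2_PAYLOAD_SA
#define	IKEV2_PAYLOAD_MAX	IKEV2_PAYLOAD_GSPM
/* Number of assigned types; size of a table indexed by (type - MIN) */
#define	IKEV2_NUM_PAYLOADS	(IKEV2_PAYLOAD_MAX - IKEV2_PAYLOAD_MIN + 1)

/*
 * True when paytype is an assigned type (IKEV2_PAYLOAD_MIN..MAX inclusive).
 * Written as a single unsigned range check so the argument is evaluated
 * exactly once.  Converting to uintmax_t before the subtraction means a
 * negative or below-range argument wraps to a large value and fails the
 * comparison, with no signed-overflow hazard; any integer type is accepted.
 */
#define	IKEV2_VALID_PAYLOAD(paytype) \
	(((uintmax_t)(paytype) - IKEV2_PAYLOAD_MIN) < \
	(uintmax_t)IKEV2_NUM_PAYLOADS)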
94
/*
 * SA payload
 *
 * An SA payload carries one or more proposals.  Each proposal begins with
 * this header, followed by proto_spisize octets of SPI and then
 * proto_transforms transform substructures (RFC 7296 §3.3.1).  A parser
 * must bound the SPI and the transforms by proto_length before walking
 * them, and proto_length by the enclosing payload.
 */
struct ikev2_sa_proposal {
	uint8_t		proto_more;		/* Last proposal or more (IKEV2_PROP_*) */
	uint8_t		proto_reserved;		/* Must be set to zero */
	uint16_t	proto_length;		/* Proposal length incl. SPI and transforms (network byte order) */
	uint8_t		proto_proposalnr;	/* Proposal number */
	uint8_t		proto_protoid;		/* Protocol Id (ikev2_spi_proto_t) */
	uint8_t		proto_spisize;		/* SPI size: 0 for the initial IKE SA, else the SPI length */
	uint8_t		proto_transforms;	/* Number of transforms */
	/* Followed by variable-length SPI */
	/* Followed by variable-length transforms */
} __packed;
110
/* Values of proto_more: whether another proposal follows this one */
#define	IKEV2_PROP_LAST		0	/* This is the last proposal */
#define	IKEV2_PROP_MORE		2	/* More proposals follow */
113
/*
 * Protocol identifiers carried in proposals, Notify and Delete payloads
 * (proto_protoid, n_protoid, del_protoid).  They select which kind of SA
 * an SPI refers to.
 */
typedef enum ikev2_spi_proto_e {
	IKEV2_PROTO_NONE		= 0,	/* None */
	IKEV2_PROTO_IKE			= 1,	/* IKEv2 */
	IKEV2_PROTO_AH			= 2,	/* AH */
	IKEV2_PROTO_ESP			= 3,	/* ESP */
	IKEV2_PROTO_FC_ESP_HEADER	= 4,	/* RFC4595 */
	IKEV2_PROTO_FC_CT_AUTH		= 5	/* RFC4595 */
} ikev2_spi_proto_t;
122
/*
 * Transform substructure inside an SA proposal (RFC 7296 §3.3.2).  The
 * meaning of xf_id depends on xf_type: it is an ikev2_xf_encr_t for
 * IKEV2_XF_ENCR, an ikev2_prf_t for IKEV2_XF_PRF, and so on.  Attributes,
 * if any, follow within xf_length.
 */
struct ikev2_transform {
	uint8_t		xf_more;		/* Last transform or more (IKEV2_XF_*) */
	uint8_t		xf_reserved;		/* Must be set to zero */
	uint16_t	xf_length;		/* Transform length incl. attributes (network byte order) */
	uint8_t		xf_type;		/* Transform type (ikev2_xf_type_t) */
	uint8_t		xf_reserved1;		/* Must be set to zero */
	uint16_t	xf_id;			/* Transform Id, per xf_type (network byte order) */
	/* Followed by variable-length transform attributes */
} __packed;
132
/* Values of xf_more: whether another transform follows this one */
#define	IKEV2_XF_LAST		0	/* This is the last transform */
#define	IKEV2_XF_MORE		3	/* More transforms follow */
135
/*
 * Transform types: values of xf_type.  Each selects the namespace that
 * xf_id is interpreted in.
 */
typedef enum ikev2_xf_type_e {
	IKEV2_XF_ENCR		= 1,	/* Encryption */
	IKEV2_XF_PRF		= 2,	/* Pseudo-Random Function */
	IKEV2_XF_AUTH		= 3,	/* Integrity Algorithm */
	IKEV2_XF_DH		= 4,	/* Diffie-Hellman Group */
	IKEV2_XF_ESN		= 5	/* Extended Sequence Numbers */
} ikev2_xf_type_t;
/* One past the highest transform type; presumably sizes per-type tables */
#define	IKEV2_XF_MAX		6
144
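/*
 * Encryption transform identifiers: values of xf_id when xf_type is
 * IKEV2_XF_ENCR (IANA "Transform Type 1").  The list is kept complete so
 * that peer proposals can be decoded and logged; it is not a statement of
 * what should be negotiated.  Several entries (DES and other legacy
 * ciphers) are deprecated by RFC 8247, and the NULL/GMAC entries provide
 * no confidentiality at all.  Value 17 is unassigned.
 *
 * The trailing comma after the last enumerator was dropped to match the
 * other enums in this header and to stay valid under pre-C99 compilers.
 */
typedef enum ikev2_encr_e {
	IKEV2_ENCR_NONE			= 0,	/* None */
	IKEV2_ENCR_DES_IV64		= 1,	/* RFC1827 */
	IKEV2_ENCR_DES			= 2,	/* RFC2405 */
	IKEV2_ENCR_3DES			= 3,	/* RFC2451 */
	IKEV2_ENCR_RC5			= 4,	/* RFC2451 */
	IKEV2_ENCR_IDEA			= 5,	/* RFC2451 */
	IKEV2_ENCR_CAST			= 6,	/* RFC2451 */
	IKEV2_ENCR_BLOWFISH		= 7,	/* RFC2451 */
	IKEV2_ENCR_3IDEA		= 8,	/* RFC2451 */
	IKEV2_ENCR_DES_IV32		= 9,	/* DESIV32 */
	IKEV2_ENCR_RC4			= 10,	/* RFC2451 */
	IKEV2_ENCR_NULL			= 11,	/* RFC2410 */
	IKEV2_ENCR_AES_CBC		= 12,	/* RFC3602 */
	IKEV2_ENCR_AES_CTR		= 13,	/* RFC3664 */
	IKEV2_ENCR_AES_CCM_8		= 14,	/* RFC5282 */
	IKEV2_ENCR_AES_CCM_12		= 15,	/* RFC5282 */
	IKEV2_ENCR_AES_CCM_16		= 16,	/* RFC5282 */
	IKEV2_ENCR_AES_GCM_8		= 18,	/* RFC5282 */
	IKEV2_ENCR_AES_GCM_12		= 19,	/* RFC5282 */
	IKEV2_ENCR_AES_GCM_16		= 20,	/* RFC5282 */
	IKEV2_ENCR_NULL_AES_GMAC	= 21,	/* RFC4543 */
	IKEV2_ENCR_XTS_AES		= 22,	/* IEEE P1619 */
	IKEV2_ENCR_CAMELLIA_CBC		= 23,	/* RFC5529 */
	IKEV2_ENCR_CAMELLIA_CTR		= 24,	/* RFC5529 */
	IKEV2_ENCR_CAMELLIA_CCM_8	= 25,	/* RFC5529 */
	IKEV2_ENCR_CAMELLIA_CCM_12	= 26,	/* RFC5529 */
	IKEV2_ENCR_CAMELLIA_CCM_16	= 27	/* RFC5529 */
} ikev2_xf_encr_t;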
174
/*
 * IPComp transform identifiers carried in the data of an IPCOMP_SUPPORTED
 * notification (RFC 7296 §3.10.1).
 */
#define	IKEV2_IPCOMP_OUI	1	/* RFC5996 */
#define	IKEV2_IPCOMP_DEFLATE	2	/* RFC2394 */
#define	IKEV2_IPCOMP_LZS	3	/* RFC2395 */
#define	IKEV2_IPCOMP_LZJH	4	/* RFC3051 */
179
/*
 * Pseudo-random function identifiers: values of xf_id when xf_type is
 * IKEV2_XF_PRF (IANA "Transform Type 2").  Listed for complete decoding;
 * the MD5-based entry is legacy and kept for observability only.
 */
typedef enum ikev2_prf {
	IKEV2_PRF_HMAC_MD5	= 1,	/* RFC2104 */
	IKEV2_PRF_HMAC_SHA1	= 2,	/* RFC2104 */
	IKEV2_PRF_HMAC_TIGER	= 3,	/* RFC2104 */
	IKEV2_PRF_AES128_XCBC	= 4,	/* RFC3664 */
	IKEV2_PRF_HMAC_SHA2_256	= 5,	/* RFC4868 */
	IKEV2_PRF_HMAC_SHA2_384	= 6,	/* RFC4868 */
	IKEV2_PRF_HMAC_SHA2_512	= 7,	/* RFC4868 */
	IKEV2_PRF_AES128_CMAC	= 8	/* RFC4615 */
} ikev2_prf_t;
190
/*
 * Integrity algorithm identifiers: values of xf_id when xf_type is
 * IKEV2_XF_AUTH (IANA "Transform Type 3").  The suffix is the truncated
 * MAC length in bits.  Listed for complete decoding; the MD5- and DES-based
 * entries are legacy and should not be negotiated.
 */
typedef enum ikev2_xf_auth_e {
	IKEV2_XF_AUTH_NONE		= 0,	/* No Authentication */
	IKEV2_XF_AUTH_HMAC_MD5_96	= 1,	/* RFC2403 */
	IKEV2_XF_AUTH_HMAC_SHA1_96	= 2,	/* RFC2404 */
	IKEV2_XF_AUTH_DES_MAC		= 3,	/* DES-MAC */
	IKEV2_XF_AUTH_KPDK_MD5		= 4,	/* RFC1826 */
	IKEV2_XF_AUTH_AES_XCBC_96	= 5,	/* RFC3566 */
	IKEV2_XF_AUTH_HMAC_MD5_128	= 6,	/* RFC4595 */
	IKEV2_XF_AUTH_HMAC_SHA1_160	= 7,	/* RFC4595 */
	IKEV2_XF_AUTH_AES_CMAC_96	= 8,	/* RFC4494 */
	IKEV2_XF_AUTH_AES_128_GMAC	= 9,	/* RFC4543 */
	IKEV2_XF_AUTH_AES_192_GMAC	= 10,	/* RFC4543 */
	IKEV2_XF_AUTH_AES_256_GMAC	= 11,	/* RFC4543 */
	IKEV2_XF_AUTH_HMAC_SHA2_256_128	= 12,	/* RFC4868 */
	IKEV2_XF_AUTH_HMAC_SHA2_384_192	= 13,	/* RFC4868 */
	IKEV2_XF_AUTH_HMAC_SHA2_512_256	= 14	/* RFC4868 */
} ikev2_xf_auth_t;
208
/*
 * Diffie-Hellman group identifiers: values of xf_id when xf_type is
 * IKEV2_XF_DH, and of kex_dhgroup in the KE payload (IANA "Transform
 * Type 4").  Groups 1 (768-bit) and 2 (1024-bit) are rated MUST NOT and
 * SHOULD NOT respectively by RFC 8247 and are here for decoding only;
 * groups 6-13 are unassigned.
 */
typedef enum ikev2_dh {
	IKEV2_DH_NONE			= 0,	/* No DH */
	IKEV2_DH_MODP_768		= 1,	/* DH Group 1 */
	IKEV2_DH_MODP_1024		= 2,	/* DH Group 2 */
	IKEV2_DH_EC2N_155		= 3,	/* DH Group 3 */
	IKEV2_DH_EC2N_185		= 4,	/* DH Group 4 */
	IKEV2_DH_MODP_1536		= 5,	/* DH Group 5 */
	IKEV2_DH_MODP_2048		= 14,	/* DH Group 14 */
	IKEV2_DH_MODP_3072		= 15,	/* DH Group 15 */
	IKEV2_DH_MODP_4096		= 16,	/* DH Group 16 */
	IKEV2_DH_MODP_6144		= 17,	/* DH Group 17 */
	IKEV2_DH_MODP_8192		= 18,	/* DH Group 18 */
	IKEV2_DH_ECP_256		= 19,	/* DH Group 19 */
	IKEV2_DH_ECP_384		= 20,	/* DH Group 20 */
	IKEV2_DH_ECP_521		= 21,	/* DH Group 21 */
	IKEV2_DH_MODP_1024_160		= 22,	/* DH Group 22 */
	IKEV2_DH_MODP_2048_224		= 23,	/* DH Group 23 */
	IKEV2_DH_MODP_2048_256		= 24,	/* DH Group 24 */
	IKEV2_DH_ECP_192		= 25,	/* DH Group 25 */
	IKEV2_DH_ECP_224		= 26,	/* DH Group 26 */
	IKEV2_DH_BRAINPOOL_P224R1	= 27,	/* DH Group 27 */
	IKEV2_DH_BRAINPOOL_P256R1	= 28,	/* DH Group 28 */
	IKEV2_DH_BRAINPOOL_P384R1	= 29,	/* DH Group 29 */
	IKEV2_DH_BRAINPOOL_P512R1	= 30	/* DH Group 30 */
} ikev2_dh_t;
/*
 * One past the highest group above.  NOTE(review): IANA has since assigned
 * 31 (Curve25519) and 32 (Curve448) in RFC 8031; this bound must move with
 * the enum if those are added, or any table it sizes will be too small.
 */
#define	IKEV2_DH_MAX		31
235
/* Values of xf_id when xf_type is IKEV2_XF_ESN (IANA "Transform Type 5") */
#define	IKEV2_XFORMESN_NONE	0	/* No ESN */
#define	IKEV2_XFORMESN_ESN	1	/* ESN */
238
/*
 * Transform attribute (RFC 7296 §3.3.5).  The top bit of attr_type
 * (IKEV2_ATTRAF_TV) selects the format: when set, attr_length holds the
 * 2-octet value itself; when clear, attr_length is the length of the data
 * that follows.  Both fields are in network byte order.
 */
struct ikev2_attribute {
	uint16_t	attr_type;	/* Attribute type, with format bit in the MSB */
	uint16_t	attr_length;	/* Attribute length or value */
	/* Followed by variable length (TLV) */
} __packed;
244
/* Attribute format bit, masked out of attr_type to get the type value */
#define	IKEV2_ATTRAF_TLV	0x0000	/* Type-Length-Value format */
#define	IKEV2_ATTRAF_TV		0x8000	/* Type-Value format */
247
/*
 * Transform attribute types (attr_type without the format bit).  Key
 * length is the only attribute defined by RFC 7296; it is sent in TV form
 * and its value is in bits.
 */
typedef enum ikev2_xf_attr_type {
	IKEV2_XF_ATTR_KEYLEN	= 14	/* Key length */
} ikev2_xf_attr_type_t;
251
/*
 * KE Payload
 *
 * Key exchange payload header (RFC 7296 §3.4); the public value follows
 * and runs to the end of the payload.  A receiver should check that
 * kex_dhgroup matches the group it negotiated before using the data.
 */
struct ikev2_ke {
	uint16_t	kex_dhgroup;	/* DH Group # (ikev2_dh_t, network byte order) */
	uint16_t	kex_reserved;	/* Reserved */
} __packed;
259
/*
 * N payload
 *
 * Notify payload header (RFC 7296 §3.10).  n_spisize is 0 for notifies
 * about the IKE SA itself; otherwise that many octets of SPI follow, and
 * the notification data occupies the rest of the payload.
 */
struct ikev2_notify {
	uint8_t		n_protoid;	/* Protocol Id (ikev2_spi_proto_t) */
	uint8_t		n_spisize;	/* SPI size */
	uint16_t	n_type;		/* Notify message type (ikev2_notify_type_t, network byte order) */
	/* Followed by variable length SPI */
	/* Followed by variable length notification data */
} __packed;
270
/*
 * NOTIFY types. We don't support all of these, however for observability
 * and debugging purposes, we try to maintain a list of all known values.
 *
 * Values below 16384 are error types, 16384 and above are status types.
 * Per RFC 7296 §3.10.1 an unrecognised error type in a response means the
 * request failed entirely, while unrecognised status types (and error
 * types in a request) are ignored; decoders should keep that split.
 */
typedef enum ikev2_notify_type {
	IKEV2_N_UNSUPPORTED_CRITICAL_PAYLOAD	= 1,	/* RFC4306 */
	IKEV2_N_INVALID_IKE_SPI			= 4,	/* RFC4306 */
	IKEV2_N_INVALID_MAJOR_VERSION		= 5,	/* RFC4306 */
	IKEV2_N_INVALID_SYNTAX			= 7,	/* RFC4306 */
	IKEV2_N_INVALID_MESSAGE_ID		= 9,	/* RFC4306 */
	IKEV2_N_INVALID_SPI			= 11,	/* RFC4306 */
	IKEV2_N_NO_PROPOSAL_CHOSEN		= 14,	/* RFC4306 */
	IKEV2_N_INVALID_KE_PAYLOAD		= 17,	/* RFC4306 */
	IKEV2_N_AUTHENTICATION_FAILED		= 24,	/* RFC4306 */
	IKEV2_N_SINGLE_PAIR_REQUIRED		= 34,	/* RFC4306 */
	IKEV2_N_NO_ADDITIONAL_SAS		= 35,	/* RFC4306 */
	IKEV2_N_INTERNAL_ADDRESS_FAILURE	= 36,	/* RFC4306 */
	IKEV2_N_FAILED_CP_REQUIRED		= 37,	/* RFC4306 */
	IKEV2_N_TS_UNACCEPTABLE			= 38,	/* RFC4306 */
	IKEV2_N_INVALID_SELECTORS		= 39,	/* RFC4306 */
	IKEV2_N_UNACCEPTABLE_ADDRESSES		= 40,	/* RFC4555 */
	IKEV2_N_UNEXPECTED_NAT_DETECTED		= 41,	/* RFC4555 */
	IKEV2_N_USE_ASSIGNED_HoA		= 42,	/* RFC5026 */
	IKEV2_N_TEMPORARY_FAILURE		= 43,	/* RFC5996 */
	IKEV2_N_CHILD_SA_NOT_FOUND		= 44,	/* RFC5996 */
	/* Status types start here */
	IKEV2_N_INITIAL_CONTACT			= 16384, /* RFC4306 */
	IKEV2_N_SET_WINDOW_SIZE			= 16385, /* RFC4306 */
	IKEV2_N_ADDITIONAL_TS_POSSIBLE		= 16386, /* RFC4306 */
	IKEV2_N_IPCOMP_SUPPORTED		= 16387, /* RFC4306 */
	IKEV2_N_NAT_DETECTION_SOURCE_IP		= 16388, /* RFC4306 */
	IKEV2_N_NAT_DETECTION_DESTINATION_IP	= 16389, /* RFC4306 */
	IKEV2_N_COOKIE				= 16390, /* RFC4306 */
	IKEV2_N_USE_TRANSPORT_MODE		= 16391, /* RFC4306 */
	IKEV2_N_HTTP_CERT_LOOKUP_SUPPORTED	= 16392, /* RFC4306 */
	IKEV2_N_REKEY_SA			= 16393, /* RFC4306 */
	IKEV2_N_ESP_TFC_PADDING_NOT_SUPPORTED	= 16394, /* RFC4306 */
	IKEV2_N_NON_FIRST_FRAGMENTS_ALSO	= 16395, /* RFC4306 */
	IKEV2_N_MOBIKE_SUPPORTED		= 16396, /* RFC4555 */
	IKEV2_N_ADDITIONAL_IP4_ADDRESS		= 16397, /* RFC4555 */
	IKEV2_N_ADDITIONAL_IP6_ADDRESS		= 16398, /* RFC4555 */
	IKEV2_N_NO_ADDITIONAL_ADDRESSES		= 16399, /* RFC4555 */
	IKEV2_N_UPDATE_SA_ADDRESSES		= 16400, /* RFC4555 */
	IKEV2_N_COOKIE2				= 16401, /* RFC4555 */
	IKEV2_N_NO_NATS_ALLOWED			= 16402, /* RFC4555 */
	IKEV2_N_AUTH_LIFETIME			= 16403, /* RFC4478 */
	IKEV2_N_MULTIPLE_AUTH_SUPPORTED		= 16404, /* RFC4739 */
	IKEV2_N_ANOTHER_AUTH_FOLLOWS		= 16405, /* RFC4739 */
	IKEV2_N_REDIRECT_SUPPORTED		= 16406, /* RFC5685 */
	IKEV2_N_REDIRECT			= 16407, /* RFC5685 */
	IKEV2_N_REDIRECTED_FROM			= 16408, /* RFC5685 */
	IKEV2_N_TICKET_LT_OPAQUE		= 16409, /* RFC5723 */
	IKEV2_N_TICKET_REQUEST			= 16410, /* RFC5723 */
	IKEV2_N_TICKET_ACK			= 16411, /* RFC5723 */
	IKEV2_N_TICKET_NACK			= 16412, /* RFC5723 */
	IKEV2_N_TICKET_OPAQUE			= 16413, /* RFC5723 */
	IKEV2_N_LINK_ID				= 16414, /* RFC5739 */
	IKEV2_N_USE_WESP_MODE			= 16415,
	    /* RFC-ietf-ipsecme-traffic-visibility-12.txt */
	IKEV2_N_ROHC_SUPPORTED			= 16416,
	    /* RFC-ietf-rohc-ikev2-extensions-hcoipsec-12.txt */
	IKEV2_N_EAP_ONLY_AUTHENTICATION		= 16417, /* RFC5998 */
	IKEV2_N_CHILDLESS_IKEV2_SUPPORTED	= 16418, /* RFC6023 */
	IKEV2_N_QUICK_CRASH_DETECTION		= 16419, /* RFC6290 */
	IKEV2_N_IKEV2_MESSAGE_ID_SYNC_SUPPORTED	= 16420, /* RFC6311 */
	IKEV2_N_IPSEC_REPLAY_CTR_SYNC_SUPPORTED	= 16421, /* RFC6311 */
	IKEV2_N_IKEV2_MESSAGE_ID_SYNC		= 16422, /* RFC6311 */
	IKEV2_N_IPSEC_REPLAY_CTR_SYNC		= 16423, /* RFC6311 */
	IKEV2_N_SECURE_PASSWORD_METHODS		= 16424, /* RFC6467 */
	IKEV2_N_PSK_PERSIST			= 16425, /* RFC6631 */
	IKEV2_N_PSK_CONFIRM			= 16426, /* RFC6631 */
	IKEV2_N_ERX_SUPPORTED			= 16427, /* RFC6867 */
	IKEV2_N_IFOM_CAPABILITY			= 16428	/* OA3GPP */
} ikev2_notify_type_t;
344
/*
 * DELETE payload
 *
 * Delete payload header (RFC 7296 §3.11).  del_nspi SPIs of del_spisize
 * octets each follow; a parser must check del_nspi * del_spisize against
 * the payload length before reading them.  Deleting the IKE SA itself
 * uses a SPI size and count of zero.
 */
struct ikev2_delete {
	uint8_t		del_protoid;	/* Protocol Id (ikev2_spi_proto_t) */
	uint8_t		del_spisize;	/* SPI size */
	uint16_t	del_nspi;	/* Number of SPIs (network byte order) */
	/* Followed by variable length SPIs */
} __packed;
354
/*
 * ID payload
 *
 * Identification payload header for IDi/IDr (RFC 7296 §3.5).  The
 * identification data follows and runs to the end of the payload; its
 * format is selected by id_type.
 */
struct ikev2_id {
	uint8_t		id_type;	/* Id type (ikev2_id_type_t) */
	uint8_t		id_reserved[3];	/* Reserved; zero on send, ignored on receipt */
	/* Followed by the identification data */
} __packed;
363
/*
 * Identification types: values of id_type.  Values 4 and 6-8 are reserved
 * (assigned only in IKEv1).
 */
typedef enum ikev2_id_type {
	IKEV2_ID_IPV4_ADDR	= 1,	/* RFC7296 */
	IKEV2_ID_FQDN		= 2,	/* RFC7296 */
	IKEV2_ID_RFC822_ADDR	= 3,	/* RFC7296 */
	IKEV2_ID_IPV6_ADDR	= 5,	/* RFC7296 */
	IKEV2_ID_DER_ASN1_DN	= 9,	/* RFC7296 */
	IKEV2_ID_DER_ASN1_GN	= 10,	/* RFC7296 */
	IKEV2_ID_KEY_ID		= 11,	/* RFC7296 */
	IKEV2_ID_FC_NAME	= 12	/* RFC4595 */
} ikev2_id_type_t;
374
/*
 * CERT/CERTREQ payloads
 *
 * Certificate encoding types: the Cert Encoding octet that starts both the
 * CERT and the CERTREQ payload (RFC 7296 §3.6, §3.7).  Value 5 is
 * reserved.
 */
typedef enum ikev2_cert {
	IKEV2_CERT_NONE			= 0,	/* None */
	IKEV2_CERT_X509_PKCS7		= 1,	/* RFC4306 */
	IKEV2_CERT_PGP			= 2,	/* RFC4306 */
	IKEV2_CERT_DNS_SIGNED_KEY	= 3,	/* RFC4306 */
	IKEV2_CERT_X509_CERT		= 4,	/* RFC4306 */
	IKEV2_CERT_KERBEROS_TOKEN	= 6,	/* RFC4306 */
	IKEV2_CERT_CRL			= 7,	/* RFC4306 */
	IKEV2_CERT_ARL			= 8,	/* RFC4306 */
	IKEV2_CERT_SPKI			= 9,	/* RFC4306 */
	IKEV2_CERT_X509_ATTR		= 10,	/* RFC4306 */
	IKEV2_CERT_RSA_KEY		= 11,	/* RFC4306 */
	IKEV2_CERT_HASHURL_X509		= 12,	/* RFC4306 */
	IKEV2_CERT_HASHURL_X509_BUNDLE	= 13,	/* RFC4306 */
	IKEV2_CERT_OCSP			= 14	/* RFC4806 */
} ikev2_cert_t;
394
/*
 * TSi/TSr payloads
 *
 * Traffic selector payload header (RFC 7296 §3.13).  tsp_count
 * ikev2_ts structures, each with its own length, follow it.
 */
struct ikev2_tsp {
	uint8_t		tsp_count;	/* Number of TSs */
	uint8_t		tsp_reserved[3];	/* Reserved */
	/* Followed by the traffic selectors */
} __packed;
403
/*
 * Single traffic selector (RFC 7296 §3.13.1).  The starting and ending
 * addresses follow this header, their width (4 or 16 octets) depending on
 * ts_type; ts_length covers the header and both addresses, and the
 * multi-octet fields are in network byte order.
 */
struct ikev2_ts {
	uint8_t		ts_type;	/* TS type (ikev2_ts_type_t) */
	uint8_t		ts_protoid;	/* Protocol Id (IP protocol number; 0 = any) */
	uint16_t	ts_length;	/* Length of this selector incl. addresses */
	uint16_t	ts_startport;	/* Start port */
	uint16_t	ts_endport;	/* End port */
} __packed;
411
/* Traffic selector types: values of ts_type */
typedef enum ikev2_ts_type {
	IKEV2_TS_IPV4_ADDR_RANGE	= 7,	/* RFC4306 */
	IKEV2_TS_IPV6_ADDR_RANGE	= 8,	/* RFC4306 */
	IKEV2_TS_FC_ADDR_RANGE		= 9	/* RFC4595 */
} ikev2_ts_type_t;
417
/*
 * AUTH payload
 *
 * Authentication payload header (RFC 7296 §3.8).  The signature or MAC
 * follows and runs to the end of the payload; its format is selected by
 * auth_method.
 */
struct ikev2_auth {
	uint8_t		auth_method;	/* Signature type (ikev2_auth_type_t) */
	uint8_t		auth_reserved[3];	/* Reserved */
	/* Followed by the signature */
} __packed;
426
/*
 * Authentication methods: values of auth_method.  The three ECDSA entries
 * from RFC 4754 fix the curve and hash together (P-256/SHA-256,
 * P-384/SHA-384, P-521/SHA-512).
 */
typedef enum ikev2_auth_type {
	IKEV2_AUTH_NONE			= 0,	/* None */
	IKEV2_AUTH_RSA_SIG		= 1,	/* RFC4306 */
	IKEV2_AUTH_SHARED_KEY_MIC	= 2,	/* RFC4306 */
	IKEV2_AUTH_DSS_SIG		= 3,	/* RFC4306 */
	IKEV2_AUTH_ECDSA_256		= 9,	/* RFC4754 */
	IKEV2_AUTH_ECDSA_384		= 10,	/* RFC4754 */
	IKEV2_AUTH_ECDSA_512		= 11,	/* RFC4754 */
	IKEV2_AUTH_GSPM			= 12	/* RFC6467 */
} ikev2_auth_type_t;
437
/*
 * CP payload
 *
 * Configuration payload header (RFC 7296 §3.15).  Zero or more
 * ikev2_cfg attributes follow it, each carrying its own length.
 */
struct ikev2_cp {
	uint8_t		cp_type;	/* CFG type (ikev2_cfg_type_t) */
	uint8_t		cp_reserved[3];	/* Reserved */
	/* Followed by the attributes */
} __packed;
446
/* Configuration payload types: values of cp_type */
typedef enum ikev2_cfg_type {
	IKEV2_CP_REQUEST	= 1,	/* CFG-Request */
	IKEV2_CP_REPLY		= 2,	/* CFG-Reply */
	IKEV2_CP_SET		= 3,	/* CFG-SET */
	IKEV2_CP_ACK		= 4	/* CFG-ACK */
} ikev2_cfg_type_t;
453
/*
 * Configuration attribute inside a CP payload (RFC 7296 §3.15.1).  Both
 * fields are in network byte order; the top bit of cfg_type is reserved,
 * leaving a 15-bit attribute type (ikev2_cfg_attr_type_t).  cfg_length
 * octets of data follow and must be bounded by the enclosing payload.
 */
struct ikev2_cfg {
	uint16_t	cfg_type;	/* first bit must be set to zero */
	uint16_t	cfg_length;	/* Length of the data that follows */
	/* Followed by variable-length data */
} __packed;
459
/*
 * Configuration attribute types: values of cfg_type with the reserved top
 * bit cleared.  Value 9 is reserved; 23456/23457 are Microsoft
 * extensions.
 */
typedef enum ikev2_cfg_attr_type {
	IKEV2_CFG_INTERNAL_IP4_ADDRESS		= 1,	/* RFC5996 */
	IKEV2_CFG_INTERNAL_IP4_NETMASK		= 2,	/* RFC5996 */
	IKEV2_CFG_INTERNAL_IP4_DNS		= 3,	/* RFC5996 */
	IKEV2_CFG_INTERNAL_IP4_NBNS		= 4,	/* RFC5996 */
	IKEV2_CFG_INTERNAL_ADDRESS_EXPIRY	= 5,	/* RFC4306 */
	IKEV2_CFG_INTERNAL_IP4_DHCP		= 6,	/* RFC5996 */
	IKEV2_CFG_APPLICATION_VERSION		= 7,	/* RFC5996 */
	IKEV2_CFG_INTERNAL_IP6_ADDRESS		= 8,	/* RFC5996 */
	IKEV2_CFG_INTERNAL_IP6_DNS		= 10,	/* RFC5996 */
	IKEV2_CFG_INTERNAL_IP6_NBNS		= 11,	/* RFC4306 */
	IKEV2_CFG_INTERNAL_IP6_DHCP		= 12,	/* RFC5996 */
	IKEV2_CFG_INTERNAL_IP4_SUBNET		= 13,	/* RFC5996 */
	IKEV2_CFG_SUPPORTED_ATTRIBUTES		= 14,	/* RFC5996 */
	IKEV2_CFG_INTERNAL_IP6_SUBNET		= 15,	/* RFC5996 */
	IKEV2_CFG_MIP6_HOME_PREFIX		= 16,	/* RFC5026 */
	IKEV2_CFG_INTERNAL_IP6_LINK		= 17,	/* RFC5739 */
	IKEV2_CFG_INTERNAL_IP6_PREFIX		= 18,	/* RFC5739 */
	IKEV2_CFG_HOME_AGENT_ADDRESS		= 19,
	/* BEGIN CSTYLED */
	/* http://www.3gpp.org/ftp/Specs/html-info/24302.htm */
	/* END CSTYLED */
	IKEV2_CFG_INTERNAL_IP4_SERVER		= 23456, /* MS-IKEE */
	IKEV2_CFG_INTERNAL_IP6_SERVER		= 23457	/* MS-IKEE */
} ikev2_cfg_attr_type_t;
485
/*
 * MD5 sum of "ILLUMOS_1 2017/08/21 29.718 -95.390", used as this
 * implementation's Vendor ID.  It is stored here as 32 hex characters;
 * whether the raw 16-byte digest or this text goes into the Vendor ID
 * payload is decided by the sending code, so match on the same form when
 * recognising peers.
 */
#define	VENDOR_STR_ILLUMOS_1	"6a3b8d3af106854d3a2c56c50df729cf"
488
/*
 * The vendor types + versions we recognize.  VENDOR_UNKNOWN is the default
 * for any peer that does not present a Vendor ID we know.
 */
typedef enum vendor {
	VENDOR_UNKNOWN		= 0,
	VENDOR_ILLUMOS_1	= 1	/* VENDOR_STR_ILLUMOS_1 */
} vendor_t;
494
/* Convenience typedefs for the packed wire structures declared above */
typedef struct ikev2_payload ikev2_payload_t;
typedef struct ikev2_sa_proposal ikev2_sa_proposal_t;
typedef struct ikev2_transform ikev2_transform_t;
typedef struct ikev2_attribute ikev2_attribute_t;
typedef struct ikev2_ke ikev2_ke_t;
typedef struct ikev2_notify ikev2_notify_t;
typedef struct ikev2_delete ikev2_delete_t;
typedef struct ikev2_id ikev2_id_t;
typedef struct ikev2_tsp ikev2_tsp_t;
typedef struct ikev2_ts ikev2_ts_t;
typedef struct ikev2_auth ikev2_auth_t;
typedef struct ikev2_cp ikev2_cp_t;
typedef struct ikev2_cfg ikev2_cfg_t;
508
#ifdef __cplusplus
}	/* extern "C" */
#endif

#endif /* _IKEV2_H */