/* $OpenBSD: ikev2.h,v 1.35 2023/06/28 14:10:24 tobhe Exp $ */

/*
 * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * IKEv2 protocol constants and on-the-wire header layouts (RFC 7296 and
 * the IANA "IKEv2 Parameters" registry).
 *
 * The structs below are declared __packed: they mirror the exact byte
 * layout of the protocol headers, so sizeof() gives the fixed header size
 * and no padding is inserted.  RFC 7296 transmits all multi-octet fields
 * in network byte order; nothing in this header converts them, so the
 * parser is expected to byte-swap (ntohs/ntohl) each field before using it
 * as a length, count or type -- confirm at each use site.
 *
 * The ikev2_*_map[] tables declared here are value-to-name tables used
 * for logging; they are defined elsewhere (not in this file).
 */

#ifndef IKED_IKEV2_H
#define IKED_IKEV2_H

#define IKEV2_VERSION		0x20	/* IKE version 2.0 */
#define IKEV1_VERSION		0x10	/* IKE version 1.0 */

/*
 * Fixed string mixed into the AUTH payload computation (RFC 7296, 2.15).
 * Both peers must use exactly these bytes or authentication fails.
 */
#define IKEV2_KEYPAD	"Key Pad for IKEv2"	/* don't change! */

/*
 * IKEv2 pseudo states
 *
 * Internal IKE SA state machine, not a protocol value.  NOTE(review): the
 * values appear to be ordered by SA progress (INIT < ... < ESTABLISHED);
 * if any code compares states numerically (e.g. ">= VALID"), new states
 * must be inserted in progress order -- confirm in the SA state checks.
 */

#define IKEV2_STATE_INIT		0	/* new IKE SA */
#define IKEV2_STATE_COOKIE		1	/* cookie requested */
#define IKEV2_STATE_SA_INIT		2	/* init IKE SA */
#define IKEV2_STATE_EAP			3	/* EAP requested */
#define IKEV2_STATE_EAP_SUCCESS		4	/* EAP succeeded */
#define IKEV2_STATE_AUTH_REQUEST	5	/* auth received */
#define IKEV2_STATE_AUTH_SUCCESS	6	/* authenticated */
#define IKEV2_STATE_VALID		7	/* authenticated AND validated certs */
#define IKEV2_STATE_EAP_VALID		8	/* EAP validated */
#define IKEV2_STATE_ESTABLISHED		9	/* active IKE SA */
#define IKEV2_STATE_CLOSING		10	/* expect delete for this SA */
#define IKEV2_STATE_CLOSED		11	/* delete this SA */

extern struct iked_constmap ikev2_state_map[];

/*
 * "IKEv2 Parameters" based on the official RFC-based assignments by IANA
 * (http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.txt)
 */

/*
 * IKEv2 definitions of the IKE header
 */

/* IKEv2 exchange types */
#define IKEV2_EXCHANGE_IKE_SA_INIT		34	/* Initial Exchange */
#define IKEV2_EXCHANGE_IKE_AUTH			35	/* Authentication */
#define IKEV2_EXCHANGE_CREATE_CHILD_SA		36	/* Create Child SA */
#define IKEV2_EXCHANGE_INFORMATIONAL		37	/* Informational */
#define IKEV2_EXCHANGE_IKE_SESSION_RESUME	38	/* RFC5723 */

extern struct iked_constmap ikev2_exchange_map[];

/*
 * IKEv2 message flags (bits of the Flags octet of the IKE header).
 * Bits not listed here are reserved and must be sent as zero.
 */
#define IKEV2_FLAG_INITIATOR		0x08	/* Sent by the initiator */
#define IKEV2_FLAG_OLDVERSION		0x10	/* Supports a higher IKE version */
#define IKEV2_FLAG_RESPONSE		0x20	/* Message is a response */

extern struct iked_constmap ikev2_flag_map[];

/*
 * IKEv2 payloads
 */

/*
 * Generic payload header (RFC 7296, 3.2) preceding every payload.
 * pld_length covers this 4-byte header plus the payload body; a reader must
 * reject values smaller than sizeof(struct ikev2_payload) or larger than the
 * bytes remaining in the message before walking to the next payload.
 */
struct ikev2_payload {
	uint8_t		 pld_nextpayload;	/* Next payload type */
	uint8_t		 pld_reserved;		/* Contains the critical bit */
	uint16_t	 pld_length;		/* Payload length with header */
} __packed;

/*
 * Fragment header (RFC 7383) that follows the generic header of an SKF
 * payload.  Per RFC 7383 fragment numbers start at 1 and frag_total is the
 * number of fragments in the message; a reassembler should reject
 * frag_num == 0, frag_num > frag_total, and a frag_total that changes
 * between fragments of the same message -- confirm these checks exist in
 * the reassembly code.
 */
struct ikev2_frag_payload {
	uint16_t	frag_num;	/* current fragment message number */
	uint16_t	frag_total;	/* total number of fragment messages */
} __packed;

/*
 * Critical bit of pld_reserved.  RFC 7296 requires a receiver that does not
 * understand a payload type with this bit set to reject the message with
 * an UNSUPPORTED_CRITICAL_PAYLOAD notification (IKEV2_N_* below); unknown
 * payloads without the bit are skipped.
 */
#define IKEV2_CRITICAL_PAYLOAD	0x01	/* First bit in the reserved field */

/* IKEv2 payload types */
#define IKEV2_PAYLOAD_NONE	0	/* No payload */
#define IKEV2_PAYLOAD_SA	33	/* Security Association */
#define IKEV2_PAYLOAD_KE	34	/* Key Exchange */
#define IKEV2_PAYLOAD_IDi	35	/* Identification - Initiator */
#define IKEV2_PAYLOAD_IDr	36	/* Identification - Responder */
#define IKEV2_PAYLOAD_CERT	37	/* Certificate */
#define IKEV2_PAYLOAD_CERTREQ	38	/* Certificate Request */
#define IKEV2_PAYLOAD_AUTH	39	/* Authentication */
#define IKEV2_PAYLOAD_NONCE	40	/* Nonce */
#define IKEV2_PAYLOAD_NOTIFY	41	/* Notify */
#define IKEV2_PAYLOAD_DELETE	42	/* Delete */
#define IKEV2_PAYLOAD_VENDOR	43	/* Vendor ID */
#define IKEV2_PAYLOAD_TSi	44	/* Traffic Selector - Initiator */
#define IKEV2_PAYLOAD_TSr	45	/* Traffic Selector - Responder */
#define IKEV2_PAYLOAD_SK	46	/* Encrypted */
#define IKEV2_PAYLOAD_CP	47	/* Configuration Payload */
#define IKEV2_PAYLOAD_EAP	48	/* Extensible Authentication */
#define IKEV2_PAYLOAD_GSPM	49	/* RFC6467 Generic Secure Password */
#define IKEV2_PAYLOAD_SKF	53	/* RFC7383 Encrypted Fragment Payload */

extern struct iked_constmap ikev2_payload_map[];

/*
 * SA payload
 */

/*
 * Proposal substructure (RFC 7296, 3.3.1).  sap_length covers this header,
 * the SPI of sap_spisize bytes and all sap_transforms transforms; a parser
 * must check sap_spisize and each transform length against sap_length
 * rather than trusting the counts alone.
 */
struct ikev2_sa_proposal {
	uint8_t		 sap_more;		/* Last proposal or more */
	uint8_t		 sap_reserved;		/* Must be set to zero */
	uint16_t	 sap_length;		/* Proposal length */
	uint8_t		 sap_proposalnr;	/* Proposal number */
	uint8_t		 sap_protoid;		/* Protocol Id */
	uint8_t		 sap_spisize;		/* SPI size */
	uint8_t		 sap_transforms;	/* Number of transforms */
	/* Followed by variable-length SPI */
	/* Followed by variable-length transforms */
} __packed;

/* Values of sap_more: 0 = last proposal, 2 = more proposals follow */
#define IKEV2_SAP_LAST	0
#define IKEV2_SAP_MORE	2

#define IKEV2_SAPROTO_NONE		0	/* None */
#define IKEV2_SAPROTO_IKE		1	/* IKEv2 */
#define IKEV2_SAPROTO_AH		2	/* AH */
#define IKEV2_SAPROTO_ESP		3	/* ESP */
#define IKEV2_SAPROTO_FC_ESP_HEADER	4	/* RFC4595 */
#define IKEV2_SAPROTO_FC_CT_AUTH	5	/* RFC4595 */
/*
 * IPCOMP is negotiated via the IPCOMP_SUPPORTED notify rather than as a
 * proposal protocol, so this id is an internal placeholder; 4 (the value
 * IKEv1 used) is already FC_ESP_HEADER above, hence a value outside the
 * IANA range -- presumably never sent on the wire, confirm in the SA code.
 */
#define IKEV2_SAPROTO_IPCOMP		204	/* private, should be 4 */

extern struct iked_constmap ikev2_saproto_map[];

/*
 * Transform substructure (RFC 7296, 3.3.2).  xfrm_length covers this
 * header plus any attributes; it must be at least sizeof(struct
 * ikev2_transform) and must not run past the enclosing proposal.
 */
struct ikev2_transform {
	uint8_t		xfrm_more;		/* Last transform or more */
	uint8_t		xfrm_reserved;		/* Must be set to zero */
	uint16_t	xfrm_length;		/* Transform length */
	uint8_t		xfrm_type;		/* Transform type */
	uint8_t		xfrm_reserved1;		/* Must be set to zero */
	uint16_t	xfrm_id;		/* Transform Id */
	/* Followed by variable-length transform attributes */
} __packed;

/* Values of xfrm_more: 0 = last transform, 3 = more transforms follow */
#define IKEV2_XFORM_LAST	0
#define IKEV2_XFORM_MORE	3

#define IKEV2_XFORMTYPE_ENCR	1	/* Encryption */
#define IKEV2_XFORMTYPE_PRF	2	/* Pseudo-Random Function */
#define IKEV2_XFORMTYPE_INTEGR	3	/* Integrity Algorithm */
#define IKEV2_XFORMTYPE_DH	4	/* Diffie-Hellman Group */
#define IKEV2_XFORMTYPE_ESN	5	/* Extended Sequence Numbers */
#define IKEV2_XFORMTYPE_MAX	6	/* one past the last valid type (array bound) */

extern struct iked_constmap ikev2_xformtype_map[];

/*
 * Encryption transform ids.  This is the full IANA registry, including
 * obsolete and broken algorithms (DES, RC4, NULL, ...), so that received
 * proposals can be decoded and logged by name.  Whether an id may actually
 * be negotiated is decided by the policy/transform tables elsewhere, not
 * by its presence here -- confirm before treating any entry as supported.
 */
#define IKEV2_XFORMENCR_NONE		0	/* None */
#define IKEV2_XFORMENCR_DES_IV64	1	/* RFC1827 */
#define IKEV2_XFORMENCR_DES		2	/* RFC2405 */
#define IKEV2_XFORMENCR_3DES		3	/* RFC2451 */
#define IKEV2_XFORMENCR_RC5		4	/* RFC2451 */
#define IKEV2_XFORMENCR_IDEA		5	/* RFC2451 */
#define IKEV2_XFORMENCR_CAST		6	/* RFC2451 */
#define IKEV2_XFORMENCR_BLOWFISH	7	/* RFC2451 */
#define IKEV2_XFORMENCR_3IDEA		8	/* RFC2451 */
#define IKEV2_XFORMENCR_DES_IV32	9	/* DESIV32 */
#define IKEV2_XFORMENCR_RC4		10	/* RFC2451 */
#define IKEV2_XFORMENCR_NULL		11	/* RFC2410 */
#define IKEV2_XFORMENCR_AES_CBC		12	/* RFC3602 */
#define IKEV2_XFORMENCR_AES_CTR		13	/* RFC3664 */
#define IKEV2_XFORMENCR_AES_CCM_8	14	/* RFC5282 */
#define IKEV2_XFORMENCR_AES_CCM_12	15	/* RFC5282 */
#define IKEV2_XFORMENCR_AES_CCM_16	16	/* RFC5282 */
#define IKEV2_XFORMENCR_AES_GCM_8	18	/* RFC5282 */
#define IKEV2_XFORMENCR_AES_GCM_12	19	/* RFC5282 */
#define IKEV2_XFORMENCR_AES_GCM_16	20	/* RFC5282 */
#define IKEV2_XFORMENCR_NULL_AES_GMAC	21	/* RFC4543 */
#define IKEV2_XFORMENCR_XTS_AES		22	/* IEEE P1619 */
#define IKEV2_XFORMENCR_CAMELLIA_CBC	23	/* RFC5529 */
#define IKEV2_XFORMENCR_CAMELLIA_CTR	24	/* RFC5529 */
#define IKEV2_XFORMENCR_CAMELLIA_CCM_8	25	/* RFC5529 */
#define IKEV2_XFORMENCR_CAMELLIA_CCM_12	26	/* RFC5529 */
#define IKEV2_XFORMENCR_CAMELLIA_CCM_16	27	/* RFC5529 */
#define IKEV2_XFORMENCR_CHACHA20_POLY1305 28	/* RFC7634 */

extern struct iked_constmap ikev2_xformencr_map[];

/* IPComp transform ids (carried in the IPCOMP_SUPPORTED notify) */
#define IKEV2_IPCOMP_OUI	1	/* UNSPECIFIED */
#define IKEV2_IPCOMP_DEFLATE	2	/* RFC2394 */
#define IKEV2_IPCOMP_LZS	3	/* RFC2395 */
#define IKEV2_IPCOMP_LZJH	4	/* RFC3051 */

extern struct iked_constmap ikev2_ipcomp_map[];

/* Pseudo-random function transform ids */
#define IKEV2_XFORMPRF_HMAC_MD5		1	/* RFC2104 */
#define IKEV2_XFORMPRF_HMAC_SHA1	2	/* RFC2104 */
#define IKEV2_XFORMPRF_HMAC_TIGER	3	/* RFC2104 */
#define IKEV2_XFORMPRF_AES128_XCBC	4	/* RFC3664 */
#define IKEV2_XFORMPRF_HMAC_SHA2_256	5	/* RFC4868 */
#define IKEV2_XFORMPRF_HMAC_SHA2_384	6	/* RFC4868 */
#define IKEV2_XFORMPRF_HMAC_SHA2_512	7	/* RFC4868 */
#define IKEV2_XFORMPRF_AES128_CMAC	8	/* RFC4615 */

extern struct iked_constmap ikev2_xformprf_map[];

/* Integrity transform ids (the trailing number is the truncated MAC length) */
#define IKEV2_XFORMAUTH_NONE		0	/* No Authentication */
#define IKEV2_XFORMAUTH_HMAC_MD5_96	1	/* RFC2403 */
#define IKEV2_XFORMAUTH_HMAC_SHA1_96	2	/* RFC2404 */
#define IKEV2_XFORMAUTH_DES_MAC		3	/* DES-MAC */
#define IKEV2_XFORMAUTH_KPDK_MD5	4	/* RFC1826 */
#define IKEV2_XFORMAUTH_AES_XCBC_96	5	/* RFC3566 */
#define IKEV2_XFORMAUTH_HMAC_MD5_128	6	/* RFC4595 */
#define IKEV2_XFORMAUTH_HMAC_SHA1_160	7	/* RFC4595 */
#define IKEV2_XFORMAUTH_AES_CMAC_96	8	/* RFC4494 */
#define IKEV2_XFORMAUTH_AES_128_GMAC	9	/* RFC4543 */
#define IKEV2_XFORMAUTH_AES_192_GMAC	10	/* RFC4543 */
#define IKEV2_XFORMAUTH_AES_256_GMAC	11	/* RFC4543 */
#define IKEV2_XFORMAUTH_HMAC_SHA2_256_128 12	/* RFC4868 */
#define IKEV2_XFORMAUTH_HMAC_SHA2_384_192 13	/* RFC4868 */
#define IKEV2_XFORMAUTH_HMAC_SHA2_512_256 14	/* RFC4868 */

/*
 * Placeholders for AEAD ciphers (only used internally)
 *
 * AEAD modes carry their own authentication, so these ids let an AEAD
 * encryption transform be paired with an integrity "algorithm" in the
 * internal tables.  They are not IANA values and must never be emitted in
 * a transform payload or accepted from a peer as an INTEGR transform id.
 */
#define IKEV2_XFORMAUTH_AES_GCM_8	2018	/* internal */
#define IKEV2_XFORMAUTH_AES_GCM_12	2019	/* internal */
#define IKEV2_XFORMAUTH_AES_GCM_16	2020	/* internal */

extern struct iked_constmap ikev2_xformauth_map[];

/*
 * Diffie-Hellman group transform ids.  Groups 1 and 2 (MODP 768/1024) are
 * well below current strength recommendations and are listed for decoding
 * only; as with the other registries, what is negotiable is a policy
 * decision made elsewhere.
 */
#define IKEV2_XFORMDH_NONE		0	/* No DH */
#define IKEV2_XFORMDH_MODP_768		1	/* DH Group 1 */
#define IKEV2_XFORMDH_MODP_1024		2	/* DH Group 2 */
#define IKEV2_XFORMDH_MODP_1536		5	/* DH Group 5 */
#define IKEV2_XFORMDH_MODP_2048		14	/* DH Group 14 */
#define IKEV2_XFORMDH_MODP_3072		15	/* DH Group 15 */
#define IKEV2_XFORMDH_MODP_4096		16	/* DH Group 16 */
#define IKEV2_XFORMDH_MODP_6144		17	/* DH Group 17 */
#define IKEV2_XFORMDH_MODP_8192		18	/* DH Group 18 */
#define IKEV2_XFORMDH_ECP_256		19	/* RFC5114 */
#define IKEV2_XFORMDH_ECP_384		20	/* RFC5114 */
#define IKEV2_XFORMDH_ECP_521		21	/* RFC5114 */
#define IKEV2_XFORMDH_ECP_192		25	/* RFC5114 */
#define IKEV2_XFORMDH_ECP_224		26	/* RFC5114 */
#define IKEV2_XFORMDH_BRAINPOOL_P224R1	27	/* RFC6954 */
#define IKEV2_XFORMDH_BRAINPOOL_P256R1	28	/* RFC6954 */
#define IKEV2_XFORMDH_BRAINPOOL_P384R1	29	/* RFC6954 */
#define IKEV2_XFORMDH_BRAINPOOL_P512R1	30	/* RFC6954 */
#define IKEV2_XFORMDH_CURVE25519	31	/* RFC8031 */
/*
 * Hybrid post-quantum group (sntrup761 + X25519); no IANA assignment, so a
 * value from the private-use range is used.  Only interoperates with peers
 * that agree on the same private number.
 */
#define IKEV2_XFORMDH_X_SNTRUP761X25519	1035	/* private */

extern struct iked_constmap ikev2_xformdh_map[];

/*
 * Fragment sizing: payload space left in the minimum MTU each IP family
 * guarantees (576 bytes for IPv4, 1280 for IPv6) after the IP header, the
 * 8-byte UDP header and the 28-byte IKE header.  Sending fragments larger
 * than this risks IP-level fragmentation, which many middleboxes drop.
 */
#define IKEV2_IPV4_OVERHEAD		(20 + 8 + 28) /* IPv4 + UDP + IKE_HDR*/
#define IKEV2_MAXLEN_IPV4_FRAG		(576 - IKEV2_IPV4_OVERHEAD)
#define IKEV2_IPV6_OVERHEAD		(40 + 8 + 28) /* IPv6 + UDP + IKE_HDR*/
#define IKEV2_MAXLEN_IPV6_FRAG		(1280 - IKEV2_IPV6_OVERHEAD)

/* Upper bound of tsp_count below, which is a single octet */
#define IKEV2_MAXNUM_TSS		255	/* 8 bit Number of TSs field */

#define IKEV2_XFORMESN_NONE	0	/* No ESN */
#define IKEV2_XFORMESN_ESN	1	/* ESN */

extern struct iked_constmap ikev2_xformesn_map[];

/*
 * Transform attribute (RFC 7296, 3.3.5).  The top bit of attr_type selects
 * the format (IKEV2_ATTRAF_* below): in TV format attr_length holds the
 * 16-bit value itself and nothing follows; in TLV format it is the length
 * of the value that follows.  Mask the format bit off before comparing the
 * type, and bound a TLV length by the enclosing transform length.
 */
struct ikev2_attribute {
	uint16_t	attr_type;	/* Attribute type */
	uint16_t	attr_length;	/* Attribute length or value */
	/* Followed by variable length (TLV) */
} __packed;

#define IKEV2_ATTRAF_TLV		0x0000	/* Type-Length-Value format */
#define IKEV2_ATTRAF_TV			0x8000	/* Type-Value format */

#define IKEV2_ATTRTYPE_KEY_LENGTH	14	/* Key length */

extern struct iked_constmap ikev2_attrtype_map[];

/*
 * KE Payload
 */

/*
 * Key exchange payload header; the public value follows.  kex_dhgroup must
 * match the DH transform agreed in the SA payload, otherwise RFC 7296
 * calls for an INVALID_KE_PAYLOAD notification.
 */
struct ikev2_keyexchange {
	uint16_t	 kex_dhgroup;		/* DH Group # */
	uint16_t	 kex_reserved;		/* Reserved */
} __packed;

/*
 * N payload
 */

/*
 * Notify payload header (RFC 7296, 3.10).  RFC 7296 splits n_type into
 * error types (0-16383) and status types (16384-65535); the IKEV2_N_*
 * values below follow that split.  n_spisize bytes of SPI follow the
 * header and must be 0 for IKE-level notifies; the remainder of the
 * payload is type-specific data.
 */
struct ikev2_notify {
	uint8_t		 n_protoid;		/* Protocol Id */
	uint8_t		 n_spisize;		/* SPI size */
	uint16_t	 n_type;		/* Notify message type */
	/* Followed by variable length SPI */
	/* Followed by variable length notification data */
} __packed;

/* Error notify types */
#define IKEV2_N_UNSUPPORTED_CRITICAL_PAYLOAD	1	/* RFC7296 */
#define IKEV2_N_INVALID_IKE_SPI			4	/* RFC7296 */
#define IKEV2_N_INVALID_MAJOR_VERSION		5	/* RFC7296 */
#define IKEV2_N_INVALID_SYNTAX			7	/* RFC7296 */
#define IKEV2_N_INVALID_MESSAGE_ID		9	/* RFC7296 */
#define IKEV2_N_INVALID_SPI			11	/* RFC7296 */
#define IKEV2_N_NO_PROPOSAL_CHOSEN		14	/* RFC7296 */
#define IKEV2_N_INVALID_KE_PAYLOAD		17	/* RFC7296 */
#define IKEV2_N_AUTHENTICATION_FAILED		24	/* RFC7296 */
#define IKEV2_N_SINGLE_PAIR_REQUIRED		34	/* RFC7296 */
#define IKEV2_N_NO_ADDITIONAL_SAS		35	/* RFC7296 */
#define IKEV2_N_INTERNAL_ADDRESS_FAILURE	36	/* RFC7296 */
#define IKEV2_N_FAILED_CP_REQUIRED		37	/* RFC7296 */
#define IKEV2_N_TS_UNACCEPTABLE			38	/* RFC7296 */
#define IKEV2_N_INVALID_SELECTORS		39	/* RFC7296 */
#define IKEV2_N_UNACCEPTABLE_ADDRESSES		40	/* RFC4555 */
#define IKEV2_N_UNEXPECTED_NAT_DETECTED		41	/* RFC4555 */
#define IKEV2_N_USE_ASSIGNED_HoA		42	/* RFC5026 */
#define IKEV2_N_TEMPORARY_FAILURE		43	/* RFC7296 */
#define IKEV2_N_CHILD_SA_NOT_FOUND		44	/* RFC7296 */
/* Status notify types */
#define IKEV2_N_INITIAL_CONTACT			16384	/* RFC7296 */
#define IKEV2_N_SET_WINDOW_SIZE			16385	/* RFC7296 */
#define IKEV2_N_ADDITIONAL_TS_POSSIBLE		16386	/* RFC7296 */
#define IKEV2_N_IPCOMP_SUPPORTED		16387	/* RFC7296 */
#define IKEV2_N_NAT_DETECTION_SOURCE_IP		16388	/* RFC7296 */
#define IKEV2_N_NAT_DETECTION_DESTINATION_IP	16389	/* RFC7296 */
#define IKEV2_N_COOKIE				16390	/* RFC7296 */
#define IKEV2_N_USE_TRANSPORT_MODE		16391	/* RFC7296 */
#define IKEV2_N_HTTP_CERT_LOOKUP_SUPPORTED	16392	/* RFC7296 */
#define IKEV2_N_REKEY_SA			16393	/* RFC7296 */
#define IKEV2_N_ESP_TFC_PADDING_NOT_SUPPORTED	16394	/* RFC7296 */
#define IKEV2_N_NON_FIRST_FRAGMENTS_ALSO	16395	/* RFC7296 */
#define IKEV2_N_MOBIKE_SUPPORTED		16396	/* RFC4555 */
#define IKEV2_N_ADDITIONAL_IP4_ADDRESS		16397	/* RFC4555 */
#define IKEV2_N_ADDITIONAL_IP6_ADDRESS		16398	/* RFC4555 */
#define IKEV2_N_NO_ADDITIONAL_ADDRESSES		16399	/* RFC4555 */
#define IKEV2_N_UPDATE_SA_ADDRESSES		16400	/* RFC4555 */
#define IKEV2_N_COOKIE2				16401	/* RFC4555 */
#define IKEV2_N_NO_NATS_ALLOWED			16402	/* RFC4555 */
#define IKEV2_N_AUTH_LIFETIME			16403	/* RFC4478 */
#define IKEV2_N_MULTIPLE_AUTH_SUPPORTED		16404	/* RFC4739 */
#define IKEV2_N_ANOTHER_AUTH_FOLLOWS		16405	/* RFC4739 */
#define IKEV2_N_REDIRECT_SUPPORTED		16406	/* RFC5685 */
#define IKEV2_N_REDIRECT			16407	/* RFC5685 */
#define IKEV2_N_REDIRECTED_FROM			16408	/* RFC5685 */
#define IKEV2_N_TICKET_LT_OPAQUE		16409	/* RFC5723 */
#define IKEV2_N_TICKET_REQUEST			16410	/* RFC5723 */
#define IKEV2_N_TICKET_ACK			16411	/* RFC5723 */
#define IKEV2_N_TICKET_NACK			16412	/* RFC5723 */
#define IKEV2_N_TICKET_OPAQUE			16413	/* RFC5723 */
#define IKEV2_N_LINK_ID				16414	/* RFC5739 */
#define IKEV2_N_USE_WESP_MODE			16415	/* RFC5415 */
#define IKEV2_N_ROHC_SUPPORTED			16416	/* RFC5857 */
#define IKEV2_N_EAP_ONLY_AUTHENTICATION		16417	/* RFC5998 */
#define IKEV2_N_CHILDLESS_IKEV2_SUPPORTED	16418	/* RFC6023 */
#define IKEV2_N_QUICK_CRASH_DETECTION		16419	/* RFC6290 */
#define IKEV2_N_IKEV2_MESSAGE_ID_SYNC_SUPPORTED	16420	/* RFC6311 */
#define IKEV2_N_IPSEC_REPLAY_CTR_SYNC_SUPPORTED	16421	/* RFC6311 */
#define IKEV2_N_IKEV2_MESSAGE_ID_SYNC		16422	/* RFC6311 */
#define IKEV2_N_IPSEC_REPLAY_CTR_SYNC		16423	/* RFC6311 */
#define IKEV2_N_SECURE_PASSWORD_METHODS		16424	/* RFC6467 */
#define IKEV2_N_PSK_PERSIST			16425	/* RFC6631 */
#define IKEV2_N_PSK_CONFIRM			16426	/* RFC6631 */
#define IKEV2_N_ERX_SUPPORTED			16427	/* RFC6867 */
#define IKEV2_N_IFOM_CAPABILITY			16428	/* OA3GPP */
#define IKEV2_N_FRAGMENTATION_SUPPORTED		16430	/* RFC7383 */
#define IKEV2_N_SIGNATURE_HASH_ALGORITHMS	16431	/* RFC7427 */

extern struct iked_constmap ikev2_n_map[];

/*
 * DELETE payload
 */

/*
 * Delete payload header (RFC 7296, 3.11).  del_nspi SPIs of del_spisize
 * bytes each follow; a reader must check that del_nspi * del_spisize fits
 * in the payload before iterating (del_spisize is 0 when deleting the IKE
 * SA itself, in which case del_nspi must be 0 as well).
 */
struct ikev2_delete {
	uint8_t		 del_protoid;		/* Protocol Id */
	uint8_t		 del_spisize;		/* SPI size */
	uint16_t	 del_nspi;		/* Number of SPIs */
	/* Followed by variable length SPIs */
} __packed;

/*
 * ID payload
 */

/* Identification payload header (IDi/IDr); the id data fills the rest. */
struct ikev2_id {
	uint8_t		 id_type;		/* Id type */
	uint8_t		 id_reserved[3];	/* Reserved */
	/* Followed by the identification data */
} __packed;

#define IKEV2_ID_NONE		0	/* No ID */
#define IKEV2_ID_IPV4		1	/* RFC7296 (ID_IPV4_ADDR) */
#define IKEV2_ID_FQDN		2	/* RFC7296 */
#define IKEV2_ID_UFQDN		3	/* RFC7296 (ID_RFC822_ADDR) */
#define IKEV2_ID_IPV6		5	/* RFC7296 (ID_IPV6_ADDR) */
#define IKEV2_ID_ASN1_DN	9	/* RFC7296 */
#define IKEV2_ID_ASN1_GN	10	/* RFC7296 */
#define IKEV2_ID_KEY_ID		11	/* RFC7296 */
#define IKEV2_ID_FC_NAME	12	/* RFC4595 */

extern struct iked_constmap ikev2_id_map[];

/*
 * CERT/CERTREQ payloads
 */

/* Certificate payload header; the encoded certificate data follows. */
struct ikev2_cert {
	uint8_t		 cert_type;		/* Encoding */
	/* Followed by the certificate data */
} __packed;

#define IKEV2_CERT_NONE			0	/* None */
#define IKEV2_CERT_X509_PKCS7		1	/* UNSPECIFIED */
#define IKEV2_CERT_PGP			2	/* UNSPECIFIED */
#define IKEV2_CERT_DNS_SIGNED_KEY	3	/* UNSPECIFIED */
#define IKEV2_CERT_X509_CERT		4	/* RFC7296 */
#define IKEV2_CERT_KERBEROS_TOKEN	6	/* UNSPECIFIED */
#define IKEV2_CERT_CRL			7	/* RFC7296 */
#define IKEV2_CERT_ARL			8	/* UNSPECIFIED */
#define IKEV2_CERT_SPKI			9	/* UNSPECIFIED */
#define IKEV2_CERT_X509_ATTR		10	/* UNSPECIFIED */
#define IKEV2_CERT_RSA_KEY		11	/* RFC7296 */
/*
 * Hash-and-URL encodings carry a SHA-1 hash plus a URL instead of the
 * certificate; the peer is asked to fetch the certificate itself.  Only
 * meaningful when HTTP_CERT_LOOKUP_SUPPORTED was exchanged, and the
 * fetched data must be checked against the hash before use.
 */
#define IKEV2_CERT_HASHURL_X509		12	/* RFC7296 */
#define IKEV2_CERT_HASHURL_X509_BUNDLE	13	/* RFC7296 */
#define IKEV2_CERT_OCSP			14	/* RFC4806 */
/*
 * As of November 2014, work was still in progress to add a more generic
 * format for raw public keys (RFC7296), so we use a number in IANA's private
 * use range (201-255, same RFC) for ECDSA.
 */
#define IKEV2_CERT_ECDSA		201	/* Private */
#define IKEV2_CERT_BUNDLE		254	/* Private */

extern struct iked_constmap ikev2_cert_map[];

/*
 * TSi/TSr payloads
 */

/*
 * Traffic selector payload header; tsp_count selectors follow, each
 * starting with a struct ikev2_ts.  tsp_count is one octet, hence
 * IKEV2_MAXNUM_TSS above.
 */
struct ikev2_tsp {
	uint8_t		 tsp_count;		/* Number of TSs */
	uint8_t		 tsp_reserved[3];	/* Reserved */
	/* Followed by the traffic selectors */
} __packed;

/*
 * Single traffic selector (RFC 7296, 3.13.1).  ts_length covers this
 * header plus the starting and ending addresses that follow; their size is
 * implied by ts_type (4 bytes each for IPv4, 16 for IPv6), so a reader
 * must verify ts_length against both the type and the payload bounds.
 */
struct ikev2_ts {
	uint8_t		 ts_type;		/* TS type */
	uint8_t		 ts_protoid;		/* Protocol Id */
	uint16_t	 ts_length;		/* Length */
	uint16_t	 ts_startport;		/* Start port */
	uint16_t	 ts_endport;		/* End port */
} __packed;

#define IKEV2_TS_IPV4_ADDR_RANGE	7	/* RFC7296 */
#define IKEV2_TS_IPV6_ADDR_RANGE	8	/* RFC7296 */
#define IKEV2_TS_FC_ADDR_RANGE		9	/* RFC4595 */

extern struct iked_constmap ikev2_ts_map[];

/*
 * AUTH payload
 */

/* Authentication payload header; the signature or MAC follows. */
struct ikev2_auth {
	uint8_t		 auth_method;		/* Signature type */
	uint8_t		 auth_reserved[3];	/* Reserved */
	/* Followed by the signature */
} __packed;

#define IKEV2_AUTH_NONE			0	/* None */
#define IKEV2_AUTH_RSA_SIG		1	/* RFC7296 */
#define IKEV2_AUTH_SHARED_KEY_MIC	2	/* RFC7296 */
#define IKEV2_AUTH_DSS_SIG		3	/* RFC7296 */
#define IKEV2_AUTH_ECDSA_256		9	/* RFC4754 */
#define IKEV2_AUTH_ECDSA_384		10	/* RFC4754 */
#define IKEV2_AUTH_ECDSA_521		11	/* RFC4754 */
#define IKEV2_AUTH_GSPM			12	/* RFC6467 */
/*
 * NULL authentication (RFC 7619) means the peer is not authenticated at
 * all; it is only safe as an explicit, opt-in policy choice -- confirm it
 * is not accepted by default in the policy matching code.
 */
#define IKEV2_AUTH_NULL			13	/* RFC7619 */
#define IKEV2_AUTH_SIG			14	/* RFC7427 */
#define IKEV2_AUTH_SIG_ANY		255	/* Internal (any signature) */
/*
 * AUTH_SIG also serves as an indication that a given policy has
 * been configured to accept RSA or ECDSA payloads, as long as it
 * successfully authenticates against a configured CA.
 */

extern struct iked_constmap ikev2_auth_map[];

/*
 * Notifications used together with IKEV2_AUTH_SIG
 *
 * Hash algorithm ids carried in SIGNATURE_HASH_ALGORITHMS (RFC 7427).
 * SHA1 is listed because the registry defines it; treating it as
 * acceptable for signatures is a policy decision made elsewhere.
 */

#define IKEV2_SIGHASH_RESERVED		0	/* RFC7427 */
#define IKEV2_SIGHASH_SHA1		1	/* RFC7427 */
#define IKEV2_SIGHASH_SHA2_256		2	/* RFC7427 */
#define IKEV2_SIGHASH_SHA2_384		3	/* RFC7427 */
#define IKEV2_SIGHASH_SHA2_512		4	/* RFC7427 */

extern struct iked_constmap ikev2_sighash_map[];

/*
 * CP payload
 */

/* Configuration payload header; struct ikev2_cfg attributes follow. */
struct ikev2_cp {
	uint8_t		 cp_type;		/* CFG type, IKEV2_CP_* */
	uint8_t		 cp_reserved[3];	/* Reserved */
	/* Followed by the attributes */
} __packed;

#define IKEV2_CP_REQUEST	1	/* CFG-Request */
#define IKEV2_CP_REPLY		2	/* CFG-Reply */
#define IKEV2_CP_SET		3	/* CFG-SET */
#define IKEV2_CP_ACK		4	/* CFG-ACK */

extern struct iked_constmap ikev2_cp_map[];

/*
 * Configuration attribute (RFC 7296, 3.15.1).  The top bit of cfg_type is
 * reserved and must be zero; cfg_length is the length of the data that
 * follows (0 in a request that only asks for an attribute) and must be
 * bounded by the enclosing payload.
 */
struct ikev2_cfg {
	uint16_t	 cfg_type;		/* first bit must be set to zero */
	uint16_t	 cfg_length;		/* Length of the attribute data */
	/* Followed by variable-length data */
} __packed;

#define IKEV2_CFG_INTERNAL_IP4_ADDRESS		1	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP4_NETMASK		2	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP4_DNS		3	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP4_NBNS		4	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_ADDRESS_EXPIRY	5	/* RFC4306 */
#define IKEV2_CFG_INTERNAL_IP4_DHCP		6	/* RFC7296 */
#define IKEV2_CFG_APPLICATION_VERSION		7	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP6_ADDRESS		8	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP6_DNS		10	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP6_NBNS		11	/* RFC4306 */
#define IKEV2_CFG_INTERNAL_IP6_DHCP		12	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP4_SUBNET		13	/* RFC7296 */
#define IKEV2_CFG_SUPPORTED_ATTRIBUTES		14	/* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP6_SUBNET		15	/* RFC7296 */
#define IKEV2_CFG_MIP6_HOME_PREFIX		16	/* RFC5026 */
#define IKEV2_CFG_INTERNAL_IP6_LINK		17	/* RFC5739 */
#define IKEV2_CFG_INTERNAL_IP6_PREFIX		18	/* RFC5739 */
#define IKEV2_CFG_HOME_AGENT_ADDRESS		19	/* http://www.3gpp.org/ftp/Specs/html-info/24302.htm */
/* Microsoft private attributes (MS-IKEE), outside the IANA-assigned range */
#define IKEV2_CFG_INTERNAL_IP4_SERVER		23456	/* MS-IKEE */
#define IKEV2_CFG_INTERNAL_IP6_SERVER		23457	/* MS-IKEE */

extern struct iked_constmap ikev2_cfg_map[];

/*
 * IKEv1 payload types
 *
 * Only the two values needed to recognise IKEv1 traffic are kept here;
 * presumably used to reject or log IKEv1 messages (IKEV1_VERSION above),
 * not to implement IKEv1 -- confirm against the caller.
 */
#define IKEV1_PAYLOAD_NONE	0	/* No payload */
#define IKEV1_PAYLOAD_PROPOSAL	2	/* Proposal */

#endif /* IKED_IKEV2_H */