diff options
Diffstat (limited to 'keyexchange/isakmpd-20041012/ipsec.h')
-rw-r--r-- | keyexchange/isakmpd-20041012/ipsec.h | 173 |
1 files changed, 173 insertions, 0 deletions
diff --git a/keyexchange/isakmpd-20041012/ipsec.h b/keyexchange/isakmpd-20041012/ipsec.h new file mode 100644 index 0000000..1b3c996 --- /dev/null +++ b/keyexchange/isakmpd-20041012/ipsec.h @@ -0,0 +1,173 @@ +/* $OpenBSD: ipsec.h,v 1.24 2004/05/23 18:17:56 hshoexer Exp $ */ +/* $EOM: ipsec.h,v 1.42 2000/12/03 07:58:20 angelos Exp $ */ + +/* + * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved. + * Copyright (c) 1999 Angelos D. Keromytis. All rights reserved. + * Copyright (c) 2001 Håkan Olsson. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#ifndef _IPSEC_H_ +#define _IPSEC_H_ + +#include <sys/queue.h> +#include <sys/types.h> +#include <netinet/in.h> + +#include "ipsec_doi.h" +#ifdef USE_ISAKMP_CFG +#include "isakmp_cfg.h" +#endif + +struct group; +struct hash; +struct ike_auth; +struct message; +struct proto; +struct sa; + +/* + * IPsec-specific data to be linked into the exchange struct. + * XXX Should probably be several different structs, one for each kind + * of exchange, i.e. phase 1, phase 2 and ISAKMP configuration parameters + * separated. + */ +struct ipsec_exch { + u_int flags; + struct hash *hash; + struct ike_auth *ike_auth; + struct group *group; + u_int16_t prf_type; + + /* 0 if no KEY_EXCH was proposed, 1 otherwise */ + u_int8_t pfs; + + /* + * A copy of the initiator SA payload body for later computation of + * hashes. Phase 1 only. + */ + size_t sa_i_b_len; + u_int8_t *sa_i_b; + + /* Diffie-Hellman values. */ + size_t g_x_len; + u_int8_t *g_xi; + u_int8_t *g_xr; + u_int8_t *g_xy; + + /* SKEYIDs. XXX Phase 1 only? */ + size_t skeyid_len; + u_int8_t *skeyid; + u_int8_t *skeyid_d; + u_int8_t *skeyid_a; + u_int8_t *skeyid_e; + + /* HASH_I & HASH_R. XXX Do these need to be saved here? */ + u_int8_t *hash_i; + u_int8_t *hash_r; + + /* KEYMAT */ + size_t keymat_len; + + /* Phase 2. */ + u_int8_t *id_ci; + size_t id_ci_sz; + u_int8_t *id_cr; + size_t id_cr_sz; + +#ifdef USE_ISAKMP_CFG + /* ISAKMP configuration mode parameters */ + u_int16_t cfg_id; + u_int16_t cfg_type; + LIST_HEAD(isakmp_cfg_attr_head, isakmp_cfg_attr) attrs; +#endif +}; + +#define IPSEC_EXCH_FLAG_NO_ID 1 + +struct ipsec_sa { + /* Phase 1. */ + u_int8_t hash; + size_t skeyid_len; + u_int8_t *skeyid_d; + u_int8_t *skeyid_a; + u_int16_t prf_type; + + /* Phase 2. */ + u_int16_t group_desc; + + /* Tunnel parameters. These are in network byte order. */ + struct sockaddr *src_net; + struct sockaddr *src_mask; + struct sockaddr *dst_net; + struct sockaddr *dst_mask; + u_int8_t tproto; + u_int16_t sport; + u_int16_t dport; +}; + +struct ipsec_proto { + /* Phase 2. */ + u_int16_t encap_mode; + u_int16_t auth; + u_int16_t keylen; + u_int16_t keyrounds; + + /* This is not negotiated, but rather configured. */ + int32_t replay_window; + + /* KEYMAT */ + u_int8_t *keymat[2]; +}; + +extern u_int8_t *ipsec_add_hash_payload(struct message *, size_t); +extern int ipsec_ah_keylength(struct proto *); +extern u_int8_t *ipsec_build_id(char *, size_t *); +extern int ipsec_decode_attribute(u_int16_t, u_int8_t *, u_int16_t, void *); +extern void ipsec_decode_transform(struct message *, struct sa *, + struct proto *, u_int8_t *); +extern int ipsec_esp_authkeylength(struct proto *); +extern int ipsec_esp_enckeylength(struct proto *); +extern int ipsec_fill_in_hash(struct message *); +extern int ipsec_gen_g_x(struct message *); +extern int ipsec_get_id(char *, int *, struct sockaddr **, + struct sockaddr **, u_int8_t *, u_int16_t *); +extern ssize_t ipsec_id_size(char *, u_int8_t *); +extern char *ipsec_id_string(u_int8_t *, size_t); +extern void ipsec_init(void); +extern int ipsec_initial_contact(struct message *); +extern int ipsec_is_attribute_incompatible(u_int16_t, u_int8_t *, + u_int16_t, void *); +extern int ipsec_keymat_length(struct proto *); +extern int ipsec_save_g_x(struct message *); +extern struct sa *ipsec_sa_lookup(struct sockaddr *, u_int32_t, u_int8_t); + +extern char *ipsec_decode_ids(char *, u_int8_t *, size_t, u_int8_t *, + size_t, int); +extern int ipsec_clone_id(u_int8_t **, size_t *, u_int8_t *, size_t); + +#endif /* _IPSEC_H_ */ |