
/* $OpenBSD: ikev2.h,v 1.35 2023/06/28 14:10:24 tobhe Exp $ */
/*
* Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
* Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
* WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
* ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
* WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
* ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
*/
#ifndef IKED_IKEV2_H
#define IKED_IKEV2_H
#define IKEV2_VERSION		0x20	/* IKE version 2.0: major 2, minor 0 in the header's version octet */
#define IKEV1_VERSION		0x10	/* IKE version 1.0 */
/*
 * Fixed, non-secret string mixed into the AUTH computation
 * (RFC 7296 section 2.15).  Both peers must use exactly these bytes or
 * authentication fails, hence the warning.
 */
#define IKEV2_KEYPAD		"Key Pad for IKEv2"	/* don't change! */
/*
* IKEv2 pseudo states
*/
#define IKEV2_STATE_INIT 0 /* new IKE SA */
#define IKEV2_STATE_COOKIE 1 /* cookie requested */
#define IKEV2_STATE_SA_INIT 2 /* init IKE SA */
#define IKEV2_STATE_EAP 3 /* EAP requested */
#define IKEV2_STATE_EAP_SUCCESS 4 /* EAP succeeded */
#define IKEV2_STATE_AUTH_REQUEST 5 /* auth received */
#define IKEV2_STATE_AUTH_SUCCESS 6 /* authenticated */
#define IKEV2_STATE_VALID 7 /* authenticated AND validated certs */
#define IKEV2_STATE_EAP_VALID 8 /* EAP validated */
#define IKEV2_STATE_ESTABLISHED 9 /* active IKE SA */
#define IKEV2_STATE_CLOSING 10 /* expect delete for this SA */
#define IKEV2_STATE_CLOSED 11 /* delete this SA */
extern struct iked_constmap ikev2_state_map[];
/*
* "IKEv2 Parameters" based on the official RFC-based assignments by IANA
* (http://www.iana.org/assignments/ikev2-parameters/ikev2-parameters.txt)
*/
/*
* IKEv2 definitions of the IKE header
*/
/* IKEv2 exchange types */
#define IKEV2_EXCHANGE_IKE_SA_INIT 34 /* Initial Exchange */
#define IKEV2_EXCHANGE_IKE_AUTH 35 /* Authentication */
#define IKEV2_EXCHANGE_CREATE_CHILD_SA 36 /* Create Child SA */
#define IKEV2_EXCHANGE_INFORMATIONAL 37 /* Informational */
#define IKEV2_EXCHANGE_IKE_SESSION_RESUME 38 /* RFC5723 */
extern struct iked_constmap ikev2_exchange_map[];
/* IKEv2 message flags */
#define IKEV2_FLAG_INITIATOR 0x08 /* Sent by the initiator */
#define IKEV2_FLAG_OLDVERSION 0x10 /* Supports a higher IKE version */
#define IKEV2_FLAG_RESPONSE 0x20 /* Message is a response */
extern struct iked_constmap ikev2_flag_map[];
/*
* IKEv2 payloads
*/
/*
 * Generic payload header (RFC 7296 section 3.2).  Every payload of an
 * IKEv2 message starts with this 4-byte header; __packed keeps the struct
 * layout identical to the on-the-wire encoding.
 * NOTE(review): fields arrive in network byte order and are peer-controlled.
 * The parser (not in this file) is expected to convert pld_length and to
 * check that it covers at least this header and does not exceed the
 * remaining message length before trusting it.  A set critical bit on a
 * payload type the receiver does not understand is what
 * IKEV2_N_UNSUPPORTED_CRITICAL_PAYLOAD reports.
 */
struct ikev2_payload {
	uint8_t		 pld_nextpayload;	/* Next payload type (IKEV2_PAYLOAD_*) */
	uint8_t		 pld_reserved;		/* Critical bit (IKEV2_CRITICAL_PAYLOAD); other bits reserved */
	uint16_t	 pld_length;		/* Payload length including this header */
} __packed;
/*
 * Encrypted Fragment payload (IKEV2_PAYLOAD_SKF, RFC 7383).  Presumably
 * placed right after the generic ikev2_payload header; it records where
 * this fragment sits in the reassembled message.
 * NOTE(review): both values are peer-supplied.  Reassembly code should
 * reject frag_num == 0, frag_num > frag_total, and a frag_total that
 * differs between fragments of the same message -- confirm in the parser.
 */
struct ikev2_frag_payload {
	uint16_t	 frag_num;	/* Current fragment number (RFC 7383 counts from 1) */
	uint16_t	 frag_total;	/* Total number of fragments in the message */
} __packed;
#define IKEV2_CRITICAL_PAYLOAD 0x01 /* First bit in the reserved field */
/* IKEv2 payload types */
#define IKEV2_PAYLOAD_NONE 0 /* No payload */
#define IKEV2_PAYLOAD_SA 33 /* Security Association */
#define IKEV2_PAYLOAD_KE 34 /* Key Exchange */
#define IKEV2_PAYLOAD_IDi 35 /* Identification - Initiator */
#define IKEV2_PAYLOAD_IDr 36 /* Identification - Responder */
#define IKEV2_PAYLOAD_CERT 37 /* Certificate */
#define IKEV2_PAYLOAD_CERTREQ 38 /* Certificate Request */
#define IKEV2_PAYLOAD_AUTH 39 /* Authentication */
#define IKEV2_PAYLOAD_NONCE 40 /* Nonce */
#define IKEV2_PAYLOAD_NOTIFY 41 /* Notify */
#define IKEV2_PAYLOAD_DELETE 42 /* Delete */
#define IKEV2_PAYLOAD_VENDOR 43 /* Vendor ID */
#define IKEV2_PAYLOAD_TSi 44 /* Traffic Selector - Initiator */
#define IKEV2_PAYLOAD_TSr 45 /* Traffic Selector - Responder */
#define IKEV2_PAYLOAD_SK 46 /* Encrypted */
#define IKEV2_PAYLOAD_CP 47 /* Configuration Payload */
#define IKEV2_PAYLOAD_EAP 48 /* Extensible Authentication */
#define IKEV2_PAYLOAD_GSPM 49 /* RFC6467 Generic Secure Password */
#define IKEV2_PAYLOAD_SKF 53 /* RFC7383 Encrypted Fragment Payload */
extern struct iked_constmap ikev2_payload_map[];
/*
* SA payload
*/
/*
 * Proposal substructure of the SA payload (RFC 7296 section 3.3.1).
 * One or more of these follow the generic payload header; sap_more
 * (IKEV2_SAP_MORE / IKEV2_SAP_LAST) chains them.  The fixed part is
 * 8 bytes; an SPI of sap_spisize bytes and sap_transforms transform
 * substructures follow it.
 * NOTE(review): sap_length, sap_spisize and sap_transforms are all
 * peer-controlled.  A parser must verify
 * sap_length >= sizeof(struct ikev2_sa_proposal) + sap_spisize and that
 * sap_length fits in the enclosing payload before walking the transforms.
 */
struct ikev2_sa_proposal {
	uint8_t		 sap_more;		/* IKEV2_SAP_LAST or IKEV2_SAP_MORE */
	uint8_t		 sap_reserved;		/* Must be set to zero */
	uint16_t	 sap_length;		/* Proposal length incl. this header, SPI and transforms */
	uint8_t		 sap_proposalnr;	/* Proposal number */
	uint8_t		 sap_protoid;		/* Protocol Id (IKEV2_SAPROTO_*) */
	uint8_t		 sap_spisize;		/* SPI size in bytes, 0 when no SPI is present */
	uint8_t		 sap_transforms;	/* Number of transform substructures that follow */
	/* Followed by variable-length SPI */
	/* Followed by variable-length transforms */
} __packed;
#define IKEV2_SAP_LAST 0
#define IKEV2_SAP_MORE 2
#define IKEV2_SAPROTO_NONE 0 /* None */
#define IKEV2_SAPROTO_IKE 1 /* IKEv2 */
#define IKEV2_SAPROTO_AH 2 /* AH */
#define IKEV2_SAPROTO_ESP 3 /* ESP */
#define IKEV2_SAPROTO_FC_ESP_HEADER 4 /* RFC4595 */
#define IKEV2_SAPROTO_FC_CT_AUTH 5 /* RFC4595 */
#define IKEV2_SAPROTO_IPCOMP 204 /* private, should be 4 */
extern struct iked_constmap ikev2_saproto_map[];
/*
 * Transform substructure (RFC 7296 section 3.3.2): 8 bytes fixed, followed
 * by zero or more ikev2_attribute entries.  xfrm_type selects which
 * namespace xfrm_id is read in (IKEV2_XFORMENCR_*, IKEV2_XFORMPRF_*,
 * IKEV2_XFORMAUTH_*, IKEV2_XFORMDH_* or IKEV2_XFORMESN_*).
 * NOTE(review): xfrm_length is peer-controlled and must be checked against
 * the enclosing proposal before the attribute list is walked.  Per
 * RFC 7296 a proposal containing an unknown transform type is unacceptable
 * as a whole -- confirm the parser does not just skip it.
 */
struct ikev2_transform {
	uint8_t		 xfrm_more;		/* IKEV2_XFORM_LAST or IKEV2_XFORM_MORE */
	uint8_t		 xfrm_reserved;		/* Must be set to zero */
	uint16_t	 xfrm_length;		/* Transform length incl. this header and attributes */
	uint8_t		 xfrm_type;		/* Transform type (IKEV2_XFORMTYPE_*) */
	uint8_t		 xfrm_reserved1;	/* Must be set to zero */
	uint16_t	 xfrm_id;		/* Transform Id; namespace depends on xfrm_type */
	/* Followed by variable-length transform attributes */
} __packed;
#define IKEV2_XFORM_LAST 0
#define IKEV2_XFORM_MORE 3
#define IKEV2_XFORMTYPE_ENCR 1 /* Encryption */
#define IKEV2_XFORMTYPE_PRF 2 /* Pseudo-Random Function */
#define IKEV2_XFORMTYPE_INTEGR 3 /* Integrity Algorithm */
#define IKEV2_XFORMTYPE_DH 4 /* Diffie-Hellman Group */
#define IKEV2_XFORMTYPE_ESN 5 /* Extended Sequence Numbers */
#define IKEV2_XFORMTYPE_MAX 6
extern struct iked_constmap ikev2_xformtype_map[];
#define IKEV2_XFORMENCR_NONE 0 /* None */
#define IKEV2_XFORMENCR_DES_IV64 1 /* RFC1827 */
#define IKEV2_XFORMENCR_DES 2 /* RFC2405 */
#define IKEV2_XFORMENCR_3DES 3 /* RFC2451 */
#define IKEV2_XFORMENCR_RC5 4 /* RFC2451 */
#define IKEV2_XFORMENCR_IDEA 5 /* RFC2451 */
#define IKEV2_XFORMENCR_CAST 6 /* RFC2451 */
#define IKEV2_XFORMENCR_BLOWFISH 7 /* RFC2451 */
#define IKEV2_XFORMENCR_3IDEA 8 /* RFC2451 */
#define IKEV2_XFORMENCR_DES_IV32 9 /* DESIV32 */
#define IKEV2_XFORMENCR_RC4 10 /* RFC2451 */
#define IKEV2_XFORMENCR_NULL 11 /* RFC2410 */
#define IKEV2_XFORMENCR_AES_CBC 12 /* RFC3602 */
#define IKEV2_XFORMENCR_AES_CTR 13 /* RFC3664 */
#define IKEV2_XFORMENCR_AES_CCM_8 14 /* RFC5282 */
#define IKEV2_XFORMENCR_AES_CCM_12 15 /* RFC5282 */
#define IKEV2_XFORMENCR_AES_CCM_16 16 /* RFC5282 */
#define IKEV2_XFORMENCR_AES_GCM_8 18 /* RFC5282 */
#define IKEV2_XFORMENCR_AES_GCM_12 19 /* RFC5282 */
#define IKEV2_XFORMENCR_AES_GCM_16 20 /* RFC5282 */
#define IKEV2_XFORMENCR_NULL_AES_GMAC 21 /* RFC4543 */
#define IKEV2_XFORMENCR_XTS_AES 22 /* IEEE P1619 */
#define IKEV2_XFORMENCR_CAMELLIA_CBC 23 /* RFC5529 */
#define IKEV2_XFORMENCR_CAMELLIA_CTR 24 /* RFC5529 */
#define IKEV2_XFORMENCR_CAMELLIA_CCM_8 25 /* RFC5529 */
#define IKEV2_XFORMENCR_CAMELLIA_CCM_12 26 /* RFC5529 */
#define IKEV2_XFORMENCR_CAMELLIA_CCM_16 27 /* RFC5529 */
#define IKEV2_XFORMENCR_CHACHA20_POLY1305 28 /* RFC7634 */
extern struct iked_constmap ikev2_xformencr_map[];
#define IKEV2_IPCOMP_OUI 1 /* UNSPECIFIED */
#define IKEV2_IPCOMP_DEFLATE 2 /* RFC2394 */
#define IKEV2_IPCOMP_LZS 3 /* RFC2395 */
#define IKEV2_IPCOMP_LZJH 4 /* RFC3051 */
extern struct iked_constmap ikev2_ipcomp_map[];
#define IKEV2_XFORMPRF_HMAC_MD5 1 /* RFC2104 */
#define IKEV2_XFORMPRF_HMAC_SHA1 2 /* RFC2104 */
#define IKEV2_XFORMPRF_HMAC_TIGER 3 /* RFC2104 */
#define IKEV2_XFORMPRF_AES128_XCBC 4 /* RFC3664 */
#define IKEV2_XFORMPRF_HMAC_SHA2_256 5 /* RFC4868 */
#define IKEV2_XFORMPRF_HMAC_SHA2_384 6 /* RFC4868 */
#define IKEV2_XFORMPRF_HMAC_SHA2_512 7 /* RFC4868 */
#define IKEV2_XFORMPRF_AES128_CMAC 8 /* RFC4615 */
extern struct iked_constmap ikev2_xformprf_map[];
#define IKEV2_XFORMAUTH_NONE 0 /* No Authentication */
#define IKEV2_XFORMAUTH_HMAC_MD5_96 1 /* RFC2403 */
#define IKEV2_XFORMAUTH_HMAC_SHA1_96 2 /* RFC2404 */
#define IKEV2_XFORMAUTH_DES_MAC 3 /* DES-MAC */
#define IKEV2_XFORMAUTH_KPDK_MD5 4 /* RFC1826 */
#define IKEV2_XFORMAUTH_AES_XCBC_96 5 /* RFC3566 */
#define IKEV2_XFORMAUTH_HMAC_MD5_128 6 /* RFC4595 */
#define IKEV2_XFORMAUTH_HMAC_SHA1_160 7 /* RFC4595 */
#define IKEV2_XFORMAUTH_AES_CMAC_96 8 /* RFC4494 */
#define IKEV2_XFORMAUTH_AES_128_GMAC 9 /* RFC4543 */
#define IKEV2_XFORMAUTH_AES_192_GMAC 10 /* RFC4543 */
#define IKEV2_XFORMAUTH_AES_256_GMAC 11 /* RFC4543 */
#define IKEV2_XFORMAUTH_HMAC_SHA2_256_128 12 /* RFC4868 */
#define IKEV2_XFORMAUTH_HMAC_SHA2_384_192 13 /* RFC4868 */
#define IKEV2_XFORMAUTH_HMAC_SHA2_512_256 14 /* RFC4868 */
/* Placeholders for AEAD ciphers (only used internally) */
#define IKEV2_XFORMAUTH_AES_GCM_8 2018 /* internal */
#define IKEV2_XFORMAUTH_AES_GCM_12 2019 /* internal */
#define IKEV2_XFORMAUTH_AES_GCM_16 2020 /* internal */
extern struct iked_constmap ikev2_xformauth_map[];
#define IKEV2_XFORMDH_NONE 0 /* No DH */
#define IKEV2_XFORMDH_MODP_768 1 /* DH Group 1 */
#define IKEV2_XFORMDH_MODP_1024 2 /* DH Group 2 */
#define IKEV2_XFORMDH_MODP_1536 5 /* DH Group 5 */
#define IKEV2_XFORMDH_MODP_2048 14 /* DH Group 14 */
#define IKEV2_XFORMDH_MODP_3072 15 /* DH Group 15 */
#define IKEV2_XFORMDH_MODP_4096 16 /* DH Group 16 */
#define IKEV2_XFORMDH_MODP_6144 17 /* DH Group 17 */
#define IKEV2_XFORMDH_MODP_8192 18 /* DH Group 18 */
#define IKEV2_XFORMDH_ECP_256 19 /* RFC5114 */
#define IKEV2_XFORMDH_ECP_384 20 /* RFC5114 */
#define IKEV2_XFORMDH_ECP_521 21 /* RFC5114 */
#define IKEV2_XFORMDH_ECP_192 25 /* RFC5114 */
#define IKEV2_XFORMDH_ECP_224 26 /* RFC5114 */
#define IKEV2_XFORMDH_BRAINPOOL_P224R1 27 /* RFC6954 */
#define IKEV2_XFORMDH_BRAINPOOL_P256R1 28 /* RFC6954 */
#define IKEV2_XFORMDH_BRAINPOOL_P384R1 29 /* RFC6954 */
#define IKEV2_XFORMDH_BRAINPOOL_P512R1 30 /* RFC6954 */
#define IKEV2_XFORMDH_CURVE25519 31 /* RFC8031 */
#define IKEV2_XFORMDH_X_SNTRUP761X25519 1035 /* private */
extern struct iked_constmap ikev2_xformdh_map[];
/*
 * Largest IKE payload that fits in the minimum datagram size every host
 * must accept (576 bytes for IPv4, 1280 for IPv6) once the IP header, the
 * 8-byte UDP header and the 28-byte IKE header are subtracted.  Used to
 * size message fragments (RFC 7383).
 * NOTE(review): the budget assumes no NAT-T non-ESP marker in front of the
 * IKE header; confirm the fragmenting code accounts for it on the NAT-T
 * port.
 */
#define IKEV2_IPV4_OVERHEAD		(20 + 8 + 28)	/* IPv4 + UDP + IKE_HDR */
#define IKEV2_MAXLEN_IPV4_FRAG		(576 - IKEV2_IPV4_OVERHEAD)
#define IKEV2_IPV6_OVERHEAD		(40 + 8 + 28)	/* IPv6 + UDP + IKE_HDR */
#define IKEV2_MAXLEN_IPV6_FRAG		(1280 - IKEV2_IPV6_OVERHEAD)
#define IKEV2_MAXNUM_TSS		255	/* 8 bit Number of TSs field (struct ikev2_tsp tsp_count) */
#define IKEV2_XFORMESN_NONE 0 /* No ESN */
#define IKEV2_XFORMESN_ESN 1 /* ESN */
extern struct iked_constmap ikev2_xformesn_map[];
/*
 * Transform attribute (RFC 7296 section 3.3.5).  The top bit of attr_type
 * is the format flag: with IKEV2_ATTRAF_TV the value is carried in
 * attr_length itself and nothing follows; with IKEV2_ATTRAF_TLV
 * attr_length is the byte count of the value that follows.
 * NOTE(review): a parser must mask the format bit off attr_type before
 * comparing it with IKEV2_ATTRTYPE_* and must bounds-check a TLV length
 * against the enclosing transform.
 */
struct ikev2_attribute {
	uint16_t	 attr_type;	/* Format bit (IKEV2_ATTRAF_*) | attribute type */
	uint16_t	 attr_length;	/* Value (TV) or length of the value that follows (TLV) */
	/* Followed by variable length (TLV) */
} __packed;
#define IKEV2_ATTRAF_TLV 0x0000 /* Type-Length-Value format */
#define IKEV2_ATTRAF_TV 0x8000 /* Type-Value format */
#define IKEV2_ATTRTYPE_KEY_LENGTH 14 /* Key length */
extern struct iked_constmap ikev2_attrtype_map[];
/*
* KE Payload
*/
/*
 * Key Exchange payload header (RFC 7296 section 3.4).  The peer's public
 * value follows; its expected size is determined by kex_dhgroup.
 * NOTE(review): a KE payload whose group differs from the one selected in
 * the SA payload is what IKEV2_N_INVALID_KE_PAYLOAD is for, and a public
 * value whose length does not match the group should be rejected before
 * any DH computation -- confirm in the caller.
 */
struct ikev2_keyexchange {
	uint16_t	 kex_dhgroup;	/* DH Group # (IKEV2_XFORMDH_*) */
	uint16_t	 kex_reserved;	/* Reserved, sent as zero */
} __packed;
/*
* N payload
*/
/*
 * Notify payload header (RFC 7296 section 3.10).  n_type is one of the
 * IKEV2_N_* values: types below 16384 report errors, 16384 and above are
 * status notifications.
 * NOTE(review): n_spisize is peer-controlled and must be checked against
 * the remaining payload length before the SPI and the notification data
 * are read.  RFC 7296 has unrecognised status types ignored but an
 * unrecognised error type in a response treated as failure of the whole
 * request -- confirm the handler distinguishes the two.
 */
struct ikev2_notify {
	uint8_t		 n_protoid;	/* Protocol Id (IKEV2_SAPROTO_*), 0 when no SPI */
	uint8_t		 n_spisize;	/* SPI size in bytes */
	uint16_t	 n_type;	/* Notify message type (IKEV2_N_*) */
	/* Followed by variable length SPI */
	/* Followed by variable length notification data */
} __packed;
#define IKEV2_N_UNSUPPORTED_CRITICAL_PAYLOAD 1 /* RFC7296 */
#define IKEV2_N_INVALID_IKE_SPI 4 /* RFC7296 */
#define IKEV2_N_INVALID_MAJOR_VERSION 5 /* RFC7296 */
#define IKEV2_N_INVALID_SYNTAX 7 /* RFC7296 */
#define IKEV2_N_INVALID_MESSAGE_ID 9 /* RFC7296 */
#define IKEV2_N_INVALID_SPI 11 /* RFC7296 */
#define IKEV2_N_NO_PROPOSAL_CHOSEN 14 /* RFC7296 */
#define IKEV2_N_INVALID_KE_PAYLOAD 17 /* RFC7296 */
#define IKEV2_N_AUTHENTICATION_FAILED 24 /* RFC7296 */
#define IKEV2_N_SINGLE_PAIR_REQUIRED 34 /* RFC7296 */
#define IKEV2_N_NO_ADDITIONAL_SAS 35 /* RFC7296 */
#define IKEV2_N_INTERNAL_ADDRESS_FAILURE 36 /* RFC7296 */
#define IKEV2_N_FAILED_CP_REQUIRED 37 /* RFC7296 */
#define IKEV2_N_TS_UNACCEPTABLE 38 /* RFC7296 */
#define IKEV2_N_INVALID_SELECTORS 39 /* RFC7296 */
#define IKEV2_N_UNACCEPTABLE_ADDRESSES 40 /* RFC4555 */
#define IKEV2_N_UNEXPECTED_NAT_DETECTED 41 /* RFC4555 */
#define IKEV2_N_USE_ASSIGNED_HoA 42 /* RFC5026 */
#define IKEV2_N_TEMPORARY_FAILURE 43 /* RFC7296 */
#define IKEV2_N_CHILD_SA_NOT_FOUND 44 /* RFC7296 */
#define IKEV2_N_INITIAL_CONTACT 16384 /* RFC7296 */
#define IKEV2_N_SET_WINDOW_SIZE 16385 /* RFC7296 */
#define IKEV2_N_ADDITIONAL_TS_POSSIBLE 16386 /* RFC7296 */
#define IKEV2_N_IPCOMP_SUPPORTED 16387 /* RFC7296 */
#define IKEV2_N_NAT_DETECTION_SOURCE_IP 16388 /* RFC7296 */
#define IKEV2_N_NAT_DETECTION_DESTINATION_IP 16389 /* RFC7296 */
#define IKEV2_N_COOKIE 16390 /* RFC7296 */
#define IKEV2_N_USE_TRANSPORT_MODE 16391 /* RFC7296 */
#define IKEV2_N_HTTP_CERT_LOOKUP_SUPPORTED 16392 /* RFC7296 */
#define IKEV2_N_REKEY_SA 16393 /* RFC7296 */
#define IKEV2_N_ESP_TFC_PADDING_NOT_SUPPORTED 16394 /* RFC7296 */
#define IKEV2_N_NON_FIRST_FRAGMENTS_ALSO 16395 /* RFC7296 */
#define IKEV2_N_MOBIKE_SUPPORTED 16396 /* RFC4555 */
#define IKEV2_N_ADDITIONAL_IP4_ADDRESS 16397 /* RFC4555 */
#define IKEV2_N_ADDITIONAL_IP6_ADDRESS 16398 /* RFC4555 */
#define IKEV2_N_NO_ADDITIONAL_ADDRESSES 16399 /* RFC4555 */
#define IKEV2_N_UPDATE_SA_ADDRESSES 16400 /* RFC4555 */
#define IKEV2_N_COOKIE2 16401 /* RFC4555 */
#define IKEV2_N_NO_NATS_ALLOWED 16402 /* RFC4555 */
#define IKEV2_N_AUTH_LIFETIME 16403 /* RFC4478 */
#define IKEV2_N_MULTIPLE_AUTH_SUPPORTED 16404 /* RFC4739 */
#define IKEV2_N_ANOTHER_AUTH_FOLLOWS 16405 /* RFC4739 */
#define IKEV2_N_REDIRECT_SUPPORTED 16406 /* RFC5685 */
#define IKEV2_N_REDIRECT 16407 /* RFC5685 */
#define IKEV2_N_REDIRECTED_FROM 16408 /* RFC5685 */
#define IKEV2_N_TICKET_LT_OPAQUE 16409 /* RFC5723 */
#define IKEV2_N_TICKET_REQUEST 16410 /* RFC5723 */
#define IKEV2_N_TICKET_ACK 16411 /* RFC5723 */
#define IKEV2_N_TICKET_NACK 16412 /* RFC5723 */
#define IKEV2_N_TICKET_OPAQUE 16413 /* RFC5723 */
#define IKEV2_N_LINK_ID 16414 /* RFC5739 */
#define IKEV2_N_USE_WESP_MODE 16415 /* RFC5415 */
#define IKEV2_N_ROHC_SUPPORTED 16416 /* RFC5857 */
#define IKEV2_N_EAP_ONLY_AUTHENTICATION 16417 /* RFC5998 */
#define IKEV2_N_CHILDLESS_IKEV2_SUPPORTED 16418 /* RFC6023 */
#define IKEV2_N_QUICK_CRASH_DETECTION 16419 /* RFC6290 */
#define IKEV2_N_IKEV2_MESSAGE_ID_SYNC_SUPPORTED 16420 /* RFC6311 */
#define IKEV2_N_IPSEC_REPLAY_CTR_SYNC_SUPPORTED 16421 /* RFC6311 */
#define IKEV2_N_IKEV2_MESSAGE_ID_SYNC 16422 /* RFC6311 */
#define IKEV2_N_IPSEC_REPLAY_CTR_SYNC 16423 /* RFC6311 */
#define IKEV2_N_SECURE_PASSWORD_METHODS 16424 /* RFC6467 */
#define IKEV2_N_PSK_PERSIST 16425 /* RFC6631 */
#define IKEV2_N_PSK_CONFIRM 16426 /* RFC6631 */
#define IKEV2_N_ERX_SUPPORTED 16427 /* RFC6867 */
#define IKEV2_N_IFOM_CAPABILITY 16428 /* OA3GPP */
#define IKEV2_N_FRAGMENTATION_SUPPORTED 16430 /* RFC7383 */
#define IKEV2_N_SIGNATURE_HASH_ALGORITHMS 16431 /* RFC7427 */
extern struct iked_constmap ikev2_n_map[];
/*
* DELETE payload
*/
/*
 * Delete payload header (RFC 7296 section 3.11), followed by del_nspi SPIs
 * of del_spisize bytes each.  For IKEV2_SAPROTO_IKE both counts are zero:
 * the IKE SA is identified by the message header, not by a listed SPI.
 * NOTE(review): del_nspi * del_spisize is peer-controlled; compare it with
 * the remaining payload length before iterating over the SPIs.
 */
struct ikev2_delete {
	uint8_t		 del_protoid;	/* Protocol Id (IKEV2_SAPROTO_*) */
	uint8_t		 del_spisize;	/* SPI size in bytes */
	uint16_t	 del_nspi;	/* Number of SPIs that follow */
	/* Followed by variable length SPIs */
} __packed;
/*
* ID payload
*/
/*
 * Identification payload header (IDi/IDr, RFC 7296 section 3.5).  The
 * identification data follows and is interpreted according to id_type;
 * its length is whatever remains of the payload.
 * NOTE(review): the data is untrusted.  IKEV2_ID_FQDN / IKEV2_ID_UFQDN are
 * not NUL-terminated on the wire, and IKEV2_ID_IPV4 / IKEV2_ID_IPV6 must
 * be exactly 4 / 16 bytes -- verify the parser enforces this before the
 * identity is logged or matched against policy.
 */
struct ikev2_id {
	uint8_t		 id_type;	/* Id type (IKEV2_ID_*) */
	uint8_t		 id_reserved[3];	/* Reserved, sent as zero */
	/* Followed by the identification data */
} __packed;
#define IKEV2_ID_NONE 0 /* No ID */
#define IKEV2_ID_IPV4 1 /* RFC7296 (ID_IPV4_ADDR) */
#define IKEV2_ID_FQDN 2 /* RFC7296 */
#define IKEV2_ID_UFQDN 3 /* RFC7296 (ID_RFC822_ADDR) */
#define IKEV2_ID_IPV6 5 /* RFC7296 (ID_IPV6_ADDR) */
#define IKEV2_ID_ASN1_DN 9 /* RFC7296 */
#define IKEV2_ID_ASN1_GN 10 /* RFC7296 */
#define IKEV2_ID_KEY_ID 11 /* RFC7296 */
#define IKEV2_ID_FC_NAME 12 /* RFC4595 */
extern struct iked_constmap ikev2_id_map[];
/*
* CERT/CERTREQ payloads
*/
/*
 * Certificate / Certificate Request payload header (RFC 7296 sections 3.6
 * and 3.7).  cert_type selects the encoding of the data that follows.
 * IKEV2_CERT_ECDSA and IKEV2_CERT_BUNDLE sit in IANA's private-use range
 * and are presumably only meaningful between iked peers.
 * NOTE(review): the IKEV2_CERT_HASHURL_* encodings carry a peer-chosen
 * URL; if it is ever fetched, the fetch must be bounded and the result
 * checked against the accompanying hash -- confirm how the caller treats
 * these types.
 */
struct ikev2_cert {
	uint8_t		 cert_type;	/* Encoding (IKEV2_CERT_*) */
	/* Followed by the certificate data */
} __packed;
#define IKEV2_CERT_NONE 0 /* None */
#define IKEV2_CERT_X509_PKCS7 1 /* UNSPECIFIED */
#define IKEV2_CERT_PGP 2 /* UNSPECIFIED */
#define IKEV2_CERT_DNS_SIGNED_KEY 3 /* UNSPECIFIED */
#define IKEV2_CERT_X509_CERT 4 /* RFC7296 */
#define IKEV2_CERT_KERBEROS_TOKEN 6 /* UNSPECIFIED */
#define IKEV2_CERT_CRL 7 /* RFC7296 */
#define IKEV2_CERT_ARL 8 /* UNSPECIFIED */
#define IKEV2_CERT_SPKI 9 /* UNSPECIFIED */
#define IKEV2_CERT_X509_ATTR 10 /* UNSPECIFIED */
#define IKEV2_CERT_RSA_KEY 11 /* RFC7296 */
#define IKEV2_CERT_HASHURL_X509 12 /* RFC7296 */
#define IKEV2_CERT_HASHURL_X509_BUNDLE 13 /* RFC7296 */
#define IKEV2_CERT_OCSP 14 /* RFC4806 */
/*
* As of November 2014, work was still in progress to add a more generic
* format for raw public keys (RFC7296), so we use a number in IANA's private
* use range (201-255, same RFC) for ECDSA.
*/
#define IKEV2_CERT_ECDSA 201 /* Private */
#define IKEV2_CERT_BUNDLE 254 /* Private */
extern struct iked_constmap ikev2_cert_map[];
/*
* TSi/TSr payloads
*/
/*
 * Traffic Selector payload header (TSi/TSr, RFC 7296 section 3.13),
 * followed by tsp_count ikev2_ts substructures.  tsp_count is 8 bits,
 * which is where IKEV2_MAXNUM_TSS comes from.
 * NOTE(review): RFC 7296 requires at least one selector per payload;
 * reject tsp_count == 0 and check each entry's ts_length against the
 * remaining payload before use.
 */
struct ikev2_tsp {
	uint8_t		 tsp_count;	/* Number of TSs that follow */
	uint8_t		 tsp_reserved[3];	/* Reserved, sent as zero */
	/* Followed by the traffic selectors */
} __packed;
/*
 * Traffic Selector substructure (RFC 7296 section 3.13.1): 8 bytes fixed,
 * followed by the starting and ending address, whose width is fixed by
 * ts_type (4 bytes each for IKEV2_TS_IPV4_ADDR_RANGE, 16 bytes each for
 * IKEV2_TS_IPV6_ADDR_RANGE).
 * NOTE(review): ts_length must equal this header plus two addresses of
 * the type's width, and start <= end must hold for both the port range
 * and the address range; a ts_protoid of 0 means any protocol.  Confirm
 * the parser checks these before the selector is compared with policy.
 */
struct ikev2_ts {
	uint8_t		 ts_type;	/* TS type (IKEV2_TS_*) */
	uint8_t		 ts_protoid;	/* IP protocol Id */
	uint16_t	 ts_length;	/* Length of this substructure incl. the addresses */
	uint16_t	 ts_startport;	/* Start port */
	uint16_t	 ts_endport;	/* End port */
} __packed;
#define IKEV2_TS_IPV4_ADDR_RANGE 7 /* RFC7296 */
#define IKEV2_TS_IPV6_ADDR_RANGE 8 /* RFC7296 */
#define IKEV2_TS_FC_ADDR_RANGE 9 /* RFC4595 */
extern struct iked_constmap ikev2_ts_map[];
/*
* AUTH payload
*/
/*
 * Authentication payload header (RFC 7296 section 3.8).  The authentication
 * data (signature or MAC) follows; its format depends on auth_method.
 * IKEV2_AUTH_SIG_ANY is an internal value and presumably never sent.
 * NOTE(review): auth_method is chosen by the peer.  The method found in a
 * received AUTH payload has to be checked against what the policy permits
 * (IKEV2_AUTH_NULL in particular must not be accepted unless configured)
 * before the data is verified -- confirm in the caller.
 */
struct ikev2_auth {
	uint8_t		 auth_method;	/* Signature type (IKEV2_AUTH_*) */
	uint8_t		 auth_reserved[3];	/* Reserved, sent as zero */
	/* Followed by the signature */
} __packed;
#define IKEV2_AUTH_NONE 0 /* None */
#define IKEV2_AUTH_RSA_SIG 1 /* RFC7296 */
#define IKEV2_AUTH_SHARED_KEY_MIC 2 /* RFC7296 */
#define IKEV2_AUTH_DSS_SIG 3 /* RFC7296 */
#define IKEV2_AUTH_ECDSA_256 9 /* RFC4754 */
#define IKEV2_AUTH_ECDSA_384 10 /* RFC4754 */
#define IKEV2_AUTH_ECDSA_521 11 /* RFC4754 */
#define IKEV2_AUTH_GSPM 12 /* RFC6467 */
#define IKEV2_AUTH_NULL 13 /* RFC7619 */
#define IKEV2_AUTH_SIG 14 /* RFC7427 */
#define IKEV2_AUTH_SIG_ANY 255 /* Internal (any signature) */
/*
* AUTH_SIG also serves as an indication that a given policy has
* been configured to accept RSA or ECDSA payloads, as long as it
* successfully authenticates against a configured CA.
*/
extern struct iked_constmap ikev2_auth_map[];
/* Notifications used together with IKEV2_AUTH_SIG */
#define IKEV2_SIGHASH_RESERVED 0 /* RFC7427 */
#define IKEV2_SIGHASH_SHA1 1 /* RFC7427 */
#define IKEV2_SIGHASH_SHA2_256 2 /* RFC7427 */
#define IKEV2_SIGHASH_SHA2_384 3 /* RFC7427 */
#define IKEV2_SIGHASH_SHA2_512 4 /* RFC7427 */
extern struct iked_constmap ikev2_sighash_map[];
/*
* CP payload
*/
/*
 * Configuration payload header (RFC 7296 section 3.15), followed by a list
 * of ikev2_cfg attributes.  cp_type says whether the payload is a request,
 * reply, set or ack.
 */
struct ikev2_cp {
	uint8_t		 cp_type;	/* CFG type (IKEV2_CP_*) */
	uint8_t		 cp_reserved[3];	/* Reserved, sent as zero */
	/* Followed by the attributes */
} __packed;
#define IKEV2_CP_REQUEST 1 /* CFG-Request */
#define IKEV2_CP_REPLY 2 /* CFG-Reply */
#define IKEV2_CP_SET 3 /* CFG-SET */
#define IKEV2_CP_ACK 4 /* CFG-ACK */
extern struct iked_constmap ikev2_cp_map[];
/*
 * Configuration attribute (RFC 7296 section 3.15.1).  cfg_type is a 15-bit
 * attribute type (IKEV2_CFG_*) whose top bit is reserved and must be zero;
 * cfg_length bytes of attribute data follow.
 * NOTE(review): cfg_length is peer-controlled and must be checked against
 * the remaining payload.  Address attributes have fixed expected lengths
 * (e.g. IKEV2_CFG_INTERNAL_IP4_ADDRESS is 4 bytes, or 0 in a request) --
 * confirm the parser enforces the per-type lengths.
 */
struct ikev2_cfg {
	uint16_t	 cfg_type;	/* Attribute type; first bit must be set to zero */
	uint16_t	 cfg_length;	/* Length of the data that follows */
	/* Followed by variable-length data */
} __packed;
#define IKEV2_CFG_INTERNAL_IP4_ADDRESS 1 /* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP4_NETMASK 2 /* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP4_DNS 3 /* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP4_NBNS 4 /* RFC7296 */
#define IKEV2_CFG_INTERNAL_ADDRESS_EXPIRY 5 /* RFC4306 */
#define IKEV2_CFG_INTERNAL_IP4_DHCP 6 /* RFC7296 */
#define IKEV2_CFG_APPLICATION_VERSION 7 /* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP6_ADDRESS 8 /* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP6_DNS 10 /* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP6_NBNS 11 /* RFC4306 */
#define IKEV2_CFG_INTERNAL_IP6_DHCP 12 /* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP4_SUBNET 13 /* RFC7296 */
#define IKEV2_CFG_SUPPORTED_ATTRIBUTES 14 /* RFC7296 */
#define IKEV2_CFG_INTERNAL_IP6_SUBNET 15 /* RFC7296 */
#define IKEV2_CFG_MIP6_HOME_PREFIX 16 /* RFC5026 */
#define IKEV2_CFG_INTERNAL_IP6_LINK 17 /* RFC5739 */
#define IKEV2_CFG_INTERNAL_IP6_PREFIX 18 /* RFC5739 */
#define IKEV2_CFG_HOME_AGENT_ADDRESS 19 /* http://www.3gpp.org/ftp/Specs/html-info/24302.htm */
#define IKEV2_CFG_INTERNAL_IP4_SERVER 23456 /* MS-IKEE */
#define IKEV2_CFG_INTERNAL_IP6_SERVER 23457 /* MS-IKEE */
extern struct iked_constmap ikev2_cfg_map[];
/* IKEv1 payload types */
#define IKEV1_PAYLOAD_NONE 0 /* No payload */
#define IKEV1_PAYLOAD_PROPOSAL 2 /* Proposal */
#endif /* IKED_IKEV2_H */