/* parsing packets: formats and tools
 *
 * Copyright (C) 1997 Angelos D. Keromytis.
 * Copyright (C) 1998-2001  D. Hugh Redelmeier.
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

#ifndef _PACKET_H
#define _PACKET_H
/* A struct_desc describes a structure for the struct I/O routines
 * (in_struct / out_struct, declared below).
 * This requires arrays of field_desc values to describe struct fields.
 *
 * `fields` is an array of field_desc, one per wire field, ended by an
 * entry of type ft_end (see enum field_type).
 * `size` is the size in bytes of the fixed portion.  Note that this is
 * NOT always sizeof() the corresponding C struct: where the fixed
 * portion is not a multiple of 4 octets the C struct carries trailing
 * padding, and a separate constant is used instead (see ISAKMP_CERT_SIZE
 * and ISAKMP_CR_SIZE further down).  Never feed sizeof() of a payload
 * struct to the wire as a length.
 */

typedef const struct struct_desc {
    const char *name;                   /* human-readable name, for diagnostics */
    const struct field_desc *fields;    /* ft_end-terminated field list */
    size_t size;                        /* bytes in the fixed portion (see above) */
} struct_desc;

/* Note: if an ft_af_enum field has the ISAKMP_ATTR_AF_TV bit set,
 * the subsequent ft_lv field will be interpreted as an immediate value.
 * This matches how attributes are encoded.
 * See RFC 2408 "ISAKMP" 3.3 and struct isakmp_attribute below.
 * (ft_af_loose_enum presumably pairs with ft_lv the same way — confirm
 * against the descriptor tables.)
 *
 * Field types that carry a length (ft_len, ft_lv in TLV form) are read
 * straight off the wire and are therefore attacker-controlled; the input
 * routines, not the descriptors, are responsible for bounding them by
 * the stream they came from.
 */

enum field_type {
    ft_mbz,             /* must be zero */
    ft_nat,             /* natural number (may be 0) */
    ft_len,             /* length of this struct and any following crud */
    ft_lv,              /* length/value field of attribute */
    ft_enum,            /* value from an enumeration */
    ft_loose_enum,      /* value from an enumeration with only some names known */
    ft_af_loose_enum,   /* Attribute Format + enumeration, some names known */
    ft_af_enum,         /* Attribute Format + value from an enumeration */
    ft_set,             /* bits representing set */
    ft_raw,             /* bytes to be left in network-order */
    ft_end,             /* end of field list */
};

/* One wire field of a struct_desc.
 * `desc` is interpreted according to field_type: an enum_names table
 * for the *_enum kinds, a char *[] of bit names for ft_set, and
 * presumably NULL for the rest.
 */
typedef const struct field_desc {
    enum field_type field_type;
    int size;           /* size, in bytes, of field (int, so keep descriptor sizes small and positive) */
    const char *name;   /* field name, for diagnostics */
    const void *desc;   /* enum_names for enum or char *[] for bits */
} field_desc;

/* The formatting of input and output of packets is done
 * through packet_byte_stream objects.
 * These describe a stream of bytes in memory.
 * Several routines are provided to manipulate these objects.
 * Actual packet transfer is done elsewhere.
 *
 * A pb_stream is a window [start, roof) onto a buffer that the caller
 * of init_pbs supplies, plus a cursor `cur`; nothing in this interface
 * allocates.  A payload nested inside another is described by a child
 * stream whose `container` is the stream it was carved from.
 */
typedef struct packet_byte_stream {
    struct packet_byte_stream *container;   /* PBS of which we are part */
    struct_desc *desc;                      /* describes the struct at start (if any) */
    const char *name;                       /* what does this PBS represent? */
    u_int8_t
        *start,
        *cur,       /* current position in stream */
        *roof;      /* byte after last in PBS (actually just a limit on output) */
    /* For an output PBS, the length field will be filled in later so
     * we need to record its particulars.  Note: it may not be aligned,
     * so it must be stored byte by byte — never through a u_int16_t *
     * or u_int32_t * cast of lenfld.
     */
    u_int8_t *lenfld;
    field_desc *lenfld_desc;
} pb_stream;

/* For an input PBS, pbs_offset is amount of stream processed.
 * For an output PBS, pbs_offset is current size of stream.
 * For an input PBS, pbs_room is size of stream.
 * For an output PBS, pbs_room is maximum size allowed.
 * pbs_left is the number of bytes between cur and roof.
 *
 * Each macro is a pointer difference cast to size_t, so it is only
 * meaningful while start <= cur <= roof.  If cur were ever advanced
 * past roof, pbs_left would wrap to a huge value instead of going
 * negative, so callers must check pbs_left() BEFORE advancing cur,
 * never rely on it afterwards.
 */
#define pbs_offset(pbs) ((size_t)((pbs)->cur - (pbs)->start))
#define pbs_room(pbs) ((size_t)((pbs)->roof - (pbs)->start))
#define pbs_left(pbs) ((size_t)((pbs)->roof - (pbs)->cur))

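/* init_pbs: make pbs describe the len bytes at start.
 * name is used in diagnostics.  The buffer stays owned by the caller.
 */
extern void init_pbs(pb_stream *pbs, u_int8_t *start, size_t len, const char *name);

/* Input side.
 * in_struct: read one sd-described structure from ins into struct_ptr.
 *   If obj_pbs is not NULL it is set up as a sub-stream (its container
 *   is ins) for the part of the payload that follows the fixed portion.
 * in_raw: copy len bytes from ins into bytes.
 * Both return FALSE (and log, presumably) on malformed or truncated
 * input; callers must check the result before using the output.
 */
extern bool in_struct(void *struct_ptr, struct_desc *sd,
    pb_stream *ins, pb_stream *obj_pbs);
extern bool in_raw(void *bytes, size_t len, pb_stream *ins, const char *name);

/* Output side.
 * out_struct: write the sd-described structure at struct_ptr to outs;
 *   with obj_pbs non-NULL, a sub-stream for the variable part is opened
 *   and must later be finished with close_output_pbs (which patches the
 *   recorded length field, see pb_stream.lenfld).
 * out_generic / out_generic_raw: write a generic payload header with
 *   next-payload np, the latter followed immediately by len raw bytes.
 * out_zero: write len 0x00 bytes.  out_raw: write len bytes verbatim.
 * All return FALSE if outs has no room.
 */
extern bool out_struct(const void *struct_ptr, struct_desc *sd,
    pb_stream *outs, pb_stream *obj_pbs);
extern bool out_generic(u_int8_t np, struct_desc *sd,
    pb_stream *outs, pb_stream *obj_pbs);
extern bool out_generic_raw(u_int8_t np, struct_desc *sd,
    pb_stream *outs, const void *bytes, size_t len, const char *name);
/* Emit a generic payload whose body is the chunk ch (anything with
 * .ptr and .len members).  Every argument is parenthesized, matching
 * out_chunk below, so expression arguments expand safely.
 */
#define out_generic_chunk(np, sd, outs, ch, name) \
    out_generic_raw((np), (sd), (outs), (ch).ptr, (ch).len, (name))
extern bool out_zero(size_t len, pb_stream *outs, const char *name);
extern bool out_raw(const void *bytes, size_t len, pb_stream *outs, const char *name);
#define out_chunk(ch, outs, name) out_raw((ch).ptr, (ch).len, (outs), (name))
extern void close_output_pbs(pb_stream *pbs);

#ifdef DEBUG
/* Dump struct_ptr as described by sd under the given label.
 * len_meaningful says whether the struct's ft_len field holds a real
 * value yet (on output it is patched in later) and so should be shown.
 */
extern void DBG_print_struct(const char *label, const void *struct_ptr,
    struct_desc *sd, bool len_meaningful);
#endif
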
/* ISAKMP Header: for all messages
 * layout from RFC 2408 "ISAKMP" section 3.1
 *
 *                      1                   2                   3
 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !                          Initiator                            !
 * !                            Cookie                             !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !                          Responder                            !
 * !                            Cookie                             !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !  Next Payload ! MjVer ! MnVer ! Exchange Type !     Flags     !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !                          Message ID                           !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !                            Length                             !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 *
 * Although the drafts are a little unclear, there are a few
 * places that specify that messages should be padded with 0x00
 * octets (bytes) to make the length a multiple of something.
 *
 * RFC 2408 "ISAKMP" 3.6 specifies that all messages will be
 * padded to be a multiple of 4 octets in length.
 * ??? This looks vestigial, and we ignore this requirement.
 *
 * RFC 2409 "IKE" Appendix B specifies:
 *     Each message should be padded up to the nearest block size
 *     using bytes containing 0x00.
 * ??? This does not appear to be limited to encrypted messages,
 * but it surely must be: the block size is meant to be the encryption
 * block size, and that is meaningless for a non-encrypted message.
 *
 * RFC 2409 "IKE" 5.3 specifies:
 *     Encrypted payloads are padded up to the nearest block size.
 *     All padding bytes, except for the last one, contain 0x00.  The
 *     last byte of the padding contains the number of the padding
 *     bytes used, excluding the last one.  Note that this means there
 *     will always be padding.
 * ??? This is nuts since payloads are not padded, messages are.
 * It also contradicts Appendix B.  So we ignore it.
 *
 * Summary: we pad encrypted output messages with 0x00 to bring them
 * up to a multiple of the encryption block size.  On input, we require
 * that any encrypted portion of a message be a multiple of the encryption
 * block size.  After any decryption, we ignore padding (any bytes after
 * the first payload that specifies a next payload of none; we don't
 * require them to be zero).
 *
 * NOTE(review): ignoring the trailing bytes is the lenient choice.  It
 * is only safe while every read of the decrypted body is bounded by the
 * PBS it came from rather than by isa_length alone — keep that property
 * when touching the input path.
 */

struct isakmp_hdr
{
    u_int8_t isa_icookie[COOKIE_SIZE];  /* COOKIE_SIZE is defined in another header;
                                         * two 32-bit words on the wire (see diagram) */
    u_int8_t isa_rcookie[COOKIE_SIZE];
    u_int8_t isa_np;        /* Next payload */
    u_int8_t isa_version;   /* high-order 4 bits: Major; low order 4: Minor */
#define ISA_MAJ_SHIFT 4
#define ISA_MIN_MASK (~((~0u) << ISA_MAJ_SHIFT))   /* 0x0F: the minor-version bits */
    u_int8_t isa_xchg;      /* Exchange type */
    u_int8_t isa_flags;
    u_int32_t isa_msgid;    /* Message ID (RAW: presumably kept in network order, cf. ft_raw) */
    u_int32_t isa_length;   /* Length of message.  Comes from the peer: it must be
                             * checked against the bytes actually received before
                             * anything is sized by it. */
};

extern struct_desc isakmp_hdr_desc;

/* Generic portion of all ISAKMP payloads.
 * layout from RFC 2408 "ISAKMP" section 3.2
 * This describes the first 32-bit chunk of all payloads.
 * The previous next payload depends on the actual payload type.
 *
 *                      1                   2                   3
 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * ! Next Payload  !   RESERVED    !         Payload Length        !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 *
 * Every payload struct in this file begins with these same three
 * fields; that common prefix is what makes union payload (at the end
 * of this file) usable for inspecting a payload before its type is known.
 */
struct isakmp_generic
{
    u_int8_t isag_np;           /* Next payload */
    u_int8_t isag_reserved;     /* RESERVED: zero per RFC 2408 */
    u_int16_t isag_length;      /* Payload length, including this 4-byte header (RFC 2408 3.2) */
};

extern struct_desc isakmp_generic_desc;

/* ISAKMP Data Attribute (generic representation within payloads)
 * layout from RFC 2408 "ISAKMP" section 3.3
 * This is not a payload type.
 * In TLV format, this is followed by a value field.
 *
 *                      1                   2                   3
 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !A!       Attribute Type        !    AF=0  Attribute Length     !
 * !F!                             !    AF=1  Attribute Value      !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * .                   AF=0  Attribute Value                       .
 * .                   AF=1  Not Transmitted                       .
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
struct isakmp_attribute
{
    /* The high order bit of isaat_af_type is the Attribute Format
     * If it is off, the format is TLV: lv is the length of the following
     * attribute value.
     * If it is on, the format is TV: lv is the value of the attribute.
     * ISAKMP_ATTR_AF_MASK is the mask in host form.
     *
     * The low order 15 bits of isaat_af_type is the Attribute Type.
     * ISAKMP_ATTR_RTYPE_MASK is the mask in host form.
     *
     * In TLV form lv is a peer-supplied length: whoever walks the value
     * must bound it by the enclosing payload before reading it.
     */
    u_int16_t isaat_af_type;    /* high order bit: AF; lower 15: rtype */
    u_int16_t isaat_lv;         /* Length or value */
};

/* Masks are in host byte order: apply them after the fields have been
 * converted from the wire, not to raw network-order bytes.
 */
#define ISAKMP_ATTR_AF_MASK 0x8000
#define ISAKMP_ATTR_AF_TV ISAKMP_ATTR_AF_MASK   /* value in lv */
#define ISAKMP_ATTR_AF_TLV 0                    /* length in lv; value follows */

#define ISAKMP_ATTR_RTYPE_MASK 0x7FFF

/* Two descriptors share struct isakmp_attribute: Oakley (phase 1)
 * attributes and IPsec DOI (phase 2) attributes use different type
 * enumerations.
 */
extern struct_desc
    isakmp_oakley_attribute_desc,
    isakmp_ipsec_attribute_desc;

/* ISAKMP Security Association Payload
 * layout from RFC 2408 "ISAKMP" section 3.4
 * A variable length Situation follows.
 * Previous next payload: ISAKMP_NEXT_SA
 *
 *                      1                   2                   3
 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * ! Next Payload  !   RESERVED    !         Payload Length        !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !                Domain of Interpretation  (DOI)                !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !                                                               !
 * ~                           Situation                           ~
 * !                                                               !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
struct isakmp_sa
{
    u_int8_t isasa_np;          /* Next payload */
    u_int8_t isasa_reserved;
    u_int16_t isasa_length;     /* Payload length */
    u_int32_t isasa_doi;        /* DOI */
};

extern struct_desc isakmp_sa_desc;

/* The IPsec DOI Situation that follows the SA header (RFC 2407).
 * Proposal payloads follow the Situation.
 */
extern struct_desc ipsec_sit_desc;

/* ISAKMP Proposal Payload
 * layout from RFC 2408 "ISAKMP" section 3.5
 * A variable length SPI follows.
 * Previous next payload: ISAKMP_NEXT_P
 *
 *                      1                   2                   3
 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * ! Next Payload  !   RESERVED    !         Payload Length        !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !  Proposal #   !  Protocol-Id  !    SPI Size   !# of Transforms!
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !                        SPI (variable)                         !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 *
 * isap_spisize and isap_notrans are peer-supplied counts that drive
 * how much of the payload is read next (the SPI bytes, then that many
 * Transform payloads); both must be checked against isap_length and
 * the enclosing stream by the consumer.
 */
struct isakmp_proposal
{
    u_int8_t isap_np;
    u_int8_t isap_reserved;
    u_int16_t isap_length;
    u_int8_t isap_proposal;     /* Proposal number */
    u_int8_t isap_protoid;      /* Protocol-Id (ISAKMP, AH, ESP, IPCOMP) */
    u_int8_t isap_spisize;      /* bytes of SPI that follow the fixed portion */
    u_int8_t isap_notrans;      /* Number of transforms */
};

extern struct_desc isakmp_proposal_desc;

/* ISAKMP Transform Payload
 * layout from RFC 2408 "ISAKMP" section 3.6
 * Variable length SA Attributes follow.
 * Previous next payload: ISAKMP_NEXT_T
 *
 *                      1                   2                   3
 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * ! Next Payload  !   RESERVED    !         Payload Length        !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !  Transform #  !  Transform-Id !           RESERVED2           !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !                                                               !
 * ~                        SA Attributes                          ~
 * !                                                               !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 *
 * The attributes that follow are struct isakmp_attribute items (TV or
 * TLV) filling the rest of isat_length.
 */
struct isakmp_transform
{
    u_int8_t isat_np;
    u_int8_t isat_reserved;
    u_int16_t isat_length;
    u_int8_t isat_transnum;     /* Number of the transform */
    u_int8_t isat_transid;      /* Transform-Id; meaning depends on the proposal's Protocol-Id */
    u_int16_t isat_reserved2;
};

/* One descriptor per Protocol-Id, because the Transform-Id field is
 * drawn from a different enumeration for each.
 */
extern struct_desc
    isakmp_isakmp_transform_desc,
    isakmp_ah_transform_desc,
    isakmp_esp_transform_desc,
    isakmp_ipcomp_transform_desc;

/* ISAKMP Key Exchange Payload: no fixed fields beyond the generic ones.
 * layout from RFC 2408 "ISAKMP" section 3.7
 * Variable Key Exchange Data follow the generic fields.
 * Previous next payload: ISAKMP_NEXT_KE
 *
 *                      1                   2                   3
 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * ! Next Payload  !   RESERVED    !         Payload Length        !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !                                                               !
 * ~                       Key Exchange Data                       ~
 * !                                                               !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 *
 * There is no dedicated struct: struct isakmp_generic is the fixed
 * portion, and this descriptor names it for diagnostics.
 */
extern struct_desc isakmp_keyex_desc;

/* ISAKMP Identification Payload
 * layout from RFC 2408 "ISAKMP" section 3.8
 * See "struct identity" declared later.
 * Variable length Identification Data follow.
 * Previous next payload: ISAKMP_NEXT_ID
 *
 *                      1                   2                   3
 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * ! Next Payload  !   RESERVED    !         Payload Length        !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !   ID Type     !             DOI Specific ID Data              !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !                                                               !
 * ~                   Identification Data                         ~
 * !                                                               !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 *
 * This is the DOI-neutral view of the payload (used in Main Mode, per
 * union payload below); struct isakmp_ipsec_id is the IPsec-DOI view
 * of the same 8 bytes with the 24-bit DOI-specific field split up.
 */
struct isakmp_id
{
    u_int8_t isaid_np;
    u_int8_t isaid_reserved;
    u_int16_t isaid_length;
    u_int8_t isaid_idtype;              /* ID Type */
    u_int8_t isaid_doi_specific_a;      /* first byte of DOI Specific ID Data */
    u_int16_t isaid_doi_specific_b;     /* remaining two bytes of DOI Specific ID Data */
};

extern struct_desc isakmp_identification_desc;

/* IPSEC Identification Payload Content
 * layout from RFC 2407 "IPsec DOI" section 4.6.2
 * See struct isakmp_id declared earlier.
 * Note: Hashing skips the ISAKMP generic payload header
 * Variable length Identification Data follow.
 *
 *                      1                   2                   3
 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * ! Next Payload  !   RESERVED    !         Payload Length        !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !   ID Type     !  Protocol ID  !             Port              !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * ~                     Identification Data                       ~
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 *
 * "Hashing skips the generic header": the authentication hash covers
 * the payload from the ID Type byte onward, so anything that computes
 * it must start 4 bytes past the beginning of this struct.
 */
struct isakmp_ipsec_id
{
    u_int8_t isaiid_np;
    u_int8_t isaiid_reserved;
    u_int16_t isaiid_length;
    u_int8_t isaiid_idtype;     /* ID Type */
    u_int8_t isaiid_protoid;    /* Protocol ID */
    u_int16_t isaiid_port;      /* Port */
};

extern struct_desc isakmp_ipsec_identification_desc;

/* ISAKMP Certificate Payload: one fixed byte beyond the generic ones.
 * layout from RFC 2408 "ISAKMP" section 3.9
 * Variable length Certificate Data follow the Cert Encoding byte.
 * Previous next payload: ISAKMP_NEXT_CERT.
 *
 *                      1                   2                   3
 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * ! Next Payload  !   RESERVED    !         Payload Length        !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * ! Cert Encoding !                                               !
 * +-+-+-+-+-+-+-+-+                                               !
 * ~                       Certificate Data                        ~
 * !                                                               !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
struct isakmp_cert
{
    u_int8_t isacert_np;
    u_int8_t isacert_reserved;
    u_int16_t isacert_length;
    u_int8_t isacert_type;      /* Cert Encoding */
};

/* NOTE: this packet type has a fixed portion that is not a
 * multiple of 4 octets.  This means that sizeof(struct isakmp_cert)
 * yields the wrong value for the length (the compiler pads the struct
 * to 8 bytes, but only 5 are on the wire).  Use ISAKMP_CERT_SIZE for
 * the wire size and for struct_desc.size.
 */
#define ISAKMP_CERT_SIZE 5

extern struct_desc isakmp_ipsec_certificate_desc;

/* ISAKMP Certificate Request Payload: one fixed byte beyond the generic ones.
 * layout from RFC 2408 "ISAKMP" section 3.10
 * Variable length Certificate Authority data follows the Cert. Type byte.
 * Previous next payload: ISAKMP_NEXT_CR.
 *
 *                      1                   2                   3
 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * ! Next Payload  !   RESERVED    !         Payload Length        !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !  Cert. Type   !                                               !
 * +-+-+-+-+-+-+-+-+                                               !
 * ~                     Certificate Authority                     ~
 * !                                                               !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
struct isakmp_cr
{
    u_int8_t isacr_np;
    u_int8_t isacr_reserved;
    u_int16_t isacr_length;
    u_int8_t isacr_type;        /* Cert. Type */
};

/* NOTE: this packet type has a fixed portion that is not a
 * multiple of 4 octets.  This means that sizeof(struct isakmp_cr)
 * yields the wrong value for the length (the compiler pads the struct
 * to 8 bytes, but only 5 are on the wire).  Use ISAKMP_CR_SIZE for
 * the wire size and for struct_desc.size.
 */
#define ISAKMP_CR_SIZE 5

extern struct_desc isakmp_ipsec_cert_req_desc;

/* ISAKMP Hash Payload: no fixed fields beyond the generic ones.
 * layout from RFC 2408 "ISAKMP" section 3.11
 * Variable length Hash Data follow.
 * Previous next payload: ISAKMP_NEXT_HASH.
 *
 *                      1                   2                   3
 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * ! Next Payload  !   RESERVED    !         Payload Length        !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !                                                               !
 * ~                           Hash Data                           ~
 * !                                                               !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 *
 * Fixed portion is struct isakmp_generic; the hash bytes are whatever
 * remains of the payload length.
 */
extern struct_desc isakmp_hash_desc;

/* ISAKMP Signature Payload: no fixed fields beyond the generic ones.
 * layout from RFC 2408 "ISAKMP" section 3.12
 * Variable length Signature Data follow.
 * Previous next payload: ISAKMP_NEXT_SIG.
 *
 *                      1                   2                   3
 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * ! Next Payload  !   RESERVED    !         Payload Length        !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !                                                               !
 * ~                         Signature Data                        ~
 * !                                                               !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 *
 * Fixed portion is struct isakmp_generic; the signature bytes are
 * whatever remains of the payload length.
 */
extern struct_desc isakmp_signature_desc;

/* ISAKMP Nonce Payload: no fixed fields beyond the generic ones.
 * layout from RFC 2408 "ISAKMP" section 3.13
 * Variable length Nonce Data follow.
 * Previous next payload: ISAKMP_NEXT_NONCE.
 *
 *                      1                   2                   3
 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * ! Next Payload  !   RESERVED    !         Payload Length        !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !                                                               !
 * ~                          Nonce Data                           ~
 * !                                                               !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 *
 * Fixed portion is struct isakmp_generic; the nonce bytes are whatever
 * remains of the payload length.
 */
extern struct_desc isakmp_nonce_desc;

/* ISAKMP Notification Payload
 * layout from RFC 2408 "ISAKMP" section 3.14
 * This is followed by a variable length SPI
 * and then possibly by variable length Notification Data.
 * Previous next payload: ISAKMP_NEXT_N
 *
 *                      1                   2                   3
 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * ! Next Payload  !   RESERVED    !         Payload Length        !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !                Domain of Interpretation  (DOI)                !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !  Protocol-ID  !   SPI Size    !      Notify Message Type      !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !                                                               !
 * ~                Security Parameter Index (SPI)                 ~
 * !                                                               !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !                                                               !
 * ~                       Notification Data                       ~
 * !                                                               !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 *
 * isan_spisize is peer-supplied: the SPI bytes and the Notification
 * Data after them can only be located once spisize has been checked
 * against isan_length.
 */
struct isakmp_notification
{
    u_int8_t isan_np;
    u_int8_t isan_reserved;
    u_int16_t isan_length;
    u_int32_t isan_doi;         /* Domain of Interpretation */
    u_int8_t isan_protoid;      /* Protocol-ID */
    u_int8_t isan_spisize;      /* SPI Size: bytes of SPI following the fixed portion */
    u_int16_t isan_type;        /* Notify Message Type */
};

extern struct_desc isakmp_notification_desc;

/* ISAKMP Delete Payload
 * layout from RFC 2408 "ISAKMP" section 3.15
 * This is followed by isad_nospi SPIs of isad_spisize bytes each.
 * Previous next payload: ISAKMP_NEXT_D
 *
 *                      1                   2                   3
 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * ! Next Payload  !   RESERVED    !         Payload Length        !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !                Domain of Interpretation  (DOI)                !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !  Protocol-Id  !   SPI Size    !           # of SPIs           !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !                                                               !
 * ~               Security Parameter Index(es) (SPI)              ~
 * !                                                               !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 *
 * Both counts come from the peer.  The consumer must verify that
 * isad_nospi * isad_spisize fits inside isad_length before walking
 * the SPI list (the product is at most 255 * 65535 and so cannot
 * overflow a 32-bit size, but it can easily exceed the payload).
 */
struct isakmp_delete
{
    u_int8_t isad_np;
    u_int8_t isad_reserved;
    u_int16_t isad_length;
    u_int32_t isad_doi;         /* Domain of Interpretation */
    u_int8_t isad_protoid;      /* Protocol-Id */
    u_int8_t isad_spisize;      /* SPI Size: bytes per SPI */
    u_int16_t isad_nospi;       /* # of SPIs that follow */
};

extern struct_desc isakmp_delete_desc;

/* ISAKMP Attribute Payload (Mode Config)
 * From draft-dukes-ike-mode-cfg, section 3.2 "Attribute Payload".
 * Variable length Attributes (struct isakmp_attribute items) follow.
 *
 *                      1                   2                   3
 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * ! Next Payload  !   RESERVED    !         Payload Length        !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !     Type      !   RESERVED    !           Identifier          !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !                                                               !
 * !                                                               !
 * ~                          Attributes                           ~
 * !                                                               !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 */
struct isakmp_mode_attr
{
    u_int8_t isama_np;
    u_int8_t isama_reserved;
    u_int16_t isama_length;
    u_int8_t isama_type;            /* Type (request/reply/set/ack) */
    u_int8_t isama_reserved2;
    u_int16_t isama_identifier;     /* Identifier: ties a reply to its request */
};

/* isakmp_attr_desc describes the payload header above;
 * isakmp_modecfg_attribute_desc describes each struct isakmp_attribute
 * that follows it.
 */
extern struct_desc isakmp_attr_desc;
extern struct_desc isakmp_modecfg_attribute_desc;

/* ISAKMP Vendor ID Payload: no fixed fields beyond the generic ones.
 * layout from RFC 2408 "ISAKMP" section 3.16
 * This is followed by a variable length VID.
 * Previous next payload: ISAKMP_NEXT_VID
 *
 *                      1                   2                   3
 *  0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * ! Next Payload  !   RESERVED    !         Payload Length        !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 * !                                                               !
 * ~                        Vendor ID (VID)                        ~
 * !                                                               !
 * +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
 *
 * Fixed portion is struct isakmp_generic.  Vendor IDs are opaque
 * byte strings from the peer; compare them by length and content,
 * never treat them as C strings.
 */
extern struct_desc isakmp_vendor_id_desc;

/* NAT Original Address (NAT-OA) payload, from IKE NAT-Traversal
 * (draft-ietf-ipsec-nat-t-ike / RFC 3947).
 * After the generic header: an ID Type byte, three reserved bytes,
 * then the original address (variable length, 4 or 16 bytes depending
 * on ID Type).  No RFC diagram is reproduced here; the layout is read
 * off the struct — confirm against the draft when changing it.
 */
struct isakmp_nat_oa
{
    u_int8_t isanoa_np;
    u_int8_t isanoa_reserved_1;
    u_int16_t isanoa_length;
    u_int8_t isanoa_idtype;         /* ID Type of the address that follows */
    u_int8_t isanoa_reserved_2;
    u_int16_t isanoa_reserved_3;
};

/* NAT-D (NAT Discovery) carries only a hash after the generic header,
 * so it has no struct of its own.  Note these two descriptors lack the
 * _desc suffix the rest of this file uses; they are kept as-is for
 * existing callers.
 */
extern struct_desc isakmp_nat_d;
extern struct_desc isakmp_nat_oa;

/* union of all payloads
 *
 * Every member starts with the generic np/reserved/length triple, so a
 * payload can be read into `generic` first and reinterpreted once its
 * type is known.  sizeof(union payload) is the largest member's padded
 * size and is never a wire length; cert and cr in particular occupy
 * only 5 bytes on the wire (see ISAKMP_CERT_SIZE, ISAKMP_CR_SIZE).
 */

union payload {
    struct isakmp_generic generic;
    struct isakmp_sa sa;
    struct isakmp_proposal proposal;
    struct isakmp_transform transform;
    struct isakmp_id id;                /* Main Mode */
    struct isakmp_cert cert;
    struct isakmp_cr cr;
    struct isakmp_ipsec_id ipsec_id;    /* Quick Mode */
    struct isakmp_notification notification;
    struct isakmp_delete delete;
    struct isakmp_nat_oa nat_oa;
    struct isakmp_mode_attr attribute;
};

/* descriptor for each payload type, indexed by next-payload number.
 *
 * There is a slight problem in that some payloads differ, depending
 * on the mode.  Since this table is only used for top-level payloads,
 * Proposal and Transform payloads need not be handled.
 * That leaves only Identification payloads as a problem;
 * we make those entries NULL.
 *
 * Callers must range-check the next-payload value (< ISAKMP_NEXT_ROOF)
 * before indexing, and must handle a NULL entry: both an unknown
 * payload number and a NULL slot are reachable from peer input.
 */
extern struct_desc *const payload_descs[ISAKMP_NEXT_ROOF];

#endif /* _PACKET_H */