1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
|
/* parsing packets: formats and tools
* Copyright (C) 1997 Angelos D. Keromytis.
* Copyright (C) 1998-2001 D. Hugh Redelmeier.
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
#ifndef _PACKET_H
#define _PACKET_H
/* a struct_desc describes a structure for the struct I/O routines.
* This requires arrays of field_desc values to describe struct fields.
*/
typedef const struct struct_desc {
const char *name;
const struct field_desc *fields;
size_t size;
} struct_desc;
/* Note: if an ft_af_enum field has the ISAKMP_ATTR_AF_TV bit set,
* the subsequent ft_lv field will be interpreted as an immediate value.
* This matches how attributes are encoded.
* See RFC 2408 "ISAKMP" 3.3
*/
enum field_type {
ft_mbz, /* must be zero */
ft_nat, /* natural number (may be 0) */
ft_len, /* length of this struct and any following crud */
ft_lv, /* length/value field of attribute */
ft_enum, /* value from an enumeration */
ft_loose_enum, /* value from an enumeration with only some names known */
ft_af_loose_enum, /* Attribute Format + enumeration, some names known */
ft_af_enum, /* Attribute Format + value from an enumeration */
ft_set, /* bits representing set */
ft_raw, /* bytes to be left in network-order */
ft_end, /* end of field list */
};
typedef const struct field_desc {
enum field_type field_type;
int size; /* size, in bytes, of field */
const char *name;
const void *desc; /* enum_names for enum or char *[] for bits */
} field_desc;
/* The formatting of input and output of packets is done
* through packet_byte_stream objects.
* These describe a stream of bytes in memory.
* Several routines are provided to manipulate these objects
* Actual packet transfer is done elsewhere.
*/
typedef struct packet_byte_stream {
struct packet_byte_stream *container; /* PBS of which we are part */
struct_desc *desc;
const char *name; /* what does this PBS represent? */
u_int8_t
*start,
*cur, /* current position in stream */
*roof; /* byte after last in PBS (actually just a limit on output) */
/* For an output PBS, the length field will be filled in later so
* we need to record its particulars. Note: it may not be aligned.
*/
u_int8_t *lenfld;
field_desc *lenfld_desc;
} pb_stream;
/* For an input PBS, pbs_offset is amount of stream processed.
* For an output PBS, pbs_offset is current size of stream.
* For an input PBS, pbs_room is size of stream.
* For an output PBS, pbs_room is maximum size allowed.
*/
#define pbs_offset(pbs) ((size_t)((pbs)->cur - (pbs)->start))
#define pbs_room(pbs) ((size_t)((pbs)->roof - (pbs)->start))
#define pbs_left(pbs) ((size_t)((pbs)->roof - (pbs)->cur))
extern void init_pbs(pb_stream *pbs, u_int8_t *start, size_t len, const char *name);
extern bool in_struct(void *struct_ptr, struct_desc *sd,
pb_stream *ins, pb_stream *obj_pbs);
extern bool in_raw(void *bytes, size_t len, pb_stream *ins, const char *name);
extern bool out_struct(const void *struct_ptr, struct_desc *sd,
pb_stream *outs, pb_stream *obj_pbs);
extern bool out_generic(u_int8_t np, struct_desc *sd,
pb_stream *outs, pb_stream *obj_pbs);
extern bool out_generic_raw(u_int8_t np, struct_desc *sd,
pb_stream *outs, const void *bytes, size_t len, const char *name);
#define out_generic_chunk(np, sd, outs, ch, name) \
out_generic_raw(np, sd, outs, (ch).ptr, (ch).len, name)
extern bool out_zero(size_t len, pb_stream *outs, const char *name);
extern bool out_raw(const void *bytes, size_t len, pb_stream *outs, const char *name);
#define out_chunk(ch, outs, name) out_raw((ch).ptr, (ch).len, (outs), (name))
extern void close_output_pbs(pb_stream *pbs);
#ifdef DEBUG
extern void DBG_print_struct(const char *label, const void *struct_ptr,
struct_desc *sd, bool len_meaningful);
#endif
/* ISAKMP Header: for all messages
* layout from RFC 2408 "ISAKMP" section 3.1
* 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Initiator !
* ! Cookie !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Responder !
* ! Cookie !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Next Payload ! MjVer ! MnVer ! Exchange Type ! Flags !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Message ID !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Length !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* Although the drafts are a little unclear, there are a few
* places that specify that messages should be padded with 0x00
* octets (bytes) to make the length a multiple of something.
*
* RFC 2408 "ISAKMP" 3.6 specifies that all messages will be
* padded to be a multiple of 4 octets in length.
* ??? This looks vestigial, and we ignore this requirement.
*
* RFC 2409 "IKE" Appedix B specifies:
* Each message should be padded up to the nearest block size
* using bytes containing 0x00.
* ??? This does not appear to be limited to encrypted messages,
* but it surely must be: the block size is meant to be the encryption
* block size, and that is meaningless for a non-encrypted message.
*
* RFC 2409 "IKE" 5.3 specifies:
* Encrypted payloads are padded up to the nearest block size.
* All padding bytes, except for the last one, contain 0x00. The
* last byte of the padding contains the number of the padding
* bytes used, excluding the last one. Note that this means there
* will always be padding.
* ??? This is nuts since payloads are not padded, messages are.
* It also contradicts Appendix B. So we ignore it.
*
* Summary: we pad encrypted output messages with 0x00 to bring them
* up to a multiple of the encryption block size. On input, we require
* that any encrypted portion of a message be a multiple of the encryption
* block size. After any decryption, we ignore padding (any bytes after
* the first payload that specifies a next payload of none; we don't
* require them to be zero).
*/
struct isakmp_hdr
{
u_int8_t isa_icookie[COOKIE_SIZE];
u_int8_t isa_rcookie[COOKIE_SIZE];
u_int8_t isa_np; /* Next payload */
u_int8_t isa_version; /* high-order 4 bits: Major; low order 4: Minor */
#define ISA_MAJ_SHIFT 4
#define ISA_MIN_MASK (~((~0u) << ISA_MAJ_SHIFT))
u_int8_t isa_xchg; /* Exchange type */
u_int8_t isa_flags;
u_int32_t isa_msgid; /* Message ID (RAW) */
u_int32_t isa_length; /* Length of message */
};
extern struct_desc isakmp_hdr_desc;
/* Generic portion of all ISAKMP payloads.
* layout from RFC 2408 "ISAKMP" section 3.2
* This describes the first 32-bit chunk of all payloads.
* The previous next payload depends on the actual payload type.
* 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Next Payload ! RESERVED ! Payload Length !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp_generic
{
u_int8_t isag_np;
u_int8_t isag_reserved;
u_int16_t isag_length;
};
extern struct_desc isakmp_generic_desc;
/* ISAKMP Data Attribute (generic representation within payloads)
* layout from RFC 2408 "ISAKMP" section 3.3
* This is not a payload type.
* In TLV format, this is followed by a value field.
* 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* !A! Attribute Type ! AF=0 Attribute Length !
* !F! ! AF=1 Attribute Value !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* . AF=0 Attribute Value .
* . AF=1 Not Transmitted .
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp_attribute
{
/* The high order bit of isaat_af_type is the Attribute Format
* If it is off, the format is TLV: lv is the length of the following
* attribute value.
* If it is on, the format is TV: lv is the value of the attribute.
* ISAKMP_ATTR_AF_MASK is the mask in host form.
*
* The low order 15 bits of isaat_af_type is the Attribute Type.
* ISAKMP_ATTR_RTYPE_MASK is the mask in host form.
*/
u_int16_t isaat_af_type; /* high order bit: AF; lower 15: rtype */
u_int16_t isaat_lv; /* Length or value */
};
#define ISAKMP_ATTR_AF_MASK 0x8000
#define ISAKMP_ATTR_AF_TV ISAKMP_ATTR_AF_MASK /* value in lv */
#define ISAKMP_ATTR_AF_TLV 0 /* length in lv; value follows */
#define ISAKMP_ATTR_RTYPE_MASK 0x7FFF
extern struct_desc
isakmp_oakley_attribute_desc,
isakmp_ipsec_attribute_desc;
/* ISAKMP Security Association Payload
* layout from RFC 2408 "ISAKMP" section 3.4
* A variable length Situation follows.
* Previous next payload: ISAKMP_NEXT_SA
* 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Next Payload ! RESERVED ! Payload Length !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Domain of Interpretation (DOI) !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! !
* ~ Situation ~
* ! !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp_sa
{
u_int8_t isasa_np; /* Next payload */
u_int8_t isasa_reserved;
u_int16_t isasa_length; /* Payload length */
u_int32_t isasa_doi; /* DOI */
};
extern struct_desc isakmp_sa_desc;
extern struct_desc ipsec_sit_desc;
/* ISAKMP Proposal Payload
* layout from RFC 2408 "ISAKMP" section 3.5
* A variable length SPI follows.
* Previous next payload: ISAKMP_NEXT_P
* 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Next Payload ! RESERVED ! Payload Length !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Proposal # ! Protocol-Id ! SPI Size !# of Transforms!
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! SPI (variable) !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp_proposal
{
u_int8_t isap_np;
u_int8_t isap_reserved;
u_int16_t isap_length;
u_int8_t isap_proposal;
u_int8_t isap_protoid;
u_int8_t isap_spisize;
u_int8_t isap_notrans; /* Number of transforms */
};
extern struct_desc isakmp_proposal_desc;
/* ISAKMP Transform Payload
* layout from RFC 2408 "ISAKMP" section 3.6
* Variable length SA Attributes follow.
* Previous next payload: ISAKMP_NEXT_T
* 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Next Payload ! RESERVED ! Payload Length !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Transform # ! Transform-Id ! RESERVED2 !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! !
* ~ SA Attributes ~
* ! !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp_transform
{
u_int8_t isat_np;
u_int8_t isat_reserved;
u_int16_t isat_length;
u_int8_t isat_transnum; /* Number of the transform */
u_int8_t isat_transid;
u_int16_t isat_reserved2;
};
extern struct_desc
isakmp_isakmp_transform_desc,
isakmp_ah_transform_desc,
isakmp_esp_transform_desc,
isakmp_ipcomp_transform_desc;
/* ISAKMP Key Exchange Payload: no fixed fields beyond the generic ones.
* layout from RFC 2408 "ISAKMP" section 3.7
* Variable Key Exchange Data follow the generic fields.
* Previous next payload: ISAKMP_NEXT_KE
* 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Next Payload ! RESERVED ! Payload Length !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! !
* ~ Key Exchange Data ~
* ! !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
extern struct_desc isakmp_keyex_desc;
/* ISAKMP Identification Payload
* layout from RFC 2408 "ISAKMP" section 3.8
* See "struct identity" declared later.
* Variable length Identification Data follow.
* Previous next payload: ISAKMP_NEXT_ID
* 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Next Payload ! RESERVED ! Payload Length !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! ID Type ! DOI Specific ID Data !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! !
* ~ Identification Data ~
* ! !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp_id
{
u_int8_t isaid_np;
u_int8_t isaid_reserved;
u_int16_t isaid_length;
u_int8_t isaid_idtype;
u_int8_t isaid_doi_specific_a;
u_int16_t isaid_doi_specific_b;
};
extern struct_desc isakmp_identification_desc;
/* IPSEC Identification Payload Content
* layout from RFC 2407 "IPsec DOI" section 4.6.2
* See struct isakmp_id declared earlier.
* Note: Hashing skips the ISAKMP generic payload header
* Variable length Identification Data follow.
* 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Next Payload ! RESERVED ! Payload Length !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! ID Type ! Protocol ID ! Port !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ~ Identification Data ~
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp_ipsec_id
{
u_int8_t isaiid_np;
u_int8_t isaiid_reserved;
u_int16_t isaiid_length;
u_int8_t isaiid_idtype;
u_int8_t isaiid_protoid;
u_int16_t isaiid_port;
};
extern struct_desc isakmp_ipsec_identification_desc;
/* ISAKMP Certificate Payload: no fixed fields beyond the generic ones.
* layout from RFC 2408 "ISAKMP" section 3.9
* Variable length Certificate Data follow the generic fields.
* Previous next payload: ISAKMP_NEXT_CERT.
* 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Next Payload ! RESERVED ! Payload Length !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Cert Encoding ! !
* +-+-+-+-+-+-+-+-+ !
* ~ Certificate Data ~
* ! !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp_cert
{
u_int8_t isacert_np;
u_int8_t isacert_reserved;
u_int16_t isacert_length;
u_int8_t isacert_type;
};
/* NOTE: this packet type has a fixed portion that is not a
* multiple of 4 octets. This means that sizeof(struct isakmp_cert)
* yields the wrong value for the length.
*/
#define ISAKMP_CERT_SIZE 5
extern struct_desc isakmp_ipsec_certificate_desc;
/* ISAKMP Certificate Request Payload: no fixed fields beyond the generic ones.
* layout from RFC 2408 "ISAKMP" section 3.10
* Variable length Certificate Types and Certificate Authorities follow.
* Previous next payload: ISAKMP_NEXT_CR.
* 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Next Payload ! RESERVED ! Payload Length !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Cert. Type ! !
* +-+-+-+-+-+-+-+-+ !
* ~ Certificate Authority ~
* ! !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp_cr
{
u_int8_t isacr_np;
u_int8_t isacr_reserved;
u_int16_t isacr_length;
u_int8_t isacr_type;
};
/* NOTE: this packet type has a fixed portion that is not a
* multiple of 4 octets. This means that sizeof(struct isakmp_cr)
* yields the wrong value for the length.
*/
#define ISAKMP_CR_SIZE 5
extern struct_desc isakmp_ipsec_cert_req_desc;
/* ISAKMP Hash Payload: no fixed fields beyond the generic ones.
* layout from RFC 2408 "ISAKMP" section 3.11
* Variable length Hash Data follow.
* Previous next payload: ISAKMP_NEXT_HASH.
* 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Next Payload ! RESERVED ! Payload Length !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! !
* ~ Hash Data ~
* ! !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
extern struct_desc isakmp_hash_desc;
/* ISAKMP Signature Payload: no fixed fields beyond the generic ones.
* layout from RFC 2408 "ISAKMP" section 3.12
* Variable length Signature Data follow.
* Previous next payload: ISAKMP_NEXT_SIG.
* 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Next Payload ! RESERVED ! Payload Length !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! !
* ~ Signature Data ~
* ! !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
extern struct_desc isakmp_signature_desc;
/* ISAKMP Nonce Payload: no fixed fields beyond the generic ones.
* layout from RFC 2408 "ISAKMP" section 3.13
* Variable length Nonce Data follow.
* Previous next payload: ISAKMP_NEXT_NONCE.
* 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Next Payload ! RESERVED ! Payload Length !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! !
* ~ Nonce Data ~
* ! !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
extern struct_desc isakmp_nonce_desc;
/* ISAKMP Notification Payload
* layout from RFC 2408 "ISAKMP" section 3.14
* This is followed by a variable length SPI
* and then possibly by variable length Notification Data.
* Previous next payload: ISAKMP_NEXT_N
* 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Next Payload ! RESERVED ! Payload Length !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Domain of Interpretation (DOI) !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Protocol-ID ! SPI Size ! Notify Message Type !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! !
* ~ Security Parameter Index (SPI) ~
* ! !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! !
* ~ Notification Data ~
* ! !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp_notification
{
u_int8_t isan_np;
u_int8_t isan_reserved;
u_int16_t isan_length;
u_int32_t isan_doi;
u_int8_t isan_protoid;
u_int8_t isan_spisize;
u_int16_t isan_type;
};
extern struct_desc isakmp_notification_desc;
/* ISAKMP Delete Payload
* layout from RFC 2408 "ISAKMP" section 3.15
* This is followed by a variable length SPI.
* Previous next payload: ISAKMP_NEXT_D
* 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Next Payload ! RESERVED ! Payload Length !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Domain of Interpretation (DOI) !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Protocol-Id ! SPI Size ! # of SPIs !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! !
* ~ Security Parameter Index(es) (SPI) ~
* ! !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp_delete
{
u_int8_t isad_np;
u_int8_t isad_reserved;
u_int16_t isad_length;
u_int32_t isad_doi;
u_int8_t isad_protoid;
u_int8_t isad_spisize;
u_int16_t isad_nospi;
};
extern struct_desc isakmp_delete_desc;
/* From draft-dukes-ike-mode-cfg
3.2. Attribute Payload
1 2 3
0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Next Payload ! RESERVED ! Payload Length !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! Type ! RESERVED ! Identifier !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
! !
! !
~ Attributes ~
! !
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
struct isakmp_mode_attr
{
u_int8_t isama_np;
u_int8_t isama_reserved;
u_int16_t isama_length;
u_int8_t isama_type;
u_int8_t isama_reserved2;
u_int16_t isama_identifier;
};
extern struct_desc isakmp_attr_desc;
extern struct_desc isakmp_modecfg_attribute_desc;
/* ISAKMP Vendor ID Payload
* layout from RFC 2408 "ISAKMP" section 3.15
* This is followed by a variable length VID.
* Previous next payload: ISAKMP_NEXT_VID
* 1 2 3
* 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! Next Payload ! RESERVED ! Payload Length !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
* ! !
* ~ Vendor ID (VID) ~
* ! !
* +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
*/
extern struct_desc isakmp_vendor_id_desc;
struct isakmp_nat_oa
{
u_int8_t isanoa_np;
u_int8_t isanoa_reserved_1;
u_int16_t isanoa_length;
u_int8_t isanoa_idtype;
u_int8_t isanoa_reserved_2;
u_int16_t isanoa_reserved_3;
};
extern struct_desc isakmp_nat_d;
extern struct_desc isakmp_nat_oa;
/* union of all payloads */
union payload {
struct isakmp_generic generic;
struct isakmp_sa sa;
struct isakmp_proposal proposal;
struct isakmp_transform transform;
struct isakmp_id id; /* Main Mode */
struct isakmp_cert cert;
struct isakmp_cr cr;
struct isakmp_ipsec_id ipsec_id; /* Quick Mode */
struct isakmp_notification notification;
struct isakmp_delete delete;
struct isakmp_nat_oa nat_oa;
struct isakmp_mode_attr attribute;
};
/* descriptor for each payload type
*
* There is a slight problem in that some payloads differ, depending
* on the mode. Since this is table only used for top-level payloads,
* Proposal and Transform payloads need not be handled.
* That leaves only Identification payloads as a problem.
* We make all these entries NULL
*/
extern struct_desc *const payload_descs[ISAKMP_NEXT_ROOF];
#endif /* _PACKET_H */
|
