1: /* $NetBSD: handler.h,v 1.25 2010/11/17 10:40:41 tteras Exp $ */
2:
3: /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
4:
5: /*
6: * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7: * All rights reserved.
8: *
9: * Redistribution and use in source and binary forms, with or without
10: * modification, are permitted provided that the following conditions
11: * are met:
12: * 1. Redistributions of source code must retain the above copyright
13: * notice, this list of conditions and the following disclaimer.
14: * 2. Redistributions in binary form must reproduce the above copyright
15: * notice, this list of conditions and the following disclaimer in the
16: * documentation and/or other materials provided with the distribution.
17: * 3. Neither the name of the project nor the names of its contributors
18: * may be used to endorse or promote products derived from this software
19: * without specific prior written permission.
20: *
21: * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22: * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23: * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24: * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25: * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26: * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27: * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28: * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29: * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30: * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31: * SUCH DAMAGE.
32: */
33:
34: #ifndef _HANDLER_H
35: #define _HANDLER_H
36:
37: #include <sys/queue.h>
38: #include <openssl/rsa.h>
39:
40: #include <sys/time.h>
41:
42: #include "isakmp_var.h"
43: #include "oakley.h"
44: #include "schedule.h"
45: #include "evt.h"
46:
47: /* Phase 1 handler */
48: /*
49: * main mode:
50: * initiator responder
51: * 0 (---) (---)
52: * 1 start start (1st msg received)
53: * 2 (---) 1st valid msg received
54: * 3 1st msg sent 1st msg sent
55: * 4 1st valid msg received 2st valid msg received
56: * 5 2nd msg sent 2nd msg sent
57: * 6 2nd valid msg received 3rd valid msg received
58: * 7 3rd msg sent 3rd msg sent
59: * 8 3rd valid msg received (---)
60: * 9 SA established SA established
61: *
62: * aggressive mode:
63: * initiator responder
64: * 0 (---) (---)
65: * 1 start start (1st msg received)
66: * 2 (---) 1st valid msg received
67: * 3 1st msg sent 1st msg sent
68: * 4 1st valid msg received 2st valid msg received
69: * 5 (---) (---)
70: * 6 (---) (---)
71: * 7 (---) (---)
72: * 8 (---) (---)
73: * 9 SA established SA established
74: *
75: * base mode:
76: * initiator responder
77: * 0 (---) (---)
78: * 1 start start (1st msg received)
79: * 2 (---) 1st valid msg received
80: * 3 1st msg sent 1st msg sent
81: * 4 1st valid msg received 2st valid msg received
82: * 5 2nd msg sent (---)
83: * 6 (---) (---)
84: * 7 (---) (---)
85: * 8 (---) (---)
86: * 9 SA established SA established
87: */
88: #define PHASE1ST_SPAWN 0
89: #define PHASE1ST_START 1
90: #define PHASE1ST_MSG1RECEIVED 2
91: #define PHASE1ST_MSG1SENT 3
92: #define PHASE1ST_MSG2RECEIVED 4
93: #define PHASE1ST_MSG2SENT 5
94: #define PHASE1ST_MSG3RECEIVED 6
95: #define PHASE1ST_MSG3SENT 7
96: #define PHASE1ST_MSG4RECEIVED 8
97: #define PHASE1ST_ESTABLISHED 9
98: #define PHASE1ST_DYING 10
99: #define PHASE1ST_EXPIRED 11
100: #define PHASE1ST_MAX 12
101:
102: /* About address semantics in each case.
103: * initiator(addr=I) responder(addr=R)
104: * src dst src dst
105: * (local) (remote) (local) (remote)
106: * phase 1 handler I R R I
107: * phase 2 handler I R R I
108: * getspi msg R I I R
109: * acquire msg I R
110: * ID payload I R I R
111: */
112: #ifdef ENABLE_HYBRID
113: struct isakmp_cfg_state;
114: #endif
115: struct ph1handle {
116: isakmp_index index;
117:
118: int status; /* status of this SA */
119: int side; /* INITIATOR or RESPONDER */
120:
121: struct sockaddr *remote; /* remote address to negosiate ph1 */
122: struct sockaddr *local; /* local address to negosiate ph1 */
123: /* XXX copy from rmconf due to anonymous configuration.
124: * If anonymous will be forbidden, we do delete them. */
125:
126: struct remoteconf *rmconf; /* pointer to remote configuration */
127:
128: struct isakmpsa *approval; /* pointer to SA(s) approved. */
129: vchar_t *authstr; /* place holder of string for auth. */
130: /* for example pre-shared key */
131:
132: u_int8_t version; /* ISAKMP version */
133: u_int8_t etype; /* Exchange type actually for use */
134: u_int8_t flags; /* Flags */
135: u_int32_t msgid; /* message id */
136:
137: u_int32_t vendorid_mask; /* bitmask of received supported vendor ids*/
138: #ifdef ENABLE_NATT
139: struct ph1natt_options *natt_options; /* Selected NAT-T IKE version */
140: u_int32_t natt_flags; /* NAT-T related flags */
141: #endif
142: #ifdef ENABLE_FRAG
143: int frag; /* IKE phase 1 fragmentation */
144: struct isakmp_frag_item *frag_chain; /* Received fragments */
145: #endif
146:
147: struct sched sce; /* schedule for expire */
148:
149: struct sched scr; /* schedule for resend */
150: int retry_counter; /* for resend. */
151: vchar_t *sendbuf; /* buffer for re-sending */
152:
153: vchar_t *dhpriv; /* DH; private value */
154: vchar_t *dhpub; /* DH; public value */
155: vchar_t *dhpub_p; /* DH; partner's public value */
156: vchar_t *dhgxy; /* DH; shared secret */
157: vchar_t *nonce; /* nonce value */
158: vchar_t *nonce_p; /* partner's nonce value */
159: vchar_t *skeyid; /* SKEYID */
160: vchar_t *skeyid_d; /* SKEYID_d */
161: vchar_t *skeyid_a; /* SKEYID_a, i.e. hash */
162: vchar_t *skeyid_e; /* SKEYID_e, i.e. encryption */
163: vchar_t *key; /* cipher key */
164: vchar_t *hash; /* HASH minus general header */
165: vchar_t *sig; /* SIG minus general header */
166: vchar_t *sig_p; /* peer's SIG minus general header */
167: vchar_t *cert; /* CERT minus general header */
168: vchar_t *cert_p; /* peer's CERT minus general header */
169: vchar_t *crl_p; /* peer's CRL minus general header */
170: vchar_t *cr_p; /* peer's CR not including general */
171: RSA *rsa; /* my RSA key */
172: RSA *rsa_p; /* peer's RSA key */
173: struct genlist *rsa_candidates; /* possible candidates for peer's RSA key */
174: vchar_t *id; /* ID minus gen header */
175: vchar_t *id_p; /* partner's ID minus general header */
176: /* i.e. struct ipsecdoi_id_b*. */
177: struct isakmp_ivm *ivm; /* IVs */
178:
179: vchar_t *sa; /* whole SA payload to send/to be sent*/
180: /* to calculate HASH */
181: /* NOT INCLUDING general header. */
182:
183: vchar_t *sa_ret; /* SA payload to reply/to be replyed */
184: /* NOT INCLUDING general header. */
185: /* NOTE: Should be release after use. */
186:
187: #ifdef HAVE_GSSAPI
188: void *gssapi_state; /* GSS-API specific state. */
189: /* Allocated when needed */
190: vchar_t *gi_i; /* optional initiator GSS id */
191: vchar_t *gi_r; /* optional responder GSS id */
192: #endif
193:
194: struct isakmp_pl_hash *pl_hash; /* pointer to hash payload */
195:
196: time_t created; /* timestamp for establish */
197: int initial_contact_received; /* set if initial contact received */
198: #ifdef ENABLE_STATS
199: struct timeval start;
200: struct timeval end;
201: #endif
202:
203: #ifdef ENABLE_DPD
204: int dpd_support; /* Does remote supports DPD ? */
205: u_int32_t dpd_last_ack;
206: u_int32_t dpd_seq; /* DPD seq number to receive */
207: u_int8_t dpd_fails; /* number of failures */
208: struct sched dpd_r_u;
209: #endif
210:
211: u_int32_t msgid2; /* msgid counter for Phase 2 */
212: int ph2cnt; /* the number which is negotiated by this phase 1 */
213: LIST_HEAD(_ph2ofph1_, ph2handle) ph2tree;
214:
215: LIST_ENTRY(ph1handle) chain;
216: #ifdef ENABLE_HYBRID
217: struct isakmp_cfg_state *mode_cfg; /* ISAKMP mode config state */
218: #endif
219: EVT_LISTENER_LIST(evt_listeners);
220: };
221:
222: /* For limiting enumeration of ph1 tree */
223: struct ph1selector {
224: struct sockaddr *local;
225: struct sockaddr *remote;
226: };
227:
228: /* Phase 2 handler */
229: /* allocated per a SA or SA bundles of a pair of peer's IP addresses. */
230: /*
231: * initiator responder
232: * 0 (---) (---)
233: * 1 start start (1st msg received)
234: * 2 acquire msg get 1st valid msg received
235: * 3 getspi request sent getspi request sent
236: * 4 getspi done getspi done
237: * 5 1st msg sent 1st msg sent
238: * 6 1st valid msg received 2nd valid msg received
239: * 7 (commit bit) (commit bit)
240: * 8 SAs added SAs added
241: * 9 SAs established SAs established
242: * 10 SAs expired SAs expired
243: */
244: #define PHASE2ST_SPAWN 0
245: #define PHASE2ST_START 1
246: #define PHASE2ST_STATUS2 2
247: #define PHASE2ST_GETSPISENT 3
248: #define PHASE2ST_GETSPIDONE 4
249: #define PHASE2ST_MSG1SENT 5
250: #define PHASE2ST_STATUS6 6
251: #define PHASE2ST_COMMIT 7
252: #define PHASE2ST_ADDSA 8
253: #define PHASE2ST_ESTABLISHED 9
254: #define PHASE2ST_EXPIRED 10
255: #define PHASE2ST_MAX 11
256:
257: struct ph2handle {
258: /* source and destination addresses used for IKE exchange. Might
259: * differ from source and destination of SA. On the initiator,
260: * they are tweaked if a hint is available in the SPD (set by
261: * MIGRATE for instance). Otherwise they are the source and
262: * destination of SA for transport mode and the tunnel endpoints
263: * for tunnel mode */
264: struct sockaddr *src;
265: struct sockaddr *dst;
266:
267: /* source and destination addresses of the SA in the case addresses
268: * used for IKE exchanges (src and dst) do differ. On the initiator,
269: * they are set (if needed) in pk_recvacquire(). On the responder,
270: * they are _derived_ from the local and remote parameters of the
271: * SP, if available. */
272: struct sockaddr *sa_src;
273: struct sockaddr *sa_dst;
274:
275: /* Store our Phase 2 ID and the peer ID (ID minus general header).
276: * On the initiator, they are set during ACQUIRE processing.
277: * On the responder, they are set from the content of ID payload
278: * in quick_r1recv(). Then, if they are of type address or
279: * tunnel, they are compared to sainfo selectors.
280: */
281: vchar_t *id; /* ID minus gen header */
282: vchar_t *id_p; /* peer's ID minus general header */
283:
284: #ifdef ENABLE_NATT
285: struct sockaddr *natoa_src; /* peer's view of my address */
286: struct sockaddr *natoa_dst; /* peer's view of his address */
287: #endif
288:
289: u_int32_t spid; /* policy id by kernel */
290:
291: int status; /* ipsec sa status */
292: u_int8_t side; /* INITIATOR or RESPONDER */
293:
294: struct sched sce; /* schedule for expire */
295: struct sched scr; /* schedule for resend */
296: int retry_counter; /* for resend. */
297: vchar_t *sendbuf; /* buffer for re-sending */
298: vchar_t *msg1; /* buffer for re-sending */
299: /* used for responder's first message */
300:
301: int retry_checkph1; /* counter to wait phase 1 finished. */
302: /* NOTE: actually it's timer. */
303:
304: u_int32_t seq; /* sequence number used by PF_KEY */
305: /*
306: * NOTE: In responder side, we can't identify each SAs
307: * with same destination address for example, when
308: * socket based SA is required. So we set a identifier
309: * number to "seq", and sent kernel by pfkey.
310: */
311: u_int8_t satype; /* satype in PF_KEY */
312: /*
313: * saved satype in the original PF_KEY request from
314: * the kernel in order to reply a error.
315: */
316:
317: u_int8_t flags; /* Flags for phase 2 */
318: u_int32_t msgid; /* msgid for phase 2 */
319:
320: struct sainfo *sainfo; /* place holder of sainfo */
321: struct saprop *proposal; /* SA(s) proposal. */
322: struct saprop *approval; /* SA(s) approved. */
323: u_int32_t lifetime_secs; /* responder lifetime (seconds) */
324: u_int32_t lifetime_kb; /* responder lifetime (kbytes) */
325: caddr_t spidx_gen; /* policy from peer's proposal */
326:
327: struct dhgroup *pfsgrp; /* DH; prime number */
328: vchar_t *dhpriv; /* DH; private value */
329: vchar_t *dhpub; /* DH; public value */
330: vchar_t *dhpub_p; /* DH; partner's public value */
331: vchar_t *dhgxy; /* DH; shared secret */
332: vchar_t *nonce; /* nonce value in phase 2 */
333: vchar_t *nonce_p; /* partner's nonce value in phase 2 */
334:
335: vchar_t *sa; /* whole SA payload to send/to be sent*/
336: /* to calculate HASH */
337: /* NOT INCLUDING general header. */
338:
339: vchar_t *sa_ret; /* SA payload to reply/to be replyed */
340: /* NOT INCLUDING general header. */
341: /* NOTE: Should be release after use. */
342:
343: struct isakmp_ivm *ivm; /* IVs */
344:
345: int generated_spidx; /* mark handlers whith generated policy */
346:
347: #ifdef ENABLE_STATS
348: struct timeval start;
349: struct timeval end;
350: #endif
351: struct ph1handle *ph1; /* back pointer to isakmp status */
352:
353: LIST_ENTRY(ph2handle) chain;
354: LIST_ENTRY(ph2handle) ph1bind; /* chain to ph1handle */
355: EVT_LISTENER_LIST(evt_listeners);
356: };
357:
358: /* For limiting enumeration of ph2 tree */
359: struct ph2selector {
360: u_int32_t spid;
361: struct sockaddr *src;
362: struct sockaddr *dst;
363: };
364:
365: /*
366: * for handling initial contact.
367: */
368: struct contacted {
369: struct sockaddr *remote; /* remote address to negosiate ph1 */
370: LIST_ENTRY(contacted) chain;
371: };
372:
373: /*
374: * for checking a packet retransmited.
375: */
376: struct recvdpkt {
377: struct sockaddr *remote; /* the remote address */
378: struct sockaddr *local; /* the local address */
379: vchar_t *hash; /* hash of the received packet */
380: vchar_t *sendbuf; /* buffer for the response */
381: int retry_counter; /* how many times to send */
382: struct timeval time_send; /* timestamp of previous send */
383:
384: LIST_ENTRY(recvdpkt) chain;
385: };
386:
387: /* for parsing ISAKMP header. */
388: struct isakmp_parse_t {
389: u_char type; /* payload type of mine */
390: int len; /* ntohs(ptr->len) */
391: struct isakmp_gen *ptr;
392: };
393:
394: /*
395: * for IV management.
396: *
397: * - normal case
398: * initiator responder
399: * ------------------------- --------------------------
400: * initialize iv(A), ive(A). initialize iv(A), ive(A).
401: * encode by ive(A).
402: * save to iv(B). ---[packet(B)]--> save to ive(B).
403: * decode by iv(A).
404: * packet consistency.
405: * sync iv(B) with ive(B).
406: * check auth, integrity.
407: * encode by ive(B).
408: * save to ive(C). <--[packet(C)]--- save to iv(C).
409: * decoded by iv(B).
410: * :
411: *
412: * - In the case that a error is found while cipher processing,
413: * initiator responder
414: * ------------------------- --------------------------
415: * initialize iv(A), ive(A). initialize iv(A), ive(A).
416: * encode by ive(A).
417: * save to iv(B). ---[packet(B)]--> save to ive(B).
418: * decode by iv(A).
419: * packet consistency.
420: * sync iv(B) with ive(B).
421: * check auth, integrity.
422: * error found.
423: * create notify.
424: * get ive2(X) from iv(B).
425: * encode by ive2(X).
426: * get iv2(X) from iv(B). <--[packet(Y)]--- save to iv2(Y).
427: * save to ive2(Y).
428: * decoded by iv2(X).
429: * :
430: *
431: * The reason why the responder synchronizes iv with ive after checking the
432: * packet consistency is that it is required to leave the IV for decoding
433: * packet. Because there is a potential of error while checking the packet
434: * consistency. Also the reason why that is before authentication and
435: * integirty check is that the IV for informational exchange has to be made
436: * by the IV which is after packet decoded and checking the packet consistency.
437: * Otherwise IV mismatched happens between the intitiator and the responder.
438: */
439: struct isakmp_ivm {
440: vchar_t *iv; /* for decoding packet */
441: /* if phase 1, it's for computing phase2 iv */
442: vchar_t *ive; /* for encoding packet */
443: };
444:
445: /* for dumping */
446: struct ph1dump {
447: isakmp_index index;
448: int status;
449: int side;
450: struct sockaddr_storage remote;
451: struct sockaddr_storage local;
452: u_int8_t version;
453: u_int8_t etype;
454: time_t created;
455: int ph2cnt;
456: };
457:
458: struct sockaddr;
459: struct ph1handle;
460: struct ph2handle;
461: struct policyindex;
462:
463: extern struct ph1handle *getph1byindex __P((isakmp_index *));
464: extern struct ph1handle *getph1byindex0 __P((isakmp_index *));
465:
466: extern int enumph1 __P((struct ph1selector *ph1sel,
467: int (* enum_func)(struct ph1handle *iph1, void *arg),
468: void *enum_arg));
469:
470: #define GETPH1_F_ESTABLISHED 0x0001
471:
472: extern struct ph1handle *getph1 __P((struct ph1handle *ph1hint,
473: struct sockaddr *local,
474: struct sockaddr *remote,
475: int flags));
476:
477: #define getph1byaddr(local, remote, est) \
478: getph1(NULL, local, remote, est ? GETPH1_F_ESTABLISHED : 0)
479: #define getph1bydstaddr(remote) \
480: getph1(NULL, NULL, remote, 0)
481:
482: #ifdef ENABLE_HYBRID
483: struct ph1handle *getph1bylogin __P((char *));
484: int purgeph1bylogin __P((char *));
485: #endif
486: extern void migrate_ph12 __P((struct ph1handle *old_iph1, struct ph1handle *new_iph1));
487: extern void migrate_dying_ph12 __P((struct ph1handle *iph1));
488: extern vchar_t *dumpph1 __P((void));
489: extern struct ph1handle *newph1 __P((void));
490: extern void delph1 __P((struct ph1handle *));
491: extern int insph1 __P((struct ph1handle *));
492: extern void remph1 __P((struct ph1handle *));
493: extern int resolveph1rmconf __P((struct ph1handle *));
494: extern void flushph1 __P((void));
495: extern void initph1tree __P((void));
496: extern int ph1_rekey_enabled __P((struct ph1handle *));
497:
498: extern int enumph2 __P((struct ph2selector *ph2sel,
499: int (* enum_func)(struct ph2handle *iph2, void *arg),
500: void *enum_arg));
501: extern struct ph2handle *getph2byseq __P((u_int32_t));
502: extern struct ph2handle *getph2bysaddr __P((struct sockaddr *,
503: struct sockaddr *));
504: extern struct ph2handle *getph2bymsgid __P((struct ph1handle *, u_int32_t));
505: extern struct ph2handle *getph2byid __P((struct sockaddr *,
506: struct sockaddr *, u_int32_t));
507: extern struct ph2handle *getph2bysaidx __P((struct sockaddr *,
508: struct sockaddr *, u_int, u_int32_t));
509: extern struct ph2handle *newph2 __P((void));
510: extern void initph2 __P((struct ph2handle *));
511: extern void delph2 __P((struct ph2handle *));
512: extern int insph2 __P((struct ph2handle *));
513: extern void remph2 __P((struct ph2handle *));
514: extern void flushph2 __P((void));
515: extern void deleteallph2 __P((struct sockaddr *, struct sockaddr *, u_int));
516: extern void initph2tree __P((void));
517:
518: extern void bindph12 __P((struct ph1handle *, struct ph2handle *));
519: extern void unbindph12 __P((struct ph2handle *));
520:
521: extern struct contacted *getcontacted __P((struct sockaddr *));
522: extern int inscontacted __P((struct sockaddr *));
523: extern void remcontacted __P((struct sockaddr *));
524: extern void initctdtree __P((void));
525:
526: extern int check_recvdpkt __P((struct sockaddr *,
527: struct sockaddr *, vchar_t *));
528: extern int add_recvdpkt __P((struct sockaddr *, struct sockaddr *,
529: vchar_t *, vchar_t *));
530: extern void init_recvdpkt __P((void));
531:
532: #ifdef ENABLE_HYBRID
533: extern int exclude_cfg_addr __P((const struct sockaddr *));
534: #endif
535:
536: extern int revalidate_ph12(void);
537:
538: #endif /* _HANDLER_H */
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to handler.h CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / ipsec-tools / src / racoon