[apple/ipsec.git] / ipsec-tools / racoon / handler.h

/* $Id: handler.h,v 1.11.4.3 2005/05/07 17:26:05 manubsd Exp $ */

/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 * 
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#ifndef _HANDLER_H
#define _HANDLER_H

#include <sys/queue.h>
#include <openssl/rsa.h>

#include <sys/time.h>

#include "isakmp_var.h"
#include "oakley.h"

/* Phase 1 handler */
/*
 * main mode:
 *      initiator               responder
 *  0   (---)                   (---)
 *  1   start                   start (1st msg received)
 *  2   (---)                   1st valid msg received
 *  3   1st msg sent	        1st msg sent
 *  4   1st valid msg received  2st valid msg received
 *  5   2nd msg sent            2nd msg sent
 *  6   2nd valid msg received  3rd valid msg received
 *  7   3rd msg sent            3rd msg sent
 *  8   3rd valid msg received  (---)
 *  9   SA established          SA established
 *
 * aggressive mode:
 *      initiator               responder
 *  0   (---)                   (---)
 *  1   start                   start (1st msg received)
 *  2   (---)                   1st valid msg received
 *  3   1st msg sent	        1st msg sent
 *  4   1st valid msg received  2st valid msg received
 *  5   (---)                   (---)
 *  6   (---)                   (---)
 *  7   (---)                   (---)
 *  8   (---)                   (---)
 *  9   SA established          SA established
 *
 * base mode:
 *      initiator               responder
 *  0   (---)                   (---)
 *  1   start                   start (1st msg received)
 *  2   (---)                   1st valid msg received
 *  3   1st msg sent	        1st msg sent
 *  4   1st valid msg received  2st valid msg received
 *  5   2nd msg sent            (---)
 *  6   (---)                   (---)
 *  7   (---)                   (---)
 *  8   (---)                   (---)
 *  9   SA established          SA established
 */
#define PHASE1ST_SPAWN			0
#define PHASE1ST_START			1
#define PHASE1ST_MSG1RECEIVED		2
#define PHASE1ST_MSG1SENT		3
#define PHASE1ST_MSG2RECEIVED		4
#define PHASE1ST_MSG2SENT		5
#define PHASE1ST_MSG3RECEIVED		6
#define PHASE1ST_MSG3SENT		7
#define PHASE1ST_MSG4RECEIVED		8
#define PHASE1ST_ESTABLISHED		9
#define PHASE1ST_EXPIRED		10
#define PHASE1ST_MAX			11

/* About address semantics in each case.
 *			initiator(addr=I)	responder(addr=R)
 *			src	dst		src	dst
 *			(local)	(remote)	(local)	(remote)
 * phase 1 handler	I	R		R	I
 * phase 2 handler	I	R		R	I
 * getspi msg		R	I		I	R
 * acquire msg		I	R
 * ID payload		I	R		I	R
 */
#ifdef ENABLE_HYBRID
struct isakmp_cfg_state;
#endif
struct ph1handle {
	isakmp_index index;

	int status;			/* status of this SA */
	int side;			/* INITIATOR or RESPONDER */

	struct sockaddr *remote;	/* remote address to negosiate ph1 */
	struct sockaddr *local;		/* local address to negosiate ph1 */
			/* XXX copy from rmconf due to anonymous configuration.
			 * If anonymous will be forbidden, we do delete them. */

	struct remoteconf *rmconf;	/* pointer to remote configuration */

	struct isakmpsa *approval;	/* pointer to SA(s) approved. */
	vchar_t *authstr;		/* place holder of string for auth. */
					/* for example pre-shared key */

	u_int8_t version;		/* ISAKMP version */
	u_int8_t etype;			/* Exchange type actually for use */
	u_int8_t flags;			/* Flags */
	u_int32_t msgid;		/* message id */

	struct ph1natt_options *natt_options;	/* Selected NAT-T IKE version */
	u_int32_t natt_flags;		/* NAT-T related flags */
#ifdef ENABLE_FRAG
	int frag;			/* IKE phase 1 fragmentation */
	struct isakmp_frag_item *frag_chain;	/* Received fragments */
#endif

	struct sched *sce;		/* schedule for expire */

	struct sched *scr;		/* schedule for resend */
	int retry_counter;		/* for resend. */
	vchar_t *sendbuf;		/* buffer for re-sending */

	vchar_t *dhpriv;		/* DH; private value */
	vchar_t *dhpub;			/* DH; public value */
	vchar_t *dhpub_p;		/* DH; partner's public value */
	vchar_t *dhgxy;			/* DH; shared secret */
	vchar_t *nonce;			/* nonce value */
	vchar_t *nonce_p;		/* partner's nonce value */
	vchar_t *skeyid;		/* SKEYID */
	vchar_t *skeyid_d;		/* SKEYID_d */
	vchar_t *skeyid_a;		/* SKEYID_a, i.e. hash */
	vchar_t *skeyid_e;		/* SKEYID_e, i.e. encryption */
	vchar_t *key;			/* cipher key */
	vchar_t *hash;			/* HASH minus general header */
	vchar_t *sig;			/* SIG minus general header */
	vchar_t *sig_p;			/* peer's SIG minus general header */
	cert_t *cert;			/* CERT minus general header */
	cert_t *cert_p;			/* peer's CERT minus general header */
	cert_t *crl_p;			/* peer's CRL minus general header */
	cert_t *cr_p;			/* peer's CR not including general */
	RSA *rsa;			/* my RSA key */
	RSA *rsa_p;			/* peer's RSA key */
	struct genlist *rsa_candidates;	/* possible candidates for peer's RSA key */
	vchar_t *id;			/* ID minus gen header */
	vchar_t *id_p;			/* partner's ID minus general header */
					/* i.e. strut ipsecdoi_id_b*. */
	struct isakmp_ivm *ivm;		/* IVs */

	vchar_t *sa;			/* whole SA payload to send/to be sent*/
					/* to calculate HASH */
					/* NOT INCLUDING general header. */

	vchar_t *sa_ret;		/* SA payload to reply/to be replyed */
					/* NOT INCLUDING general header. */
					/* NOTE: Should be release after use. */

#ifdef HAVE_GSSAPI
	void *gssapi_state;		/* GSS-API specific state. */
					/* Allocated when needed */
	vchar_t *gi_i;			/* optional initiator GSS id */
	vchar_t *gi_r;			/* optional responder GSS id */
#endif

	struct isakmp_pl_hash *pl_hash;	/* pointer to hash payload */

	time_t created;			/* timestamp for establish */
#ifdef ENABLE_STATS
	struct timeval start;
	struct timeval end;
#endif

	int		dpd_support;	/* Does remote supports DPD ? */
	time_t		dpd_lastack;	/* Last ack received */
	u_int16_t	dpd_seq;		/* DPD seq number to receive */
	u_int8_t	dpd_fails;		/* number of failures */
	struct sched	*dpd_r_u;

	u_int32_t msgid2;		/* msgid counter for Phase 2 */
	int ph2cnt;	/* the number which is negotiated by this phase 1 */
	LIST_HEAD(_ph2ofph1_, ph2handle) ph2tree;

	LIST_ENTRY(ph1handle) chain;
#ifdef ENABLE_HYBRID
	struct isakmp_cfg_state *mode_cfg;	/* ISAKMP mode config state */
#endif       

};

/* Phase 2 handler */
/* allocated per a SA or SA bundles of a pair of peer's IP addresses. */
/*
 *      initiator               responder
 *  0   (---)                   (---)
 *  1   start                   start (1st msg received)
 *  2   acquire msg get         1st valid msg received
 *  3   getspi request sent     getspi request sent
 *  4   getspi done             getspi done
 *  5   1st msg sent            1st msg sent
 *  6   1st valid msg received  2nd valid msg received
 *  7   (commit bit)            (commit bit)
 *  8   SAs added               SAs added
 *  9   SAs established         SAs established
 * 10   SAs expired             SAs expired
 */
#define PHASE2ST_SPAWN		0
#define PHASE2ST_START		1
#define PHASE2ST_STATUS2	2
#define PHASE2ST_GETSPISENT	3
#define PHASE2ST_GETSPIDONE	4
#define PHASE2ST_MSG1SENT	5
#define PHASE2ST_STATUS6	6
#define PHASE2ST_COMMIT		7
#define PHASE2ST_ADDSA		8
#define PHASE2ST_ESTABLISHED	9
#define PHASE2ST_EXPIRED	10
#define PHASE2ST_MAX		11

struct ph2handle {
	struct sockaddr *src;		/* my address of SA. */
	struct sockaddr *dst;		/* peer's address of SA. */

		/*
		 * copy ip address from ID payloads when ID type is ip address.
		 * In other case, they must be null.
		 */
	struct sockaddr *src_id;
	struct sockaddr *dst_id;

	u_int32_t spid;			/* policy id by kernel */

	int status;			/* ipsec sa status */
	u_int8_t side;			/* INITIATOR or RESPONDER */

	struct sched *sce;		/* schedule for expire */
	struct sched *scr;		/* schedule for resend */
	int retry_counter;		/* for resend. */
	vchar_t *sendbuf;		/* buffer for re-sending */
	vchar_t *msg1;			/* buffer for re-sending */
				/* used for responder's first message */

	int retry_checkph1;		/* counter to wait phase 1 finished. */
					/* NOTE: actually it's timer. */

	u_int32_t seq;			/* sequence number used by PF_KEY */
			/*
			 * NOTE: In responder side, we can't identify each SAs
			 * with same destination address for example, when
			 * socket based SA is required.  So we set a identifier
			 * number to "seq", and sent kernel by pfkey.
			 */
	u_int8_t satype;		/* satype in PF_KEY */
			/*
			 * saved satype in the original PF_KEY request from
			 * the kernel in order to reply a error.
			 */

	u_int8_t flags;			/* Flags for phase 2 */
	u_int32_t msgid;		/* msgid for phase 2 */

	struct sainfo *sainfo;		/* place holder of sainfo */
	struct saprop *proposal;	/* SA(s) proposal. */
	struct saprop *approval;	/* SA(s) approved. */
	caddr_t spidx_gen;		/* policy from peer's proposal */

	struct dhgroup *pfsgrp;		/* DH; prime number */
	vchar_t *dhpriv;		/* DH; private value */
	vchar_t *dhpub;			/* DH; public value */
	vchar_t *dhpub_p;		/* DH; partner's public value */
	vchar_t *dhgxy;			/* DH; shared secret */
	vchar_t *id;			/* ID minus gen header */
	vchar_t *id_p;			/* peer's ID minus general header */
	vchar_t *nonce;			/* nonce value in phase 2 */
	vchar_t *nonce_p;		/* partner's nonce value in phase 2 */

	vchar_t *sa;			/* whole SA payload to send/to be sent*/
					/* to calculate HASH */
					/* NOT INCLUDING general header. */

	vchar_t *sa_ret;		/* SA payload to reply/to be replyed */
					/* NOT INCLUDING general header. */
					/* NOTE: Should be release after use. */

	struct isakmp_ivm *ivm;		/* IVs */

	int generated_spidx;	/* mark handlers whith generated policy */

#ifdef ENABLE_STATS
	struct timeval start;
	struct timeval end;
#endif
	struct ph1handle *ph1;	/* back pointer to isakmp status */

	LIST_ENTRY(ph2handle) chain;
	LIST_ENTRY(ph2handle) ph1bind;	/* chain to ph1handle */
};

/*
 * for handling initial contact.
 */
struct contacted {
	struct sockaddr *remote;	/* remote address to negotiate ph1 */
	LIST_ENTRY(contacted) chain;
};

/*
 * for checking if a packet is retransmited.
 */
struct recvdpkt {
	struct sockaddr *remote;	/* the remote address */
	struct sockaddr *local;		/* the local address */
	vchar_t *hash;			/* hash of the received packet */
	vchar_t *sendbuf;		/* buffer for the response */
	int retry_counter;		/* how many times to send */
	time_t time_send;		/* timestamp to send a packet */
	time_t created;			/* timestamp to create a queue */

	struct sched *scr;		/* schedule for resend, may not used */

	LIST_ENTRY(recvdpkt) chain;
};

/* for parsing ISAKMP header. */
struct isakmp_parse_t {
	u_char type;		/* payload type of mine */
	int len;		/* ntohs(ptr->len) */
	struct isakmp_gen *ptr;
};

/*
 * for IV management.
 *
 * - normal case
 * initiator                                     responder
 * -------------------------                     --------------------------
 * initialize iv(A), ive(A).                     initialize iv(A), ive(A).
 * encode by ive(A).
 * save to iv(B).            ---[packet(B)]-->   save to ive(B).
 *                                               decode by iv(A).
 *                                               packet consistency.
 *                                               sync iv(B) with ive(B).
 *                                               check auth, integrity.
 *                                               encode by ive(B).
 * save to ive(C).          <--[packet(C)]---    save to iv(C).
 * decoded by iv(B).
 *      :
 *
 * - In the case that a error is found while cipher processing,
 * initiator                                     responder
 * -------------------------                     --------------------------
 * initialize iv(A), ive(A).                     initialize iv(A), ive(A).
 * encode by ive(A).
 * save to iv(B).            ---[packet(B)]-->   save to ive(B).
 *                                               decode by iv(A).
 *                                               packet consistency.
 *                                               sync iv(B) with ive(B).
 *                                               check auth, integrity.
 *                                               error found.
 *                                               create notify.
 *                                               get ive2(X) from iv(B).
 *                                               encode by ive2(X).
 * get iv2(X) from iv(B).   <--[packet(Y)]---    save to iv2(Y).
 * save to ive2(Y).
 * decoded by iv2(X).
 *      :
 *
 * The reason why the responder synchronizes iv with ive after checking the
 * packet consistency is that it is required to leave the IV for decoding
 * packet.  Because there is a potential of error while checking the packet
 * consistency.  Also the reason why that is before authentication and
 * integirty check is that the IV for informational exchange has to be made
 * by the IV which is after packet decoded and checking the packet consistency.
 * Otherwise IV mismatched happens between the intitiator and the responder.
 */
struct isakmp_ivm {
	vchar_t *iv;	/* for decoding packet */
			/* if phase 1, it's for computing phase2 iv */
	vchar_t *ive;	/* for encoding packet */
};

/* for dumping */
struct ph1dump {
	isakmp_index index;
	int status;
	int side;
	struct sockaddr_storage remote;
	struct sockaddr_storage local;
	u_int8_t version;
	u_int8_t etype;	
	time_t created;
	int ph2cnt;
};

struct sockaddr;
struct ph1handle;
struct ph2handle;
struct policyindex;

extern struct ph1handle *getph1byindex __P((isakmp_index *));
extern struct ph1handle *getph1byindex0 __P((isakmp_index *));
extern struct ph1handle *getph1byaddr __P((struct sockaddr *,
	struct sockaddr *));
extern struct ph1handle *getph1byaddrwop __P((struct sockaddr *,
	struct sockaddr *));
extern struct ph1handle *getph1bydstaddrwop __P((struct sockaddr *));
extern vchar_t *dumpph1 __P((void));
extern struct ph1handle *newph1 __P((void));
extern void delph1 __P((struct ph1handle *));
extern int insph1 __P((struct ph1handle *));
extern void remph1 __P((struct ph1handle *));
extern void flushph1 __P((void));
extern void initph1tree __P((void));

extern struct ph2handle *getph2byspidx __P((struct policyindex *));
extern struct ph2handle *getph2byspid __P((u_int32_t));
extern struct ph2handle *getph2byseq __P((u_int32_t));
extern struct ph2handle *getph2bysaddr __P((struct sockaddr *,
	struct sockaddr *));
extern struct ph2handle *getph2bymsgid __P((struct ph1handle *, u_int32_t));
extern struct ph2handle *getph2byid __P((struct sockaddr *,
	struct sockaddr *, u_int32_t));
extern struct ph2handle *getph2bysaidx __P((struct sockaddr *,
	struct sockaddr *, u_int, u_int32_t));
extern struct ph2handle *newph2 __P((void));
extern void initph2 __P((struct ph2handle *));
extern void delph2 __P((struct ph2handle *));
extern int insph2 __P((struct ph2handle *));
extern void remph2 __P((struct ph2handle *));
extern void flushph2 __P((void));
extern void deleteallph2 __P((struct sockaddr *, struct sockaddr *, u_int));
extern void initph2tree __P((void));

extern void bindph12 __P((struct ph1handle *, struct ph2handle *));
extern void unbindph12 __P((struct ph2handle *));

extern struct contacted *getcontacted __P((struct sockaddr *));
extern int inscontacted __P((struct sockaddr *));
extern void clear_contacted __P((void));
extern void initctdtree __P((void));

extern int check_recvdpkt __P((struct sockaddr *,
	struct sockaddr *, vchar_t *));
extern int add_recvdpkt __P((struct sockaddr *, struct sockaddr *,
	vchar_t *, vchar_t *));
extern void clear_recvdpkt __P((void));
extern void init_recvdpkt __P((void));

#ifdef ENABLE_HYBRID
extern int exclude_cfg_addr __P((const struct sockaddr *));
#endif

#endif /* _HANDLER_H */
Commit	Line	Data
52b7d2ce A	1	/* $Id: handler.h,v 1.11.4.3 2005/05/07 17:26:05 manubsd Exp $ */
	2
	3	/*
	4	* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
	5	* All rights reserved.
	6	*
	7	* Redistribution and use in source and binary forms, with or without
	8	* modification, are permitted provided that the following conditions
	9	* are met:
	10	* 1. Redistributions of source code must retain the above copyright
	11	* notice, this list of conditions and the following disclaimer.
	12	* 2. Redistributions in binary form must reproduce the above copyright
	13	* notice, this list of conditions and the following disclaimer in the
	14	* documentation and/or other materials provided with the distribution.
	15	* 3. Neither the name of the project nor the names of its contributors
	16	* may be used to endorse or promote products derived from this software
	17	* without specific prior written permission.
	18	*
	19	* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
	20	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	21	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	22	* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
	23	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	24	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	25	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	26	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	27	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	28	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	29	* SUCH DAMAGE.
	30	*/
	31
	32	#ifndef _HANDLER_H
	33	#define _HANDLER_H
	34
	35	#include <sys/queue.h>
	36	#include <openssl/rsa.h>
	37
	38	#include <sys/time.h>
	39
	40	#include "isakmp_var.h"
	41	#include "oakley.h"
	42
	43	/* Phase 1 handler */
	44	/*
	45	* main mode:
	46	* initiator responder
	47	* 0 (---) (---)
	48	* 1 start start (1st msg received)
	49	* 2 (---) 1st valid msg received
	50	* 3 1st msg sent 1st msg sent
	51	* 4 1st valid msg received 2st valid msg received
	52	* 5 2nd msg sent 2nd msg sent
	53	* 6 2nd valid msg received 3rd valid msg received
	54	* 7 3rd msg sent 3rd msg sent
	55	* 8 3rd valid msg received (---)
	56	* 9 SA established SA established
	57	*
	58	* aggressive mode:
	59	* initiator responder
	60	* 0 (---) (---)
	61	* 1 start start (1st msg received)
	62	* 2 (---) 1st valid msg received
	63	* 3 1st msg sent 1st msg sent
	64	* 4 1st valid msg received 2st valid msg received
65	* 5 (---) (---)
66	* 6 (---) (---)
67	* 7 (---) (---)
68	* 8 (---) (---)
69	* 9 SA established SA established
70	*
71	* base mode:
72	* initiator responder
73	* 0 (---) (---)
74	* 1 start start (1st msg received)
75	* 2 (---) 1st valid msg received
76	* 3 1st msg sent 1st msg sent
77	* 4 1st valid msg received 2st valid msg received
78	* 5 2nd msg sent (---)
79	* 6 (---) (---)
80	* 7 (---) (---)
81	* 8 (---) (---)
82	* 9 SA established SA established
83	*/
84	#define PHASE1ST_SPAWN 0
85	#define PHASE1ST_START 1
86	#define PHASE1ST_MSG1RECEIVED 2
87	#define PHASE1ST_MSG1SENT 3
88	#define PHASE1ST_MSG2RECEIVED 4
89	#define PHASE1ST_MSG2SENT 5
90	#define PHASE1ST_MSG3RECEIVED 6
91	#define PHASE1ST_MSG3SENT 7
92	#define PHASE1ST_MSG4RECEIVED 8
93	#define PHASE1ST_ESTABLISHED 9
94	#define PHASE1ST_EXPIRED 10
95	#define PHASE1ST_MAX 11
96
97	/* About address semantics in each case.
98	* initiator(addr=I) responder(addr=R)
99	* src dst src dst
100	* (local) (remote) (local) (remote)
101	* phase 1 handler I R R I
102	* phase 2 handler I R R I
103	* getspi msg R I I R
104	* acquire msg I R
105	* ID payload I R I R
106	*/
107	#ifdef ENABLE_HYBRID
108	struct isakmp_cfg_state;
109	#endif
110	struct ph1handle {
111	isakmp_index index;
112
113	int status; /* status of this SA */
114	int side; /* INITIATOR or RESPONDER */
115
116	struct sockaddr remote; / remote address to negosiate ph1 */
117	struct sockaddr local; / local address to negosiate ph1 */
118	/* XXX copy from rmconf due to anonymous configuration.
119	* If anonymous will be forbidden, we do delete them. */
120
121	struct remoteconf rmconf; / pointer to remote configuration */
122
123	struct isakmpsa approval; / pointer to SA(s) approved. */
124	vchar_t authstr; / place holder of string for auth. */
125	/* for example pre-shared key */
126
127	u_int8_t version; /* ISAKMP version */
128	u_int8_t etype; /* Exchange type actually for use */
129	u_int8_t flags; /* Flags */
130	u_int32_t msgid; /* message id */
131
132	struct ph1natt_options natt_options; / Selected NAT-T IKE version */
133	u_int32_t natt_flags; /* NAT-T related flags */
134	#ifdef ENABLE_FRAG
135	int frag; /* IKE phase 1 fragmentation */
136	struct isakmp_frag_item frag_chain; / Received fragments */
137	#endif
138
139	struct sched sce; / schedule for expire */
140
141	struct sched scr; / schedule for resend */
142	int retry_counter; /* for resend. */
143	vchar_t sendbuf; / buffer for re-sending */
144
145	vchar_t dhpriv; / DH; private value */
146	vchar_t dhpub; / DH; public value */
147	vchar_t dhpub_p; / DH; partner's public value */
148	vchar_t dhgxy; / DH; shared secret */
149	vchar_t nonce; / nonce value */
150	vchar_t nonce_p; / partner's nonce value */
151	vchar_t skeyid; / SKEYID */
152	vchar_t skeyid_d; / SKEYID_d */
153	vchar_t skeyid_a; / SKEYID_a, i.e. hash */
154	vchar_t skeyid_e; / SKEYID_e, i.e. encryption */
155	vchar_t key; / cipher key */
156	vchar_t hash; / HASH minus general header */
157	vchar_t sig; / SIG minus general header */
158	vchar_t sig_p; / peer's SIG minus general header */
159	cert_t cert; / CERT minus general header */
160	cert_t cert_p; / peer's CERT minus general header */
161	cert_t crl_p; / peer's CRL minus general header */
162	cert_t cr_p; / peer's CR not including general */
163	RSA rsa; / my RSA key */
164	RSA rsa_p; / peer's RSA key */
165	struct genlist rsa_candidates; / possible candidates for peer's RSA key */
166	vchar_t id; / ID minus gen header */
167	vchar_t id_p; / partner's ID minus general header */
168	/* i.e. strut ipsecdoi_id_b. /
169	struct isakmp_ivm ivm; / IVs */
170
171	vchar_t sa; / whole SA payload to send/to be sent*/
172	/* to calculate HASH */
173	/* NOT INCLUDING general header. */
174
175	vchar_t sa_ret; / SA payload to reply/to be replyed */
176	/* NOT INCLUDING general header. */
177	/* NOTE: Should be release after use. */
178
179	#ifdef HAVE_GSSAPI
180	void gssapi_state; / GSS-API specific state. */
181	/* Allocated when needed */
182	vchar_t gi_i; / optional initiator GSS id */
183	vchar_t gi_r; / optional responder GSS id */
184	#endif
185
186	struct isakmp_pl_hash pl_hash; / pointer to hash payload */
187
188	time_t created; /* timestamp for establish */
189	#ifdef ENABLE_STATS
190	struct timeval start;
191	struct timeval end;
192	#endif
193
194	int dpd_support; /* Does remote supports DPD ? */
195	time_t dpd_lastack; /* Last ack received */
196	u_int16_t dpd_seq; /* DPD seq number to receive */
197	u_int8_t dpd_fails; /* number of failures */
198	struct sched *dpd_r_u;
199
200	u_int32_t msgid2; /* msgid counter for Phase 2 */
201	int ph2cnt; /* the number which is negotiated by this phase 1 */
202	LIST_HEAD(_ph2ofph1_, ph2handle) ph2tree;
203
204	LIST_ENTRY(ph1handle) chain;
205	#ifdef ENABLE_HYBRID
206	struct isakmp_cfg_state mode_cfg; / ISAKMP mode config state */
207	#endif
208
209	};
210
211	/* Phase 2 handler */
212	/* allocated per a SA or SA bundles of a pair of peer's IP addresses. */
213	/*
214	* initiator responder
215	* 0 (---) (---)
216	* 1 start start (1st msg received)
217	* 2 acquire msg get 1st valid msg received
218	* 3 getspi request sent getspi request sent
219	* 4 getspi done getspi done
220	* 5 1st msg sent 1st msg sent
221	* 6 1st valid msg received 2nd valid msg received
222	* 7 (commit bit) (commit bit)
223	* 8 SAs added SAs added
224	* 9 SAs established SAs established
225	* 10 SAs expired SAs expired
226	*/
227	#define PHASE2ST_SPAWN 0
228	#define PHASE2ST_START 1
229	#define PHASE2ST_STATUS2 2
230	#define PHASE2ST_GETSPISENT 3
231	#define PHASE2ST_GETSPIDONE 4
232	#define PHASE2ST_MSG1SENT 5
233	#define PHASE2ST_STATUS6 6
234	#define PHASE2ST_COMMIT 7
235	#define PHASE2ST_ADDSA 8
236	#define PHASE2ST_ESTABLISHED 9
237	#define PHASE2ST_EXPIRED 10
238	#define PHASE2ST_MAX 11
239
240	struct ph2handle {
241	struct sockaddr src; / my address of SA. */
242	struct sockaddr dst; / peer's address of SA. */
243
244	/*
245	* copy ip address from ID payloads when ID type is ip address.
246	* In other case, they must be null.
247	*/
248	struct sockaddr *src_id;
249	struct sockaddr *dst_id;
250
251	u_int32_t spid; /* policy id by kernel */
252
253	int status; /* ipsec sa status */
254	u_int8_t side; /* INITIATOR or RESPONDER */
255
256	struct sched sce; / schedule for expire */
257	struct sched scr; / schedule for resend */
258	int retry_counter; /* for resend. */
259	vchar_t sendbuf; / buffer for re-sending */
260	vchar_t msg1; / buffer for re-sending */
261	/* used for responder's first message */
262
263	int retry_checkph1; /* counter to wait phase 1 finished. */
264	/* NOTE: actually it's timer. */
265
266	u_int32_t seq; /* sequence number used by PF_KEY */
267	/*
268	* NOTE: In responder side, we can't identify each SAs
269	* with same destination address for example, when
270	* socket based SA is required. So we set a identifier
271	* number to "seq", and sent kernel by pfkey.
272	*/
273	u_int8_t satype; /* satype in PF_KEY */
274	/*
275	* saved satype in the original PF_KEY request from
276	* the kernel in order to reply a error.
277	*/
278
279	u_int8_t flags; /* Flags for phase 2 */
280	u_int32_t msgid; /* msgid for phase 2 */
281
282	struct sainfo sainfo; / place holder of sainfo */
283	struct saprop proposal; / SA(s) proposal. */
284	struct saprop approval; / SA(s) approved. */
285	caddr_t spidx_gen; /* policy from peer's proposal */
286
287	struct dhgroup pfsgrp; / DH; prime number */
288	vchar_t dhpriv; / DH; private value */
289	vchar_t dhpub; / DH; public value */
290	vchar_t dhpub_p; / DH; partner's public value */
291	vchar_t dhgxy; / DH; shared secret */
292	vchar_t id; / ID minus gen header */
293	vchar_t id_p; / peer's ID minus general header */
294	vchar_t nonce; / nonce value in phase 2 */
295	vchar_t nonce_p; / partner's nonce value in phase 2 */
296
297	vchar_t sa; / whole SA payload to send/to be sent*/
298	/* to calculate HASH */
299	/* NOT INCLUDING general header. */
300
301	vchar_t sa_ret; / SA payload to reply/to be replyed */
302	/* NOT INCLUDING general header. */
303	/* NOTE: Should be release after use. */
304
305	struct isakmp_ivm ivm; / IVs */
306
307	int generated_spidx; /* mark handlers whith generated policy */
308
309	#ifdef ENABLE_STATS
310	struct timeval start;
311	struct timeval end;
312	#endif
313	struct ph1handle ph1; / back pointer to isakmp status */
314
315	LIST_ENTRY(ph2handle) chain;
316	LIST_ENTRY(ph2handle) ph1bind; /* chain to ph1handle */
317	};
318
319	/*
320	* for handling initial contact.
321	*/
322	struct contacted {
323	struct sockaddr remote; / remote address to negotiate ph1 */
324	LIST_ENTRY(contacted) chain;
325	};
326
327	/*
328	* for checking if a packet is retransmited.
329	*/
330	struct recvdpkt {
331	struct sockaddr remote; / the remote address */
332	struct sockaddr local; / the local address */
333	vchar_t hash; / hash of the received packet */
334	vchar_t sendbuf; / buffer for the response */
335	int retry_counter; /* how many times to send */
336	time_t time_send; /* timestamp to send a packet */
337	time_t created; /* timestamp to create a queue */
338
339	struct sched scr; / schedule for resend, may not used */
340
341	LIST_ENTRY(recvdpkt) chain;
342	};
343
344	/* for parsing ISAKMP header. */
345	struct isakmp_parse_t {
346	u_char type; /* payload type of mine */
347	int len; /* ntohs(ptr->len) */
348	struct isakmp_gen *ptr;
349	};
350
351	/*
352	* for IV management.
353	*
354	* - normal case
355	* initiator responder
356	* ------------------------- --------------------------
357	* initialize iv(A), ive(A). initialize iv(A), ive(A).
358	* encode by ive(A).
359	* save to iv(B). ---[packet(B)]--> save to ive(B).
360	* decode by iv(A).
361	* packet consistency.
362	* sync iv(B) with ive(B).
363	* check auth, integrity.
364	* encode by ive(B).
365	* save to ive(C). <--[packet(C)]--- save to iv(C).
366	* decoded by iv(B).
367	* :
368	*
369	* - In the case that a error is found while cipher processing,
370	* initiator responder
371	* ------------------------- --------------------------
372	* initialize iv(A), ive(A). initialize iv(A), ive(A).
373	* encode by ive(A).
374	* save to iv(B). ---[packet(B)]--> save to ive(B).
375	* decode by iv(A).
376	* packet consistency.
377	* sync iv(B) with ive(B).
378	* check auth, integrity.
379	* error found.
380	* create notify.
381	* get ive2(X) from iv(B).
382	* encode by ive2(X).
383	* get iv2(X) from iv(B). <--[packet(Y)]--- save to iv2(Y).
384	* save to ive2(Y).
385	* decoded by iv2(X).
386	* :
387	*
388	* The reason why the responder synchronizes iv with ive after checking the
389	* packet consistency is that it is required to leave the IV for decoding
390	* packet. Because there is a potential of error while checking the packet
391	* consistency. Also the reason why that is before authentication and
392	* integirty check is that the IV for informational exchange has to be made
393	* by the IV which is after packet decoded and checking the packet consistency.
394	* Otherwise IV mismatched happens between the intitiator and the responder.
395	*/
396	struct isakmp_ivm {
397	vchar_t iv; / for decoding packet */
398	/* if phase 1, it's for computing phase2 iv */
399	vchar_t ive; / for encoding packet */
400	};
401
402	/* for dumping */
403	struct ph1dump {
404	isakmp_index index;
405	int status;
406	int side;
407	struct sockaddr_storage remote;
408	struct sockaddr_storage local;
409	u_int8_t version;
410	u_int8_t etype;
411	time_t created;
412	int ph2cnt;
413	};
414
415	struct sockaddr;
416	struct ph1handle;
417	struct ph2handle;
418	struct policyindex;
419
420	extern struct ph1handle getph1byindex __P((isakmp_index ));
421	extern struct ph1handle getph1byindex0 __P((isakmp_index ));
422	extern struct ph1handle getph1byaddr __P((struct sockaddr ,
423	struct sockaddr *));
424	extern struct ph1handle getph1byaddrwop __P((struct sockaddr ,
425	struct sockaddr *));
426	extern struct ph1handle getph1bydstaddrwop __P((struct sockaddr ));
427	extern vchar_t *dumpph1 __P((void));
428	extern struct ph1handle *newph1 __P((void));
429	extern void delph1 __P((struct ph1handle *));
430	extern int insph1 __P((struct ph1handle *));
431	extern void remph1 __P((struct ph1handle *));
432	extern void flushph1 __P((void));
433	extern void initph1tree __P((void));
434
435	extern struct ph2handle getph2byspidx __P((struct policyindex ));
436	extern struct ph2handle *getph2byspid __P((u_int32_t));
437	extern struct ph2handle *getph2byseq __P((u_int32_t));
438	extern struct ph2handle getph2bysaddr __P((struct sockaddr ,
439	struct sockaddr *));
440	extern struct ph2handle getph2bymsgid __P((struct ph1handle , u_int32_t));
441	extern struct ph2handle getph2byid __P((struct sockaddr ,
442	struct sockaddr *, u_int32_t));
443	extern struct ph2handle getph2bysaidx __P((struct sockaddr ,
444	struct sockaddr *, u_int, u_int32_t));
445	extern struct ph2handle *newph2 __P((void));
446	extern void initph2 __P((struct ph2handle *));
447	extern void delph2 __P((struct ph2handle *));
448	extern int insph2 __P((struct ph2handle *));
449	extern void remph2 __P((struct ph2handle *));
450	extern void flushph2 __P((void));
451	extern void deleteallph2 __P((struct sockaddr , struct sockaddr , u_int));
452	extern void initph2tree __P((void));
453
454	extern void bindph12 __P((struct ph1handle , struct ph2handle ));
455	extern void unbindph12 __P((struct ph2handle *));
456
457	extern struct contacted getcontacted __P((struct sockaddr ));
458	extern int inscontacted __P((struct sockaddr *));
459	extern void clear_contacted __P((void));
460	extern void initctdtree __P((void));
461
462	extern int check_recvdpkt __P((struct sockaddr *,
463	struct sockaddr , vchar_t ));
464	extern int add_recvdpkt __P((struct sockaddr , struct sockaddr ,
465	vchar_t , vchar_t ));
466	extern void clear_recvdpkt __P((void));
467	extern void init_recvdpkt __P((void));
468
469	#ifdef ENABLE_HYBRID
470	extern int exclude_cfg_addr __P((const struct sockaddr *));
471	#endif
472
473	#endif /* _HANDLER_H */