]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/handler.h
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-34.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / handler.h
1 /* $Id: handler.h,v 1.11.4.3 2005/05/07 17:26:05 manubsd Exp $ */
2
3 /*
4 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. Neither the name of the project nor the names of its contributors
16 * may be used to endorse or promote products derived from this software
17 * without specific prior written permission.
18 *
19 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
20 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
21 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
22 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
23 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
24 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
25 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
26 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
27 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
28 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
29 * SUCH DAMAGE.
30 */
31
32 #ifndef _HANDLER_H
33 #define _HANDLER_H
34
35 #include <sys/queue.h>
36 #include <openssl/rsa.h>
37
38 #include <sys/time.h>
39
40 #include "isakmp_var.h"
41 #include "oakley.h"
42
43 /* Phase 1 handler */
44 /*
45 * main mode:
46 * initiator responder
47 * 0 (---) (---)
48 * 1 start start (1st msg received)
49 * 2 (---) 1st valid msg received
50 * 3 1st msg sent 1st msg sent
51 * 4 1st valid msg received 2st valid msg received
52 * 5 2nd msg sent 2nd msg sent
53 * 6 2nd valid msg received 3rd valid msg received
54 * 7 3rd msg sent 3rd msg sent
55 * 8 3rd valid msg received (---)
56 * 9 SA established SA established
57 *
58 * aggressive mode:
59 * initiator responder
60 * 0 (---) (---)
61 * 1 start start (1st msg received)
62 * 2 (---) 1st valid msg received
63 * 3 1st msg sent 1st msg sent
64 * 4 1st valid msg received 2st valid msg received
65 * 5 (---) (---)
66 * 6 (---) (---)
67 * 7 (---) (---)
68 * 8 (---) (---)
69 * 9 SA established SA established
70 *
71 * base mode:
72 * initiator responder
73 * 0 (---) (---)
74 * 1 start start (1st msg received)
75 * 2 (---) 1st valid msg received
76 * 3 1st msg sent 1st msg sent
77 * 4 1st valid msg received 2st valid msg received
78 * 5 2nd msg sent (---)
79 * 6 (---) (---)
80 * 7 (---) (---)
81 * 8 (---) (---)
82 * 9 SA established SA established
83 */
84 #define PHASE1ST_SPAWN 0
85 #define PHASE1ST_START 1
86 #define PHASE1ST_MSG1RECEIVED 2
87 #define PHASE1ST_MSG1SENT 3
88 #define PHASE1ST_MSG2RECEIVED 4
89 #define PHASE1ST_MSG2SENT 5
90 #define PHASE1ST_MSG3RECEIVED 6
91 #define PHASE1ST_MSG3SENT 7
92 #define PHASE1ST_MSG4RECEIVED 8
93 #define PHASE1ST_ESTABLISHED 9
94 #define PHASE1ST_EXPIRED 10
95 #define PHASE1ST_MAX 11
96
97 /* About address semantics in each case.
98 * initiator(addr=I) responder(addr=R)
99 * src dst src dst
100 * (local) (remote) (local) (remote)
101 * phase 1 handler I R R I
102 * phase 2 handler I R R I
103 * getspi msg R I I R
104 * acquire msg I R
105 * ID payload I R I R
106 */
107 #ifdef ENABLE_HYBRID
108 struct isakmp_cfg_state;
109 #endif
110 struct ph1handle {
111 isakmp_index index;
112
113 int status; /* status of this SA */
114 int side; /* INITIATOR or RESPONDER */
115
116 struct sockaddr *remote; /* remote address to negosiate ph1 */
117 struct sockaddr *local; /* local address to negosiate ph1 */
118 /* XXX copy from rmconf due to anonymous configuration.
119 * If anonymous will be forbidden, we do delete them. */
120
121 struct remoteconf *rmconf; /* pointer to remote configuration */
122
123 struct isakmpsa *approval; /* pointer to SA(s) approved. */
124 vchar_t *authstr; /* place holder of string for auth. */
125 /* for example pre-shared key */
126
127 u_int8_t version; /* ISAKMP version */
128 u_int8_t etype; /* Exchange type actually for use */
129 u_int8_t flags; /* Flags */
130 u_int32_t msgid; /* message id */
131
132 struct ph1natt_options *natt_options; /* Selected NAT-T IKE version */
133 u_int32_t natt_flags; /* NAT-T related flags */
134 #ifdef ENABLE_FRAG
135 int frag; /* IKE phase 1 fragmentation */
136 struct isakmp_frag_item *frag_chain; /* Received fragments */
137 #endif
138
139 struct sched *sce; /* schedule for expire */
140
141 struct sched *scr; /* schedule for resend */
142 int retry_counter; /* for resend. */
143 vchar_t *sendbuf; /* buffer for re-sending */
144
145 vchar_t *dhpriv; /* DH; private value */
146 vchar_t *dhpub; /* DH; public value */
147 vchar_t *dhpub_p; /* DH; partner's public value */
148 vchar_t *dhgxy; /* DH; shared secret */
149 vchar_t *nonce; /* nonce value */
150 vchar_t *nonce_p; /* partner's nonce value */
151 vchar_t *skeyid; /* SKEYID */
152 vchar_t *skeyid_d; /* SKEYID_d */
153 vchar_t *skeyid_a; /* SKEYID_a, i.e. hash */
154 vchar_t *skeyid_e; /* SKEYID_e, i.e. encryption */
155 vchar_t *key; /* cipher key */
156 vchar_t *hash; /* HASH minus general header */
157 vchar_t *sig; /* SIG minus general header */
158 vchar_t *sig_p; /* peer's SIG minus general header */
159 cert_t *cert; /* CERT minus general header */
160 cert_t *cert_p; /* peer's CERT minus general header */
161 cert_t *crl_p; /* peer's CRL minus general header */
162 cert_t *cr_p; /* peer's CR not including general */
163 RSA *rsa; /* my RSA key */
164 RSA *rsa_p; /* peer's RSA key */
165 struct genlist *rsa_candidates; /* possible candidates for peer's RSA key */
166 vchar_t *id; /* ID minus gen header */
167 vchar_t *id_p; /* partner's ID minus general header */
168 /* i.e. strut ipsecdoi_id_b*. */
169 struct isakmp_ivm *ivm; /* IVs */
170
171 vchar_t *sa; /* whole SA payload to send/to be sent*/
172 /* to calculate HASH */
173 /* NOT INCLUDING general header. */
174
175 vchar_t *sa_ret; /* SA payload to reply/to be replyed */
176 /* NOT INCLUDING general header. */
177 /* NOTE: Should be release after use. */
178
179 #ifdef HAVE_GSSAPI
180 void *gssapi_state; /* GSS-API specific state. */
181 /* Allocated when needed */
182 vchar_t *gi_i; /* optional initiator GSS id */
183 vchar_t *gi_r; /* optional responder GSS id */
184 #endif
185
186 struct isakmp_pl_hash *pl_hash; /* pointer to hash payload */
187
188 time_t created; /* timestamp for establish */
189 #ifdef ENABLE_STATS
190 struct timeval start;
191 struct timeval end;
192 #endif
193
194 int dpd_support; /* Does remote supports DPD ? */
195 time_t dpd_lastack; /* Last ack received */
196 u_int16_t dpd_seq; /* DPD seq number to receive */
197 u_int8_t dpd_fails; /* number of failures */
198 struct sched *dpd_r_u;
199
200 u_int32_t msgid2; /* msgid counter for Phase 2 */
201 int ph2cnt; /* the number which is negotiated by this phase 1 */
202 LIST_HEAD(_ph2ofph1_, ph2handle) ph2tree;
203
204 LIST_ENTRY(ph1handle) chain;
205 #ifdef ENABLE_HYBRID
206 struct isakmp_cfg_state *mode_cfg; /* ISAKMP mode config state */
207 #endif
208
209 };
210
211 /* Phase 2 handler */
212 /* allocated per a SA or SA bundles of a pair of peer's IP addresses. */
213 /*
214 * initiator responder
215 * 0 (---) (---)
216 * 1 start start (1st msg received)
217 * 2 acquire msg get 1st valid msg received
218 * 3 getspi request sent getspi request sent
219 * 4 getspi done getspi done
220 * 5 1st msg sent 1st msg sent
221 * 6 1st valid msg received 2nd valid msg received
222 * 7 (commit bit) (commit bit)
223 * 8 SAs added SAs added
224 * 9 SAs established SAs established
225 * 10 SAs expired SAs expired
226 */
227 #define PHASE2ST_SPAWN 0
228 #define PHASE2ST_START 1
229 #define PHASE2ST_STATUS2 2
230 #define PHASE2ST_GETSPISENT 3
231 #define PHASE2ST_GETSPIDONE 4
232 #define PHASE2ST_MSG1SENT 5
233 #define PHASE2ST_STATUS6 6
234 #define PHASE2ST_COMMIT 7
235 #define PHASE2ST_ADDSA 8
236 #define PHASE2ST_ESTABLISHED 9
237 #define PHASE2ST_EXPIRED 10
238 #define PHASE2ST_MAX 11
239
240 struct ph2handle {
241 struct sockaddr *src; /* my address of SA. */
242 struct sockaddr *dst; /* peer's address of SA. */
243
244 /*
245 * copy ip address from ID payloads when ID type is ip address.
246 * In other case, they must be null.
247 */
248 struct sockaddr *src_id;
249 struct sockaddr *dst_id;
250
251 u_int32_t spid; /* policy id by kernel */
252
253 int status; /* ipsec sa status */
254 u_int8_t side; /* INITIATOR or RESPONDER */
255
256 struct sched *sce; /* schedule for expire */
257 struct sched *scr; /* schedule for resend */
258 int retry_counter; /* for resend. */
259 vchar_t *sendbuf; /* buffer for re-sending */
260 vchar_t *msg1; /* buffer for re-sending */
261 /* used for responder's first message */
262
263 int retry_checkph1; /* counter to wait phase 1 finished. */
264 /* NOTE: actually it's timer. */
265
266 u_int32_t seq; /* sequence number used by PF_KEY */
267 /*
268 * NOTE: In responder side, we can't identify each SAs
269 * with same destination address for example, when
270 * socket based SA is required. So we set a identifier
271 * number to "seq", and sent kernel by pfkey.
272 */
273 u_int8_t satype; /* satype in PF_KEY */
274 /*
275 * saved satype in the original PF_KEY request from
276 * the kernel in order to reply a error.
277 */
278
279 u_int8_t flags; /* Flags for phase 2 */
280 u_int32_t msgid; /* msgid for phase 2 */
281
282 struct sainfo *sainfo; /* place holder of sainfo */
283 struct saprop *proposal; /* SA(s) proposal. */
284 struct saprop *approval; /* SA(s) approved. */
285 caddr_t spidx_gen; /* policy from peer's proposal */
286
287 struct dhgroup *pfsgrp; /* DH; prime number */
288 vchar_t *dhpriv; /* DH; private value */
289 vchar_t *dhpub; /* DH; public value */
290 vchar_t *dhpub_p; /* DH; partner's public value */
291 vchar_t *dhgxy; /* DH; shared secret */
292 vchar_t *id; /* ID minus gen header */
293 vchar_t *id_p; /* peer's ID minus general header */
294 vchar_t *nonce; /* nonce value in phase 2 */
295 vchar_t *nonce_p; /* partner's nonce value in phase 2 */
296
297 vchar_t *sa; /* whole SA payload to send/to be sent*/
298 /* to calculate HASH */
299 /* NOT INCLUDING general header. */
300
301 vchar_t *sa_ret; /* SA payload to reply/to be replyed */
302 /* NOT INCLUDING general header. */
303 /* NOTE: Should be release after use. */
304
305 struct isakmp_ivm *ivm; /* IVs */
306
307 int generated_spidx; /* mark handlers whith generated policy */
308
309 #ifdef ENABLE_STATS
310 struct timeval start;
311 struct timeval end;
312 #endif
313 struct ph1handle *ph1; /* back pointer to isakmp status */
314
315 LIST_ENTRY(ph2handle) chain;
316 LIST_ENTRY(ph2handle) ph1bind; /* chain to ph1handle */
317 };
318
319 /*
320 * for handling initial contact.
321 */
322 struct contacted {
323 struct sockaddr *remote; /* remote address to negotiate ph1 */
324 LIST_ENTRY(contacted) chain;
325 };
326
327 /*
328 * for checking if a packet is retransmited.
329 */
330 struct recvdpkt {
331 struct sockaddr *remote; /* the remote address */
332 struct sockaddr *local; /* the local address */
333 vchar_t *hash; /* hash of the received packet */
334 vchar_t *sendbuf; /* buffer for the response */
335 int retry_counter; /* how many times to send */
336 time_t time_send; /* timestamp to send a packet */
337 time_t created; /* timestamp to create a queue */
338
339 struct sched *scr; /* schedule for resend, may not used */
340
341 LIST_ENTRY(recvdpkt) chain;
342 };
343
344 /* for parsing ISAKMP header. */
345 struct isakmp_parse_t {
346 u_char type; /* payload type of mine */
347 int len; /* ntohs(ptr->len) */
348 struct isakmp_gen *ptr;
349 };
350
351 /*
352 * for IV management.
353 *
354 * - normal case
355 * initiator responder
356 * ------------------------- --------------------------
357 * initialize iv(A), ive(A). initialize iv(A), ive(A).
358 * encode by ive(A).
359 * save to iv(B). ---[packet(B)]--> save to ive(B).
360 * decode by iv(A).
361 * packet consistency.
362 * sync iv(B) with ive(B).
363 * check auth, integrity.
364 * encode by ive(B).
365 * save to ive(C). <--[packet(C)]--- save to iv(C).
366 * decoded by iv(B).
367 * :
368 *
369 * - In the case that a error is found while cipher processing,
370 * initiator responder
371 * ------------------------- --------------------------
372 * initialize iv(A), ive(A). initialize iv(A), ive(A).
373 * encode by ive(A).
374 * save to iv(B). ---[packet(B)]--> save to ive(B).
375 * decode by iv(A).
376 * packet consistency.
377 * sync iv(B) with ive(B).
378 * check auth, integrity.
379 * error found.
380 * create notify.
381 * get ive2(X) from iv(B).
382 * encode by ive2(X).
383 * get iv2(X) from iv(B). <--[packet(Y)]--- save to iv2(Y).
384 * save to ive2(Y).
385 * decoded by iv2(X).
386 * :
387 *
388 * The reason why the responder synchronizes iv with ive after checking the
389 * packet consistency is that it is required to leave the IV for decoding
390 * packet. Because there is a potential of error while checking the packet
391 * consistency. Also the reason why that is before authentication and
392 * integirty check is that the IV for informational exchange has to be made
393 * by the IV which is after packet decoded and checking the packet consistency.
394 * Otherwise IV mismatched happens between the intitiator and the responder.
395 */
396 struct isakmp_ivm {
397 vchar_t *iv; /* for decoding packet */
398 /* if phase 1, it's for computing phase2 iv */
399 vchar_t *ive; /* for encoding packet */
400 };
401
402 /* for dumping */
403 struct ph1dump {
404 isakmp_index index;
405 int status;
406 int side;
407 struct sockaddr_storage remote;
408 struct sockaddr_storage local;
409 u_int8_t version;
410 u_int8_t etype;
411 time_t created;
412 int ph2cnt;
413 };
414
415 struct sockaddr;
416 struct ph1handle;
417 struct ph2handle;
418 struct policyindex;
419
420 extern struct ph1handle *getph1byindex __P((isakmp_index *));
421 extern struct ph1handle *getph1byindex0 __P((isakmp_index *));
422 extern struct ph1handle *getph1byaddr __P((struct sockaddr *,
423 struct sockaddr *));
424 extern struct ph1handle *getph1byaddrwop __P((struct sockaddr *,
425 struct sockaddr *));
426 extern struct ph1handle *getph1bydstaddrwop __P((struct sockaddr *));
427 extern vchar_t *dumpph1 __P((void));
428 extern struct ph1handle *newph1 __P((void));
429 extern void delph1 __P((struct ph1handle *));
430 extern int insph1 __P((struct ph1handle *));
431 extern void remph1 __P((struct ph1handle *));
432 extern void flushph1 __P((void));
433 extern void initph1tree __P((void));
434
435 extern struct ph2handle *getph2byspidx __P((struct policyindex *));
436 extern struct ph2handle *getph2byspid __P((u_int32_t));
437 extern struct ph2handle *getph2byseq __P((u_int32_t));
438 extern struct ph2handle *getph2bysaddr __P((struct sockaddr *,
439 struct sockaddr *));
440 extern struct ph2handle *getph2bymsgid __P((struct ph1handle *, u_int32_t));
441 extern struct ph2handle *getph2byid __P((struct sockaddr *,
442 struct sockaddr *, u_int32_t));
443 extern struct ph2handle *getph2bysaidx __P((struct sockaddr *,
444 struct sockaddr *, u_int, u_int32_t));
445 extern struct ph2handle *newph2 __P((void));
446 extern void initph2 __P((struct ph2handle *));
447 extern void delph2 __P((struct ph2handle *));
448 extern int insph2 __P((struct ph2handle *));
449 extern void remph2 __P((struct ph2handle *));
450 extern void flushph2 __P((void));
451 extern void deleteallph2 __P((struct sockaddr *, struct sockaddr *, u_int));
452 extern void initph2tree __P((void));
453
454 extern void bindph12 __P((struct ph1handle *, struct ph2handle *));
455 extern void unbindph12 __P((struct ph2handle *));
456
457 extern struct contacted *getcontacted __P((struct sockaddr *));
458 extern int inscontacted __P((struct sockaddr *));
459 extern void clear_contacted __P((void));
460 extern void initctdtree __P((void));
461
462 extern int check_recvdpkt __P((struct sockaddr *,
463 struct sockaddr *, vchar_t *));
464 extern int add_recvdpkt __P((struct sockaddr *, struct sockaddr *,
465 vchar_t *, vchar_t *));
466 extern void clear_recvdpkt __P((void));
467 extern void init_recvdpkt __P((void));
468
469 #ifdef ENABLE_HYBRID
470 extern int exclude_cfg_addr __P((const struct sockaddr *));
471 #endif
472
473 #endif /* _HANDLER_H */
mirror of ipsec