]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/handler.h
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-146.3.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / handler.h
1 /* $NetBSD: handler.h,v 1.9 2006/09/09 16:22:09 manu Exp $ */
2
3 /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #ifndef _HANDLER_H
35 #define _HANDLER_H
36
37 #include "config.h"
38
39 #include <sys/queue.h>
40 #ifdef HAVE_OPENSSL
41 #include <openssl/rsa.h>
42 #endif
43
44 #include <sys/time.h>
45
46 #include "isakmp_var.h"
47 #include "oakley.h"
48 #ifndef HAVE_OPENSSL
49 #include <Security/SecDH.h>
50 #endif
51
52 typedef struct ike_session ike_session_t;
53
54 /* Phase 1 handler */
55 /*
56 * main mode:
57 * initiator responder
58 * 0 (---) (---)
59 * 1 start start (1st msg received)
60 * 2 (---) 1st valid msg received
61 * 3 1st msg sent 1st msg sent
62 * 4 1st valid msg received 2st valid msg received
63 * 5 2nd msg sent 2nd msg sent
64 * 6 2nd valid msg received 3rd valid msg received
65 * 7 3rd msg sent 3rd msg sent
66 * 8 3rd valid msg received (---)
67 * 9 SA established SA established
68 *
69 * aggressive mode:
70 * initiator responder
71 * 0 (---) (---)
72 * 1 start start (1st msg received)
73 * 2 (---) 1st valid msg received
74 * 3 1st msg sent 1st msg sent
75 * 4 1st valid msg received 2st valid msg received
76 * 5 (---) (---)
77 * 6 (---) (---)
78 * 7 (---) (---)
79 * 8 (---) (---)
80 * 9 SA established SA established
81 *
82 * base mode:
83 * initiator responder
84 * 0 (---) (---)
85 * 1 start start (1st msg received)
86 * 2 (---) 1st valid msg received
87 * 3 1st msg sent 1st msg sent
88 * 4 1st valid msg received 2st valid msg received
89 * 5 2nd msg sent (---)
90 * 6 (---) (---)
91 * 7 (---) (---)
92 * 8 (---) (---)
93 * 9 SA established SA established
94 */
95 #define PHASE1ST_SPAWN 0
96 #define PHASE1ST_START 1
97 #define PHASE1ST_MSG1RECEIVED 2
98 #define PHASE1ST_MSG1SENT 3
99 #define PHASE1ST_MSG2RECEIVED 4
100 #define PHASE1ST_MSG2SENT 5
101 #define PHASE1ST_MSG3RECEIVED 6
102 #define PHASE1ST_MSG3SENT 7
103 #define PHASE1ST_MSG4RECEIVED 8
104 #define PHASE1ST_ESTABLISHED 9
105 #define PHASE1ST_EXPIRED 10
106 #define PHASE1ST_MAX 11
107
108 /* About address semantics in each case.
109 * initiator(addr=I) responder(addr=R)
110 * src dst src dst
111 * (local) (remote) (local) (remote)
112 * phase 1 handler I R R I
113 * phase 2 handler I R R I
114 * getspi msg R I I R
115 * acquire msg I R
116 * ID payload I R I R
117 */
118 #ifdef ENABLE_HYBRID
119 struct isakmp_cfg_state;
120 #endif
121 struct ph1handle {
122 isakmp_index index;
123
124 int status; /* status of this SA */
125 int side; /* INITIATOR or RESPONDER */
126 int started_by_api; /* connection started by VPNControl API */
127
128 struct sockaddr *remote; /* remote address to negosiate ph1 */
129 struct sockaddr *local; /* local address to negosiate ph1 */
130 /* XXX copy from rmconf due to anonymous configuration.
131 * If anonymous will be forbidden, we do delete them. */
132
133 struct remoteconf *rmconf; /* pointer to remote configuration */
134
135 struct isakmpsa *approval; /* pointer to SA(s) approved. */
136 vchar_t *authstr; /* place holder of string for auth. */
137 /* for example pre-shared key */
138
139 u_int8_t version; /* ISAKMP version */
140 u_int8_t etype; /* Exchange type actually for use */
141 u_int8_t flags; /* Flags */
142 u_int32_t msgid; /* message id */
143
144 #ifdef ENABLE_NATT
145 struct ph1natt_options *natt_options; /* Selected NAT-T IKE version */
146 u_int32_t natt_flags; /* NAT-T related flags */
147 #endif
148 #ifdef ENABLE_FRAG
149 int frag; /* IKE phase 1 fragmentation */
150 struct isakmp_frag_item *frag_chain; /* Received fragments */
151 #endif
152
153 struct sched *sce; /* schedule for expire */
154 struct sched *sce_rekey; /* schedule for rekey */
155
156 struct sched *scr; /* schedule for resend */
157 int retry_counter; /* for resend. */
158 vchar_t *sendbuf; /* buffer for re-sending */
159
160 #ifndef HAVE_OPENSSL
161 SecDHContext dhC; /* Context for Security Framework Diffie-Hellman calculations */
162 size_t publicKeySize;
163 #endif
164 vchar_t *dhpriv; /* DH; private value */
165 vchar_t *dhpub; /* DH; public value */
166 vchar_t *dhpub_p; /* DH; partner's public value */
167 vchar_t *dhgxy; /* DH; shared secret */
168 vchar_t *nonce; /* nonce value */
169 vchar_t *nonce_p; /* partner's nonce value */
170 vchar_t *skeyid; /* SKEYID */
171 vchar_t *skeyid_d; /* SKEYID_d */
172 vchar_t *skeyid_a; /* SKEYID_a, i.e. hash */
173 vchar_t *skeyid_e; /* SKEYID_e, i.e. encryption */
174 vchar_t *key; /* cipher key */
175 vchar_t *hash; /* HASH minus general header */
176 vchar_t *sig; /* SIG minus general header */
177 vchar_t *sig_p; /* peer's SIG minus general header */
178 cert_t *cert; /* CERT minus general header */
179 cert_t *cert_p; /* peer's CERT minus general header */
180 cert_t *crl_p; /* peer's CRL minus general header */
181 cert_t *cr_p; /* peer's CR not including general */
182 #ifdef HAVE_OPENSSL
183 RSA *rsa; /* my RSA key */
184 RSA *rsa_p; /* peer's RSA key */
185 struct genlist *rsa_candidates; /* possible candidates for peer's RSA key */
186 #endif
187 vchar_t *id; /* ID minus gen header */
188 vchar_t *id_p; /* partner's ID minus general header */
189 /* i.e. struct ipsecdoi_id_b*. */
190 struct isakmp_ivm *ivm; /* IVs */
191
192 vchar_t *sa; /* whole SA payload to send/to be sent*/
193 /* to calculate HASH */
194 /* NOT INCLUDING general header. */
195
196 vchar_t *sa_ret; /* SA payload to reply/to be replyed */
197 /* NOT INCLUDING general header. */
198 /* NOTE: Should be release after use. */
199
200 #ifdef HAVE_GSSAPI
201 void *gssapi_state; /* GSS-API specific state. */
202 /* Allocated when needed */
203 vchar_t *gi_i; /* optional initiator GSS id */
204 vchar_t *gi_r; /* optional responder GSS id */
205 #endif
206
207 struct isakmp_pl_hash *pl_hash; /* pointer to hash payload */
208
209 time_t created; /* timestamp for establish */
210 #ifdef ENABLE_STATS
211 struct timeval start;
212 struct timeval end;
213 #endif
214
215 #ifdef ENABLE_DPD
216 int dpd_support; /* Does remote supports DPD ? */
217 time_t dpd_lastack; /* Last ack received */
218 u_int16_t dpd_seq; /* DPD seq number to receive */
219 u_int8_t dpd_fails; /* number of failures */
220 u_int8_t peer_sent_ike;
221 struct sched *dpd_r_u;
222 #endif
223
224 #ifdef ENABLE_VPNCONTROL_PORT
225 struct sched *ping_sched; /* for sending pings to keep FW open */
226 #endif
227
228 u_int32_t msgid2; /* msgid counter for Phase 2 */
229 int ph2cnt; /* the number which is negotiated by this phase 1 */
230 LIST_HEAD(_ph2ofph1_, ph2handle) ph2tree;
231
232 LIST_ENTRY(ph1handle) chain;
233 #ifdef ENABLE_HYBRID
234 struct isakmp_cfg_state *mode_cfg; /* ISAKMP mode config state */
235 u_int8_t pended_xauth_id; /* saved id for reply from vpn control socket */
236 u_int8_t xauth_awaiting_userinput; /* indicates we are waiting for user input */
237 vchar_t *xauth_awaiting_userinput_msg; /* tracks the last packet that triggered XAUTH */
238 #endif
239 int is_rekey:1;
240 int is_dying:1;
241 ike_session_t *parent_session;
242 LIST_ENTRY(ph1handle) ph1ofsession_chain;
243 };
244
245 /* Phase 2 handler */
246 /* allocated per a SA or SA bundles of a pair of peer's IP addresses. */
247 /*
248 * initiator responder
249 * 0 (---) (---)
250 * 1 start start (1st msg received)
251 * 2 acquire msg get 1st valid msg received
252 * 3 getspi request sent getspi request sent
253 * 4 getspi done getspi done
254 * 5 1st msg sent 1st msg sent
255 * 6 1st valid msg received 2nd valid msg received
256 * 7 (commit bit) (commit bit)
257 * 8 SAs added SAs added
258 * 9 SAs established SAs established
259 * 10 SAs expired SAs expired
260 */
261 #define PHASE2ST_SPAWN 0
262 #define PHASE2ST_START 1
263 #define PHASE2ST_STATUS2 2
264 #define PHASE2ST_GETSPISENT 3
265 #define PHASE2ST_GETSPIDONE 4
266 #define PHASE2ST_MSG1SENT 5
267 #define PHASE2ST_STATUS6 6
268 #define PHASE2ST_COMMIT 7
269 #define PHASE2ST_ADDSA 8
270 #define PHASE2ST_ESTABLISHED 9
271 #define PHASE2ST_EXPIRED 10
272 #define PHASE2ST_MAX 11
273
274 struct ph2handle {
275 struct sockaddr *src; /* my address of SA. */
276 struct sockaddr *dst; /* peer's address of SA. */
277
278 /*
279 * copy ip address from ID payloads when ID type is ip address.
280 * In other case, they must be null.
281 */
282 struct sockaddr *src_id;
283 struct sockaddr *dst_id;
284
285 u_int32_t spid; /* policy id by kernel */
286
287 int status; /* ipsec sa status */
288 u_int8_t side; /* INITIATOR or RESPONDER */
289
290 struct sched *sce; /* schedule for expire */
291 struct sched *scr; /* schedule for resend */
292 int retry_counter; /* for resend. */
293 vchar_t *sendbuf; /* buffer for re-sending */
294 vchar_t *msg1; /* buffer for re-sending */
295 /* used for responder's first message */
296
297 int retry_checkph1; /* counter to wait phase 1 finished. */
298 /* NOTE: actually it's timer. */
299
300 u_int32_t seq; /* sequence number used by PF_KEY */
301 /*
302 * NOTE: In responder side, we can't identify each SAs
303 * with same destination address for example, when
304 * socket based SA is required. So we set a identifier
305 * number to "seq", and sent kernel by pfkey.
306 */
307 u_int8_t satype; /* satype in PF_KEY */
308 /*
309 * saved satype in the original PF_KEY request from
310 * the kernel in order to reply a error.
311 */
312
313 u_int8_t flags; /* Flags for phase 2 */
314 u_int32_t msgid; /* msgid for phase 2 */
315
316 struct sainfo *sainfo; /* place holder of sainfo */
317 struct saprop *proposal; /* SA(s) proposal. */
318 struct saprop *approval; /* SA(s) approved. */
319 caddr_t spidx_gen; /* policy from peer's proposal */
320
321 #ifndef HAVE_OPENSSL
322 SecDHContext dhC; /* Context for Security Framework Diffie-Hellman calculations */
323 size_t publicKeySize;
324 #endif
325 struct dhgroup *pfsgrp; /* DH; prime number */
326 vchar_t *dhpriv; /* DH; private value */
327 vchar_t *dhpub; /* DH; public value */
328 vchar_t *dhpub_p; /* DH; partner's public value */
329 vchar_t *dhgxy; /* DH; shared secret */
330 vchar_t *id; /* ID minus gen header */
331 vchar_t *id_p; /* peer's ID minus general header */
332 vchar_t *nonce; /* nonce value in phase 2 */
333 vchar_t *nonce_p; /* partner's nonce value in phase 2 */
334
335 vchar_t *sa; /* whole SA payload to send/to be sent*/
336 /* to calculate HASH */
337 /* NOT INCLUDING general header. */
338
339 vchar_t *sa_ret; /* SA payload to reply/to be replyed */
340 /* NOT INCLUDING general header. */
341 /* NOTE: Should be release after use. */
342
343 struct isakmp_ivm *ivm; /* IVs */
344
345 int generated_spidx; /* mark handlers whith generated policy */
346
347 #ifdef ENABLE_STATS
348 struct timeval start;
349 struct timeval end;
350 #endif
351 struct ph1handle *ph1; /* back pointer to isakmp status */
352 int is_rekey:1;
353 int is_dying:1;
354 ike_session_t *parent_session;
355 LIST_ENTRY(ph2handle) ph2ofsession_chain;
356 vchar_t *ext_nat_id;
357 vchar_t *ext_nat_id_p;
358
359 LIST_ENTRY(ph2handle) chain;
360 LIST_ENTRY(ph2handle) ph1bind; /* chain to ph1handle */
361 };
362
363 /*
364 * for handling initial contact.
365 */
366 struct contacted {
367 struct sockaddr *remote; /* remote address to negotiate ph1 */
368 LIST_ENTRY(contacted) chain;
369 };
370
371 /*
372 * for checking if a packet is retransmited.
373 */
374 struct recvdpkt {
375 struct sockaddr *remote; /* the remote address */
376 struct sockaddr *local; /* the local address */
377 vchar_t *hash; /* hash of the received packet */
378 vchar_t *sendbuf; /* buffer for the response */
379 int retry_counter; /* how many times to send */
380 time_t time_send; /* timestamp to send a packet */
381 time_t created; /* timestamp to create a queue */
382 time_t retry_interval;
383 #ifdef ENABLE_FRAG
384 u_int32_t frag_flags; /* IKE phase 1 fragmentation */
385 #endif
386
387 struct sched *scr; /* schedule for resend, may not used */
388
389 LIST_ENTRY(recvdpkt) chain;
390 };
391
392 /* for parsing ISAKMP header. */
393 struct isakmp_parse_t {
394 u_char type; /* payload type of mine */
395 int len; /* ntohs(ptr->len) */
396 struct isakmp_gen *ptr;
397 };
398
399 /*
400 * for IV management.
401 *
402 * - normal case
403 * initiator responder
404 * ------------------------- --------------------------
405 * initialize iv(A), ive(A). initialize iv(A), ive(A).
406 * encode by ive(A).
407 * save to iv(B). ---[packet(B)]--> save to ive(B).
408 * decode by iv(A).
409 * packet consistency.
410 * sync iv(B) with ive(B).
411 * check auth, integrity.
412 * encode by ive(B).
413 * save to ive(C). <--[packet(C)]--- save to iv(C).
414 * decoded by iv(B).
415 * :
416 *
417 * - In the case that a error is found while cipher processing,
418 * initiator responder
419 * ------------------------- --------------------------
420 * initialize iv(A), ive(A). initialize iv(A), ive(A).
421 * encode by ive(A).
422 * save to iv(B). ---[packet(B)]--> save to ive(B).
423 * decode by iv(A).
424 * packet consistency.
425 * sync iv(B) with ive(B).
426 * check auth, integrity.
427 * error found.
428 * create notify.
429 * get ive2(X) from iv(B).
430 * encode by ive2(X).
431 * get iv2(X) from iv(B). <--[packet(Y)]--- save to iv2(Y).
432 * save to ive2(Y).
433 * decoded by iv2(X).
434 * :
435 *
436 * The reason why the responder synchronizes iv with ive after checking the
437 * packet consistency is that it is required to leave the IV for decoding
438 * packet. Because there is a potential of error while checking the packet
439 * consistency. Also the reason why that is before authentication and
440 * integirty check is that the IV for informational exchange has to be made
441 * by the IV which is after packet decoded and checking the packet consistency.
442 * Otherwise IV mismatched happens between the intitiator and the responder.
443 */
444 struct isakmp_ivm {
445 vchar_t *iv; /* for decoding packet */
446 /* if phase 1, it's for computing phase2 iv */
447 vchar_t *ive; /* for encoding packet */
448 };
449
450 /* for dumping */
451 struct ph1dump {
452 isakmp_index index;
453 int status;
454 int side;
455 struct sockaddr_storage remote;
456 struct sockaddr_storage local;
457 u_int8_t version;
458 u_int8_t etype;
459 time_t created;
460 int ph2cnt;
461 };
462
463 struct sockaddr;
464 struct ph1handle;
465 struct ph2handle;
466 struct policyindex;
467
468 extern struct ph1handle *getph1byindex __P((isakmp_index *));
469 extern struct ph1handle *getph1byindex0 __P((isakmp_index *));
470 extern struct ph1handle *getph1byaddr __P((struct sockaddr *,
471 struct sockaddr *));
472 extern struct ph1handle *getph1byaddrwop __P((struct sockaddr *,
473 struct sockaddr *));
474 extern struct ph1handle *getph1bydstaddrwop __P((struct sockaddr *));
475 extern int islast_ph1 __P((struct ph1handle *));
476 struct ph1handle *ph1;
477 #ifdef ENABLE_HYBRID
478 struct ph1handle *getph1bylogin __P((char *));
479 int purgeph1bylogin __P((char *));
480 #endif
481 extern int purgephXbydstaddrwop __P((struct sockaddr *));
482 extern void purgephXbyspid __P((u_int32_t, int));
483
484 extern vchar_t *dumpph1 __P((void));
485 extern struct ph1handle *newph1 __P((void));
486 extern void delph1 __P((struct ph1handle *));
487 extern int insph1 __P((struct ph1handle *));
488 extern void remph1 __P((struct ph1handle *));
489 extern void flushph1 __P((int));
490 extern void initph1tree __P((void));
491
492 extern struct ph2handle *getph2byspidx __P((struct policyindex *));
493 extern struct ph2handle *getph2byspid __P((u_int32_t));
494 extern struct ph2handle *getph2byseq __P((u_int32_t));
495 extern struct ph2handle *getph2bysaddr __P((struct sockaddr *,
496 struct sockaddr *));
497 extern struct ph2handle *getph2bymsgid __P((struct ph1handle *, u_int32_t));
498 extern struct ph2handle *getph2byid __P((struct sockaddr *,
499 struct sockaddr *, u_int32_t));
500 extern struct ph2handle *getph2bysaidx __P((struct sockaddr *,
501 struct sockaddr *, u_int, u_int32_t));
502 extern struct ph2handle *newph2 __P((void));
503 extern void initph2 __P((struct ph2handle *));
504 extern void delph2 __P((struct ph2handle *));
505 extern int insph2 __P((struct ph2handle *));
506 extern void remph2 __P((struct ph2handle *));
507 extern void flushph2 __P((int));
508 extern void deleteallph2 __P((struct sockaddr *, struct sockaddr *, u_int));
509 extern void deleteallph1 __P((struct sockaddr *, struct sockaddr *));
510 extern void initph2tree __P((void));
511
512 extern void bindph12 __P((struct ph1handle *, struct ph2handle *));
513 extern void unbindph12 __P((struct ph2handle *));
514 extern void rebindph12 __P((struct ph1handle *, struct ph2handle *));
515
516 extern struct contacted *getcontacted __P((struct sockaddr *));
517 extern int inscontacted __P((struct sockaddr *));
518 extern void clear_contacted __P((void));
519 extern void initctdtree __P((void));
520
521 extern time_t get_exp_retx_interval __P((int num_retries, int fixed_retry_interval));
522
523 extern int check_recvdpkt __P((struct sockaddr *,
524 struct sockaddr *, vchar_t *));
525 extern int add_recvdpkt __P((struct sockaddr *, struct sockaddr *,
526 vchar_t *, vchar_t *, size_t, u_int32_t));
527 extern void clear_recvdpkt __P((void));
528 extern void init_recvdpkt __P((void));
529
530 #ifdef ENABLE_HYBRID
531 extern int exclude_cfg_addr __P((const struct sockaddr *));
532 #endif
533
534 #ifdef ENABLE_DPD
535 extern int ph1_force_dpd __P((struct sockaddr *));
536 #endif
537 extern void sweep_sleepwake __P((void));
538
539 #endif /* _HANDLER_H */
mirror of ipsec