]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/handler.h
projects / apple / ipsec.git / blob
? search:


9dcfdbd341c4b818772e74dd778ea31071f24db6
[apple/ipsec.git] / ipsec-tools / racoon / handler.h
1 /* $NetBSD: handler.h,v 1.9 2006/09/09 16:22:09 manu Exp $ */
2
3 /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #ifndef _HANDLER_H
35 #define _HANDLER_H
36
37 #include <sys/queue.h>
38 #include <openssl/rsa.h>
39
40 #include <sys/time.h>
41
42 #include "isakmp_var.h"
43 #include "oakley.h"
44
45 typedef struct ike_session ike_session_t;
46
47 /* Phase 1 handler */
48 /*
49 * main mode:
50 * initiator responder
51 * 0 (---) (---)
52 * 1 start start (1st msg received)
53 * 2 (---) 1st valid msg received
54 * 3 1st msg sent 1st msg sent
55 * 4 1st valid msg received 2st valid msg received
56 * 5 2nd msg sent 2nd msg sent
57 * 6 2nd valid msg received 3rd valid msg received
58 * 7 3rd msg sent 3rd msg sent
59 * 8 3rd valid msg received (---)
60 * 9 SA established SA established
61 *
62 * aggressive mode:
63 * initiator responder
64 * 0 (---) (---)
65 * 1 start start (1st msg received)
66 * 2 (---) 1st valid msg received
67 * 3 1st msg sent 1st msg sent
68 * 4 1st valid msg received 2st valid msg received
69 * 5 (---) (---)
70 * 6 (---) (---)
71 * 7 (---) (---)
72 * 8 (---) (---)
73 * 9 SA established SA established
74 *
75 * base mode:
76 * initiator responder
77 * 0 (---) (---)
78 * 1 start start (1st msg received)
79 * 2 (---) 1st valid msg received
80 * 3 1st msg sent 1st msg sent
81 * 4 1st valid msg received 2st valid msg received
82 * 5 2nd msg sent (---)
83 * 6 (---) (---)
84 * 7 (---) (---)
85 * 8 (---) (---)
86 * 9 SA established SA established
87 */
88 #define PHASE1ST_SPAWN 0
89 #define PHASE1ST_START 1
90 #define PHASE1ST_MSG1RECEIVED 2
91 #define PHASE1ST_MSG1SENT 3
92 #define PHASE1ST_MSG2RECEIVED 4
93 #define PHASE1ST_MSG2SENT 5
94 #define PHASE1ST_MSG3RECEIVED 6
95 #define PHASE1ST_MSG3SENT 7
96 #define PHASE1ST_MSG4RECEIVED 8
97 #define PHASE1ST_ESTABLISHED 9
98 #define PHASE1ST_EXPIRED 10
99 #define PHASE1ST_MAX 11
100
101 /* About address semantics in each case.
102 * initiator(addr=I) responder(addr=R)
103 * src dst src dst
104 * (local) (remote) (local) (remote)
105 * phase 1 handler I R R I
106 * phase 2 handler I R R I
107 * getspi msg R I I R
108 * acquire msg I R
109 * ID payload I R I R
110 */
111 #ifdef ENABLE_HYBRID
112 struct isakmp_cfg_state;
113 #endif
114 struct ph1handle {
115 isakmp_index index;
116
117 int status; /* status of this SA */
118 int side; /* INITIATOR or RESPONDER */
119 int started_by_api; /* connection started by VPNControl API */
120
121 struct sockaddr *remote; /* remote address to negosiate ph1 */
122 struct sockaddr *local; /* local address to negosiate ph1 */
123 /* XXX copy from rmconf due to anonymous configuration.
124 * If anonymous will be forbidden, we do delete them. */
125
126 struct remoteconf *rmconf; /* pointer to remote configuration */
127
128 struct isakmpsa *approval; /* pointer to SA(s) approved. */
129 vchar_t *authstr; /* place holder of string for auth. */
130 /* for example pre-shared key */
131
132 u_int8_t version; /* ISAKMP version */
133 u_int8_t etype; /* Exchange type actually for use */
134 u_int8_t flags; /* Flags */
135 u_int32_t msgid; /* message id */
136
137 #ifdef ENABLE_NATT
138 struct ph1natt_options *natt_options; /* Selected NAT-T IKE version */
139 u_int32_t natt_flags; /* NAT-T related flags */
140 #endif
141 #ifdef ENABLE_FRAG
142 int frag; /* IKE phase 1 fragmentation */
143 struct isakmp_frag_item *frag_chain; /* Received fragments */
144 #endif
145
146 struct sched *sce; /* schedule for expire */
147 struct sched *sce_rekey; /* schedule for rekey */
148
149 struct sched *scr; /* schedule for resend */
150 int retry_counter; /* for resend. */
151 vchar_t *sendbuf; /* buffer for re-sending */
152
153 vchar_t *dhpriv; /* DH; private value */
154 vchar_t *dhpub; /* DH; public value */
155 vchar_t *dhpub_p; /* DH; partner's public value */
156 vchar_t *dhgxy; /* DH; shared secret */
157 vchar_t *nonce; /* nonce value */
158 vchar_t *nonce_p; /* partner's nonce value */
159 vchar_t *skeyid; /* SKEYID */
160 vchar_t *skeyid_d; /* SKEYID_d */
161 vchar_t *skeyid_a; /* SKEYID_a, i.e. hash */
162 vchar_t *skeyid_e; /* SKEYID_e, i.e. encryption */
163 vchar_t *key; /* cipher key */
164 vchar_t *hash; /* HASH minus general header */
165 vchar_t *sig; /* SIG minus general header */
166 vchar_t *sig_p; /* peer's SIG minus general header */
167 cert_t *cert; /* CERT minus general header */
168 cert_t *cert_p; /* peer's CERT minus general header */
169 cert_t *crl_p; /* peer's CRL minus general header */
170 cert_t *cr_p; /* peer's CR not including general */
171 RSA *rsa; /* my RSA key */
172 RSA *rsa_p; /* peer's RSA key */
173 struct genlist *rsa_candidates; /* possible candidates for peer's RSA key */
174 vchar_t *id; /* ID minus gen header */
175 vchar_t *id_p; /* partner's ID minus general header */
176 /* i.e. struct ipsecdoi_id_b*. */
177 struct isakmp_ivm *ivm; /* IVs */
178
179 vchar_t *sa; /* whole SA payload to send/to be sent*/
180 /* to calculate HASH */
181 /* NOT INCLUDING general header. */
182
183 vchar_t *sa_ret; /* SA payload to reply/to be replyed */
184 /* NOT INCLUDING general header. */
185 /* NOTE: Should be release after use. */
186
187 #ifdef HAVE_GSSAPI
188 void *gssapi_state; /* GSS-API specific state. */
189 /* Allocated when needed */
190 vchar_t *gi_i; /* optional initiator GSS id */
191 vchar_t *gi_r; /* optional responder GSS id */
192 #endif
193
194 struct isakmp_pl_hash *pl_hash; /* pointer to hash payload */
195
196 time_t created; /* timestamp for establish */
197 #ifdef ENABLE_STATS
198 struct timeval start;
199 struct timeval end;
200 #endif
201
202 #ifdef ENABLE_DPD
203 int dpd_support; /* Does remote supports DPD ? */
204 time_t dpd_lastack; /* Last ack received */
205 u_int16_t dpd_seq; /* DPD seq number to receive */
206 u_int8_t dpd_fails; /* number of failures */
207 u_int8_t peer_sent_ike;
208 struct sched *dpd_r_u;
209 #endif
210
211 #ifdef ENABLE_VPNCONTROL_PORT
212 struct sched *ping_sched; /* for sending pings to keep FW open */
213 #endif
214
215 u_int32_t msgid2; /* msgid counter for Phase 2 */
216 int ph2cnt; /* the number which is negotiated by this phase 1 */
217 LIST_HEAD(_ph2ofph1_, ph2handle) ph2tree;
218
219 LIST_ENTRY(ph1handle) chain;
220 #ifdef ENABLE_HYBRID
221 struct isakmp_cfg_state *mode_cfg; /* ISAKMP mode config state */
222 u_int8_t pended_xauth_id; /* saved id for reply from vpn control socket */
223 u_int8_t xauth_awaiting_userinput; /* indicates we are waiting for user input */
224 vchar_t *xauth_awaiting_userinput_msg; /* tracks the last packet that triggered XAUTH */
225 #endif
226 #ifdef __APPLE__
227 int is_rekey:1;
228 int is_dying:1;
229 ike_session_t *parent_session;
230 LIST_ENTRY(ph1handle) ph1ofsession_chain;
231 #endif
232 };
233
234 /* Phase 2 handler */
235 /* allocated per a SA or SA bundles of a pair of peer's IP addresses. */
236 /*
237 * initiator responder
238 * 0 (---) (---)
239 * 1 start start (1st msg received)
240 * 2 acquire msg get 1st valid msg received
241 * 3 getspi request sent getspi request sent
242 * 4 getspi done getspi done
243 * 5 1st msg sent 1st msg sent
244 * 6 1st valid msg received 2nd valid msg received
245 * 7 (commit bit) (commit bit)
246 * 8 SAs added SAs added
247 * 9 SAs established SAs established
248 * 10 SAs expired SAs expired
249 */
250 #define PHASE2ST_SPAWN 0
251 #define PHASE2ST_START 1
252 #define PHASE2ST_STATUS2 2
253 #define PHASE2ST_GETSPISENT 3
254 #define PHASE2ST_GETSPIDONE 4
255 #define PHASE2ST_MSG1SENT 5
256 #define PHASE2ST_STATUS6 6
257 #define PHASE2ST_COMMIT 7
258 #define PHASE2ST_ADDSA 8
259 #define PHASE2ST_ESTABLISHED 9
260 #define PHASE2ST_EXPIRED 10
261 #define PHASE2ST_MAX 11
262
263 struct ph2handle {
264 struct sockaddr *src; /* my address of SA. */
265 struct sockaddr *dst; /* peer's address of SA. */
266
267 /*
268 * copy ip address from ID payloads when ID type is ip address.
269 * In other case, they must be null.
270 */
271 struct sockaddr *src_id;
272 struct sockaddr *dst_id;
273
274 u_int32_t spid; /* policy id by kernel */
275
276 int status; /* ipsec sa status */
277 u_int8_t side; /* INITIATOR or RESPONDER */
278
279 struct sched *sce; /* schedule for expire */
280 struct sched *scr; /* schedule for resend */
281 int retry_counter; /* for resend. */
282 vchar_t *sendbuf; /* buffer for re-sending */
283 vchar_t *msg1; /* buffer for re-sending */
284 /* used for responder's first message */
285
286 int retry_checkph1; /* counter to wait phase 1 finished. */
287 /* NOTE: actually it's timer. */
288
289 u_int32_t seq; /* sequence number used by PF_KEY */
290 /*
291 * NOTE: In responder side, we can't identify each SAs
292 * with same destination address for example, when
293 * socket based SA is required. So we set a identifier
294 * number to "seq", and sent kernel by pfkey.
295 */
296 u_int8_t satype; /* satype in PF_KEY */
297 /*
298 * saved satype in the original PF_KEY request from
299 * the kernel in order to reply a error.
300 */
301
302 u_int8_t flags; /* Flags for phase 2 */
303 u_int32_t msgid; /* msgid for phase 2 */
304
305 struct sainfo *sainfo; /* place holder of sainfo */
306 struct saprop *proposal; /* SA(s) proposal. */
307 struct saprop *approval; /* SA(s) approved. */
308 caddr_t spidx_gen; /* policy from peer's proposal */
309
310 struct dhgroup *pfsgrp; /* DH; prime number */
311 vchar_t *dhpriv; /* DH; private value */
312 vchar_t *dhpub; /* DH; public value */
313 vchar_t *dhpub_p; /* DH; partner's public value */
314 vchar_t *dhgxy; /* DH; shared secret */
315 vchar_t *id; /* ID minus gen header */
316 vchar_t *id_p; /* peer's ID minus general header */
317 vchar_t *nonce; /* nonce value in phase 2 */
318 vchar_t *nonce_p; /* partner's nonce value in phase 2 */
319
320 vchar_t *sa; /* whole SA payload to send/to be sent*/
321 /* to calculate HASH */
322 /* NOT INCLUDING general header. */
323
324 vchar_t *sa_ret; /* SA payload to reply/to be replyed */
325 /* NOT INCLUDING general header. */
326 /* NOTE: Should be release after use. */
327
328 struct isakmp_ivm *ivm; /* IVs */
329
330 int generated_spidx; /* mark handlers whith generated policy */
331
332 #ifdef ENABLE_STATS
333 struct timeval start;
334 struct timeval end;
335 #endif
336 struct ph1handle *ph1; /* back pointer to isakmp status */
337 #ifdef __APPLE__
338 int is_rekey:1;
339 int is_dying:1;
340 ike_session_t *parent_session;
341 LIST_ENTRY(ph2handle) ph2ofsession_chain;
342 #endif
343
344 LIST_ENTRY(ph2handle) chain;
345 LIST_ENTRY(ph2handle) ph1bind; /* chain to ph1handle */
346 };
347
348 /*
349 * for handling initial contact.
350 */
351 struct contacted {
352 struct sockaddr *remote; /* remote address to negotiate ph1 */
353 LIST_ENTRY(contacted) chain;
354 };
355
356 /*
357 * for checking if a packet is retransmited.
358 */
359 struct recvdpkt {
360 struct sockaddr *remote; /* the remote address */
361 struct sockaddr *local; /* the local address */
362 vchar_t *hash; /* hash of the received packet */
363 vchar_t *sendbuf; /* buffer for the response */
364 int retry_counter; /* how many times to send */
365 time_t time_send; /* timestamp to send a packet */
366 time_t created; /* timestamp to create a queue */
367
368 struct sched *scr; /* schedule for resend, may not used */
369
370 LIST_ENTRY(recvdpkt) chain;
371 };
372
373 /* for parsing ISAKMP header. */
374 struct isakmp_parse_t {
375 u_char type; /* payload type of mine */
376 int len; /* ntohs(ptr->len) */
377 struct isakmp_gen *ptr;
378 };
379
380 /*
381 * for IV management.
382 *
383 * - normal case
384 * initiator responder
385 * ------------------------- --------------------------
386 * initialize iv(A), ive(A). initialize iv(A), ive(A).
387 * encode by ive(A).
388 * save to iv(B). ---[packet(B)]--> save to ive(B).
389 * decode by iv(A).
390 * packet consistency.
391 * sync iv(B) with ive(B).
392 * check auth, integrity.
393 * encode by ive(B).
394 * save to ive(C). <--[packet(C)]--- save to iv(C).
395 * decoded by iv(B).
396 * :
397 *
398 * - In the case that a error is found while cipher processing,
399 * initiator responder
400 * ------------------------- --------------------------
401 * initialize iv(A), ive(A). initialize iv(A), ive(A).
402 * encode by ive(A).
403 * save to iv(B). ---[packet(B)]--> save to ive(B).
404 * decode by iv(A).
405 * packet consistency.
406 * sync iv(B) with ive(B).
407 * check auth, integrity.
408 * error found.
409 * create notify.
410 * get ive2(X) from iv(B).
411 * encode by ive2(X).
412 * get iv2(X) from iv(B). <--[packet(Y)]--- save to iv2(Y).
413 * save to ive2(Y).
414 * decoded by iv2(X).
415 * :
416 *
417 * The reason why the responder synchronizes iv with ive after checking the
418 * packet consistency is that it is required to leave the IV for decoding
419 * packet. Because there is a potential of error while checking the packet
420 * consistency. Also the reason why that is before authentication and
421 * integirty check is that the IV for informational exchange has to be made
422 * by the IV which is after packet decoded and checking the packet consistency.
423 * Otherwise IV mismatched happens between the intitiator and the responder.
424 */
425 struct isakmp_ivm {
426 vchar_t *iv; /* for decoding packet */
427 /* if phase 1, it's for computing phase2 iv */
428 vchar_t *ive; /* for encoding packet */
429 };
430
431 /* for dumping */
432 struct ph1dump {
433 isakmp_index index;
434 int status;
435 int side;
436 struct sockaddr_storage remote;
437 struct sockaddr_storage local;
438 u_int8_t version;
439 u_int8_t etype;
440 time_t created;
441 int ph2cnt;
442 };
443
444 struct sockaddr;
445 struct ph1handle;
446 struct ph2handle;
447 struct policyindex;
448
449 extern struct ph1handle *getph1byindex __P((isakmp_index *));
450 extern struct ph1handle *getph1byindex0 __P((isakmp_index *));
451 extern struct ph1handle *getph1byaddr __P((struct sockaddr *,
452 struct sockaddr *));
453 extern struct ph1handle *getph1byaddrwop __P((struct sockaddr *,
454 struct sockaddr *));
455 extern struct ph1handle *getph1bydstaddrwop __P((struct sockaddr *));
456 extern int islast_ph1 __P((struct ph1handle *));
457 struct ph1handle *ph1;
458 #ifdef ENABLE_HYBRID
459 struct ph1handle *getph1bylogin __P((char *));
460 int purgeph1bylogin __P((char *));
461 #endif
462 extern int purgephXbydstaddrwop __P((struct sockaddr *));
463 extern void purgephXbyspid __P((u_int32_t, int));
464
465 extern vchar_t *dumpph1 __P((void));
466 extern struct ph1handle *newph1 __P((void));
467 extern void delph1 __P((struct ph1handle *));
468 extern int insph1 __P((struct ph1handle *));
469 extern void remph1 __P((struct ph1handle *));
470 extern void flushph1 __P((int));
471 extern void initph1tree __P((void));
472
473 extern struct ph2handle *getph2byspidx __P((struct policyindex *));
474 extern struct ph2handle *getph2byspid __P((u_int32_t));
475 extern struct ph2handle *getph2byseq __P((u_int32_t));
476 extern struct ph2handle *getph2bysaddr __P((struct sockaddr *,
477 struct sockaddr *));
478 extern struct ph2handle *getph2bymsgid __P((struct ph1handle *, u_int32_t));
479 extern struct ph2handle *getph2byid __P((struct sockaddr *,
480 struct sockaddr *, u_int32_t));
481 extern struct ph2handle *getph2bysaidx __P((struct sockaddr *,
482 struct sockaddr *, u_int, u_int32_t));
483 extern struct ph2handle *newph2 __P((void));
484 extern void initph2 __P((struct ph2handle *));
485 extern void delph2 __P((struct ph2handle *));
486 extern int insph2 __P((struct ph2handle *));
487 extern void remph2 __P((struct ph2handle *));
488 extern void flushph2 __P((int));
489 extern void deleteallph2 __P((struct sockaddr *, struct sockaddr *, u_int));
490 extern void deleteallph1 __P((struct sockaddr *, struct sockaddr *));
491 extern void initph2tree __P((void));
492
493 extern void bindph12 __P((struct ph1handle *, struct ph2handle *));
494 extern void unbindph12 __P((struct ph2handle *));
495 extern void rebindph12 __P((struct ph1handle *, struct ph2handle *));
496
497 extern struct contacted *getcontacted __P((struct sockaddr *));
498 extern int inscontacted __P((struct sockaddr *));
499 extern void clear_contacted __P((void));
500 extern void initctdtree __P((void));
501
502 extern int check_recvdpkt __P((struct sockaddr *,
503 struct sockaddr *, vchar_t *));
504 extern int add_recvdpkt __P((struct sockaddr *, struct sockaddr *,
505 vchar_t *, vchar_t *, size_t));
506 extern void clear_recvdpkt __P((void));
507 extern void init_recvdpkt __P((void));
508
509 #ifdef ENABLE_HYBRID
510 extern int exclude_cfg_addr __P((const struct sockaddr *));
511 #endif
512
513 #ifdef ENABLE_DPD
514 extern int ph1_force_dpd __P((struct sockaddr *));
515 #endif
516
517 #endif /* _HANDLER_H */
mirror of ipsec