]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/handler.h
projects / apple / ipsec.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
ipsec-292.40.4.tar.gz
[apple/ipsec.git] / ipsec-tools / racoon / handler.h
1 /* $NetBSD: handler.h,v 1.9 2006/09/09 16:22:09 manu Exp $ */
2
3 /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #ifndef _HANDLER_H
35 #define _HANDLER_H
36
37 #include "config.h"
38 #include "racoon_types.h"
39
40 #include <sys/queue.h>
41 #ifdef HAVE_OPENSSL
42 #include <openssl/rsa.h>
43 #endif
44
45 #include <sys/time.h>
46
47 #include "isakmp_var.h"
48 #include "oakley.h"
49 #ifndef HAVE_OPENSSL
50 #include <Security/SecDH.h>
51 #endif
52 #include <sys/socket.h>
53
54 #include <schedule.h>
55 #include <network/nat64.h>
56
57 /* About address semantics in each case.
58 * initiator(addr=I) responder(addr=R)
59 * src dst src dst
60 * (local) (remote) (local) (remote)
61 * phase 1 handler I R R I
62 * phase 2 handler I R R I
63 * getspi msg R I I R
64 * acquire msg I R
65 * ID payload I R I R
66 */
67 #ifdef ENABLE_HYBRID
68 struct isakmp_cfg_state;
69 #endif
70
71 #define INVALID_MSGID 0xFFFFFFFF
72
73 //=======================================================================
74 // PHASE 1
75 //=======================================================================
76
77 struct phase1handle {
78 isakmp_index index;
79
80 int status; /* status of this SA */
81 int side; /* INITIATOR or RESPONDER */
82 int started_by_api; /* connection started by VPNControl API */
83
84 nw_nat64_prefix_t nat64_prefix; /* nat64 prefix to apply to addresses. */
85 struct sockaddr_storage *remote; /* remote address to negotiate ph1 */
86 struct sockaddr_storage *local; /* local address to negotiate ph1 */
87 /* XXX copy from rmconf due to anonymous configuration.
88 * If anonymous will be forbidden, we do delete them. */
89
90 struct remoteconf *rmconf; /* pointer to remote configuration */
91
92 struct isakmpsa *approval; /* pointer to SA(s) approved. */
93 /* for example pre-shared key */
94
95 u_int8_t version; /* ISAKMP version */
96 u_int8_t etype; /* Exchange type actually for use */
97 u_int8_t flags; /* Flags */
98 u_int32_t msgid; /* message id */
99
100 #ifdef ENABLE_NATT
101 struct ph1natt_options *natt_options; /* Selected NAT-T IKE version */
102 u_int32_t natt_flags; /* NAT-T related flags */
103 #endif
104 #ifdef ENABLE_FRAG
105 int frag; /* IKE phase 1 fragmentation */
106 struct isakmp_frag_item *frag_chain; /* Received fragments */
107 #endif
108
109 schedule_ref sce; /* schedule for expire */
110 schedule_ref sce_rekey; /* schedule for rekey */
111
112 schedule_ref scr; /* schedule for resend */
113 int retry_counter; /* for resend. */
114 vchar_t *sendbuf; /* buffer for re-sending */
115
116 #ifndef HAVE_OPENSSL
117 SecDHContext dhC; /* Context for Security Framework Diffie-Hellman calculations */
118 size_t publicKeySize;
119 #endif
120 vchar_t *dhpriv; /* DH; private value */
121 vchar_t *dhpub; /* DH; public value */
122 vchar_t *dhpub_p; /* DH; partner's public value */
123 vchar_t *dhgxy; /* DH; shared secret */
124 vchar_t *nonce; /* nonce value */
125 vchar_t *nonce_p; /* partner's nonce value */
126 vchar_t *skeyid; /* SKEYID */
127 vchar_t *skeyid_d; /* SKEYID_d */
128 vchar_t *skeyid_a; /* SKEYID_a, i.e. integrity protection */
129 vchar_t *skeyid_a_p; /* SKEYID_a_p, i.e. integrity protection */
130 vchar_t *skeyid_e; /* SKEYID_e, i.e. encryption */
131 vchar_t *skeyid_e_p; /* peer's SKEYID_e, i.e. encryption */
132 vchar_t *key; /* cipher key */
133 vchar_t *key_p; /* peer's cipher key */
134 vchar_t *hash; /* HASH minus general header */
135 vchar_t *sig; /* SIG minus general header */
136 vchar_t *sig_p; /* peer's SIG minus general header */
137 cert_t *cert; /* CERT minus general header */
138 cert_t *cert_p; /* peer's CERT minus general header */
139 cert_t *crl_p; /* peer's CRL minus general header */
140 cert_t *cr_p; /* peer's CR not including general */
141 vchar_t *id; /* ID minus gen header */
142 vchar_t *id_p; /* partner's ID minus general header */
143 /* i.e. struct ipsecdoi_id_b*. */
144 struct isakmp_ivm *ivm; /* IVs */
145
146 vchar_t *sa; /* whole SA payload to send/to be sent*/
147 /* to calculate HASH */
148 /* NOT INCLUDING general header. */
149
150 vchar_t *sa_ret; /* SA payload to reply/to be replyed */
151 /* NOT INCLUDING general header. */
152 /* NOTE: Should be release after use. */
153
154 struct isakmp_pl_hash *pl_hash; /* pointer to hash payload */
155
156 time_t created; /* timestamp for establish */
157 #ifdef ENABLE_STATS
158 struct timeval start;
159 struct timeval end;
160 #endif
161
162 #ifdef ENABLE_DPD
163 int dpd_support; /* Does remote supports DPD ? */
164 time_t dpd_lastack; /* Last ack received */
165 u_int16_t dpd_seq; /* DPD seq number to receive */
166 u_int8_t dpd_fails; /* number of failures */
167 u_int8_t peer_sent_ike;
168 schedule_ref dpd_r_u;
169 #endif
170
171 #ifdef ENABLE_VPNCONTROL_PORT
172 schedule_ref ping_sched; /* for sending pings to keep FW open */
173 #endif
174
175 u_int32_t msgid2; /* msgid counter for Phase 2 */
176 int ph2cnt; /* the number which is negotiated by this phase 1 */
177 #ifdef ENABLE_HYBRID
178 struct isakmp_cfg_state *mode_cfg; /* ISAKMP mode config state */
179 u_int8_t pended_xauth_id; /* saved id for reply from vpn control socket */
180 u_int8_t xauth_awaiting_userinput; /* indicates we are waiting for user input */
181 vchar_t *xauth_awaiting_userinput_msg; /* tracks the last packet that triggered XAUTH */
182 #endif
183 int is_rekey:1;
184 int is_dying:1;
185 ike_session_t *parent_session;
186 LIST_HEAD(_ph2ofph1_, phase2handle) bound_ph2tree;
187 LIST_ENTRY(phase1handle) ph1ofsession_chain;
188 };
189
190 #define PHASE2_TYPE_SA 0
191 #define PHASE2_TYPE_INFO 1
192 #define PHASE2_TYPE_CFG 2
193
194 //=======================================================================
195 // PHASE 2
196 //=======================================================================
197 struct phase2handle {
198 struct sockaddr_storage *src; /* my address of SA. */
199 struct sockaddr_storage *dst; /* peer's address of SA. */
200 nw_nat64_prefix_t nat64_prefix; /* nat64 prefix to apply to addresses. */
201
202 /*
203 * copy ip address from ID payloads when ID type is ip address.
204 * In other case, they must be null.
205 */
206 struct sockaddr_storage *src_id;
207 struct sockaddr_storage *dst_id;
208
209 int phase2_type; /* what this phase2 struct is for - see defines for PHASE2_TYPE... */
210 u_int32_t spid; /* policy id by kernel */
211
212 int status; /* ipsec sa status */
213 u_int8_t side; /* INITIATOR or RESPONDER */
214 u_int8_t version; /* ISAKMP version */
215
216 schedule_ref sce; /* schedule for expire */
217 schedule_ref scr; /* schedule for resend */
218 int retry_counter; /* for resend. */
219 vchar_t *sendbuf; /* buffer for re-sending */
220 vchar_t *msg1; /* buffer for re-sending */
221 /* used for responder's first message */
222
223 int retry_checkph1; /* counter to wait phase 1 finished. */
224 /* NOTE: actually it's timer. */
225
226 u_int32_t seq; /* sequence number used by PF_KEY */
227 /*
228 * NOTE: In responder side, we can't identify each SAs
229 * with same destination address for example, when
230 * socket based SA is required. So we set a identifier
231 * number to "seq", and sent kernel by pfkey.
232 */
233 u_int8_t satype; /* satype in PF_KEY */
234 /*
235 * saved satype in the original PF_KEY request from
236 * the kernel in order to reply a error.
237 */
238
239 u_int8_t flags; /* Flags for phase 2 */
240 u_int32_t msgid; /* msgid for phase 2 */
241
242 struct sainfo *sainfo; /* place holder of sainfo */
243 struct saprop *proposal; /* SA(s) proposal. */
244 struct saprop *approval; /* SA(s) approved. */
245 struct policyindex * spidx_gen; /* policy from peer's proposal */
246
247 #ifndef HAVE_OPENSSL
248 SecDHContext dhC; /* Context for Security Framework Diffie-Hellman calculations */
249 size_t publicKeySize;
250 #endif
251 struct dhgroup *pfsgrp; /* DH; prime number */
252 vchar_t *dhpriv; /* DH; private value */
253 vchar_t *dhpub; /* DH; public value */
254 vchar_t *dhpub_p; /* DH; partner's public value */
255 vchar_t *dhgxy; /* DH; shared secret */
256 vchar_t *id; /* ID minus gen header */
257 vchar_t *id_p; /* peer's ID minus general header */
258 vchar_t *nonce; /* nonce value in phase 2 */
259 vchar_t *nonce_p; /* partner's nonce value in phase 2 */
260
261 vchar_t *sa; /* whole SA payload to send/to be sent*/
262 /* to calculate HASH */
263 /* NOT INCLUDING general header. */
264
265 vchar_t *sa_ret; /* SA payload to reply/to be replyed */
266 /* NOT INCLUDING general header. */
267 /* NOTE: Should be release after use. */
268
269 struct isakmp_ivm *ivm; /* IVs */
270
271 int generated_spidx; /* mark handlers whith generated policy */
272
273 #ifdef ENABLE_STATS
274 struct timeval start;
275 struct timeval end;
276 #endif
277 struct phase1handle *ph1; /* back pointer to isakmp status */
278 int is_rekey:1;
279 int is_dying:1;
280 int is_defunct:1;
281 ike_session_t *parent_session;
282 vchar_t *ext_nat_id;
283 vchar_t *ext_nat_id_p;
284 LIST_ENTRY(phase2handle) ph2ofsession_chain;
285 LIST_ENTRY(phase2handle) ph1bind_chain; /* chain to ph1handle */
286 };
287
288 /*
289 * for handling initial contact.
290 */
291 struct contacted {
292 struct sockaddr_storage *remote; /* remote address to negotiate ph1 */
293 LIST_ENTRY(contacted) chain;
294 };
295
296 /*
297 * for checking if a packet is retransmited.
298 */
299 struct recvdpkt {
300 struct sockaddr_storage *remote; /* the remote address */
301 struct sockaddr_storage *local; /* the local address */
302 vchar_t *hash; /* hash of the received packet */
303 vchar_t *sendbuf; /* buffer for the response */
304 int retry_counter; /* how many times to send */
305 time_t time_send; /* timestamp to send a packet */
306 time_t created; /* timestamp to create a queue */
307 time_t retry_interval;
308 #ifdef ENABLE_FRAG
309 u_int32_t frag_flags; /* IKE phase 1 fragmentation */
310 #endif
311
312 schedule_ref scr; /* schedule for resend, may not used */
313
314 LIST_ENTRY(recvdpkt) chain;
315 };
316
317 /* for parsing ISAKMP header. */
318 struct isakmp_parse_t {
319 u_char type; /* payload type of mine */
320 int len; /* ntohs(ptr->len) */
321 struct isakmp_gen *ptr;
322 };
323
324 /*
325 * for IV management.
326 *
327 * - normal case
328 * initiator responder
329 * ------------------------- --------------------------
330 * initialize iv(A), ive(A). initialize iv(A), ive(A).
331 * encode by ive(A).
332 * save to iv(B). ---[packet(B)]--> save to ive(B).
333 * decode by iv(A).
334 * packet consistency.
335 * sync iv(B) with ive(B).
336 * check auth, integrity.
337 * encode by ive(B).
338 * save to ive(C). <--[packet(C)]--- save to iv(C).
339 * decoded by iv(B).
340 * :
341 *
342 * - In the case that a error is found while cipher processing,
343 * initiator responder
344 * ------------------------- --------------------------
345 * initialize iv(A), ive(A). initialize iv(A), ive(A).
346 * encode by ive(A).
347 * save to iv(B). ---[packet(B)]--> save to ive(B).
348 * decode by iv(A).
349 * packet consistency.
350 * sync iv(B) with ive(B).
351 * check auth, integrity.
352 * error found.
353 * create notify.
354 * get ive2(X) from iv(B).
355 * encode by ive2(X).
356 * get iv2(X) from iv(B). <--[packet(Y)]--- save to iv2(Y).
357 * save to ive2(Y).
358 * decoded by iv2(X).
359 * :
360 *
361 * The reason why the responder synchronizes iv with ive after checking the
362 * packet consistency is that it is required to leave the IV for decoding
363 * packet. Because there is a potential of error while checking the packet
364 * consistency. Also the reason why that is before authentication and
365 * integirty check is that the IV for informational exchange has to be made
366 * by the IV which is after packet decoded and checking the packet consistency.
367 * Otherwise IV mismatched happens between the intitiator and the responder.
368 */
369 struct isakmp_ivm {
370 vchar_t *iv; /* for decoding packet */
371 /* if phase 1, it's for computing phase2 iv */
372 vchar_t *ive; /* for encoding packet */
373 };
374
375 /* for dumping */
376 struct ph1dump {
377 isakmp_index index;
378 int status;
379 int side;
380 struct sockaddr_storage remote;
381 struct sockaddr_storage local;
382 u_int8_t version;
383 u_int8_t etype;
384 time_t created;
385 int ph2cnt;
386 };
387
388 struct sockaddr_storage;
389 struct policyindex;
390
391 extern int ike_session_check_recvdpkt (struct sockaddr_storage *, struct sockaddr_storage *, vchar_t *);
392
393 extern void ike_session_flush_all_phase1_for_session(ike_session_t *, int);
394 extern void ike_session_flush_all_phase1 (int);
395
396 extern phase1_handle_t *ike_session_getph1byindex (ike_session_t *, isakmp_index *);
397 extern phase1_handle_t *ike_session_getph1byindex0 (ike_session_t *, isakmp_index *);
398 extern phase1_handle_t *ike_session_getph1byaddr (ike_session_t *, struct sockaddr_storage *,
399 struct sockaddr_storage *);
400 extern phase1_handle_t *ike_session_getph1byaddrwop (ike_session_t *, struct sockaddr_storage *,
401 struct sockaddr_storage *);
402 extern phase1_handle_t *ike_session_getph1bydstaddrwop (ike_session_t *, struct sockaddr_storage *);
403 extern int ike_session_islast_ph1 (phase1_handle_t *);
404
405 extern int ike_session_expire_session(ike_session_t *session);
406 extern int ike_session_purgephXbydstaddrwop (struct sockaddr_storage *);
407 extern void ike_session_purgephXbyspid (u_int32_t, int);
408
409 extern phase1_handle_t *ike_session_newph1 (unsigned int);
410 extern void ike_session_delph1 (phase1_handle_t *);
411
412 extern phase2_handle_t *ike_session_getph2byspidx (ike_session_t *, struct policyindex *);
413 extern phase2_handle_t *ike_session_getph2byspid (u_int32_t);
414 extern phase2_handle_t *ike_session_getph2byseq (u_int32_t);
415 //extern phase2_handle_t *ike_session_getph2bysaddr (struct sockaddr_storage *, struct sockaddr_storage *);
416 extern phase2_handle_t *ike_session_getph2bymsgid (phase1_handle_t *, u_int32_t);
417 extern phase2_handle_t *ike_session_getonlyph2(phase1_handle_t *iph1);
418 extern phase2_handle_t *ike_session_getph2byid (struct sockaddr_storage *, struct sockaddr_storage *, u_int32_t);
419 extern phase2_handle_t *ike_session_getph2bysaidx (struct sockaddr_storage *, struct sockaddr_storage *, u_int, u_int32_t);
420 extern phase2_handle_t *ike_session_getph2bysaidx2(struct sockaddr_storage *src, struct sockaddr_storage *dst, u_int proto_id, u_int32_t spi, u_int32_t *opposite_spi);
421 extern phase2_handle_t *ike_session_newph2 (unsigned int, int);
422 extern void ike_session_initph2 (phase2_handle_t *);
423 extern void ike_session_delph2 (phase2_handle_t *);
424 extern void ike_session_flush_all_phase2_for_session(ike_session_t *, int);
425 extern void ike_session_flush_all_phase2 (int);
426 extern void ike_session_deleteallph2 (struct sockaddr_storage *, struct sockaddr_storage *, u_int);
427 extern void ike_session_deleteallph1 (struct sockaddr_storage *, struct sockaddr_storage *);
428
429 #ifdef ENABLE_DPD
430 extern int ike_session_ph1_force_dpd (struct sockaddr_storage *);
431 #endif
432
433 //%%%%%%%%%%% don't know where the following will go yet - all these below could change
434 extern struct contacted *ike_session_getcontacted (struct sockaddr_storage *);
435 extern int ike_session_inscontacted (struct sockaddr_storage *);
436 extern void ike_session_clear_contacted (void);
437 extern void ike_session_initctdtree (void);
438
439 extern time_t ike_session_get_exp_retx_interval (int num_retries, int fixed_retry_interval);
440
441 extern int ike_session_add_recvdpkt (struct sockaddr_storage *, struct sockaddr_storage *,
442 vchar_t *, vchar_t *, size_t, u_int32_t);
443 extern void ike_session_clear_recvdpkt (void);
444 extern void ike_session_init_recvdpkt (void);
445
446 #ifdef ENABLE_HYBRID
447 //extern int ike_session_exclude_cfg_addr (const struct sockaddr_storage *);
448 #endif
449
450 extern void sweep_sleepwake (void);
451
452 extern uint32_t iph1_get_remote_v4_address(phase1_handle_t *iph1);
453
454 extern uint32_t iph2_get_remote_v4_address(phase2_handle_t *iph2);
455
456 #endif /* _HANDLER_H */
mirror of ipsec