]> git.saurik.com Git - apple/ipsec.git/blob - ipsec-tools/racoon/handler.h
projects / apple / ipsec.git / blob
? search:


dbef8b743aa0d1168f1185c8e77a7713f74c6d3e
[apple/ipsec.git] / ipsec-tools / racoon / handler.h
1 /* $NetBSD: handler.h,v 1.9 2006/09/09 16:22:09 manu Exp $ */
2
3 /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
4
5 /*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 * may be used to endorse or promote products derived from this software
19 * without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34 #ifndef _HANDLER_H
35 #define _HANDLER_H
36
37 #include "config.h"
38 #include "racoon_types.h"
39
40 #include <sys/queue.h>
41 #ifdef HAVE_OPENSSL
42 #include <openssl/rsa.h>
43 #endif
44
45 #include <sys/time.h>
46
47 #include "isakmp_var.h"
48 #include "oakley.h"
49 #ifndef HAVE_OPENSSL
50 #include <Security/SecDH.h>
51 #endif
52 #include <sys/socket.h>
53
54 #include <schedule.h>
55
56 #if __has_include(<nw/private.h>)
57 #include <nw/private.h>
58 #else
59 #include <network/nat64.h>
60 #endif
61
62 /* About address semantics in each case.
63 * initiator(addr=I) responder(addr=R)
64 * src dst src dst
65 * (local) (remote) (local) (remote)
66 * phase 1 handler I R R I
67 * phase 2 handler I R R I
68 * getspi msg R I I R
69 * acquire msg I R
70 * ID payload I R I R
71 */
72 #ifdef ENABLE_HYBRID
73 struct isakmp_cfg_state;
74 #endif
75
76 #define INVALID_MSGID 0xFFFFFFFF
77
78 //=======================================================================
79 // PHASE 1
80 //=======================================================================
81
82 struct phase1handle {
83 isakmp_index index;
84
85 int status; /* status of this SA */
86 int side; /* INITIATOR or RESPONDER */
87 int started_by_api; /* connection started by VPNControl API */
88
89 nw_nat64_prefix_t nat64_prefix; /* nat64 prefix to apply to addresses. */
90 struct sockaddr_storage *remote; /* remote address to negotiate ph1 */
91 struct sockaddr_storage *local; /* local address to negotiate ph1 */
92 /* XXX copy from rmconf due to anonymous configuration.
93 * If anonymous will be forbidden, we do delete them. */
94
95 struct remoteconf *rmconf; /* pointer to remote configuration */
96
97 struct isakmpsa *approval; /* pointer to SA(s) approved. */
98 /* for example pre-shared key */
99
100 u_int8_t version; /* ISAKMP version */
101 u_int8_t etype; /* Exchange type actually for use */
102 u_int8_t flags; /* Flags */
103 u_int32_t msgid; /* message id */
104
105 #ifdef ENABLE_NATT
106 struct ph1natt_options *natt_options; /* Selected NAT-T IKE version */
107 u_int32_t natt_flags; /* NAT-T related flags */
108 #endif
109 #ifdef ENABLE_FRAG
110 int frag; /* IKE phase 1 fragmentation */
111 struct isakmp_frag_item *frag_chain; /* Received fragments */
112 #endif
113
114 schedule_ref sce; /* schedule for expire */
115 schedule_ref sce_rekey; /* schedule for rekey */
116
117 schedule_ref scr; /* schedule for resend */
118 int retry_counter; /* for resend. */
119 vchar_t *sendbuf; /* buffer for re-sending */
120
121 #ifndef HAVE_OPENSSL
122 SecDHContext dhC; /* Context for Security Framework Diffie-Hellman calculations */
123 size_t publicKeySize;
124 #endif
125 vchar_t *dhpriv; /* DH; private value */
126 vchar_t *dhpub; /* DH; public value */
127 vchar_t *dhpub_p; /* DH; partner's public value */
128 vchar_t *dhgxy; /* DH; shared secret */
129 vchar_t *nonce; /* nonce value */
130 vchar_t *nonce_p; /* partner's nonce value */
131 vchar_t *skeyid; /* SKEYID */
132 vchar_t *skeyid_d; /* SKEYID_d */
133 vchar_t *skeyid_a; /* SKEYID_a, i.e. integrity protection */
134 vchar_t *skeyid_a_p; /* SKEYID_a_p, i.e. integrity protection */
135 vchar_t *skeyid_e; /* SKEYID_e, i.e. encryption */
136 vchar_t *skeyid_e_p; /* peer's SKEYID_e, i.e. encryption */
137 vchar_t *key; /* cipher key */
138 vchar_t *key_p; /* peer's cipher key */
139 vchar_t *hash; /* HASH minus general header */
140 vchar_t *sig; /* SIG minus general header */
141 vchar_t *sig_p; /* peer's SIG minus general header */
142 cert_t *cert; /* CERT minus general header */
143 cert_t *cert_p; /* peer's CERT minus general header */
144 cert_t *crl_p; /* peer's CRL minus general header */
145 cert_t *cr_p; /* peer's CR not including general */
146 vchar_t *id; /* ID minus gen header */
147 vchar_t *id_p; /* partner's ID minus general header */
148 /* i.e. struct ipsecdoi_id_b*. */
149 struct isakmp_ivm *ivm; /* IVs */
150
151 vchar_t *sa; /* whole SA payload to send/to be sent*/
152 /* to calculate HASH */
153 /* NOT INCLUDING general header. */
154
155 vchar_t *sa_ret; /* SA payload to reply/to be replyed */
156 /* NOT INCLUDING general header. */
157 /* NOTE: Should be release after use. */
158
159 struct isakmp_pl_hash *pl_hash; /* pointer to hash payload */
160
161 time_t created; /* timestamp for establish */
162 #ifdef ENABLE_STATS
163 struct timeval start;
164 struct timeval end;
165 #endif
166
167 #ifdef ENABLE_DPD
168 int dpd_support; /* Does remote supports DPD ? */
169 time_t dpd_lastack; /* Last ack received */
170 u_int16_t dpd_seq; /* DPD seq number to receive */
171 u_int8_t dpd_fails; /* number of failures */
172 u_int8_t peer_sent_ike;
173 schedule_ref dpd_r_u;
174 #endif
175
176 #ifdef ENABLE_VPNCONTROL_PORT
177 schedule_ref ping_sched; /* for sending pings to keep FW open */
178 #endif
179
180 u_int32_t msgid2; /* msgid counter for Phase 2 */
181 int ph2cnt; /* the number which is negotiated by this phase 1 */
182 #ifdef ENABLE_HYBRID
183 struct isakmp_cfg_state *mode_cfg; /* ISAKMP mode config state */
184 u_int8_t pended_xauth_id; /* saved id for reply from vpn control socket */
185 u_int8_t xauth_awaiting_userinput; /* indicates we are waiting for user input */
186 vchar_t *xauth_awaiting_userinput_msg; /* tracks the last packet that triggered XAUTH */
187 #endif
188 int is_rekey:1;
189 int is_dying:1;
190 ike_session_t *parent_session;
191 LIST_HEAD(_ph2ofph1_, phase2handle) bound_ph2tree;
192 LIST_ENTRY(phase1handle) ph1ofsession_chain;
193 };
194
195 #define PHASE2_TYPE_SA 0
196 #define PHASE2_TYPE_INFO 1
197 #define PHASE2_TYPE_CFG 2
198
199 //=======================================================================
200 // PHASE 2
201 //=======================================================================
202 struct phase2handle {
203 struct sockaddr_storage *src; /* my address of SA. */
204 struct sockaddr_storage *dst; /* peer's address of SA. */
205 nw_nat64_prefix_t nat64_prefix; /* nat64 prefix to apply to addresses. */
206
207 /*
208 * copy ip address from ID payloads when ID type is ip address.
209 * In other case, they must be null.
210 */
211 struct sockaddr_storage *src_id;
212 struct sockaddr_storage *dst_id;
213
214 int phase2_type; /* what this phase2 struct is for - see defines for PHASE2_TYPE... */
215 u_int32_t spid; /* policy id by kernel */
216
217 int status; /* ipsec sa status */
218 u_int8_t side; /* INITIATOR or RESPONDER */
219 u_int8_t version; /* ISAKMP version */
220
221 schedule_ref sce; /* schedule for expire */
222 schedule_ref scr; /* schedule for resend */
223 int retry_counter; /* for resend. */
224 vchar_t *sendbuf; /* buffer for re-sending */
225 vchar_t *msg1; /* buffer for re-sending */
226 /* used for responder's first message */
227
228 int retry_checkph1; /* counter to wait phase 1 finished. */
229 /* NOTE: actually it's timer. */
230
231 u_int32_t seq; /* sequence number used by PF_KEY */
232 /*
233 * NOTE: In responder side, we can't identify each SAs
234 * with same destination address for example, when
235 * socket based SA is required. So we set a identifier
236 * number to "seq", and sent kernel by pfkey.
237 */
238 u_int8_t satype; /* satype in PF_KEY */
239 /*
240 * saved satype in the original PF_KEY request from
241 * the kernel in order to reply a error.
242 */
243
244 u_int8_t flags; /* Flags for phase 2 */
245 u_int32_t msgid; /* msgid for phase 2 */
246
247 struct sainfo *sainfo; /* place holder of sainfo */
248 struct saprop *proposal; /* SA(s) proposal. */
249 struct saprop *approval; /* SA(s) approved. */
250 struct policyindex * spidx_gen; /* policy from peer's proposal */
251
252 #ifndef HAVE_OPENSSL
253 SecDHContext dhC; /* Context for Security Framework Diffie-Hellman calculations */
254 size_t publicKeySize;
255 #endif
256 struct dhgroup *pfsgrp; /* DH; prime number */
257 vchar_t *dhpriv; /* DH; private value */
258 vchar_t *dhpub; /* DH; public value */
259 vchar_t *dhpub_p; /* DH; partner's public value */
260 vchar_t *dhgxy; /* DH; shared secret */
261 vchar_t *id; /* ID minus gen header */
262 vchar_t *id_p; /* peer's ID minus general header */
263 vchar_t *nonce; /* nonce value in phase 2 */
264 vchar_t *nonce_p; /* partner's nonce value in phase 2 */
265
266 vchar_t *sa; /* whole SA payload to send/to be sent*/
267 /* to calculate HASH */
268 /* NOT INCLUDING general header. */
269
270 vchar_t *sa_ret; /* SA payload to reply/to be replyed */
271 /* NOT INCLUDING general header. */
272 /* NOTE: Should be release after use. */
273
274 struct isakmp_ivm *ivm; /* IVs */
275
276 int generated_spidx; /* mark handlers whith generated policy */
277
278 #ifdef ENABLE_STATS
279 struct timeval start;
280 struct timeval end;
281 #endif
282 struct phase1handle *ph1; /* back pointer to isakmp status */
283 int is_rekey:1;
284 int is_dying:1;
285 int is_defunct:1;
286 ike_session_t *parent_session;
287 vchar_t *ext_nat_id;
288 vchar_t *ext_nat_id_p;
289 LIST_ENTRY(phase2handle) ph2ofsession_chain;
290 LIST_ENTRY(phase2handle) ph1bind_chain; /* chain to ph1handle */
291 };
292
293 /*
294 * for handling initial contact.
295 */
296 struct contacted {
297 struct sockaddr_storage *remote; /* remote address to negotiate ph1 */
298 LIST_ENTRY(contacted) chain;
299 };
300
301 /*
302 * for checking if a packet is retransmited.
303 */
304 struct recvdpkt {
305 struct sockaddr_storage *remote; /* the remote address */
306 struct sockaddr_storage *local; /* the local address */
307 vchar_t *hash; /* hash of the received packet */
308 vchar_t *sendbuf; /* buffer for the response */
309 int retry_counter; /* how many times to send */
310 time_t time_send; /* timestamp to send a packet */
311 time_t created; /* timestamp to create a queue */
312 time_t retry_interval;
313 #ifdef ENABLE_FRAG
314 u_int32_t frag_flags; /* IKE phase 1 fragmentation */
315 #endif
316
317 schedule_ref scr; /* schedule for resend, may not used */
318
319 LIST_ENTRY(recvdpkt) chain;
320 };
321
322 /* for parsing ISAKMP header. */
323 struct isakmp_parse_t {
324 u_char type; /* payload type of mine */
325 int len; /* ntohs(ptr->len) */
326 struct isakmp_gen *ptr;
327 };
328
329 /*
330 * for IV management.
331 *
332 * - normal case
333 * initiator responder
334 * ------------------------- --------------------------
335 * initialize iv(A), ive(A). initialize iv(A), ive(A).
336 * encode by ive(A).
337 * save to iv(B). ---[packet(B)]--> save to ive(B).
338 * decode by iv(A).
339 * packet consistency.
340 * sync iv(B) with ive(B).
341 * check auth, integrity.
342 * encode by ive(B).
343 * save to ive(C). <--[packet(C)]--- save to iv(C).
344 * decoded by iv(B).
345 * :
346 *
347 * - In the case that a error is found while cipher processing,
348 * initiator responder
349 * ------------------------- --------------------------
350 * initialize iv(A), ive(A). initialize iv(A), ive(A).
351 * encode by ive(A).
352 * save to iv(B). ---[packet(B)]--> save to ive(B).
353 * decode by iv(A).
354 * packet consistency.
355 * sync iv(B) with ive(B).
356 * check auth, integrity.
357 * error found.
358 * create notify.
359 * get ive2(X) from iv(B).
360 * encode by ive2(X).
361 * get iv2(X) from iv(B). <--[packet(Y)]--- save to iv2(Y).
362 * save to ive2(Y).
363 * decoded by iv2(X).
364 * :
365 *
366 * The reason why the responder synchronizes iv with ive after checking the
367 * packet consistency is that it is required to leave the IV for decoding
368 * packet. Because there is a potential of error while checking the packet
369 * consistency. Also the reason why that is before authentication and
370 * integirty check is that the IV for informational exchange has to be made
371 * by the IV which is after packet decoded and checking the packet consistency.
372 * Otherwise IV mismatched happens between the intitiator and the responder.
373 */
374 struct isakmp_ivm {
375 vchar_t *iv; /* for decoding packet */
376 /* if phase 1, it's for computing phase2 iv */
377 vchar_t *ive; /* for encoding packet */
378 };
379
380 /* for dumping */
381 struct ph1dump {
382 isakmp_index index;
383 int status;
384 int side;
385 struct sockaddr_storage remote;
386 struct sockaddr_storage local;
387 u_int8_t version;
388 u_int8_t etype;
389 time_t created;
390 int ph2cnt;
391 };
392
393 struct sockaddr_storage;
394 struct policyindex;
395
396 extern int ike_session_check_recvdpkt (struct sockaddr_storage *, struct sockaddr_storage *, vchar_t *);
397
398 extern void ike_session_flush_all_phase1_for_session(ike_session_t *, int);
399 extern void ike_session_flush_all_phase1 (int);
400
401 extern phase1_handle_t *ike_session_getph1byindex (ike_session_t *, isakmp_index *);
402 extern phase1_handle_t *ike_session_getph1byindex0 (ike_session_t *, isakmp_index *);
403 extern phase1_handle_t *ike_session_getph1byaddr (ike_session_t *, struct sockaddr_storage *,
404 struct sockaddr_storage *);
405 extern phase1_handle_t *ike_session_getph1byaddrwop (ike_session_t *, struct sockaddr_storage *,
406 struct sockaddr_storage *);
407 extern phase1_handle_t *ike_session_getph1bydstaddrwop (ike_session_t *, struct sockaddr_storage *);
408 extern int ike_session_islast_ph1 (phase1_handle_t *);
409
410 extern int ike_session_expire_session(ike_session_t *session);
411 extern int ike_session_purgephXbydstaddrwop (struct sockaddr_storage *);
412 extern void ike_session_purgephXbyspid (u_int32_t, int);
413
414 extern phase1_handle_t *ike_session_newph1 (unsigned int);
415 extern void ike_session_delph1 (phase1_handle_t *);
416
417 extern phase2_handle_t *ike_session_getph2byspidx (ike_session_t *, struct policyindex *);
418 extern phase2_handle_t *ike_session_getph2byspid (u_int32_t);
419 extern phase2_handle_t *ike_session_getph2byseq (u_int32_t);
420 //extern phase2_handle_t *ike_session_getph2bysaddr (struct sockaddr_storage *, struct sockaddr_storage *);
421 extern phase2_handle_t *ike_session_getph2bymsgid (phase1_handle_t *, u_int32_t);
422 extern phase2_handle_t *ike_session_getonlyph2(phase1_handle_t *iph1);
423 extern phase2_handle_t *ike_session_getph2byid (struct sockaddr_storage *, struct sockaddr_storage *, u_int32_t);
424 extern phase2_handle_t *ike_session_getph2bysaidx (struct sockaddr_storage *, struct sockaddr_storage *, u_int, u_int32_t);
425 extern phase2_handle_t *ike_session_getph2bysaidx2(struct sockaddr_storage *src, struct sockaddr_storage *dst, u_int proto_id, u_int32_t spi, u_int32_t *opposite_spi);
426 extern phase2_handle_t *ike_session_newph2 (unsigned int, int);
427 extern void ike_session_initph2 (phase2_handle_t *);
428 extern void ike_session_delph2 (phase2_handle_t *);
429 extern void ike_session_flush_all_phase2_for_session(ike_session_t *, int);
430 extern void ike_session_flush_all_phase2 (int);
431 extern void ike_session_deleteallph2 (struct sockaddr_storage *, struct sockaddr_storage *, u_int);
432 extern void ike_session_deleteallph1 (struct sockaddr_storage *, struct sockaddr_storage *);
433
434 #ifdef ENABLE_DPD
435 extern int ike_session_ph1_force_dpd (struct sockaddr_storage *);
436 #endif
437
438 //%%%%%%%%%%% don't know where the following will go yet - all these below could change
439 extern struct contacted *ike_session_getcontacted (struct sockaddr_storage *);
440 extern int ike_session_inscontacted (struct sockaddr_storage *);
441 extern void ike_session_clear_contacted (void);
442 extern void ike_session_initctdtree (void);
443
444 extern time_t ike_session_get_exp_retx_interval (int num_retries, int fixed_retry_interval);
445
446 extern int ike_session_add_recvdpkt (struct sockaddr_storage *, struct sockaddr_storage *,
447 vchar_t *, vchar_t *, size_t, u_int32_t);
448 extern void ike_session_clear_recvdpkt (void);
449 extern void ike_session_init_recvdpkt (void);
450
451 #ifdef ENABLE_HYBRID
452 //extern int ike_session_exclude_cfg_addr (const struct sockaddr_storage *);
453 #endif
454
455 extern void sweep_sleepwake (void);
456
457 extern uint32_t iph1_get_remote_v4_address(phase1_handle_t *iph1);
458
459 extern uint32_t iph2_get_remote_v4_address(phase2_handle_t *iph2);
460
461 #endif /* _HANDLER_H */
mirror of ipsec