[apple/network_cmds.git] / racoon.tproj / handler.h

/*	$KAME: handler.h,v 1.44 2002/07/10 23:22:03 itojun Exp $	*/

/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 * 
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 * 
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/* Phase 1 handler */
/*
 * main mode:
 *      initiator               responder
 *  0   (---)                   (---)
 *  1   start                   start (1st msg received)
 *  2   (---)                   1st valid msg received
 *  3   1st msg sent	        1st msg sent
 *  4   1st valid msg received  2st valid msg received
 *  5   2nd msg sent            2nd msg sent
 *  6   2nd valid msg received  3rd valid msg received
 *  7   3rd msg sent            3rd msg sent
 *  8   3rd valid msg received  (---)
 *  9   SA established          SA established
 *
 * aggressive mode:
 *      initiator               responder
 *  0   (---)                   (---)
 *  1   start                   start (1st msg received)
 *  2   (---)                   1st valid msg received
 *  3   1st msg sent	        1st msg sent
 *  4   1st valid msg received  2st valid msg received
 *  5   (---)                   (---)
 *  6   (---)                   (---)
 *  7   (---)                   (---)
 *  8   (---)                   (---)
 *  9   SA established          SA established
 *
 * base mode:
 *      initiator               responder
 *  0   (---)                   (---)
 *  1   start                   start (1st msg received)
 *  2   (---)                   1st valid msg received
 *  3   1st msg sent	        1st msg sent
 *  4   1st valid msg received  2st valid msg received
 *  5   2nd msg sent            (---)
 *  6   (---)                   (---)
 *  7   (---)                   (---)
 *  8   (---)                   (---)
 *  9   SA established          SA established
 */
#define PHASE1ST_SPAWN			0
#define PHASE1ST_START			1
#define PHASE1ST_MSG1RECEIVED		2
#define PHASE1ST_MSG1SENT		3
#define PHASE1ST_MSG2RECEIVED		4
#define PHASE1ST_MSG2SENT		5
#define PHASE1ST_MSG3RECEIVED		6
#define PHASE1ST_MSG3SENT		7
#define PHASE1ST_MSG4RECEIVED		8
#define PHASE1ST_ESTABLISHED		9
#define PHASE1ST_EXPIRED		10
#define PHASE1ST_MAX			11

typedef enum {
	natt_remote_support	= 0x0001,
	natt_natd_received	= 0x0002,
	natt_no_remote_nat	= 0x0010,
	natt_no_local_nat	= 0x0020
} natt_flags_t;

/* About address semantics in each case.
 *			initiator(addr=I)	responder(addr=R)
 *			src	dst		src	dst
 *			(local)	(remote)	(local)	(remote)
 * phase 1 handler	I	R		R	I
 * phase 2 handler	I	R		R	I
 * getspi msg		R	I		I	R
 * acquire msg		I	R
 * ID payload		I	R		I	R
 */
struct ph1handle {
	isakmp_index index;

	int status;			/* status of this SA */
	int side;			/* INITIATOR or RESPONDER */

	struct sockaddr *remote;	/* remote address to negosiate ph1 */
	struct sockaddr *local;		/* local address to negosiate ph1 */
			/* XXX copy from rmconf due to anonymous configuration.
			 * If anonymous will be forbidden, we do delete them. */

	struct remoteconf *rmconf;	/* pointer to remote configuration */

	struct isakmpsa *approval;	/* pointer to SA(s) approved. */
	vchar_t *authstr;		/* place holder of string for auth. */
					/* for example pre-shared key */

	u_int8_t version;		/* ISAKMP version */
	u_int8_t etype;			/* Exchange type actually for use */
	u_int8_t flags;			/* Flags */
	u_int32_t msgid;		/* message id */

	struct sched *sce;		/* schedule for expire */

	struct sched *scr;		/* schedule for resend */
	int retry_counter;		/* for resend. */
	vchar_t *sendbuf;		/* buffer for re-sending */

	vchar_t *dhpriv;		/* DH; private value */
	vchar_t *dhpub;			/* DH; public value */
	vchar_t *dhpub_p;		/* DH; partner's public value */
	vchar_t *dhgxy;			/* DH; shared secret */
	vchar_t *nonce;			/* nonce value */
	vchar_t *nonce_p;		/* partner's nonce value */
	vchar_t *skeyid;		/* SKEYID */
	vchar_t *skeyid_d;		/* SKEYID_d */
	vchar_t *skeyid_a;		/* SKEYID_a, i.e. hash */
	vchar_t *skeyid_e;		/* SKEYID_e, i.e. encryption */
	vchar_t *key;			/* cipher key */
	vchar_t *hash;			/* HASH minus general header */
	vchar_t *sig;			/* SIG minus general header */
	vchar_t *sig_p;			/* peer's SIG minus general header */
	cert_t *cert;			/* CERT minus general header */
	cert_t *cert_p;			/* peer's CERT minus general header */
	cert_t *crl_p;			/* peer's CRL minus general header */
	cert_t *cr_p;			/* peer's CR not including general */
	vchar_t *id;			/* ID minus gen header */
	vchar_t *id_p;			/* partner's ID minus general header */
					/* i.e. strut ipsecdoi_id_b*. */
	struct isakmp_ivm *ivm;		/* IVs */

	vchar_t *sa;			/* whole SA payload to send/to be sent*/
					/* to calculate HASH */
					/* NOT INCLUDING general header. */

	vchar_t *sa_ret;		/* SA payload to reply/to be replyed */
					/* NOT INCLUDING general header. */
					/* NOTE: Should be release after use. */

#ifdef HAVE_GSSAPI
	void *gssapi_state;		/* GSS-API specific state. */
					/* Allocated when needed */
	vchar_t *gi_i;			/* optional initiator GSS id */
	vchar_t *gi_r;			/* optional responder GSS id */
#endif

	struct isakmp_pl_hash *pl_hash;	/* pointer to hash payload */

	time_t created;			/* timestamp for establish */
#ifdef ENABLE_STATS
	struct timeval start;
	struct timeval end;
#endif

#ifdef IKE_NAT_T
	natt_flags_t	natt_flags;
	vchar_t			*local_natd;
	vchar_t			*remote_natd;
#endif

	u_int32_t msgid2;		/* msgid counter for Phase 2 */
	int ph2cnt;	/* the number which is negotiated by this phase 1 */
	LIST_HEAD(_ph2ofph1_, ph2handle) ph2tree;

	LIST_ENTRY(ph1handle) chain;
};

/* Phase 2 handler */
/* allocated per a SA or SA bundles of a pair of peer's IP addresses. */
/*
 *      initiator               responder
 *  0   (---)                   (---)
 *  1   start                   start (1st msg received)
 *  2   acquire msg get         1st valid msg received
 *  3   getspi request sent     getspi request sent
 *  4   getspi done             getspi done
 *  5   1st msg sent            1st msg sent
 *  6   1st valid msg received  2nd valid msg received
 *  7   (commit bit)            (commit bit)
 *  8   SAs added               SAs added
 *  9   SAs established         SAs established
 * 10   SAs expired             SAs expired
 */
#define PHASE2ST_SPAWN		0
#define PHASE2ST_START		1
#define PHASE2ST_STATUS2	2
#define PHASE2ST_GETSPISENT	3
#define PHASE2ST_GETSPIDONE	4
#define PHASE2ST_MSG1SENT	5
#define PHASE2ST_STATUS6	6
#define PHASE2ST_COMMIT		7
#define PHASE2ST_ADDSA		8
#define PHASE2ST_ESTABLISHED	9
#define PHASE2ST_EXPIRED	10
#define PHASE2ST_MAX		11

struct ph2handle {
	struct sockaddr *src;		/* my address of SA. */
	struct sockaddr *dst;		/* peer's address of SA. */

		/*
		 * copy ip address from ID payloads when ID type is ip address.
		 * In other case, they must be null.
		 */
	struct sockaddr *src_id;
	struct sockaddr *dst_id;

	u_int32_t spid;			/* policy id by kernel */

	int status;			/* ipsec sa status */
	u_int8_t side;			/* INITIATOR or RESPONDER */

	struct sched *sce;		/* schedule for expire */
	struct sched *scr;		/* schedule for resend */
	int retry_counter;		/* for resend. */
	vchar_t *sendbuf;		/* buffer for re-sending */
	vchar_t *msg1;			/* buffer for re-sending */
				/* used for responder's first message */

	int retry_checkph1;		/* counter to wait phase 1 finished. */
					/* NOTE: actually it's timer. */

	u_int32_t seq;			/* sequence number used by PF_KEY */
			/*
			 * NOTE: In responder side, we can't identify each SAs
			 * with same destination address for example, when
			 * socket based SA is required.  So we set a identifier
			 * number to "seq", and sent kernel by pfkey.
			 */
	u_int8_t satype;		/* satype in PF_KEY */
			/*
			 * saved satype in the original PF_KEY request from
			 * the kernel in order to reply a error.
			 */

	u_int8_t flags;			/* Flags for phase 2 */
	u_int32_t msgid;		/* msgid for phase 2 */

	struct sainfo *sainfo;		/* place holder of sainfo */
	struct saprop *proposal;	/* SA(s) proposal. */
	struct saprop *approval;	/* SA(s) approved. */
	caddr_t spidx_gen;		/* policy from peer's proposal */

	struct dhgroup *pfsgrp;		/* DH; prime number */
	vchar_t *dhpriv;		/* DH; private value */
	vchar_t *dhpub;			/* DH; public value */
	vchar_t *dhpub_p;		/* DH; partner's public value */
	vchar_t *dhgxy;			/* DH; shared secret */
	vchar_t *id;			/* ID minus gen header */
	vchar_t *id_p;			/* peer's ID minus general header */
	vchar_t *nonce;			/* nonce value in phase 2 */
	vchar_t *nonce_p;		/* partner's nonce value in phase 2 */

	vchar_t *sa;			/* whole SA payload to send/to be sent*/
					/* to calculate HASH */
					/* NOT INCLUDING general header. */

	vchar_t *sa_ret;		/* SA payload to reply/to be replyed */
					/* NOT INCLUDING general header. */
					/* NOTE: Should be release after use. */

	struct isakmp_ivm *ivm;		/* IVs */

#ifdef ENABLE_STATS
	struct timeval start;
	struct timeval end;
#endif
	struct ph1handle *ph1;	/* back pointer to isakmp status */

	LIST_ENTRY(ph2handle) chain;
	LIST_ENTRY(ph2handle) ph1bind;	/* chain to ph1handle */
};

/*
 * for handling initial contact.
 */
struct contacted {
	struct sockaddr *remote;	/* remote address to negosiate ph1 */
	LIST_ENTRY(contacted) chain;
};

/*
 * for checking a packet retransmited.
 */
struct recvdpkt {
	struct sockaddr *remote;	/* the remote address */
	struct sockaddr *local;		/* the local address */
	vchar_t *hash;			/* hash of the received packet */
	vchar_t *sendbuf;		/* buffer for the response */
	int retry_counter;		/* how many times to send */
	time_t time_send;		/* timestamp to send a packet */
	time_t created;			/* timestamp to create a queue */

	struct sched *scr;		/* schedule for resend, may not used */

	LIST_ENTRY(recvdpkt) chain;
};

/* for parsing ISAKMP header. */
struct isakmp_parse_t {
	u_char type;		/* payload type of mine */
	int len;		/* ntohs(ptr->len) */
	struct isakmp_gen *ptr;
};

/*
 * for IV management.
 *
 * - normal case
 * initiator                                     responder
 * -------------------------                     --------------------------
 * initialize iv(A), ive(A).                     initialize iv(A), ive(A).
 * encode by ive(A).
 * save to iv(B).            ---[packet(B)]-->   save to ive(B).
 *                                               decode by iv(A).
 *                                               packet consistency.
 *                                               sync iv(B) with ive(B).
 *                                               check auth, integrity.
 *                                               encode by ive(B).
 * save to ive(C).          <--[packet(C)]---    save to iv(C).
 * decoded by iv(B).
 *      :
 *
 * - In the case that a error is found while cipher processing,
 * initiator                                     responder
 * -------------------------                     --------------------------
 * initialize iv(A), ive(A).                     initialize iv(A), ive(A).
 * encode by ive(A).
 * save to iv(B).            ---[packet(B)]-->   save to ive(B).
 *                                               decode by iv(A).
 *                                               packet consistency.
 *                                               sync iv(B) with ive(B).
 *                                               check auth, integrity.
 *                                               error found.
 *                                               create notify.
 *                                               get ive2(X) from iv(B).
 *                                               encode by ive2(X).
 * get iv2(X) from iv(B).   <--[packet(Y)]---    save to iv2(Y).
 * save to ive2(Y).
 * decoded by iv2(X).
 *      :
 *
 * The reason why the responder synchronizes iv with ive after checking the
 * packet consistency is that it is required to leave the IV for decoding
 * packet.  Because there is a potential of error while checking the packet
 * consistency.  Also the reason why that is before authentication and
 * integirty check is that the IV for informational exchange has to be made
 * by the IV which is after packet decoded and checking the packet consistency.
 * Otherwise IV mismatched happens between the intitiator and the responder.
 */
struct isakmp_ivm {
	vchar_t *iv;	/* for decoding packet */
			/* if phase 1, it's for computing phase2 iv */
	vchar_t *ive;	/* for encoding packet */
};

/* for dumping */
struct ph1dump {
	isakmp_index index;
	int status;
	int side;
	struct sockaddr_storage remote;
	struct sockaddr_storage local;
	u_int8_t version;
	u_int8_t etype;	
	time_t created;
	int ph2cnt;
};

struct sockaddr;
struct ph1handle;
struct ph2handle;
struct policyindex;

extern struct ph1handle *getph1byindex __P((isakmp_index *));
extern struct ph1handle *getph1byindex0 __P((isakmp_index *));
extern struct ph1handle *getph1byaddr __P((struct sockaddr *,
	struct sockaddr *));
extern vchar_t *dumpph1 __P((void));
extern struct ph1handle *newph1 __P((void));
extern void delph1 __P((struct ph1handle *));
extern int insph1 __P((struct ph1handle *));
extern void remph1 __P((struct ph1handle *));
extern void flushph1 __P((void));
extern void initph1tree __P((void));

extern struct ph2handle *getph2byspidx __P((struct policyindex *));
extern struct ph2handle *getph2byspid __P((u_int32_t));
extern struct ph2handle *getph2byseq __P((u_int32_t));
extern struct ph2handle *getph2bymsgid __P((struct ph1handle *, u_int32_t));
extern struct ph2handle *getph2bysaidx __P((struct sockaddr *,
	struct sockaddr *, u_int, u_int32_t));
extern struct ph2handle *newph2 __P((void));
extern void initph2 __P((struct ph2handle *));
extern void delph2 __P((struct ph2handle *));
extern int insph2 __P((struct ph2handle *));
extern void remph2 __P((struct ph2handle *));
extern void flushph2 __P((void));
extern void deleteallph2 __P((struct sockaddr *, struct sockaddr *, u_int));
extern void initph2tree __P((void));

extern void bindph12 __P((struct ph1handle *, struct ph2handle *));
extern void unbindph12 __P((struct ph2handle *));

extern struct contacted *getcontacted __P((struct sockaddr *));
extern int inscontacted __P((struct sockaddr *));
extern void initctdtree __P((void));

extern int check_recvdpkt __P((struct sockaddr *,
	struct sockaddr *, vchar_t *));
extern int add_recvdpkt __P((struct sockaddr *, struct sockaddr *,
	vchar_t *, vchar_t *));
extern void init_recvdpkt __P((void));
Commit	Line	Data
ac2f15b3	1	/* $KAME: handler.h,v 1.44 2002/07/10 23:22:03 itojun Exp $ */
7ba0088d A	2
	3	/*
	4	* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
	5	* All rights reserved.
	6	*
	7	* Redistribution and use in source and binary forms, with or without
	8	* modification, are permitted provided that the following conditions
	9	* are met:
	10	* 1. Redistributions of source code must retain the above copyright
	11	* notice, this list of conditions and the following disclaimer.
	12	* 2. Redistributions in binary form must reproduce the above copyright
	13	* notice, this list of conditions and the following disclaimer in the
	14	* documentation and/or other materials provided with the distribution.
	15	* 3. Neither the name of the project nor the names of its contributors
	16	* may be used to endorse or promote products derived from this software
	17	* without specific prior written permission.
	18	*
	19	* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
	20	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	21	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	22	* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
	23	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	24	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	25	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	26	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	27	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	28	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	29	* SUCH DAMAGE.
	30	*/
	31
	32	/* Phase 1 handler */
	33	/*
	34	* main mode:
	35	* initiator responder
	36	* 0 (---) (---)
	37	* 1 start start (1st msg received)
	38	* 2 (---) 1st valid msg received
	39	* 3 1st msg sent 1st msg sent
	40	* 4 1st valid msg received 2st valid msg received
	41	* 5 2nd msg sent 2nd msg sent
	42	* 6 2nd valid msg received 3rd valid msg received
	43	* 7 3rd msg sent 3rd msg sent
	44	* 8 3rd valid msg received (---)
	45	* 9 SA established SA established
	46	*
	47	* aggressive mode:
	48	* initiator responder
	49	* 0 (---) (---)
	50	* 1 start start (1st msg received)
	51	* 2 (---) 1st valid msg received
	52	* 3 1st msg sent 1st msg sent
	53	* 4 1st valid msg received 2st valid msg received
	54	* 5 (---) (---)
	55	* 6 (---) (---)
	56	* 7 (---) (---)
	57	* 8 (---) (---)
	58	* 9 SA established SA established
	59	*
	60	* base mode:
	61	* initiator responder
	62	* 0 (---) (---)
	63	* 1 start start (1st msg received)
	64	* 2 (---) 1st valid msg received
	65	* 3 1st msg sent 1st msg sent
66	* 4 1st valid msg received 2st valid msg received
67	* 5 2nd msg sent (---)
68	* 6 (---) (---)
69	* 7 (---) (---)
70	* 8 (---) (---)
71	* 9 SA established SA established
72	*/
73	#define PHASE1ST_SPAWN 0
74	#define PHASE1ST_START 1
75	#define PHASE1ST_MSG1RECEIVED 2
76	#define PHASE1ST_MSG1SENT 3
77	#define PHASE1ST_MSG2RECEIVED 4
78	#define PHASE1ST_MSG2SENT 5
79	#define PHASE1ST_MSG3RECEIVED 6
80	#define PHASE1ST_MSG3SENT 7
81	#define PHASE1ST_MSG4RECEIVED 8
82	#define PHASE1ST_ESTABLISHED 9
83	#define PHASE1ST_EXPIRED 10
84	#define PHASE1ST_MAX 11
85
ac2f15b3 A	86	typedef enum {
	87	natt_remote_support = 0x0001,
	88	natt_natd_received = 0x0002,
	89	natt_no_remote_nat = 0x0010,
	90	natt_no_local_nat = 0x0020
	91	} natt_flags_t;
	92
7ba0088d A	93	/* About address semantics in each case.
	94	* initiator(addr=I) responder(addr=R)
	95	* src dst src dst
	96	* (local) (remote) (local) (remote)
	97	* phase 1 handler I R R I
	98	* phase 2 handler I R R I
	99	* getspi msg R I I R
ac2f15b3	100	* acquire msg I R
7ba0088d A	101	* ID payload I R I R
	102	*/
	103	struct ph1handle {
	104	isakmp_index index;
	105
	106	int status; /* status of this SA */
	107	int side; /* INITIATOR or RESPONDER */
	108
	109	struct sockaddr remote; / remote address to negosiate ph1 */
	110	struct sockaddr local; / local address to negosiate ph1 */
	111	/* XXX copy from rmconf due to anonymous configuration.
	112	* If anonymous will be forbidden, we do delete them. */
	113
	114	struct remoteconf rmconf; / pointer to remote configuration */
	115
	116	struct isakmpsa approval; / pointer to SA(s) approved. */
	117	vchar_t authstr; / place holder of string for auth. */
	118	/* for example pre-shared key */
	119
	120	u_int8_t version; /* ISAKMP version */
	121	u_int8_t etype; /* Exchange type actually for use */
	122	u_int8_t flags; /* Flags */
	123	u_int32_t msgid; /* message id */
	124
	125	struct sched sce; / schedule for expire */
	126
	127	struct sched scr; / schedule for resend */
	128	int retry_counter; /* for resend. */
	129	vchar_t sendbuf; / buffer for re-sending */
	130
	131	vchar_t dhpriv; / DH; private value */
	132	vchar_t dhpub; / DH; public value */
	133	vchar_t dhpub_p; / DH; partner's public value */
	134	vchar_t dhgxy; / DH; shared secret */
	135	vchar_t nonce; / nonce value */
	136	vchar_t nonce_p; / partner's nonce value */
	137	vchar_t skeyid; / SKEYID */
	138	vchar_t skeyid_d; / SKEYID_d */
	139	vchar_t skeyid_a; / SKEYID_a, i.e. hash */
	140	vchar_t skeyid_e; / SKEYID_e, i.e. encryption */
	141	vchar_t key; / cipher key */
	142	vchar_t hash; / HASH minus general header */
	143	vchar_t sig; / SIG minus general header */
	144	vchar_t sig_p; / peer's SIG minus general header */
	145	cert_t cert; / CERT minus general header */
	146	cert_t cert_p; / peer's CERT minus general header */
	147	cert_t crl_p; / peer's CRL minus general header */
	148	cert_t cr_p; / peer's CR not including general */
	149	vchar_t id; / ID minus gen header */
	150	vchar_t id_p; / partner's ID minus general header */
	151	/* i.e. strut ipsecdoi_id_b. /
	152	struct isakmp_ivm ivm; / IVs */
	153
	154	vchar_t sa; / whole SA payload to send/to be sent*/
	155	/* to calculate HASH */
	156	/* NOT INCLUDING general header. */
	157
	158	vchar_t sa_ret; / SA payload to reply/to be replyed */
	159	/* NOT INCLUDING general header. */
	160	/* NOTE: Should be release after use. */
	161
	162	#ifdef HAVE_GSSAPI
	163	void gssapi_state; / GSS-API specific state. */
	164	/* Allocated when needed */
165	vchar_t gi_i; / optional initiator GSS id */
166	vchar_t gi_r; / optional responder GSS id */
167	#endif
168
169	struct isakmp_pl_hash pl_hash; / pointer to hash payload */
170
171	time_t created; /* timestamp for establish */
172	#ifdef ENABLE_STATS
173	struct timeval start;
174	struct timeval end;
175	#endif
176
ac2f15b3 A	177	#ifdef IKE_NAT_T
	178	natt_flags_t natt_flags;
	179	vchar_t *local_natd;
	180	vchar_t *remote_natd;
	181	#endif
	182
7ba0088d A	183	u_int32_t msgid2; /* msgid counter for Phase 2 */
	184	int ph2cnt; /* the number which is negotiated by this phase 1 */
	185	LIST_HEAD(_ph2ofph1_, ph2handle) ph2tree;
	186
	187	LIST_ENTRY(ph1handle) chain;
	188	};
	189
	190	/* Phase 2 handler */
	191	/* allocated per a SA or SA bundles of a pair of peer's IP addresses. */
	192	/*
	193	* initiator responder
	194	* 0 (---) (---)
	195	* 1 start start (1st msg received)
	196	* 2 acquire msg get 1st valid msg received
	197	* 3 getspi request sent getspi request sent
	198	* 4 getspi done getspi done
	199	* 5 1st msg sent 1st msg sent
	200	* 6 1st valid msg received 2nd valid msg received
	201	* 7 (commit bit) (commit bit)
	202	* 8 SAs added SAs added
	203	* 9 SAs established SAs established
	204	* 10 SAs expired SAs expired
	205	*/
	206	#define PHASE2ST_SPAWN 0
	207	#define PHASE2ST_START 1
	208	#define PHASE2ST_STATUS2 2
	209	#define PHASE2ST_GETSPISENT 3
	210	#define PHASE2ST_GETSPIDONE 4
	211	#define PHASE2ST_MSG1SENT 5
	212	#define PHASE2ST_STATUS6 6
	213	#define PHASE2ST_COMMIT 7
	214	#define PHASE2ST_ADDSA 8
	215	#define PHASE2ST_ESTABLISHED 9
	216	#define PHASE2ST_EXPIRED 10
	217	#define PHASE2ST_MAX 11
	218
	219	struct ph2handle {
	220	struct sockaddr src; / my address of SA. */
	221	struct sockaddr dst; / peer's address of SA. */
	222
	223	/*
	224	* copy ip address from ID payloads when ID type is ip address.
	225	* In other case, they must be null.
	226	*/
	227	struct sockaddr *src_id;
	228	struct sockaddr *dst_id;
	229
	230	u_int32_t spid; /* policy id by kernel */
	231
	232	int status; /* ipsec sa status */
	233	u_int8_t side; /* INITIATOR or RESPONDER */
	234
	235	struct sched sce; / schedule for expire */
	236	struct sched scr; / schedule for resend */
	237	int retry_counter; /* for resend. */
	238	vchar_t sendbuf; / buffer for re-sending */
	239	vchar_t msg1; / buffer for re-sending */
	240	/* used for responder's first message */
	241
	242	int retry_checkph1; /* counter to wait phase 1 finished. */
	243	/* NOTE: actually it's timer. */
	244
	245	u_int32_t seq; /* sequence number used by PF_KEY */
	246	/*
247	* NOTE: In responder side, we can't identify each SAs
248	* with same destination address for example, when
249	* socket based SA is required. So we set a identifier
250	* number to "seq", and sent kernel by pfkey.
251	*/
252	u_int8_t satype; /* satype in PF_KEY */
253	/*
254	* saved satype in the original PF_KEY request from
255	* the kernel in order to reply a error.
256	*/
257
258	u_int8_t flags; /* Flags for phase 2 */
259	u_int32_t msgid; /* msgid for phase 2 */
260
261	struct sainfo sainfo; / place holder of sainfo */
262	struct saprop proposal; / SA(s) proposal. */
263	struct saprop approval; / SA(s) approved. */
264	caddr_t spidx_gen; /* policy from peer's proposal */
265
266	struct dhgroup pfsgrp; / DH; prime number */
267	vchar_t dhpriv; / DH; private value */
268	vchar_t dhpub; / DH; public value */
269	vchar_t dhpub_p; / DH; partner's public value */
270	vchar_t dhgxy; / DH; shared secret */
271	vchar_t id; / ID minus gen header */
272	vchar_t id_p; / peer's ID minus general header */
273	vchar_t nonce; / nonce value in phase 2 */
274	vchar_t nonce_p; / partner's nonce value in phase 2 */
275
276	vchar_t sa; / whole SA payload to send/to be sent*/
277	/* to calculate HASH */
278	/* NOT INCLUDING general header. */
279
280	vchar_t sa_ret; / SA payload to reply/to be replyed */
281	/* NOT INCLUDING general header. */
282	/* NOTE: Should be release after use. */
283
284	struct isakmp_ivm ivm; / IVs */
285
286	#ifdef ENABLE_STATS
287	struct timeval start;
288	struct timeval end;
289	#endif
290	struct ph1handle ph1; / back pointer to isakmp status */
291
292	LIST_ENTRY(ph2handle) chain;
293	LIST_ENTRY(ph2handle) ph1bind; /* chain to ph1handle */
294	};
295
296	/*
297	* for handling initial contact.
298	*/
299	struct contacted {
300	struct sockaddr remote; / remote address to negosiate ph1 */
301	LIST_ENTRY(contacted) chain;
302	};
303
304	/*
305	* for checking a packet retransmited.
306	*/
307	struct recvdpkt {
308	struct sockaddr remote; / the remote address */
309	struct sockaddr local; / the local address */
310	vchar_t hash; / hash of the received packet */
311	vchar_t sendbuf; / buffer for the response */
312	int retry_counter; /* how many times to send */
313	time_t time_send; /* timestamp to send a packet */
314	time_t created; /* timestamp to create a queue */
315
316	struct sched scr; / schedule for resend, may not used */
317
318	LIST_ENTRY(recvdpkt) chain;
319	};
320
321	/* for parsing ISAKMP header. */
322	struct isakmp_parse_t {
323	u_char type; /* payload type of mine */
324	int len; /* ntohs(ptr->len) */
325	struct isakmp_gen *ptr;
326	};
327
328	/*
329	* for IV management.
330	*
331	* - normal case
332	* initiator responder
333	* ------------------------- --------------------------
334	* initialize iv(A), ive(A). initialize iv(A), ive(A).
335	* encode by ive(A).
336	* save to iv(B). ---[packet(B)]--> save to ive(B).
337	* decode by iv(A).
338	* packet consistency.
339	* sync iv(B) with ive(B).
340	* check auth, integrity.
341	* encode by ive(B).
342	* save to ive(C). <--[packet(C)]--- save to iv(C).
343	* decoded by iv(B).
344	* :
345	*
346	* - In the case that a error is found while cipher processing,
347	* initiator responder
348	* ------------------------- --------------------------
349	* initialize iv(A), ive(A). initialize iv(A), ive(A).
350	* encode by ive(A).
351	* save to iv(B). ---[packet(B)]--> save to ive(B).
352	* decode by iv(A).
353	* packet consistency.
354	* sync iv(B) with ive(B).
355	* check auth, integrity.
356	* error found.
357	* create notify.
358	* get ive2(X) from iv(B).
359	* encode by ive2(X).
360	* get iv2(X) from iv(B). <--[packet(Y)]--- save to iv2(Y).
361	* save to ive2(Y).
362	* decoded by iv2(X).
363	* :
364	*
365	* The reason why the responder synchronizes iv with ive after checking the
366	* packet consistency is that it is required to leave the IV for decoding
367	* packet. Because there is a potential of error while checking the packet
368	* consistency. Also the reason why that is before authentication and
369	* integirty check is that the IV for informational exchange has to be made
370	* by the IV which is after packet decoded and checking the packet consistency.
371	* Otherwise IV mismatched happens between the intitiator and the responder.
372	*/
373	struct isakmp_ivm {
374	vchar_t iv; / for decoding packet */
375	/* if phase 1, it's for computing phase2 iv */
376	vchar_t ive; / for encoding packet */
377	};
378
379	/* for dumping */
380	struct ph1dump {
381	isakmp_index index;
382	int status;
383	int side;
384	struct sockaddr_storage remote;
385	struct sockaddr_storage local;
386	u_int8_t version;
387	u_int8_t etype;
388	time_t created;
389	int ph2cnt;
390	};
391
392	struct sockaddr;
393	struct ph1handle;
394	struct ph2handle;
395	struct policyindex;
396
397	extern struct ph1handle getph1byindex __P((isakmp_index ));
398	extern struct ph1handle getph1byindex0 __P((isakmp_index ));
399	extern struct ph1handle getph1byaddr __P((struct sockaddr ,
400	struct sockaddr *));
401	extern vchar_t *dumpph1 __P((void));
402	extern struct ph1handle *newph1 __P((void));
403	extern void delph1 __P((struct ph1handle *));
404	extern int insph1 __P((struct ph1handle *));
405	extern void remph1 __P((struct ph1handle *));
406	extern void flushph1 __P((void));
407	extern void initph1tree __P((void));
408
409	extern struct ph2handle getph2byspidx __P((struct policyindex ));
410	extern struct ph2handle *getph2byspid __P((u_int32_t));
411	extern struct ph2handle *getph2byseq __P((u_int32_t));
412	extern struct ph2handle getph2bymsgid __P((struct ph1handle , u_int32_t));
413	extern struct ph2handle getph2bysaidx __P((struct sockaddr ,
414	struct sockaddr *, u_int, u_int32_t));
415	extern struct ph2handle *newph2 __P((void));
416	extern void initph2 __P((struct ph2handle *));
417	extern void delph2 __P((struct ph2handle *));
418	extern int insph2 __P((struct ph2handle *));
419	extern void remph2 __P((struct ph2handle *));
420	extern void flushph2 __P((void));
421	extern void deleteallph2 __P((struct sockaddr , struct sockaddr , u_int));
422	extern void initph2tree __P((void));
423
424	extern void bindph12 __P((struct ph1handle , struct ph2handle ));
425	extern void unbindph12 __P((struct ph2handle *));
426
427	extern struct contacted getcontacted __P((struct sockaddr ));
428	extern int inscontacted __P((struct sockaddr *));
429	extern void initctdtree __P((void));
430
431	extern int check_recvdpkt __P((struct sockaddr *,
432	struct sockaddr , vchar_t ));
433	extern int add_recvdpkt __P((struct sockaddr , struct sockaddr ,
434	vchar_t , vchar_t ));
435	extern void init_recvdpkt __P((void));