/* $NetBSD: handler.h,v 1.12 2008/03/06 00:34:11 mgrooms Exp $ */

/* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */

/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * handler.h -- per-peer negotiation state of the IKE daemon: the Phase 1
 * (ISAKMP SA) and Phase 2 (IPsec SA) handlers, the state-machine indices
 * that drive them, the retransmission / initial-contact bookkeeping
 * records, and the handler-table API implemented elsewhere.
 *
 * NOTE(review): _HANDLER_H (leading underscore + uppercase) is in the
 * namespace reserved for the C implementation; HANDLER_H would be the
 * conforming spelling.  Kept as-is here because other files may test it.
 */
#ifndef _HANDLER_H
#define _HANDLER_H

#include <sys/queue.h>		/* LIST_HEAD / LIST_ENTRY used by the handlers */
#include <openssl/rsa.h>	/* RSA, for the local and peer signing keys */

#include <sys/time.h>

#include "isakmp_var.h"		/* isakmp_index, vchar_t and friends */
#include "oakley.h"
#include "evt.h"		/* EVT_LISTENER_LIST */

/* Phase 1 handler */
/*
 * Phase 1 state machine.  The number in the left column is the value
 * stored in ph1handle.status (PHASE1ST_* below); the two columns give
 * what that state means for the initiator and the responder side.
 *
 * main mode:
 *      initiator                 responder
 *  0   (---)                     (---)
 *  1   start                     start (1st msg received)
 *  2   (---)                     1st valid msg received
 *  3   1st msg sent              1st msg sent
 *  4   1st valid msg received    2nd valid msg received
 *  5   2nd msg sent              2nd msg sent
 *  6   2nd valid msg received    3rd valid msg received
 *  7   3rd msg sent              3rd msg sent
 *  8   3rd valid msg received    (---)
 *  9   SA established            SA established
 *
 * aggressive mode:
 *      initiator                 responder
 *  0   (---)                     (---)
 *  1   start                     start (1st msg received)
 *  2   (---)                     1st valid msg received
 *  3   1st msg sent              1st msg sent
 *  4   1st valid msg received    2nd valid msg received
 *  5   (---)                     (---)
 *  6   (---)                     (---)
 *  7   (---)                     (---)
 *  8   (---)                     (---)
 *  9   SA established            SA established
 *
 * base mode:
 *      initiator                 responder
 *  0   (---)                     (---)
 *  1   start                     start (1st msg received)
 *  2   (---)                     1st valid msg received
 *  3   1st msg sent              1st msg sent
 *  4   1st valid msg received    2nd valid msg received
 *  5   2nd msg sent              (---)
 *  6   (---)                     (---)
 *  7   (---)                     (---)
 *  8   (---)                     (---)
 *  9   SA established            SA established
 */
/*
 * Phase 1 status values.  EXPIRED (10) is not in the tables above: it is
 * the terminal state after the SA lifetime runs out.  MAX is one past the
 * last valid value, presumably used to size per-state tables -- it is not
 * itself a state.
 */
#define PHASE1ST_SPAWN			0
#define PHASE1ST_START			1
#define PHASE1ST_MSG1RECEIVED		2
#define PHASE1ST_MSG1SENT		3
#define PHASE1ST_MSG2RECEIVED		4
#define PHASE1ST_MSG2SENT		5
#define PHASE1ST_MSG3RECEIVED		6
#define PHASE1ST_MSG3SENT		7
#define PHASE1ST_MSG4RECEIVED		8
#define PHASE1ST_ESTABLISHED		9
#define PHASE1ST_EXPIRED		10
#define PHASE1ST_MAX			11

/* About address semantics in each case.
 * "src"/"dst" below are the names used by the structures and messages in
 * this file; I is the initiator's address and R the responder's.
 *
 *			initiator(addr=I)	responder(addr=R)
 *			src	dst		src	dst
 *			(local)	(remote)	(local)	(remote)
 * phase 1 handler	I	R		R	I
 * phase 2 handler	I	R		R	I
 * getspi msg		R	I		I	R
 * acquire msg		I	R
 * ID payload		I	R		I	R
 */
#ifdef ENABLE_HYBRID
struct isakmp_cfg_state;	/* opaque here; defined by the mode-config code */
#endif

/*
 * Phase 1 (ISAKMP SA) handler: all negotiation state for one IKE peer,
 * from the first message until the SA expires.  Field groups: peer
 * identity and addresses, the matched configuration, retransmission
 * state, key material, payloads kept for HASH computation, optional
 * NAT-T / fragmentation / GSS-API / DPD / mode-config state, and the
 * Phase 2 handlers negotiated under this SA (ph2tree).
 *
 * NOTE(review): dhpriv, dhgxy, skeyid, skeyid_d/a/e, key and authstr hold
 * secret material.  Whatever releases a ph1handle (delph1, declared
 * below) should wipe these before freeing them rather than just freeing
 * them -- confirm in the implementation.
 */
struct ph1handle {
	isakmp_index index;		/* initiator/responder cookies identifying this SA */

	int status;			/* status of this SA (PHASE1ST_*) */
	int side;			/* INITIATOR or RESPONDER */

	struct sockaddr *remote;	/* remote address to negotiate ph1 */
	struct sockaddr *local;		/* local address to negotiate ph1 */
				/* XXX copy from rmconf due to anonymous configuration.
				 * If anonymous configuration is ever forbidden,
				 * these copies can be deleted. */

	struct remoteconf *rmconf;	/* pointer to remote configuration */

	struct isakmpsa *approval;	/* pointer to SA(s) approved. */
	vchar_t *authstr;		/* place holder of string for auth, */
					/* for example the pre-shared key -- */
					/* secret material, see note above */

	u_int8_t version;		/* ISAKMP version */
	u_int8_t etype;			/* Exchange type actually in use */
	u_int8_t flags;			/* Flags */
	u_int32_t msgid;		/* message id */

#ifdef ENABLE_NATT
	struct ph1natt_options *natt_options;	/* Selected NAT-T IKE version */
	u_int32_t natt_flags;		/* NAT-T related flags */
#endif
#ifdef ENABLE_FRAG
	int frag;			/* IKE phase 1 fragmentation */
	struct isakmp_frag_item *frag_chain;	/* Received fragments */
#endif

	struct sched *sce;		/* schedule for expire */

	struct sched *scr;		/* schedule for resend */
	int retry_counter;		/* for resend. */
	vchar_t *sendbuf;		/* buffer for re-sending */

	/* Diffie-Hellman exchange and derived keying material. */
	vchar_t *dhpriv;		/* DH; private value */
	vchar_t *dhpub;			/* DH; public value */
	vchar_t *dhpub_p;		/* DH; partner's public value */
	vchar_t *dhgxy;			/* DH; shared secret */
	vchar_t *nonce;			/* nonce value */
	vchar_t *nonce_p;		/* partner's nonce value */
	vchar_t *skeyid;		/* SKEYID */
	vchar_t *skeyid_d;		/* SKEYID_d */
	vchar_t *skeyid_a;		/* SKEYID_a, i.e. hash */
	vchar_t *skeyid_e;		/* SKEYID_e, i.e. encryption */
	vchar_t *key;			/* cipher key */
	/* Authentication payloads, all stored without the generic header. */
	vchar_t *hash;			/* HASH minus general header */
	vchar_t *sig;			/* SIG minus general header */
	vchar_t *sig_p;			/* peer's SIG minus general header */
	cert_t *cert;			/* CERT minus general header */
	cert_t *cert_p;			/* peer's CERT minus general header */
	cert_t *crl_p;			/* peer's CRL minus general header */
	cert_t *cr_p;			/* peer's CR not including general header */
	RSA *rsa;			/* my RSA key */
	RSA *rsa_p;			/* peer's RSA key */
	struct genlist *rsa_candidates;	/* possible candidates for peer's RSA key */
	vchar_t *id;			/* ID minus gen header */
	vchar_t *id_p;			/* partner's ID minus general header */
					/* i.e. struct ipsecdoi_id_b*. */
	struct isakmp_ivm *ivm;		/* IVs */

	vchar_t *sa;			/* whole SA payload to send/to be sent */
					/* to calculate HASH */
					/* NOT INCLUDING general header. */

	vchar_t *sa_ret;		/* SA payload to reply/to be replied */
					/* NOT INCLUDING general header. */
					/* NOTE: Should be released after use. */

#ifdef HAVE_GSSAPI
	void *gssapi_state;		/* GSS-API specific state. */
					/* Allocated when needed */
	vchar_t *gi_i;			/* optional initiator GSS id */
	vchar_t *gi_r;			/* optional responder GSS id */
#endif

	struct isakmp_pl_hash *pl_hash;	/* pointer to hash payload */

	time_t created;			/* timestamp for establish */
#ifdef ENABLE_STATS
	struct timeval start;		/* negotiation start (statistics only) */
	struct timeval end;		/* negotiation end (statistics only) */
#endif

#ifdef ENABLE_DPD
	int dpd_support;		/* Does the remote support DPD? */
	time_t dpd_lastack;		/* Last ack received */
	u_int16_t dpd_seq;		/* DPD seq number to receive */
	u_int8_t dpd_fails;		/* number of failures */
	struct sched *dpd_r_u;		/* schedule for the DPD R-U-THERE probe */
#endif

	u_int32_t msgid2;		/* msgid counter for Phase 2 */
	int ph2cnt;	/* the number of Phase 2 SAs negotiated by this phase 1 */
	LIST_HEAD(_ph2ofph1_, ph2handle) ph2tree;	/* Phase 2 handlers bound to this SA */

	LIST_ENTRY(ph1handle) chain;	/* link in the global ph1 list */
#ifdef ENABLE_HYBRID
	struct isakmp_cfg_state *mode_cfg;	/* ISAKMP mode config state */
#endif
	EVT_LISTENER_LIST(evt_listeners);
};

/* Phase 2 handler */
/* allocated per SA, or per SA bundle, for a pair of peer IP addresses. */
/*
 * Phase 2 state machine; the left column is ph2handle.status (PHASE2ST_*).
 *
 *      initiator                 responder
 *  0   (---)                     (---)
 *  1   start                     start (1st msg received)
 *  2   acquire msg get           1st valid msg received
 *  3   getspi request sent       getspi request sent
 *  4   getspi done               getspi done
 *  5   1st msg sent              1st msg sent
 *  6   1st valid msg received    2nd valid msg received
 *  7   (commit bit)              (commit bit)
 *  8   SAs added                 SAs added
 *  9   SAs established           SAs established
 * 10   SAs expired               SAs expired
 */
/* Phase 2 status values; MAX is one past the last valid state. */
#define PHASE2ST_SPAWN		0
#define PHASE2ST_START		1
#define PHASE2ST_STATUS2	2
#define PHASE2ST_GETSPISENT	3
#define PHASE2ST_GETSPIDONE	4
#define PHASE2ST_MSG1SENT	5
#define PHASE2ST_STATUS6	6
#define PHASE2ST_COMMIT		7
#define PHASE2ST_ADDSA		8
#define PHASE2ST_ESTABLISHED	9
#define PHASE2ST_EXPIRED	10
#define PHASE2ST_MAX		11

/*
 * Phase 2 (IPsec SA) handler: one per SA or SA bundle negotiated between
 * src and dst under the Phase 1 SA pointed to by ph1.  Tracks the kernel
 * side of the SA (spid, seq, satype exchanged over PF_KEY) as well as the
 * IKE exchange state and the Phase 2 DH / nonce material.
 */
struct ph2handle {
	struct sockaddr *src;		/* my address of SA. */
	struct sockaddr *dst;		/* peer's address of SA. */

	/*
	 * copy ip address from ID payloads when ID type is ip address.
	 * In other cases, they must be null.
	 */
	struct sockaddr *src_id;
	struct sockaddr *dst_id;
#ifdef ENABLE_NATT
	struct sockaddr *natoa_src;	/* peer's view of my address */
	struct sockaddr *natoa_dst;	/* peer's view of his address */
#endif

	u_int32_t spid;			/* policy id by kernel */

	int status;			/* ipsec sa status (PHASE2ST_*) */
	u_int8_t side;			/* INITIATOR or RESPONDER */

	struct sched *sce;		/* schedule for expire */
	struct sched *scr;		/* schedule for resend */
	int retry_counter;		/* for resend. */
	vchar_t *sendbuf;		/* buffer for re-sending */
	vchar_t *msg1;			/* buffer for re-sending */
				/* used for responder's first message */

	int retry_checkph1;		/* counter to wait for phase 1 to finish. */
					/* NOTE: actually it's a timer. */

	u_int32_t seq;			/* sequence number used by PF_KEY */
			/*
			 * NOTE: On the responder side, we can't identify each SA
			 * with the same destination address, for example when
			 * a socket-based SA is required.  So we set an identifier
			 * number in "seq" and send it to the kernel by pfkey.
			 */
	u_int8_t satype;		/* satype in PF_KEY */
			/*
			 * saved satype from the original PF_KEY request from
			 * the kernel, in order to reply with an error.
			 */

	u_int8_t flags;			/* Flags for phase 2 */
	u_int32_t msgid;		/* msgid for phase 2 */

	struct sainfo *sainfo;		/* place holder of sainfo */
	struct saprop *proposal;	/* SA(s) proposal. */
	struct saprop *approval;	/* SA(s) approved. */
	caddr_t spidx_gen;		/* policy generated from peer's proposal */

	struct dhgroup *pfsgrp;		/* DH group for PFS; prime number */
	vchar_t *dhpriv;		/* DH; private value */
	vchar_t *dhpub;			/* DH; public value */
	vchar_t *dhpub_p;		/* DH; partner's public value */
	vchar_t *dhgxy;			/* DH; shared secret */
	vchar_t *id;			/* ID minus gen header */
	vchar_t *id_p;			/* peer's ID minus general header */
	vchar_t *nonce;			/* nonce value in phase 2 */
	vchar_t *nonce_p;		/* partner's nonce value in phase 2 */

	vchar_t *sa;			/* whole SA payload to send/to be sent */
					/* to calculate HASH */
					/* NOT INCLUDING general header. */

	vchar_t *sa_ret;		/* SA payload to reply/to be replied */
					/* NOT INCLUDING general header. */
					/* NOTE: Should be released after use. */

	struct isakmp_ivm *ivm;		/* IVs */

	int generated_spidx;	/* mark handlers with generated policy */

#ifdef ENABLE_STATS
	struct timeval start;		/* negotiation start (statistics only) */
	struct timeval end;		/* negotiation end (statistics only) */
#endif
	struct ph1handle *ph1;	/* back pointer to isakmp status */

	LIST_ENTRY(ph2handle) chain;	/* link in the global ph2 list */
	LIST_ENTRY(ph2handle) ph1bind;	/* chain to ph1handle (its ph2tree) */
	EVT_LISTENER_LIST(evt_listeners);
};

/*
 * for handling initial contact: one record per remote address we have
 * already contacted.
 */
struct contacted {
	struct sockaddr *remote;	/* remote address to negotiate ph1 */
	LIST_ENTRY(contacted) chain;
};

/*
 * for checking whether a packet is a retransmission.
 *
 * A received packet is remembered by the hash of its contents together
 * with the addresses it arrived on; a later packet with the same hash is
 * presumably answered from the saved response (sendbuf) instead of being
 * processed a second time.  See check_recvdpkt/add_recvdpkt below.
 */
struct recvdpkt {
	struct sockaddr *remote;	/* the remote address */
	struct sockaddr *local;		/* the local address */
	vchar_t *hash;			/* hash of the received packet */
	vchar_t *sendbuf;		/* buffer for the response */
	int retry_counter;		/* how many times to send */
	time_t time_send;		/* timestamp to send a packet */
	time_t created;			/* timestamp the entry was queued */

	struct sched *scr;		/* schedule for resend, may not be used */

	LIST_ENTRY(recvdpkt) chain;
};

/* for parsing ISAKMP header.
 *
 * One entry per payload found while walking a received message.
 * NOTE(review): len is decoded from the wire (ntohs of the payload
 * header) and is therefore peer-controlled; whoever fills this in must
 * have checked it against the remaining buffer before ptr is followed.
 */
struct isakmp_parse_t {
	u_char type;		/* payload type of mine */
	int len;		/* ntohs(ptr->len) */
	struct isakmp_gen *ptr;	/* the payload's generic header in the message */
};

/*
 * for IV management.
 *
 * - normal case
 *	initiator			responder
 *	-------------------------	--------------------------
 *	initialize iv(A), ive(A).	initialize iv(A), ive(A).
 *	encode by ive(A).
 *	save to iv(B).		---[packet(B)]-->	save to ive(B).
 *					decode by iv(A).
 *					packet consistency.
 *					sync iv(B) with ive(B).
 *					check auth, integrity.
 *					encode by ive(B).
 *	save to ive(C).		<--[packet(C)]---	save to iv(C).
 *	decoded by iv(B).
 *	    :
 *
 * - In the case that an error is found while cipher processing,
 *	initiator			responder
 *	-------------------------	--------------------------
 *	initialize iv(A), ive(A).	initialize iv(A), ive(A).
 *	encode by ive(A).
 *	save to iv(B).		---[packet(B)]-->	save to ive(B).
 *					decode by iv(A).
 *					packet consistency.
 *					sync iv(B) with ive(B).
 *					check auth, integrity.
 *					error found.
 *					create notify.
 *					get ive2(X) from iv(B).
 *					encode by ive2(X).
 *	get iv2(X) from iv(B).	<--[packet(Y)]---	save to iv2(Y).
 *	save to ive2(Y).
 *	decoded by iv2(X).
 *	    :
 *
 * The reason why the responder synchronizes iv with ive after checking the
 * packet consistency is that it is required to keep the IV for decoding the
 * packet, because there is a potential for error while checking the packet
 * consistency.  Also, the reason why that happens before the authentication
 * and integrity check is that the IV for the informational exchange has to
 * be derived from the IV as it is after the packet is decoded and its
 * consistency checked.  Otherwise an IV mismatch happens between the
 * initiator and the responder.
 */
/* Receive (iv) and transmit (ive) IV pair for one handler. */
struct isakmp_ivm {
	vchar_t *iv;			/* for decoding packet */
					/* if phase 1, it's for computing phase2 iv */
	vchar_t *ive;			/* for encoding packet */
};

/*
 * for dumping: a flat, self-contained snapshot of a ph1handle.  Addresses
 * are copied into sockaddr_storage rather than pointed to, so the record
 * can outlive the handler (presumably the unit dumpph1() emits).
 */
struct ph1dump {
	isakmp_index index;
	int status;			/* PHASE1ST_* */
	int side;			/* INITIATOR or RESPONDER */
	struct sockaddr_storage remote;
	struct sockaddr_storage local;
	u_int8_t version;
	u_int8_t etype;
	time_t created;
	int ph2cnt;
};

/*
 * Forward declarations for the prototypes below.  ph1handle and ph2handle
 * are already complete at this point; the tags are repeated for readers
 * who only include the prototypes.  __P() is the pre-ANSI prototype
 * wrapper used throughout this tree.
 */
struct sockaddr;
struct ph1handle;
struct ph2handle;
struct policyindex;

/* Phase 1 handler table: lookups, allocation, list maintenance. */
extern struct ph1handle *getph1byindex __P((isakmp_index *));
extern struct ph1handle *getph1byindex0 __P((isakmp_index *));
extern struct ph1handle *getph1byaddr __P((struct sockaddr *,
	struct sockaddr *, int));
extern struct ph1handle *getph1byaddrwop __P((struct sockaddr *,
	struct sockaddr *));
extern struct ph1handle *getph1bydstaddrwop __P((struct sockaddr *));
#ifdef ENABLE_HYBRID
/* NOTE(review): these two lack the `extern` the rest of the file uses. */
struct ph1handle *getph1bylogin __P((char *));
int purgeph1bylogin __P((char *));
#endif
extern vchar_t *dumpph1 __P((void));		/* see struct ph1dump */
extern struct ph1handle *newph1 __P((void));
extern void delph1 __P((struct ph1handle *));	/* releases key material -- see struct ph1handle */
extern int insph1 __P((struct ph1handle *));
extern void remph1 __P((struct ph1handle *));
extern void flushph1 __P((void));
extern void initph1tree __P((void));

/* Phase 2 handler table: lookups by kernel ids, addresses or msgid. */
extern struct ph2handle *getph2byspidx __P((struct policyindex *));
extern struct ph2handle *getph2byspid __P((u_int32_t));
extern struct ph2handle *getph2byseq __P((u_int32_t));
extern struct ph2handle *getph2bysaddr __P((struct sockaddr *,
	struct sockaddr *));
extern struct ph2handle *getph2bymsgid __P((struct ph1handle *, u_int32_t));
extern struct ph2handle *getph2byid __P((struct sockaddr *,
	struct sockaddr *, u_int32_t));
extern struct ph2handle *getph2bysaidx __P((struct sockaddr *,
	struct sockaddr *, u_int, u_int32_t));
extern struct ph2handle *newph2 __P((void));
extern void initph2 __P((struct ph2handle *));
extern void delph2 __P((struct ph2handle *));
extern int insph2 __P((struct ph2handle *));
extern void remph2 __P((struct ph2handle *));
extern void flushph2 __P((void));
extern void deleteallph2 __P((struct sockaddr *, struct sockaddr *, u_int));
extern void initph2tree __P((void));

/* Attach / detach a Phase 2 handler to its Phase 1 handler (ph1 / ph2tree). */
extern void bindph12 __P((struct ph1handle *, struct ph2handle *));
extern void unbindph12 __P((struct ph2handle *));

/* Initial-contact records (struct contacted). */
extern struct contacted *getcontacted __P((struct sockaddr *));
extern int inscontacted __P((struct sockaddr *));
extern void initctdtree __P((void));

/*
 * Retransmission detection (struct recvdpkt).  The vchar_t arguments are
 * presumably the received packet (or its hash) and, for add_recvdpkt, the
 * response to replay -- confirm against the implementation.
 */
extern int check_recvdpkt __P((struct sockaddr *,
	struct sockaddr *, vchar_t *));
extern int add_recvdpkt __P((struct sockaddr *, struct sockaddr *,
	vchar_t *, vchar_t *));
extern void init_recvdpkt __P((void));

#ifdef ENABLE_HYBRID
extern int exclude_cfg_addr __P((const struct sockaddr *));
#endif

/* Declared without __P(), unlike the rest of this header. */
extern int revalidate_ph12(void);

#endif /* _HANDLER_H */