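/*	$OpenBSD: iked.h,v 1.167 2020/10/03 20:23:08 tobhe Exp $	*/

/*
 * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <sys/types.h>
#include <sys/tree.h>
#include <sys/queue.h>
#include <arpa/inet.h>
#include <limits.h>
#include <imsg.h>

#include <openssl/evp.h>

#include "types.h"
#include "dh.h"

#ifndef IKED_H
#define IKED_H

/*
 * Common IKEv1/IKEv2 header
 *
 * Wire-format IKE header (RFC 7296 section 3.1 layout); __packed so the
 * struct carries no padding and matches the on-the-wire byte layout.
 * Multi-byte fields are in network byte order as received; callers
 * convert (see the betoh64() use in SPI_IH below).
 */

struct ike_header {
	uint64_t	 ike_ispi;		/* Initiator cookie */
	uint64_t	 ike_rspi;		/* Responder cookie */
	uint8_t		 ike_nextpayload;	/* Next payload type */
	uint8_t		 ike_version;		/* Major/Minor version number */
	uint8_t		 ike_exchange;		/* Exchange type */
	uint8_t		 ike_flags;		/* Message options */
	uint32_t	 ike_msgid;		/* Message identifier */
	uint32_t	 ike_length;		/* Total message length */
} __packed;

/*
 * Common daemon infrastructure, local imsg etc.
 */

/* One imsg channel to a peer process plus the event that services it. */
struct imsgev {
	struct imsgbuf		 ibuf;
	void			(*handler)(int, short, void *);
	struct event		 ev;
	struct privsep_proc	*proc;
	void			*data;
	short			 events;
	const char		*name;
};

/*
 * Abort via fatalx() unless the imsg payload is at least sizeof(*p).
 * Use this before casting imsg data to a fixed-size struct so a short
 * or malformed message from a peer process cannot be read past its end.
 */
#define IMSG_SIZE_CHECK(imsg, p) do {				\
	if (IMSG_DATA_SIZE(imsg) < sizeof(*p))			\
		fatalx("bad length imsg received");		\
} while (0)
/*
 * Payload length of an imsg: header len minus the fixed header size.
 * NOTE(review): the subtraction is unsigned and would wrap if hdr.len
 * were smaller than IMSG_HEADER_SIZE; this relies on imsg_get() having
 * rejected such headers already — TODO confirm against libutil.
 */
#define IMSG_DATA_SIZE(imsg)	((imsg)->hdr.len - IMSG_HEADER_SIZE)

/*
 * Two iked_addr values are equal when they carry the same prefix length
 * and sockaddr_cmp() finds no difference within that prefix.
 * IKED_ADDR_NEQ is the exact negation.
 */
#define IKED_ADDR_EQ(_a, _b)						\
	((_a)->addr_mask == (_b)->addr_mask &&				\
	sockaddr_cmp((struct sockaddr *)&(_a)->addr,			\
	(struct sockaddr *)&(_b)->addr, (_a)->addr_mask) == 0)

#define IKED_ADDR_NEQ(_a, _b)						\
	((_a)->addr_mask != (_b)->addr_mask ||				\
	sockaddr_cmp((struct sockaddr *)&(_a)->addr,			\
	(struct sockaddr *)&(_b)->addr, (_a)->addr_mask) != 0)

/* initially control.h */
/* A listening control socket (cs_fd) and its accept/timeout events. */
struct control_sock {
	const char	*cs_name;
	struct event	 cs_ev;
	struct event	 cs_evt;
	int		 cs_fd;
	int		 cs_restricted;
	void		*cs_env;

	TAILQ_ENTRY(control_sock) cs_entry;
};
TAILQ_HEAD(control_socks, control_sock);

/* One accepted control-socket client. */
struct ctl_conn {
	TAILQ_ENTRY(ctl_conn)	 entry;
	uint8_t			 flags;
#define CTL_CONN_NOTIFY		 0x01
	struct imsgev		 iev;
};
TAILQ_HEAD(ctl_connlist, ctl_conn);
extern  struct ctl_connlist ctl_conns;

/*
 * NOTE(review): this is a tentative definition, not an extern
 * declaration, so every translation unit that includes this header
 * defines the symbol and linking relies on common-symbol merging.
 * Consider `extern enum privsep_procid privsep_process;` here with a
 * single definition in one .c file — TODO confirm where it is defined.
 */
enum privsep_procid privsep_process;

/*
 * Runtime structures
 */

/* A timer event plus the callback and argument it is dispatched with. */
struct iked_timer {
	struct event	 tmr_ev;
	struct iked	*tmr_env;
	void		(*tmr_cb)(struct iked *, void *);
	void		*tmr_cbarg;
};

/* An SPI value together with its encoded size and protocol id. */
struct iked_spi {
	uint64_t	 spi;
	uint8_t		 spi_size;
	uint8_t		 spi_protoid;
};

/* One SA proposal: local/peer SPIs and an array of prop_nxforms transforms. */
struct iked_proposal {
	uint8_t				 prop_id;
	uint8_t				 prop_protoid;

	struct iked_spi			 prop_localspi;
	struct iked_spi			 prop_peerspi;

	struct iked_transform		*prop_xforms;
	unsigned int			 prop_nxforms;

	TAILQ_ENTRY(iked_proposal)	 prop_entry;
};
TAILQ_HEAD(iked_proposals, iked_proposal);

/* Address with prefix length (addr_mask) and optional port. */
struct iked_addr {
	int				 addr_af;
	struct sockaddr_storage		 addr;
	uint8_t				 addr_mask;
	int				 addr_net;
	in_port_t			 addr_port;
};

/* A traffic selector: address/prefix/port plus IP protocol. */
struct iked_ts {
	struct iked_addr		 ts_addr;
	uint8_t				 ts_ipproto;
	TAILQ_ENTRY(iked_ts)		 ts_entry;
};
TAILQ_HEAD(iked_tss, iked_ts);

/* An IPsec flow (policy entry) installed via pfkey for a parent IKE SA. */
struct iked_flow {
	struct iked_addr		 flow_src;
	struct iked_addr		 flow_dst;
	unsigned int			 flow_dir;	/* in/out */
	int				 flow_rdomain;
	struct iked_addr		 flow_prenat;

	unsigned int			 flow_loaded;	/* pfkey done */

	uint8_t				 flow_saproto;
	uint8_t				 flow_ipproto;

	struct iked_addr		*flow_local;	/* outer source */
	struct iked_addr		*flow_peer;	/* outer dest */
	struct iked_sa			*flow_ikesa;	/* parent SA */

	RB_ENTRY(iked_flow)		 flow_node;
	TAILQ_ENTRY(iked_flow)		 flow_entry;
};
RB_HEAD(iked_flows, iked_flow);
TAILQ_HEAD(iked_saflows, iked_flow);

/*
 * A Child (IPsec) SA.  csa_encrkey/csa_integrkey hold the keying
 * material handed to the kernel; csa_peersa links the SA of the
 * opposite direction.
 */
struct iked_childsa {
	uint8_t				 csa_saproto;	/* IPsec protocol */
	unsigned int			 csa_dir;	/* in/out */

	uint64_t			 csa_peerspi;	/* peer relation */
	uint8_t				 csa_loaded;	/* pfkey done */
	uint8_t				 csa_rekey;	/* will be deleted */
	uint8_t				 csa_allocated;	/* from the kernel */
	uint8_t				 csa_persistent;/* do not rekey */
	uint8_t				 csa_esn;	/* use ESN */
	uint8_t				 csa_transport;	/* transport mode */
	uint8_t				 csa_acquired;	/* no rekey for me */

	struct iked_spi			 csa_spi;

	struct ibuf			*csa_encrkey;	/* encryption key */
	uint16_t			 csa_encrid;	/* encryption xform id */

	struct ibuf			*csa_integrkey;	/* auth key */
	uint16_t			 csa_integrid;	/* auth xform id */

	struct iked_addr		*csa_local;	/* outer source */
	struct iked_addr		*csa_peer;	/* outer dest */
	struct iked_sa			*csa_ikesa;	/* parent SA */

	struct iked_childsa		*csa_peersa;	/* peer */

	struct iked_childsa		*csa_bundled;	/* IPCOMP */

	RB_ENTRY(iked_childsa)		 csa_node;
	TAILQ_ENTRY(iked_childsa)	 csa_entry;
};
RB_HEAD(iked_activesas, iked_childsa);
TAILQ_HEAD(iked_childsas, iked_childsa);


/* A configured identity: type plus up to IKED_ID_SIZE bytes of data. */
struct iked_static_id {
	uint8_t		id_type;
	uint8_t		id_length;
	uint8_t		id_offset;
	uint8_t		id_data[IKED_ID_SIZE];
};

/* Authentication configuration; auth_data holds the PSK when one is used. */
struct iked_auth {
	uint8_t		auth_method;
	uint8_t		auth_eap;			/* optional EAP */
	uint8_t		auth_length;			/* zero if EAP */
	uint8_t		auth_data[IKED_PSK_SIZE];
};

/* One configuration-payload attribute (currently only addresses). */
struct iked_cfg {
	uint8_t				 cfg_action;
	uint16_t			 cfg_type;
	union {
		struct iked_addr	 address;
	} cfg;
};

TAILQ_HEAD(iked_sapeers, iked_sa);

/* Child SA lifetime limits in bytes and seconds. */
struct iked_lifetime {
	uint64_t			 lt_bytes;
	uint64_t			 lt_seconds;
};

/*
 * A policy from the configuration.  pol_skip implements the skip-step
 * lookup computed by policy_calc_skip_steps(); pol_refcnt counts SAs
 * that still reference the policy (see policy_ref/policy_unref).
 */
struct iked_policy {
	unsigned int			 pol_id;
	char				 pol_name[IKED_ID_SIZE];

#define IKED_SKIP_FLAGS			 0
#define IKED_SKIP_AF			 1
#define IKED_SKIP_PROTO			 2
#define IKED_SKIP_SRC_ADDR		 3
#define IKED_SKIP_DST_ADDR		 4
#define IKED_SKIP_COUNT			 5
	struct iked_policy		*pol_skip[IKED_SKIP_COUNT];

	uint8_t				 pol_flags;
#define IKED_POLICY_PASSIVE		 0x00
#define IKED_POLICY_DEFAULT		 0x01
#define IKED_POLICY_ACTIVE		 0x02
#define IKED_POLICY_REFCNT		 0x04
#define IKED_POLICY_QUICK		 0x08
#define IKED_POLICY_SKIP		 0x10
#define IKED_POLICY_IPCOMP		 0x20
#define IKED_POLICY_TRANSPORT		 0x40

	int				 pol_refcnt;

	uint8_t				 pol_certreqtype;

	int				 pol_af;
	int				 pol_rdomain;
	uint8_t				 pol_saproto;
	unsigned int			 pol_ipproto;

	struct iked_addr		 pol_peer;
	struct iked_static_id		 pol_peerid;
	uint32_t			 pol_peerdh;

	struct iked_addr		 pol_local;
	struct iked_static_id		 pol_localid;

	struct iked_auth		 pol_auth;

	char				 pol_tag[IKED_TAG_SIZE];
	unsigned int			 pol_tap;

	struct iked_proposals		 pol_proposals;
	size_t				 pol_nproposals;

	struct iked_flows		 pol_flows;
	size_t				 pol_nflows;
	struct iked_tss			 pol_tssrc;	/* Traffic Selectors Initiator */
	size_t				 pol_tssrc_count;
	struct iked_tss			 pol_tsdst;	/* Traffic Selectors Responder */
	size_t				 pol_tsdst_count;

	struct iked_cfg			 pol_cfg[IKED_CFG_MAX];
	unsigned int			 pol_ncfg;

	uint32_t			 pol_rekey;	/* ike SA lifetime */
	struct iked_lifetime		 pol_lifetime;	/* child SA lifetime */

	struct iked_sapeers		 pol_sapeers;

	TAILQ_ENTRY(iked_policy)	 pol_entry;
};
TAILQ_HEAD(iked_policies, iked_policy);

/* PRF or integrity algorithm instance (see crypto.c hash_* functions). */
struct iked_hash {
	uint8_t		 hash_type;	/* PRF or INTEGR */
	uint16_t	 hash_id;	/* IKE PRF/INTEGR hash id */
	const void	*hash_priv;	/* Identifying the hash alg */
	void		*hash_ctx;	/* Context of the current invocation */
	int		 hash_fixedkey;	/* Requires fixed key length */
	struct ibuf	*hash_key;	/* MAC key derived from key seed */
	size_t		 hash_length;	/* Output length */
	size_t		 hash_trunc;	/* Truncate the output length */
	struct iked_hash *hash_prf;	/* PRF pointer */
	int		 hash_isaead;
};

/* Encryption algorithm instance (see crypto.c cipher_* functions). */
struct iked_cipher {
	uint8_t		 encr_type;	/* ENCR */
	uint16_t	 encr_id;	/* IKE ENCR hash id */
	const void	*encr_priv;	/* Identifying the hash alg */
	void		*encr_ctx;	/* Context of the current invocation */
	int		 encr_fixedkey;	/* Requires fixed key length */
	struct ibuf	*encr_key;	/* MAC key derived from key seed */
	struct ibuf	*encr_iv;	/* Initialization Vector */
	size_t		 encr_ivlength;	/* IV length */
	size_t		 encr_length;	/* Block length */
	size_t		 encr_saltlength;	/* IV salt length */
	uint16_t	 encr_authid;	/* ID of associated authentication */
};

/* Signature/PRF-based AUTH context (see crypto.c dsa_* functions). */
struct iked_dsa {
	uint8_t		 dsa_method;	/* AUTH method */
	const void	*dsa_priv;	/* PRF or signature hash function */
	void		*dsa_ctx;	/* PRF or signature hash ctx */
	struct ibuf	*dsa_keydata;	/* public, private or shared key */
	void		*dsa_key;	/* parsed public or private key */
	int		 dsa_hmac;	/* HMAC or public/private key */
	int		 dsa_sign;	/* Sign or verify operation */
};

/* A parsed identity/certificate/AUTH payload kept in an ibuf. */
struct iked_id {
	uint8_t		 id_type;
	uint8_t		 id_offset;
	struct ibuf	*id_buf;
};

#define IKED_REQ_CERT		0x0001	/* get local certificate (if required) */
#define IKED_REQ_CERTVALID	0x0002	/* validated the peer cert */
#define IKED_REQ_CERTREQ	0x0004	/* CERTREQ has been received */
#define IKED_REQ_AUTH		0x0008	/* AUTH payload */
#define IKED_REQ_AUTHVALID	0x0010	/* AUTH payload has been verified */
#define IKED_REQ_SA		0x0020	/* SA available */
#define IKED_REQ_EAPVALID	0x0040	/* EAP payload has been verified */
#define IKED_REQ_CHILDSA	0x0080	/* Child SA initiated */
#define IKED_REQ_INF		0x0100	/* Informational exchange initiated */

/* Bit-name string for printing IKED_REQ_* flag sets. */
#define IKED_REQ_BITS	\
	"\20\01CERT\02CERTVALID\03CERTREQ\04AUTH\05AUTHVALID\06SA\07EAPVALID" \
	"\10CHILDSA\11INF"

TAILQ_HEAD(iked_msgqueue, iked_message);

/* IKE SA identification: both SPIs and our role; packed for imsg transfer. */
struct iked_sahdr {
	uint64_t			 sh_ispi;	/* Initiator SPI */
	uint64_t			 sh_rspi;	/* Responder SPI */
	unsigned int			 sh_initiator;	/* Is initiator? */
} __packed;

/* Key-exchange state: nonces and DH public values of both sides. */
struct iked_kex {
	struct ibuf			*kex_inonce;	/* Ni */
	struct ibuf			*kex_rnonce;	/* Nr */

	struct group			*kex_dhgroup;	/* DH group */
	struct ibuf			*kex_dhiexchange;
	struct ibuf			*kex_dhrexchange;
	struct ibuf			*kex_dhpeer;	/* pointer to i or r */
};

/* One received fragment of a fragmented IKE message. */
struct iked_frag_entry {
	uint8_t	*frag_data;
	size_t	 frag_size;
};

/*
 * Reassembly state for IKEv2 message fragmentation.  frag_arr holds
 * frag_total slots; IKED_FRAG_TOTAL_MAX bounds frag_total so a peer
 * cannot request an arbitrarily large fragment array.
 */
struct iked_frag {
	struct iked_frag_entry	**frag_arr;	/* list of fragment buffers */
	size_t			  frag_count;	/* number of fragments received */
#define IKED_FRAG_TOTAL_MAX	  111		/* upper limit (64kB / 576B) */
	size_t			  frag_total;	/* total number of fragments */
	size_t			  frag_total_size;
	uint8_t			  frag_nextpayload;
};

/* Negotiated IPcomp parameters for one direction pair. */
struct iked_ipcomp {
	uint16_t			 ic_cpi_out;	/* outgoing CPI */
	uint16_t			 ic_cpi_in;	/* incoming CPI */
	uint8_t				 ic_transform;	/* transform */
};

/*
 * An IKE SA.  Holds negotiation state, the derived SK_* keys, the
 * peer/local identities and certificates, the Child SAs and flows it
 * owns, and the timers that drive rekeying, liveness and retransmit.
 */
struct iked_sa {
	struct iked_sahdr		 sa_hdr;
	uint32_t			 sa_msgid;	/* Last request rcvd */
	int				 sa_msgid_set;	/* msgid initialized */
	uint32_t			 sa_msgid_current;	/* Current requested rcvd */
	uint32_t			 sa_reqid;	/* Next request sent */

	int				 sa_type;
#define IKED_SATYPE_LOOKUP		 0		/* Used for lookup */
#define IKED_SATYPE_LOCAL		 1		/* Local SA */

	struct iked_addr		 sa_peer;
	struct iked_addr		 sa_peer_loaded;/* MOBIKE */
	struct iked_addr		 sa_local;
	int				 sa_fd;

	struct iked_frag		 sa_fragments;

	int				 sa_natt;	/* for IKE messages */
	int				 sa_udpencap;	/* for pfkey */
	int				 sa_usekeepalive;/* NAT-T keepalive */

	int				 sa_state;
	unsigned int			 sa_stateflags;
	unsigned int			 sa_stateinit;	/* SA_INIT */
	unsigned int			 sa_statevalid;	/* IKE_AUTH */

	int				 sa_cp;		/* XXX */

	struct iked_policy		*sa_policy;
	struct timeval			 sa_timecreated;
	struct timeval			 sa_timeused;

	char				*sa_tag;
	const char			*sa_reason;	/* reason for close */

	struct iked_kex			 sa_kex;
/* XXX compat defines until everything is converted */
#define sa_inonce		sa_kex.kex_inonce
#define sa_rnonce		sa_kex.kex_rnonce
#define sa_dhgroup		sa_kex.kex_dhgroup
#define sa_dhiexchange		sa_kex.kex_dhiexchange
#define sa_dhrexchange		sa_kex.kex_dhrexchange
#define sa_dhpeer		sa_kex.kex_dhpeer

	struct iked_hash		*sa_prf;	/* PRF alg */
	struct iked_hash		*sa_integr;	/* integrity alg */
	struct iked_cipher		*sa_encr;	/* encryption alg */

	/* Derived keying material (RFC 7296 section 2.14 SK_* names). */
	struct ibuf			*sa_key_d;	/* SK_d */
	struct ibuf			*sa_key_iauth;	/* SK_ai */
	struct ibuf			*sa_key_rauth;	/* SK_ar */
	struct ibuf			*sa_key_iencr;	/* SK_ei */
	struct ibuf			*sa_key_rencr;	/* SK_er */
	struct ibuf			*sa_key_iprf;	/* SK_pi */
	struct ibuf			*sa_key_rprf;	/* SK_pr */

	struct ibuf			*sa_1stmsg;	/* for initiator AUTH */
	struct ibuf			*sa_2ndmsg;	/* for responder AUTH */
	struct iked_id			 sa_localauth;	/* local AUTH message */
	struct iked_id			 sa_peerauth;	/* peer AUTH message */
	int				 sa_sigsha2;	/* use SHA2 for signatures */

	struct iked_id			 sa_iid;	/* initiator id */
	struct iked_id			 sa_rid;	/* responder id */
	struct iked_id			 sa_icert;	/* initiator cert */
	struct iked_id			 sa_rcert;	/* responder cert */
/* Select our own / the peer's identity depending on our role. */
#define IKESA_SRCID(x) ((x)->sa_hdr.sh_initiator ? &(x)->sa_iid : &(x)->sa_rid)
#define IKESA_DSTID(x) ((x)->sa_hdr.sh_initiator ? &(x)->sa_rid : &(x)->sa_iid)

	char				*sa_eapid;	/* EAP identity */
	struct iked_id			 sa_eap;	/* EAP challenge */
	struct ibuf			*sa_eapmsk;	/* EAP session key (MSK) */

	struct iked_proposals		 sa_proposals;	/* SA proposals */
	struct iked_childsas		 sa_childsas;	/* IPsec Child SAs */
	struct iked_saflows		 sa_flows;	/* IPsec flows */

	struct iked_sa			*sa_nexti;	/* initiated IKE SA */
	struct iked_sa			*sa_previ;	/* matching back pointer */
	struct iked_sa			*sa_nextr;	/* simultaneous rekey */
	struct iked_sa			*sa_prevr;	/* matching back pointer */
	uint64_t			 sa_rekeyspi;	/* peerspi CSA rekey */
	struct ibuf			*sa_simult;	/* simultaneous rekey */

	struct iked_ipcomp		 sa_ipcompi;	/* IPcomp initiator */
	struct iked_ipcomp		 sa_ipcompr;	/* IPcomp responder */

	int				 sa_mobike;	/* MOBIKE */
	int				 sa_frag;	/* fragmentation */

	int				 sa_use_transport_mode;	/* peer requested */
	int				 sa_used_transport_mode;	/* we enabled */

	struct iked_timer		 sa_timer;	/* SA timeouts */
#define IKED_IKE_SA_EXCHANGE_TIMEOUT	 300		/* 5 minutes */
#define IKED_IKE_SA_REKEY_TIMEOUT	 120		/* 2 minutes */
#define IKED_IKE_SA_DELETE_TIMEOUT	 120		/* 2 minutes */
#define IKED_IKE_SA_ALIVE_TIMEOUT	 60		/* 1 minute */

	struct iked_timer		 sa_keepalive;	/* keepalive timer */
#define IKED_IKE_SA_KEEPALIVE_TIMEOUT	 20

	struct iked_timer		 sa_rekey;	/* rekey timeout */
	int				 sa_tmpfail;

	struct iked_msgqueue		 sa_requests;	/* request queue */
#define IKED_RETRANSMIT_TIMEOUT		 2		/* 2 seconds */

	struct iked_msgqueue		 sa_responses;	/* response queue */
#define IKED_RESPONSE_TIMEOUT		 120		/* 2 minutes */

	TAILQ_ENTRY(iked_sa)		 sa_peer_entry;
	RB_ENTRY(iked_sa)		 sa_entry;	/* all SAs */

	RB_ENTRY(iked_sa)		 sa_dstid_entry;	/* SAs by DSTID */
	int				 sa_dstid_entry_valid;	/* sa_dstid_entry valid */

	struct iked_addr		*sa_addrpool;	/* address from pool */
	RB_ENTRY(iked_sa)		 sa_addrpool_entry;	/* pool entries */

	struct iked_addr		*sa_addrpool6;	/* address from pool */
	RB_ENTRY(iked_sa)		 sa_addrpool6_entry;	/* pool entries */
	time_t				 sa_last_recvd;
#define IKED_IKE_SA_LAST_RECVD_TIMEOUT	 300		/* 5 minutes */
};
RB_HEAD(iked_sas, iked_sa);
RB_HEAD(iked_dstid_sas, iked_sa);
RB_HEAD(iked_addrpool, iked_sa);
RB_HEAD(iked_addrpool6, iked_sa);

/* A CERTREQ payload received from the peer. */
struct iked_certreq {
	struct ibuf			*cr_data;
	uint8_t				 cr_type;
	SIMPLEQ_ENTRY(iked_certreq)	 cr_entry;
};
SIMPLEQ_HEAD(iked_certreqs, iked_certreq);

#define EAP_STATE_IDENTITY		(1)
#define EAP_STATE_MSCHAPV2_CHALLENGE	(2)
#define EAP_STATE_MSCHAPV2_SUCCESS	(3)
#define EAP_STATE_SUCCESS		(4)

/* Parsed EAP (MSCHAPv2) exchange state carried on a message. */
struct eap_msg {
	char		*eam_identity;
	char		*eam_user;
	int		 eam_type;
	uint8_t		 eam_id;
	uint8_t		 eam_msrid;
	int		 eam_success;
	int		 eam_found;
	int		 eam_response;
	uint8_t		 eam_challenge[16];
	uint8_t		 eam_ntresponse[24];
	uint32_t	 eam_state;
};

/*
 * An IKE message in flight: the raw data, the endpoints it was
 * received on / is sent to, the policy and SA it was matched to, and
 * the payload contents extracted by the parser.
 */
struct iked_message {
	struct ibuf		*msg_data;
	size_t			 msg_offset;

	struct sockaddr_storage	 msg_local;
	socklen_t		 msg_locallen;

	struct sockaddr_storage	 msg_peer;
	socklen_t		 msg_peerlen;

	struct iked_socket	*msg_sock;

	int			 msg_fd;
	int			 msg_response;
	int			 msg_responded;
	int			 msg_valid;
	int			 msg_natt;
	int			 msg_natt_rcvd;
	int			 msg_nat_detected;
	int			 msg_error;
	int			 msg_e;
	struct iked_message	*msg_parent;

	/* Associated policy and SA */
	struct iked_policy	*msg_policy;
	struct iked_sa		*msg_sa;

	uint32_t		 msg_msgid;
	uint8_t			 msg_exchange;

	/* Parsed information */
	struct iked_proposals	 msg_proposals;
	struct iked_certreqs	 msg_certreqs;
	struct iked_spi		 msg_rekey;
	struct ibuf		*msg_nonce;	/* dh NONCE */
	uint16_t		 msg_dhgroup;	/* dh group */
	struct ibuf		*msg_ke;	/* dh key exchange */
	struct iked_id		 msg_auth;	/* AUTH payload */
	struct iked_id		 msg_id;
	struct iked_id		 msg_cert;
	struct ibuf		*msg_cookie;
	uint16_t		 msg_group;
	uint16_t		 msg_cpi;
	uint8_t			 msg_transform;
	uint16_t		 msg_flags;
	struct eap_msg		 msg_eap;
	size_t			 msg_del_spisize;
	size_t			 msg_del_cnt;
	struct ibuf		*msg_del_buf;
	int			 msg_del_protoid;

	/* MOBIKE */
	int			 msg_update_sa_addresses;
	struct ibuf		*msg_cookie2;

	/* Parse stack */
	struct iked_proposal	*msg_prop;
	uint16_t		 msg_attrlength;

	/* Retransmit queue */
	struct iked_timer	 msg_timer;
	TAILQ_ENTRY(iked_message)
				 msg_entry;
	int			 msg_tries;	/* retransmits sent */
#define IKED_RETRANSMIT_TRIES	 5		/* try 5 times */
};

#define IKED_MSG_NAT_SRC_IP				0x01
#define IKED_MSG_NAT_DST_IP				0x02

/* msg_flags: notifications seen while parsing a message. */
#define IKED_MSG_FLAGS_FRAGMENTATION			0x0001
#define IKED_MSG_FLAGS_MOBIKE				0x0002
#define IKED_MSG_FLAGS_SIGSHA2				0x0004
#define IKED_MSG_FLAGS_CHILD_SA_NOT_FOUND		0x0008
#define IKED_MSG_FLAGS_NO_ADDITIONAL_SAS		0x0010
#define IKED_MSG_FLAGS_AUTHENTICATION_FAILED		0x0020
#define IKED_MSG_FLAGS_INVALID_KE			0x0040
#define IKED_MSG_FLAGS_IPCOMP_SUPPORTED			0x0080
#define IKED_MSG_FLAGS_USE_TRANSPORT			0x0100
#define IKED_MSG_FLAGS_TEMPORARY_FAILURE		0x0200


/*
 * A configured EAP user.  usr_pass holds a credential in memory;
 * NOTE(review): code that frees or replaces an iked_user should clear
 * usr_pass with explicit_bzero() first — confirm in config.c.
 */
struct iked_user {
	char			 usr_name[LOGIN_NAME_MAX];
	char			 usr_pass[IKED_PASSWORD_SIZE];
	RB_ENTRY(iked_user)	 usr_entry;
};
RB_HEAD(iked_users, iked_user);

/* Socketpair file descriptors towards each process id. */
struct privsep_pipes {
	int				*pp_pipes[PROC_MAX];
};

/* Privilege-separation state shared by the parent and child processes. */
struct privsep {
	struct privsep_pipes		*ps_pipes[PROC_MAX];
	struct privsep_pipes		*ps_pp;

	struct imsgev			*ps_ievs[PROC_MAX];
	const char			*ps_title[PROC_MAX];
	pid_t				 ps_pid[PROC_MAX];
	struct passwd			*ps_pw;
	int				 ps_noaction;

	struct control_sock		 ps_csock;
	struct control_socks		 ps_rcsocks;

	unsigned int			 ps_instances[PROC_MAX];
	unsigned int			 ps_ninstances;
	unsigned int			 ps_instance;

	/* Event and signal handlers */
	struct event			 ps_evsigint;
	struct event			 ps_evsigterm;
	struct event			 ps_evsigchld;
	struct event			 ps_evsighup;
	struct event			 ps_evsigpipe;
	struct event			 ps_evsigusr1;

	struct iked			*ps_env;
};

/* Description of one privsep process: its imsg callback, init and chroot. */
struct privsep_proc {
	const char		*p_title;
	enum privsep_procid	 p_id;
	int			(*p_cb)(int, struct privsep_proc *,
				    struct imsg *);
	pid_t			(*p_init)(struct privsep *,
				    struct privsep_proc *);
	const char		*p_chroot;
	struct privsep		*p_ps;
	struct iked		*p_env;
	void			(*p_shutdown)(struct privsep_proc *);
	unsigned int		 p_instance;
};

/* A pending OCSP request. */
struct iked_ocsp_entry {
	TAILQ_ENTRY(iked_ocsp_entry) ioe_entry;	/* next request */
	void			*ioe_ocsp;		/* private ocsp request data */
};
TAILQ_HEAD(iked_ocsp_requests, iked_ocsp_entry);

/*
 * Daemon configuration
 */

enum natt_mode {
	NATT_DEFAULT,	/* send/recv with both :500 and NAT-T port */
	NATT_DISABLE,	/* send/recv with only :500 */
	NATT_FORCE,	/* send/recv with only NAT-T port */
};

/* Global settings that are sent to the child processes as one unit. */
struct iked_static {
	uint64_t		 st_alive_timeout;
	int			 st_enforcesingleikesa;
	uint8_t			 st_frag;	/* fragmentation */
	uint8_t			 st_mobike;	/* MOBIKE */
	in_port_t		 st_nattport;
};

/* Per-process daemon environment: configuration, SA tables and sockets. */
struct iked {
	char				 sc_conffile[PATH_MAX];

	uint32_t			 sc_opts;
	enum natt_mode			 sc_nattmode;
	uint8_t				 sc_passive;
	uint8_t				 sc_decoupled;

	struct iked_static		 sc_static;

#define sc_alive_timeout	sc_static.st_alive_timeout
#define sc_enforcesingleikesa	sc_static.st_enforcesingleikesa
#define sc_frag			sc_static.st_frag
#define sc_mobike		sc_static.st_mobike
#define sc_nattport		sc_static.st_nattport

	struct iked_policies		 sc_policies;
	struct iked_policy		*sc_defaultcon;

	struct iked_sas			 sc_sas;
	struct iked_dstid_sas		 sc_dstid_sas;
	struct iked_activesas		 sc_activesas;
	struct iked_flows		 sc_activeflows;
	struct iked_users		 sc_users;

	void				*sc_priv;	/* per-process */

	int				 sc_pfkey;	/* ike process */
	struct event			 sc_pfkeyev;
	uint8_t				 sc_certreqtype;
	struct ibuf			*sc_certreq;

	struct iked_socket		*sc_sock4[2];
	struct iked_socket		*sc_sock6[2];

	struct iked_timer		 sc_inittmr;
#define IKED_INITIATOR_INITIAL		 2
#define IKED_INITIATOR_INTERVAL		 60

	struct privsep			 sc_ps;

	struct iked_ocsp_requests	 sc_ocsp;
	char				*sc_ocsp_url;
	long				 sc_ocsp_tolerate;
	long				 sc_ocsp_maxage;

	struct iked_addrpool		 sc_addrpool;
	struct iked_addrpool6		 sc_addrpool6;

	int				 sc_cert_partial_chain;
};

/* A bound UDP socket (sock_fd) and the event that reads from it. */
struct iked_socket {
	int			 sock_fd;
	struct event		 sock_ev;
	struct iked		*sock_env;
	struct sockaddr_storage	 sock_addr;
};

/* iked.c */
void	 parent_reload(struct iked *, int, const char *);

/* control.c */
pid_t	 control(struct privsep *, struct privsep_proc *);
int	 control_init(struct privsep *, struct control_sock *);
int	 control_listen(struct control_sock *);

/* config.c */
struct iked_policy *
	 config_new_policy(struct iked *);
void	 config_free_kex(struct iked_kex *);
void	 config_free_fragments(struct iked_frag *);
void	 config_free_sa(struct iked *, struct iked_sa *);
struct iked_sa *
	 config_new_sa(struct iked *, int);
struct iked_user *
	 config_new_user(struct iked *, struct iked_user *);
uint64_t
	 config_getspi(void);
struct iked_transform *
	 config_findtransform(struct iked_proposals *, uint8_t, unsigned int);
void	 config_free_policy(struct iked *, struct iked_policy *);
struct iked_proposal *
	 config_add_proposal(struct iked_proposals *, unsigned int,
	    unsigned int);
void	 config_free_proposals(struct iked_proposals *, unsigned int);
void	 config_free_flows(struct iked *, struct iked_flows *);
void	 config_free_childsas(struct iked *, struct iked_childsas *,
	    struct iked_spi *, struct iked_spi *);
struct iked_transform *
	 config_add_transform(struct iked_proposal *,
	    unsigned int, unsigned int, unsigned int, unsigned int);
int	 config_setcoupled(struct iked *, unsigned int);
int	 config_getcoupled(struct iked *, unsigned int);
int	 config_setmode(struct iked *, unsigned int);
int	 config_getmode(struct iked *, unsigned int);
int	 config_setreset(struct iked *, unsigned int, enum privsep_procid);
int	 config_getreset(struct iked *, struct imsg *);
int	 config_setpolicy(struct iked *, struct iked_policy *,
	    enum privsep_procid);
int	 config_getpolicy(struct iked *, struct imsg *);
int	 config_setflow(struct iked *, struct iked_policy *,
	    enum privsep_procid);
int	 config_getflow(struct iked *, struct imsg *);
int	 config_setsocket(struct iked *, struct sockaddr_storage *, in_port_t,
	    enum privsep_procid);
int	 config_getsocket(struct iked *env, struct imsg *,
	    void (*cb)(int, short, void *));
int	 config_setpfkey(struct iked *, enum privsep_procid);
int	 config_getpfkey(struct iked *, struct imsg *);
int	 config_setuser(struct iked *, struct iked_user *, enum privsep_procid);
int	 config_getuser(struct iked *, struct imsg *);
int	 config_setcompile(struct iked *, enum privsep_procid);
int	 config_getcompile(struct iked *);
int	 config_setocsp(struct iked *);
int	 config_getocsp(struct iked *, struct imsg *);
int	 config_setkeys(struct iked *);
int	 config_getkey(struct iked *, struct imsg *);
int	 config_setstatic(struct iked *);
int	 config_getstatic(struct iked *, struct imsg *);
int	 config_setcertpartialchain(struct iked *);
int	 config_getcertpartialchain(struct iked *, struct imsg *);

/* policy.c */
void	 policy_init(struct iked *);
int	 policy_lookup(struct iked *, struct iked_message *,
	    struct iked_proposals *proposals);
struct iked_policy *
	 policy_test(struct iked *, struct iked_policy *);
int	 policy_generate_ts(struct iked_policy *);
void	 policy_calc_skip_steps(struct iked_policies *);
void	 policy_ref(struct iked *, struct iked_policy *);
void	 policy_unref(struct iked *, struct iked_policy *);
void	 sa_state(struct iked *, struct iked_sa *, int);
void	 sa_stateflags(struct iked_sa *, unsigned int);
int	 sa_stateok(struct iked_sa *, int);
struct iked_sa *
	 sa_new(struct iked *, uint64_t, uint64_t, unsigned int,
	    struct iked_policy *);
void	 sa_free(struct iked *, struct iked_sa *);
void	 sa_free_flows(struct iked *, struct iked_saflows *);
int	 sa_address(struct iked_sa *, struct iked_addr *, struct sockaddr *);
void	 childsa_free(struct iked_childsa *);
struct iked_childsa *
	 childsa_lookup(struct iked_sa *, uint64_t, uint8_t);
void	 flow_free(struct iked_flow *);
int	 flow_equal(struct iked_flow *, struct iked_flow *);
struct iked_sa *
	 sa_lookup(struct iked *, uint64_t, uint64_t, unsigned int);
struct iked_user *
	 user_lookup(struct iked *, const char *);
struct iked_sa *
	 sa_dstid_lookup(struct iked *, struct iked_sa *);
struct iked_sa *
	 sa_dstid_insert(struct iked *, struct iked_sa *);
void	 sa_dstid_remove(struct iked *, struct iked_sa *);
int	 proposals_negotiate(struct iked_proposals *, struct iked_proposals *,
	    struct iked_proposals *, int);
RB_PROTOTYPE(iked_sas, iked_sa, sa_entry, sa_cmp);
RB_PROTOTYPE(iked_dstid_sas, iked_sa, sa_dstid_entry, sa_dstid_cmp);
RB_PROTOTYPE(iked_addrpool, iked_sa, sa_addrpool_entry, sa_addrpool_cmp);
RB_PROTOTYPE(iked_addrpool6, iked_sa, sa_addrpool6_entry, sa_addrpool6_cmp);
RB_PROTOTYPE(iked_users, iked_user, user_entry, user_cmp);
RB_PROTOTYPE(iked_activesas, iked_childsa, csa_node, childsa_cmp);
RB_PROTOTYPE(iked_flows, iked_flow, flow_node, flow_cmp);

/* crypto.c */
struct iked_hash *
	 hash_new(uint8_t, uint16_t);
struct ibuf *
	 hash_setkey(struct iked_hash *, void *, size_t);
void	 hash_free(struct iked_hash *);
void	 hash_init(struct iked_hash *);
void	 hash_update(struct iked_hash *, void *, size_t);
void	 hash_final(struct iked_hash *, void *, size_t *);
size_t	 hash_keylength(struct iked_hash *);
size_t	 hash_length(struct iked_hash *);

struct iked_cipher *
	 cipher_new(uint8_t, uint16_t, uint16_t);
struct ibuf *
	 cipher_setkey(struct iked_cipher *, void *, size_t);
struct ibuf *
	 cipher_setiv(struct iked_cipher *, void *, size_t);
int	 cipher_settag(struct iked_cipher *, uint8_t *, size_t);
int	 cipher_gettag(struct iked_cipher *, uint8_t *, size_t);
void	 cipher_free(struct iked_cipher *);
int	 cipher_init(struct iked_cipher *, int);
int	 cipher_init_encrypt(struct iked_cipher *);
int	 cipher_init_decrypt(struct iked_cipher *);
void	 cipher_aad(struct iked_cipher *, void *, size_t, size_t *);
int	 cipher_update(struct iked_cipher *, void *, size_t, void *, size_t *);
int	 cipher_final(struct iked_cipher *);
size_t	 cipher_length(struct iked_cipher *);
size_t	 cipher_keylength(struct iked_cipher *);
size_t	 cipher_ivlength(struct iked_cipher *);
size_t	 cipher_outlength(struct iked_cipher *, size_t);

struct iked_dsa *
	 dsa_new(uint16_t, struct iked_hash *, int);
struct iked_dsa *
	 dsa_sign_new(uint16_t, struct iked_hash *);
struct iked_dsa *
	 dsa_verify_new(uint16_t, struct iked_hash *);
struct ibuf *
	 dsa_setkey(struct iked_dsa *, void *, size_t, uint8_t);
void	 dsa_free(struct iked_dsa *);
int	 dsa_init(struct iked_dsa *, const void *, size_t);
size_t	 dsa_prefix(struct iked_dsa *);
size_t	 dsa_length(struct iked_dsa *);
int	 dsa_update(struct iked_dsa *, const void *, size_t);
ssize_t	 dsa_sign_final(struct iked_dsa *, void *, size_t);
ssize_t	 dsa_verify_final(struct iked_dsa *, void *, size_t);

/* ikev2.c */
pid_t	 ikev2(struct privsep *, struct privsep_proc *);
void	 ikev2_recv(struct iked *, struct iked_message *);
void	 ikev2_init_ike_sa(struct iked *, void *);
int	 ikev2_policy2id(struct iked_static_id *, struct iked_id *, int);
int	 ikev2_childsa_enable(struct iked *, struct iked_sa *);
int	 ikev2_childsa_delete(struct iked *, struct iked_sa *,
	    uint8_t, uint64_t, uint64_t *, int);
void	 ikev2_ikesa_recv_delete(struct iked *, struct iked_sa *);
void	 ikev2_ike_sa_timeout(struct iked *env, void *);
void	 ikev2_ike_sa_setreason(struct iked_sa *, char *);
void	 ikev2_reset_alive_timer(struct iked *);
int	 ikev2_ike_sa_delete(struct iked *, struct iked_sa *);

struct ibuf *
	 ikev2_prfplus(struct iked_hash *, struct ibuf *, struct ibuf *,
	    size_t);
ssize_t	 ikev2_psk(struct iked_sa *, uint8_t *, size_t, uint8_t **);
ssize_t	 ikev2_nat_detection(struct iked *, struct iked_message *,
	    void *, size_t, unsigned int);
int	 ikev2_send_informational(struct iked *, struct iked_message *);
int	 ikev2_send_ike_e(struct iked *, struct iked_sa *, struct ibuf *,
	    uint8_t, uint8_t, int);
struct ike_header *
	 ikev2_add_header(struct ibuf *, struct iked_sa *,
	    uint32_t, uint8_t, uint8_t, uint8_t);
int	 ikev2_set_header(struct ike_header *, size_t);
struct ikev2_payload *
	 ikev2_add_payload(struct ibuf *);
int	 ikev2_next_payload(struct ikev2_payload *, size_t,
	    uint8_t);
int	 ikev2_child_sa_acquire(struct iked *, struct iked_flow *);
int	 ikev2_child_sa_drop(struct iked *, struct iked_spi *);
int	 ikev2_child_sa_rekey(struct iked *, struct iked_spi *);
void	 ikev2_disable_rekeying(struct iked *, struct iked_sa *);
int	 ikev2_print_id(struct iked_id *, char *, size_t);
int	 ikev2_print_static_id(struct iked_static_id *, char *, size_t);

const char *ikev2_ikesa_info(uint64_t, const char *msg);
/* Format the SPI for logging from a wire header, an SA header, or an SA. */
#define SPI_IH(hdr)      ikev2_ikesa_info(betoh64((hdr)->ike_ispi), NULL)
#define SPI_SH(sh, f)    ikev2_ikesa_info((sh)->sh_ispi, (f))
#define SPI_SA(sa, f)    SPI_SH(&(sa)->sa_hdr, (f))

/* ikev2_msg.c */
void	 ikev2_msg_cb(int, short, void *);
struct ibuf *
	 ikev2_msg_init(struct iked *, struct iked_message *,
	    struct sockaddr_storage *, socklen_t,
	    struct sockaddr_storage *, socklen_t, int);
struct iked_message *
	 ikev2_msg_copy(struct iked *, struct iked_message *);
void	 ikev2_msg_cleanup(struct iked *, struct iked_message *);
uint32_t
	 ikev2_msg_id(struct iked *, struct iked_sa *);
struct ibuf
	*ikev2_msg_auth(struct iked *, struct iked_sa *, int);
int	 ikev2_msg_authsign(struct iked *, struct iked_sa *,
	    struct iked_auth *, struct ibuf *);
int	 ikev2_msg_authverify(struct iked *, struct iked_sa *,
	    struct iked_auth *, uint8_t *, size_t, struct ibuf *);
int	 ikev2_msg_valid_ike_sa(struct iked *, struct ike_header *,
	    struct iked_message *);
int	 ikev2_msg_send(struct iked *, struct iked_message *);
int	 ikev2_msg_send_encrypt(struct iked *, struct iked_sa *,
	    struct ibuf **, uint8_t, uint8_t, int);
struct ibuf
	*ikev2_msg_encrypt(struct iked *, struct iked_sa *, struct ibuf *,
	    struct ibuf *);
struct ibuf *
	 ikev2_msg_decrypt(struct iked *, struct iked_sa *,
	    struct ibuf *, struct ibuf *);
int	 ikev2_msg_integr(struct iked *, struct iked_sa *, struct ibuf *);
int	 ikev2_msg_frompeer(struct iked_message *);
struct iked_socket *
	 ikev2_msg_getsocket(struct iked *, int, int);
int	 ikev2_msg_retransmit_response(struct iked *, struct iked_sa *,
	    struct iked_message *);
void	 ikev2_msg_prevail(struct iked *, struct iked_msgqueue *,
	    struct iked_message *);
void	 ikev2_msg_dispose(struct iked *, struct iked_msgqueue *,
	    struct iked_message *);
void	 ikev2_msg_flushqueue(struct iked *, struct iked_msgqueue *);
struct iked_message *
	 ikev2_msg_lookup(struct iked *, struct iked_msgqueue *,
	    struct iked_message *, struct ike_header *);
void	 ikev2_msg_lookup_dispose_all(struct iked *env,
	    struct iked_msgqueue *queue, struct iked_message *msg,
	    struct ike_header *hdr);
int	 ikev2_msg_lookup_retransmit_all(struct iked *env,
	    struct iked_msgqueue *queue, struct iked_message *msg,
	    struct ike_header *hdr, struct iked_sa *sa);

/* ikev2_pld.c */
int	 ikev2_pld_parse(struct iked *, struct ike_header *,
	    struct iked_message *, size_t);

/* eap.c */
int	 eap_parse(struct iked *, struct iked_sa *, struct iked_message*,
	    void *, int);
int	 eap_success(struct iked *, struct iked_sa *, int);
int	 eap_identity_request(struct iked *, struct iked_sa *);
int	 eap_mschap_challenge(struct iked *, struct iked_sa *, int, int,
	    uint8_t *, size_t);
int	 eap_mschap_success(struct iked *, struct iked_sa *, int);
int	 eap_challenge_request(struct iked *, struct iked_sa *, int);

/* pfkey.c */
int	 pfkey_couple(int, struct iked_sas *, int);
int	 pfkey_flow_add(int fd, struct iked_flow *);
int	 pfkey_flow_delete(int fd, struct iked_flow *);
int	 pfkey_sa_init(int, struct iked_childsa *, uint32_t *);
int	 pfkey_sa_add(int, struct iked_childsa *, struct iked_childsa *);
int	 pfkey_sa_update_addresses(int, struct iked_childsa *);
int	 pfkey_sa_delete(int, struct iked_childsa *);
int	 pfkey_sa_last_used(int, struct iked_childsa *, uint64_t *);
int	 pfkey_flush(int);
int	 pfkey_socket(void);
void	 pfkey_init(struct iked *, int fd);

/* ca.c */
pid_t	 caproc(struct privsep *, struct privsep_proc *);
int	 ca_setreq(struct iked *, struct iked_sa *, struct iked_static_id *,
	    uint8_t, uint8_t, uint8_t *, size_t, enum privsep_procid);
int	 ca_setcert(struct iked *, struct iked_sahdr *, struct iked_id *,
	    uint8_t, uint8_t *, size_t, enum privsep_procid);
int	 ca_setauth(struct iked *, struct iked_sa *,
	    struct ibuf *, enum privsep_procid);
void	 ca_getkey(struct privsep *, struct iked_id *, enum imsg_type);
int	 ca_privkey_serialize(EVP_PKEY *, struct iked_id *);
int	 ca_pubkey_serialize(EVP_PKEY *, struct iked_id *);
void	 ca_sslinit(void);
void	 ca_sslerror(const char *);
char	*ca_asn1_name(uint8_t *, size_t);
void	*ca_x509_name_parse(char *);
void	 ca_cert_info(const char *, X509 *);

/* timer.c */
void	 timer_set(struct iked *, struct iked_timer *,
	    void (*)(struct iked *, void *), void *);
void	 timer_add(struct iked *, struct iked_timer *, int);
void	 timer_del(struct iked *, struct iked_timer *);

/* proc.c */
void	 proc_init(struct privsep *, struct privsep_proc *, unsigned int);
void	 proc_kill(struct privsep *);
void	 proc_listen(struct privsep *, struct privsep_proc *, size_t);
void	 proc_dispatch(int, short event, void *);
pid_t	 proc_run(struct privsep *, struct privsep_proc *,
	    struct privsep_proc *, unsigned int,
	    void (*)(struct privsep *, struct privsep_proc *, void *), void *);
void	 imsg_event_add(struct imsgev *);
int	 imsg_compose_event(struct imsgev *, uint16_t, uint32_t,
	    pid_t, int, void *, uint16_t);
int	 imsg_composev_event(struct imsgev *, uint16_t, uint32_t,
	    pid_t, int, const struct iovec *, int);
/* uint16_t/uint32_t used below for consistency with the rest of this file. */
int	 proc_compose_imsg(struct privsep *, enum privsep_procid, int,
	    uint16_t, uint32_t, int, void *, uint16_t);
int	 proc_compose(struct privsep *, enum privsep_procid,
	    uint16_t, void *, uint16_t);
int	 proc_composev_imsg(struct privsep *, enum privsep_procid, int,
	    uint16_t, uint32_t, int, const struct iovec *, int);
int	 proc_composev(struct privsep *, enum privsep_procid,
	    uint16_t, const struct iovec *, int);
int	 proc_forward_imsg(struct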
privsep *, struct imsg *, 1092 enum privsep_procid, int); 1093 struct imsgbuf * 1094 proc_ibuf(struct privsep *, enum privsep_procid, int); 1095 struct imsgev * 1096 proc_iev(struct privsep *, enum privsep_procid, int); 1097 1098 /* util.c */ 1099 int socket_af(struct sockaddr *, in_port_t); 1100 in_port_t 1101 socket_getport(struct sockaddr *); 1102 int socket_setport(struct sockaddr *, in_port_t); 1103 int socket_getaddr(int, struct sockaddr_storage *); 1104 int socket_bypass(int, struct sockaddr *); 1105 int udp_bind(struct sockaddr *, in_port_t); 1106 ssize_t sendtofrom(int, void *, size_t, int, struct sockaddr *, 1107 socklen_t, struct sockaddr *, socklen_t); 1108 ssize_t recvfromto(int, void *, size_t, int, struct sockaddr *, 1109 socklen_t *, struct sockaddr *, socklen_t *); 1110 const char * 1111 print_spi(uint64_t, int); 1112 const char * 1113 print_map(unsigned int, struct iked_constmap *); 1114 void lc_idtype(char *); 1115 void print_hex(const uint8_t *, off_t, size_t); 1116 void print_hexval(const uint8_t *, off_t, size_t); 1117 const char * 1118 print_bits(unsigned short, unsigned char *); 1119 int sockaddr_cmp(struct sockaddr *, struct sockaddr *, int); 1120 uint8_t mask2prefixlen(struct sockaddr *); 1121 uint8_t mask2prefixlen6(struct sockaddr *); 1122 struct in6_addr * 1123 prefixlen2mask6(uint8_t, uint32_t *); 1124 uint32_t 1125 prefixlen2mask(uint8_t); 1126 const char * 1127 print_host(struct sockaddr *, char *, size_t); 1128 char *get_string(uint8_t *, size_t); 1129 const char * 1130 print_proto(uint8_t); 1131 int expand_string(char *, size_t, const char *, const char *); 1132 uint8_t *string2unicode(const char *, size_t *); 1133 void print_debug(const char *, ...) 1134 __attribute__((format(printf, 1, 2))); 1135 void print_verbose(const char *, ...) 
1136 __attribute__((format(printf, 1, 2))); 1137 1138 /* imsg_util.c */ 1139 struct ibuf * 1140 ibuf_new(const void *, size_t); 1141 struct ibuf * 1142 ibuf_static(void); 1143 int ibuf_cat(struct ibuf *, struct ibuf *); 1144 void ibuf_release(struct ibuf *); 1145 size_t ibuf_length(struct ibuf *); 1146 int ibuf_setsize(struct ibuf *, size_t); 1147 uint8_t * 1148 ibuf_data(struct ibuf *); 1149 void *ibuf_getdata(struct ibuf *, size_t); 1150 struct ibuf * 1151 ibuf_get(struct ibuf *, size_t); 1152 struct ibuf * 1153 ibuf_dup(struct ibuf *); 1154 struct ibuf * 1155 ibuf_random(size_t); 1156 int ibuf_prepend(struct ibuf *, void *, size_t); 1157 void *ibuf_advance(struct ibuf *, size_t); 1158 void ibuf_zero(struct ibuf *); 1159 int ibuf_strcat(struct ibuf **, const char *); 1160 int ibuf_strlen(struct ibuf *); 1161 1162 /* log.c */ 1163 void log_init(int, int); 1164 void log_procinit(const char *); 1165 void log_setverbose(int); 1166 int log_getverbose(void); 1167 void log_warn(const char *, ...) 1168 __attribute__((__format__ (printf, 1, 2))); 1169 void log_warnx(const char *, ...) 1170 __attribute__((__format__ (printf, 1, 2))); 1171 void log_info(const char *, ...) 1172 __attribute__((__format__ (printf, 1, 2))); 1173 void log_debug(const char *, ...) 1174 __attribute__((__format__ (printf, 1, 2))); 1175 void logit(int, const char *, ...) 1176 __attribute__((__format__ (printf, 2, 3))); 1177 void vlog(int, const char *, va_list) 1178 __attribute__((__format__ (printf, 2, 0))); 1179 __dead void fatal(const char *, ...) 1180 __attribute__((__format__ (printf, 1, 2))); 1181 __dead void fatalx(const char *, ...) 
1182 __attribute__((__format__ (printf, 1, 2))); 1183 1184 /* ocsp.c */ 1185 int ocsp_connect(struct iked *env, struct imsg *); 1186 int ocsp_receive_fd(struct iked *, struct imsg *); 1187 int ocsp_validate_cert(struct iked *, void *, size_t, struct iked_sahdr, 1188 uint8_t, X509 *); 1189 1190 /* parse.y */ 1191 int parse_config(const char *, struct iked *); 1192 void print_user(struct iked_user *); 1193 void print_policy(struct iked_policy *); 1194 size_t keylength_xf(unsigned int, unsigned int, unsigned int); 1195 size_t noncelength_xf(unsigned int, unsigned int); 1196 int cmdline_symset(char *); 1197 int encxf_noauth(unsigned int); 1198 1199 #endif /* IKED_H */ 1200