1/*	$NetBSD: handler.h,v 1.22 2009/09/03 09:29:07 tteras Exp $	*/
2
3/* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
4
5/*
6 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7 * All rights reserved.
8 *
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
11 * are met:
12 * 1. Redistributions of source code must retain the above copyright
13 *    notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 *    notice, this list of conditions and the following disclaimer in the
16 *    documentation and/or other materials provided with the distribution.
17 * 3. Neither the name of the project nor the names of its contributors
18 *    may be used to endorse or promote products derived from this software
19 *    without specific prior written permission.
20 *
21 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31 * SUCH DAMAGE.
32 */
33
34#ifndef _HANDLER_H
35#define _HANDLER_H
36
37#include <sys/queue.h>
38#include <openssl/rsa.h>
39
40#include <sys/time.h>
41
42#include "isakmp_var.h"
43#include "oakley.h"
44#include "schedule.h"
45#include "evt.h"
46
47/* Phase 1 handler */
48/*
49 * main mode:
50 *      initiator               responder
51 *  0   (---)                   (---)
52 *  1   start                   start (1st msg received)
53 *  2   (---)                   1st valid msg received
54 *  3   1st msg sent	        1st msg sent
 *  4   1st valid msg received  2nd valid msg received
56 *  5   2nd msg sent            2nd msg sent
57 *  6   2nd valid msg received  3rd valid msg received
58 *  7   3rd msg sent            3rd msg sent
59 *  8   3rd valid msg received  (---)
60 *  9   SA established          SA established
61 *
62 * aggressive mode:
63 *      initiator               responder
64 *  0   (---)                   (---)
65 *  1   start                   start (1st msg received)
66 *  2   (---)                   1st valid msg received
67 *  3   1st msg sent	        1st msg sent
 *  4   1st valid msg received  2nd valid msg received
69 *  5   (---)                   (---)
70 *  6   (---)                   (---)
71 *  7   (---)                   (---)
72 *  8   (---)                   (---)
73 *  9   SA established          SA established
74 *
75 * base mode:
76 *      initiator               responder
77 *  0   (---)                   (---)
78 *  1   start                   start (1st msg received)
79 *  2   (---)                   1st valid msg received
80 *  3   1st msg sent	        1st msg sent
 *  4   1st valid msg received  2nd valid msg received
82 *  5   2nd msg sent            (---)
83 *  6   (---)                   (---)
84 *  7   (---)                   (---)
85 *  8   (---)                   (---)
86 *  9   SA established          SA established
87 */
/* Phase 1 states, stored in ph1handle.status.  0..9 follow the tables
 * above; DYING and EXPIRED come after the SA stops being used (presumably
 * rekey / tear-down); MAX is one past the last state, not a state itself. */
#define PHASE1ST_SPAWN			0
#define PHASE1ST_START			1
#define PHASE1ST_MSG1RECEIVED		2
#define PHASE1ST_MSG1SENT		3
#define PHASE1ST_MSG2RECEIVED		4
#define PHASE1ST_MSG2SENT		5
#define PHASE1ST_MSG3RECEIVED		6
#define PHASE1ST_MSG3SENT		7
#define PHASE1ST_MSG4RECEIVED		8
#define PHASE1ST_ESTABLISHED		9
#define PHASE1ST_DYING			10
#define PHASE1ST_EXPIRED		11
#define PHASE1ST_MAX			12
101
102/* About address semantics in each case.
103 *			initiator(addr=I)	responder(addr=R)
104 *			src	dst		src	dst
105 *			(local)	(remote)	(local)	(remote)
106 * phase 1 handler	I	R		R	I
107 * phase 2 handler	I	R		R	I
108 * getspi msg		R	I		I	R
109 * acquire msg		I	R
110 * ID payload		I	R		I	R
111 */
#ifdef ENABLE_HYBRID
struct isakmp_cfg_state;	/* forward declaration; defined outside this header */
#endif
/*
 * Phase 1 (ISAKMP SA) handler.  One instance per ISAKMP SA, identified by
 * its cookie index and chained into a global list; the phase 2 handlers
 * negotiated under it hang off ph2tree.  Several members hold secret key
 * material (authstr, dhpriv, dhgxy, skeyid*, key, rsa): they must never be
 * logged or dumped, and the memory should be cleared rather than merely
 * freed when the handle is released -- the release path (delph1) is
 * outside this header, so confirm it does that.
 */
struct ph1handle {
	isakmp_index index;		/* ISAKMP SA index (the cookie pair), see getph1byindex() */

	int status;			/* status of this SA, one of PHASE1ST_* */
	int side;			/* INITIATOR or RESPONDER */

	struct sockaddr *remote;	/* remote address to negotiate ph1 */
	struct sockaddr *local;		/* local address to negotiate ph1 */
			/* XXX copied from rmconf because of anonymous configuration.
			 * If anonymous remotes are ever forbidden, drop these copies. */

	struct remoteconf *rmconf;	/* pointer to remote configuration */

	struct isakmpsa *approval;	/* pointer to SA(s) approved. */
	vchar_t *authstr;		/* place holder of string for auth, */
					/* for example the pre-shared key (secret) */

	u_int8_t version;		/* ISAKMP version */
	u_int8_t etype;			/* Exchange type actually for use */
	u_int8_t flags;			/* Flags */
	u_int32_t msgid;		/* message id */

	u_int32_t vendorid_mask;	/* bitmask of received supported vendor ids */
#ifdef ENABLE_NATT
	struct ph1natt_options *natt_options;	/* Selected NAT-T IKE version */
	u_int32_t natt_flags;		/* NAT-T related flags */
#endif
#ifdef ENABLE_FRAG
	int frag;			/* IKE phase 1 fragmentation */
	struct isakmp_frag_item *frag_chain;	/* Received fragments awaiting reassembly */
#endif

	struct sched sce;		/* schedule for expire */

	struct sched scr;		/* schedule for resend */
	int retry_counter;		/* for resend. */
	vchar_t *sendbuf;		/* buffer for re-sending */

	vchar_t *dhpriv;		/* DH; private value (secret) */
	vchar_t *dhpub;			/* DH; public value */
	vchar_t *dhpub_p;		/* DH; partner's public value */
	vchar_t *dhgxy;			/* DH; shared secret (secret) */
	vchar_t *nonce;			/* nonce value */
	vchar_t *nonce_p;		/* partner's nonce value */
	vchar_t *skeyid;		/* SKEYID (secret) */
	vchar_t *skeyid_d;		/* SKEYID_d (secret) */
	vchar_t *skeyid_a;		/* SKEYID_a, i.e. hash (secret) */
	vchar_t *skeyid_e;		/* SKEYID_e, i.e. encryption (secret) */
	vchar_t *key;			/* cipher key (secret) */
	vchar_t *hash;			/* HASH minus general header */
	vchar_t *sig;			/* SIG minus general header */
	vchar_t *sig_p;			/* peer's SIG minus general header */
	vchar_t *cert;			/* CERT minus general header */
	vchar_t *cert_p;		/* peer's CERT minus general header */
	vchar_t *crl_p;			/* peer's CRL minus general header */
	vchar_t *cr_p;			/* peer's CR not including general header */
	RSA *rsa;			/* my RSA key (presumably the private key; secret) */
	RSA *rsa_p;			/* peer's RSA key */
	struct genlist *rsa_candidates;	/* possible candidates for peer's RSA key */
	vchar_t *id;			/* ID minus gen header */
	vchar_t *id_p;			/* partner's ID minus general header */
					/* i.e. struct ipsecdoi_id_b*. */
	struct isakmp_ivm *ivm;		/* IVs */

	vchar_t *sa;			/* whole SA payload to send/to be sent */
					/* to calculate HASH */
					/* NOT INCLUDING general header. */

	vchar_t *sa_ret;		/* SA payload to reply/to be replied */
					/* NOT INCLUDING general header. */
					/* NOTE: should be released after use. */

#ifdef HAVE_GSSAPI
	void *gssapi_state;		/* GSS-API specific state. */
					/* Allocated when needed */
	vchar_t *gi_i;			/* optional initiator GSS id */
	vchar_t *gi_r;			/* optional responder GSS id */
#endif

	struct isakmp_pl_hash *pl_hash;	/* pointer to hash payload */

	time_t created;			/* timestamp for establish */
	int initial_contact_received;	/* set if initial contact received */
#ifdef ENABLE_STATS
	struct timeval start;		/* negotiation timing; presumably start of phase 1 */
	struct timeval end;		/* presumably when the SA was established */
#endif

#ifdef ENABLE_DPD
	int		dpd_support;	/* Does the remote support DPD? */
	u_int16_t	dpd_seq;		/* DPD seq number to receive */
	u_int8_t	dpd_fails;		/* number of failures */
	struct sched	dpd_r_u;	/* DPD schedule; presumably the R-U-THERE timer */
#endif

	u_int32_t msgid2;		/* msgid counter for Phase 2 */
	int ph2cnt;	/* number of phase 2 negotiations under this phase 1 */
	LIST_HEAD(_ph2ofph1_, ph2handle) ph2tree;	/* phase 2 handlers bound to this ph1 (via ph2handle.ph1bind) */

	LIST_ENTRY(ph1handle) chain;	/* entry in the global phase 1 list */
#ifdef ENABLE_HYBRID
	struct isakmp_cfg_state *mode_cfg;	/* ISAKMP mode config state */
#endif
	EVT_LISTENER_LIST(evt_listeners);	/* event listeners on this handle (see evt.h) */
};
220
221/* For limiting enumeration of ph1 tree */
/* Selector for enumph1(); presumably a NULL member matches any address --
 * confirm in the definition, which is outside this header. */
struct ph1selector {
	struct sockaddr *local;		/* local address to match */
	struct sockaddr *remote;	/* remote address to match */
};
226
227/* Phase 2 handler */
/* allocated per SA or SA bundle for a pair of peer IP addresses. */
229/*
230 *      initiator               responder
231 *  0   (---)                   (---)
232 *  1   start                   start (1st msg received)
233 *  2   acquire msg get         1st valid msg received
234 *  3   getspi request sent     getspi request sent
235 *  4   getspi done             getspi done
236 *  5   1st msg sent            1st msg sent
237 *  6   1st valid msg received  2nd valid msg received
238 *  7   (commit bit)            (commit bit)
239 *  8   SAs added               SAs added
240 *  9   SAs established         SAs established
241 * 10   SAs expired             SAs expired
242 */
/* Phase 2 states, stored in ph2handle.status.  0..10 follow the table
 * above; MAX is one past the last state, not a state itself. */
#define PHASE2ST_SPAWN		0
#define PHASE2ST_START		1
#define PHASE2ST_STATUS2	2
#define PHASE2ST_GETSPISENT	3
#define PHASE2ST_GETSPIDONE	4
#define PHASE2ST_MSG1SENT	5
#define PHASE2ST_STATUS6	6
#define PHASE2ST_COMMIT		7
#define PHASE2ST_ADDSA		8
#define PHASE2ST_ESTABLISHED	9
#define PHASE2ST_EXPIRED	10
#define PHASE2ST_MAX		11
255
/*
 * Phase 2 (IPsec SA) handler.  One instance per SA or SA bundle, bound to
 * the phase 1 handle it was negotiated under (ph1 / ph1bind) and looked up
 * by PF_KEY sequence number, message id, policy id or address pair (see
 * the getph2by*() declarations below).  dhpriv and dhgxy are secret
 * material: never log them, and clear the memory before release -- delph2
 * is outside this header, confirm it does so.
 */
struct ph2handle {
	/* source and destination addresses used for IKE exchange. Might
	 * differ from source and destination of SA. On the initiator,
	 * they are tweaked if a hint is available in the SPD (set by
	 * MIGRATE for instance). Otherwise they are the source and
	 * destination of SA for transport mode and the tunnel endpoints
	 * for tunnel mode */
	struct sockaddr *src;
	struct sockaddr *dst;

	/* source and destination addresses of the SA in the case addresses
	 * used for IKE exchanges (src and dst) do differ. On the initiator,
	 * they are set (if needed) in pk_recvacquire(). On the responder,
	 * they are _derived_ from the local and remote parameters of the
	 * SP, if available. */
	struct sockaddr *sa_src;
	struct sockaddr *sa_dst;

	/* Store our Phase 2 ID and the peer ID (ID minus general header).
	 * On the initiator, they are set during ACQUIRE processing.
	 * On the responder, they are set from the content of ID payload
	 * in quick_r1recv(). Then, if they are of type address or
	 * tunnel, they are compared to sainfo selectors.
	 */
	vchar_t *id;			/* ID minus gen header */
	vchar_t *id_p;			/* peer's ID minus general header */

#ifdef ENABLE_NATT
	struct sockaddr *natoa_src;	/* peer's view of my address */
	struct sockaddr *natoa_dst;	/* peer's view of his address */
#endif

	u_int32_t spid;			/* policy id by kernel */

	int status;			/* ipsec sa status, one of PHASE2ST_* */
	u_int8_t side;			/* INITIATOR or RESPONDER */

	struct sched sce;		/* schedule for expire */
	struct sched scr;		/* schedule for resend */
	int retry_counter;		/* for resend. */
	vchar_t *sendbuf;		/* buffer for re-sending */
	vchar_t *msg1;			/* buffer for re-sending */
				/* used for responder's first message */

	int retry_checkph1;		/* counter to wait phase 1 finished. */
					/* NOTE: actually it's a timer. */

	u_int32_t seq;			/* sequence number used by PF_KEY */
			/*
			 * NOTE: On the responder side we cannot identify each
			 * SA (for example SAs with the same destination
			 * address) when a socket based SA is required.  So we
			 * set an identifier number in "seq" and send it to the
			 * kernel by pfkey.
			 */
	u_int8_t satype;		/* satype in PF_KEY */
			/*
			 * saved satype from the original PF_KEY request of
			 * the kernel in order to reply an error.
			 */

	u_int8_t flags;			/* Flags for phase 2 */
	u_int32_t msgid;		/* msgid for phase 2 */

	struct sainfo *sainfo;		/* place holder of sainfo */
	struct saprop *proposal;	/* SA(s) proposal. */
	struct saprop *approval;	/* SA(s) approved. */
	u_int32_t lifetime_secs;	/* responder lifetime (seconds) */
	u_int32_t lifetime_kb;		/* responder lifetime (kbytes) */
	caddr_t spidx_gen;		/* policy from peer's proposal */
					/* (untyped; presumably a struct policyindex *, confirm) */

	struct dhgroup *pfsgrp;		/* DH group for PFS; prime number */
	vchar_t *dhpriv;		/* DH; private value (secret) */
	vchar_t *dhpub;			/* DH; public value */
	vchar_t *dhpub_p;		/* DH; partner's public value */
	vchar_t *dhgxy;			/* DH; shared secret (secret) */
	vchar_t *nonce;			/* nonce value in phase 2 */
	vchar_t *nonce_p;		/* partner's nonce value in phase 2 */

	vchar_t *sa;			/* whole SA payload to send/to be sent */
					/* to calculate HASH */
					/* NOT INCLUDING general header. */

	vchar_t *sa_ret;		/* SA payload to reply/to be replied */
					/* NOT INCLUDING general header. */
					/* NOTE: should be released after use. */

	struct isakmp_ivm *ivm;		/* IVs */

	int generated_spidx;	/* mark handlers with generated policy */

#ifdef ENABLE_STATS
	struct timeval start;		/* negotiation timing; presumably start of phase 2 */
	struct timeval end;		/* presumably when the SAs were established */
#endif
	struct ph1handle *ph1;	/* back pointer to isakmp status */

	LIST_ENTRY(ph2handle) chain;	/* entry in the global phase 2 list */
	LIST_ENTRY(ph2handle) ph1bind;	/* chain to ph1handle (ph1->ph2tree) */
	EVT_LISTENER_LIST(evt_listeners);	/* event listeners on this handle (see evt.h) */
};
356
357/* For limiting enumeration of ph2 tree */
/* Selector for enumph2(); presumably a zero spid / NULL address matches
 * anything -- confirm in the definition, which is outside this header. */
struct ph2selector {
	u_int32_t spid;			/* kernel policy id to match */
	struct sockaddr *src;		/* source address to match */
	struct sockaddr *dst;		/* destination address to match */
};
363
364/*
365 * for handling initial contact.
366 */
/* One record per remote address already contacted; see getcontacted()
 * and inscontacted() below. */
struct contacted {
	struct sockaddr *remote;	/* remote address to negotiate ph1 */
	LIST_ENTRY(contacted) chain;	/* entry in the contacted list */
};
371
372/*
 * for checking whether a received packet is a retransmission.
374 */
/* Retransmission cache entry.  A received packet is recognised by its
 * (remote, local, hash) triple -- see check_recvdpkt() -- and the saved
 * response (sendbuf) is presumably sent again instead of processing the
 * packet a second time; retry_counter and time_send bound how often. */
struct recvdpkt {
	struct sockaddr *remote;	/* the remote address */
	struct sockaddr *local;		/* the local address */
	vchar_t *hash;			/* hash of the received packet */
	vchar_t *sendbuf;		/* buffer for the response */
	int retry_counter;		/* how many times to send */
	struct timeval time_send;	/* timestamp of previous send */

	LIST_ENTRY(recvdpkt) chain;	/* entry in the received-packet list */
};
385
386/* for parsing ISAKMP header. */
/* One element of a parsed ISAKMP payload chain. */
struct isakmp_parse_t {
	u_char type;		/* payload type of mine */
	int len;		/* ntohs(ptr->len): payload length in host byte order,
				 * taken from the wire -- whoever fills this in must
				 * have checked it against the remaining buffer */
	struct isakmp_gen *ptr;	/* the payload's generic header (presumably points
				 * into the received packet) */
};
392
393/*
394 * for IV management.
395 *
396 * - normal case
397 * initiator                                     responder
398 * -------------------------                     --------------------------
399 * initialize iv(A), ive(A).                     initialize iv(A), ive(A).
400 * encode by ive(A).
401 * save to iv(B).            ---[packet(B)]-->   save to ive(B).
402 *                                               decode by iv(A).
403 *                                               packet consistency.
404 *                                               sync iv(B) with ive(B).
405 *                                               check auth, integrity.
406 *                                               encode by ive(B).
407 * save to ive(C).          <--[packet(C)]---    save to iv(C).
408 * decoded by iv(B).
409 *      :
410 *
 * - In the case that an error is found during cipher processing,
412 * initiator                                     responder
413 * -------------------------                     --------------------------
414 * initialize iv(A), ive(A).                     initialize iv(A), ive(A).
415 * encode by ive(A).
416 * save to iv(B).            ---[packet(B)]-->   save to ive(B).
417 *                                               decode by iv(A).
418 *                                               packet consistency.
419 *                                               sync iv(B) with ive(B).
420 *                                               check auth, integrity.
421 *                                               error found.
422 *                                               create notify.
423 *                                               get ive2(X) from iv(B).
424 *                                               encode by ive2(X).
425 * get iv2(X) from iv(B).   <--[packet(Y)]---    save to iv2(Y).
426 * save to ive2(Y).
427 * decoded by iv2(X).
428 *      :
429 *
 * The responder synchronizes iv with ive only after checking the packet
 * consistency because the IV must be kept for decoding the packet: an
 * error may still be found while checking the packet consistency.  It does
 * so before the authentication and integrity check because the IV for the
 * informational exchange has to be derived from the IV obtained after the
 * packet is decoded and its consistency is checked.  Otherwise the IVs of
 * the initiator and the responder would mismatch.
437 */
/* IV management state for one exchange; see the diagrams above for how
 * iv and ive are advanced on each side. */
struct isakmp_ivm {
	vchar_t *iv;	/* for decoding packet */
			/* if phase 1, it's for computing phase2 iv */
	vchar_t *ive;	/* for encoding packet */
};
443
444/* for dumping */
/* Flat snapshot of the interesting ph1handle fields used for dumping
 * (presumably what dumpph1() produces).  The addresses are copied into
 * sockaddr_storage so the record carries no pointers into the handle. */
struct ph1dump {
	isakmp_index index;		/* ISAKMP SA index */
	int status;			/* PHASE1ST_* */
	int side;			/* INITIATOR or RESPONDER */
	struct sockaddr_storage remote;	/* copy of ph1handle.remote */
	struct sockaddr_storage local;	/* copy of ph1handle.local */
	u_int8_t version;		/* ISAKMP version */
	u_int8_t etype;			/* exchange type */
	time_t created;			/* timestamp for establish */
	int ph2cnt;			/* phase 2 negotiations under this ph1 */
};
456
struct sockaddr;
struct ph1handle;
struct ph2handle;
struct policyindex;

/* Look up a phase 1 handle by its ISAKMP index (cookie pair).  What the
 * "0" variant matches differently is not visible from this header --
 * presumably a lookup made before the responder cookie is known. */
extern struct ph1handle *getph1byindex __P((isakmp_index *));
extern struct ph1handle *getph1byindex0 __P((isakmp_index *));

/* Call enum_func(iph1, enum_arg) for every phase 1 handle matching ph1sel.
 * Return-value semantics (and whether ph1sel may be NULL) are defined
 * outside this header. */
extern int enumph1 __P((struct ph1selector *ph1sel,
			int (* enum_func)(struct ph1handle *iph1, void *arg),
			void *enum_arg));
468
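#define GETPH1_F_ESTABLISHED		0x0001	/* getph1(): only consider established SAs */

/*
 * Find a phase 1 handle for the (local, remote) address pair.  flags is a
 * bitmask of GETPH1_F_*.  ph1hint and local may be NULL (the wrappers
 * below pass NULL); how ph1hint steers the search is defined outside this
 * header.
 */
extern struct ph1handle *getph1 __P((struct ph1handle *ph1hint,
				     struct sockaddr *local,
				     struct sockaddr *remote,
				     int flags));

/* Convenience wrappers.  Every argument is parenthesized so that an
 * arbitrary expression (a ?: or an assignment, say) can be passed
 * without being re-associated by the ?: inside the expansion. */
#define getph1byaddr(local, remote, est) \
	getph1(NULL, (local), (remote), (est) ? GETPH1_F_ESTABLISHED : 0)
#define getph1bydstaddr(remote) \
	getph1(NULL, NULL, (remote), 0)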
480
#ifdef ENABLE_HYBRID
/* Look up / purge phase 1 handles by hybrid-auth login name (not const
 * here, so callers may have to pass a writable copy). */
struct ph1handle *getph1bylogin __P((char *));
int purgeph1bylogin __P((char *));
#endif
/* Move the phase 2 handles bound to old_iph1 onto new_iph1;
 * migrate_dying_ph12 presumably does the same for a handle entering
 * PHASE1ST_DYING, choosing the replacement itself. */
extern void migrate_ph12 __P((struct ph1handle *old_iph1, struct ph1handle *new_iph1));
extern void migrate_dying_ph12 __P((struct ph1handle *iph1));
/* Serialise the phase 1 handles (presumably as struct ph1dump records);
 * ownership of the returned buffer is defined outside this header. */
extern vchar_t *dumpph1 __P((void));
/* Lifecycle, as far as the names tell: newph1 allocates, insph1/remph1
 * add to / remove from the global list, delph1 frees (and should clear
 * the key material, see struct ph1handle), resolveph1rmconf re-binds
 * rmconf, flushph1 drops every handle, initph1tree initialises the list. */
extern struct ph1handle *newph1 __P((void));
extern void delph1 __P((struct ph1handle *));
extern int insph1 __P((struct ph1handle *));
extern void remph1 __P((struct ph1handle *));
extern int resolveph1rmconf __P((struct ph1handle *));
extern void flushph1 __P((void));
extern void initph1tree __P((void));
495
/* Call enum_func(iph2, enum_arg) for every phase 2 handle matching ph2sel;
 * return-value semantics are defined outside this header. */
extern int enumph2 __P((struct ph2selector *ph2sel,
			int (* enum_func)(struct ph2handle *iph2, void *arg),
			void *enum_arg));
/* Phase 2 lookups by PF_KEY sequence number, by address pair, by
 * (ph1, msgid), by (src, dst, id) and by SA index (src, dst, proto, spi) --
 * the last two readings are inferred from the parameter lists; confirm
 * against the definitions. */
extern struct ph2handle *getph2byseq __P((u_int32_t));
extern struct ph2handle *getph2bysaddr __P((struct sockaddr *,
	struct sockaddr *));
extern struct ph2handle *getph2bymsgid __P((struct ph1handle *, u_int32_t));
extern struct ph2handle *getph2byid __P((struct sockaddr *,
	struct sockaddr *, u_int32_t));
extern struct ph2handle *getph2bysaidx __P((struct sockaddr *,
	struct sockaddr *, u_int, u_int32_t));
/* Lifecycle, as far as the names tell: newph2 allocates, initph2 resets a
 * handle, insph2/remph2 add to / remove from the global list, delph2 frees
 * (and should clear dhpriv/dhgxy, see struct ph2handle), flushph2 drops
 * every handle, deleteallph2 presumably removes all handles for
 * (src, dst, proto), initph2tree initialises the list. */
extern struct ph2handle *newph2 __P((void));
extern void initph2 __P((struct ph2handle *));
extern void delph2 __P((struct ph2handle *));
extern int insph2 __P((struct ph2handle *));
extern void remph2 __P((struct ph2handle *));
extern void flushph2 __P((void));
extern void deleteallph2 __P((struct sockaddr *, struct sockaddr *, u_int));
extern void initph2tree __P((void));
515
/* Attach a phase 2 handle to its phase 1 handle (presumably sets ph2->ph1
 * and links ph2 into ph1->ph2tree); unbindph12 undoes it. */
extern void bindph12 __P((struct ph1handle *, struct ph2handle *));
extern void unbindph12 __P((struct ph2handle *));
518
/* Initial-contact bookkeeping: look up / add a remote address in the
 * contacted list (struct contacted); initctdtree initialises the list. */
extern struct contacted *getcontacted __P((struct sockaddr *));
extern int inscontacted __P((struct sockaddr *));
extern void initctdtree __P((void));
522
/* Retransmission cache (struct recvdpkt).  check_recvdpkt(remote, local,
 * hash) presumably reports whether the packet was already seen;
 * add_recvdpkt(remote, local, hash, sendbuf) records a packet and its
 * response (argument order inferred from struct recvdpkt -- confirm);
 * init_recvdpkt initialises the list. */
extern int check_recvdpkt __P((struct sockaddr *,
	struct sockaddr *, vchar_t *));
extern int add_recvdpkt __P((struct sockaddr *, struct sockaddr *,
	vchar_t *, vchar_t *));
extern void init_recvdpkt __P((void));
528
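#ifdef ENABLE_HYBRID
/* Presumably non-zero when the address belongs to the mode-config pool
 * and must be excluded; defined outside this header. */
extern int exclude_cfg_addr __P((const struct sockaddr *));
#endif

/* Re-validate every phase 1 and phase 2 handle (presumably against a
 * reloaded configuration).  Declared with __P() like every other
 * prototype in this header so the K&R fallback stays consistent. */
extern int revalidate_ph12 __P((void));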
534
535#endif /* _HANDLER_H */
536