/*	$NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $	*/

/* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */

/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

#ifndef _HANDLER_H
#define _HANDLER_H

#include <sys/queue.h>
#include <openssl/rsa.h>

#include <sys/time.h>

#include "isakmp_var.h"
#include "oakley.h"
#include "schedule.h"
#include "evt.h"

/* Phase 1 handler */
/*
 * Phase 1 state machine.  The numeric value of ph1handle.status is one
 * of the PHASE1ST_* constants below; this table gives the meaning of
 * each state for the three phase 1 exchange types.
 *
 * main mode:
 *      initiator                 responder
 *  0   (---)                     (---)
 *  1   start                     start (1st msg received)
 *  2   (---)                     1st valid msg received
 *  3   1st msg sent              1st msg sent
 *  4   1st valid msg received    2nd valid msg received
 *  5   2nd msg sent              2nd msg sent
 *  6   2nd valid msg received    3rd valid msg received
 *  7   3rd msg sent              3rd msg sent
 *  8   3rd valid msg received    (---)
 *  9   SA established            SA established
 *
 * aggressive mode:
 *      initiator                 responder
 *  0   (---)                     (---)
 *  1   start                     start (1st msg received)
 *  2   (---)                     1st valid msg received
 *  3   1st msg sent              1st msg sent
 *  4   1st valid msg received    2nd valid msg received
 *  5   (---)                     (---)
 *  6   (---)                     (---)
 *  7   (---)                     (---)
 *  8   (---)                     (---)
 *  9   SA established            SA established
 *
 * base mode:
 *      initiator                 responder
 *  0   (---)                     (---)
 *  1   start                     start (1st msg received)
 *  2   (---)                     1st valid msg received
 *  3   1st msg sent              1st msg sent
 *  4   1st valid msg received    2nd valid msg received
 *  5   2nd msg sent              (---)
 *  6   (---)                     (---)
 *  7   (---)                     (---)
 *  8   (---)                     (---)
 *  9   SA established            SA established
 *
 * States 10 and 11 (DYING, EXPIRED) are not part of the exchange; they
 * mark an SA that is being torn down or has timed out.  PHASE1ST_MAX is
 * one past the last valid state.
 */
#define PHASE1ST_SPAWN			0
#define PHASE1ST_START			1
#define PHASE1ST_MSG1RECEIVED		2
#define PHASE1ST_MSG1SENT		3
#define PHASE1ST_MSG2RECEIVED		4
#define PHASE1ST_MSG2SENT		5
#define PHASE1ST_MSG3RECEIVED		6
#define PHASE1ST_MSG3SENT		7
#define PHASE1ST_MSG4RECEIVED		8
#define PHASE1ST_ESTABLISHED		9
#define PHASE1ST_DYING			10
#define PHASE1ST_EXPIRED		11
#define PHASE1ST_MAX			12

/* Address semantics in each case.
 * "src"/"dst" are always local/remote from the point of view of the
 * handler that stores them; the table shows which peer that is.
 *			initiator(addr=I)	responder(addr=R)
 *			src	dst		src	dst
 *			(local)	(remote)	(local)	(remote)
 * phase 1 handler	I	R		R	I
 * phase 2 handler	I	R		R	I
 * getspi msg		R	I		I	R
 * acquire msg		I	R
 * ID payload		I	R		I	R
 */
#ifdef ENABLE_HYBRID
struct isakmp_cfg_state;	/* opaque here; only referenced by pointer */
#endif

/*
 * Phase 1 (ISAKMP SA) handler: the state of one ISAKMP SA being
 * negotiated with, or established to, a single peer.  Lifetime is
 * presumably managed by newph1()/insph1()/remph1()/delph1() declared
 * at the bottom of this header.
 *
 * Several members hold secret key material (authstr, dhpriv, dhgxy,
 * the skeyid* family, key, rsa).  NOTE(review): delph1() is not visible
 * here — confirm it wipes these buffers before releasing them rather
 * than relying on a plain free().
 */
struct ph1handle {
	isakmp_index index;		/* index of this ISAKMP SA; type comes from an
					 * included header (presumably isakmp_var.h) */

	int status;			/* PHASE1ST_* state of this SA */
	int side;			/* INITIATOR or RESPONDER */

	struct sockaddr *remote;	/* remote address used to negotiate ph1 */
	struct sockaddr *local;		/* local address used to negotiate ph1 */
				/* XXX copied from rmconf because of anonymous
				 * configuration.  If anonymous configuration is
				 * ever forbidden, these can be deleted. */

	struct remoteconf *rmconf;	/* pointer to remote configuration */

	struct isakmpsa *approval;	/* pointer to the SA(s) approved */
	vchar_t *authstr;		/* placeholder for the authentication
					 * string, e.g. the pre-shared key (secret) */

	u_int8_t version;		/* ISAKMP version */
	u_int8_t etype;			/* exchange type actually in use */
	u_int8_t flags;			/* ISAKMP header flags */
	u_int32_t msgid;		/* message id */

	u_int32_t vendorid_mask;	/* bitmask of supported vendor ids received */
#ifdef ENABLE_NATT
	struct ph1natt_options *natt_options;	/* selected NAT-T IKE version */
	u_int32_t natt_flags;		/* NAT-T related flags */
#endif
#ifdef ENABLE_FRAG
	int frag;			/* IKE phase 1 fragmentation */
	int frag_last_index;		/* index of the last fragment handled
					 * (exact semantics not visible here) */
	struct isakmp_frag_item *frag_chain;	/* received fragments */
#endif

	struct sched sce;		/* schedule entry for expiry */

	struct sched scr;		/* schedule entry for resend */
	int retry_counter;		/* resend counter */
	vchar_t *sendbuf;		/* buffer for re-sending */

	vchar_t *dhpriv;		/* DH; private value (secret) */
	vchar_t *dhpub;			/* DH; public value */
	vchar_t *dhpub_p;		/* DH; partner's public value */
	vchar_t *dhgxy;			/* DH; shared secret */
	vchar_t *nonce;			/* nonce value */
	vchar_t *nonce_p;		/* partner's nonce value */
	vchar_t *skeyid;		/* SKEYID (secret) */
	vchar_t *skeyid_d;		/* SKEYID_d (secret) */
	vchar_t *skeyid_a;		/* SKEYID_a, i.e. hash key (secret) */
	vchar_t *skeyid_e;		/* SKEYID_e, i.e. encryption key (secret) */
	vchar_t *key;			/* cipher key (secret) */
	vchar_t *hash;			/* HASH minus general header */
	vchar_t *sig;			/* SIG minus general header */
	vchar_t *sig_p;			/* peer's SIG minus general header */
	vchar_t *cert;			/* CERT minus general header */
	vchar_t *cert_p;		/* peer's CERT minus general header */
	vchar_t *crl_p;			/* peer's CRL minus general header */
	vchar_t *cr_p;			/* peer's CR minus general header */
	RSA *rsa;			/* my RSA key */
	RSA *rsa_p;			/* peer's RSA key */
	struct genlist *rsa_candidates;	/* possible candidates for peer's RSA key */
	vchar_t *id;			/* ID minus general header */
	vchar_t *id_p;			/* partner's ID minus general header,
					 * i.e. struct ipsecdoi_id_b* */
	struct isakmp_ivm *ivm;		/* IVs, see struct isakmp_ivm below */

	vchar_t *sa;			/* whole SA payload to send/to be sent,
					 * kept to calculate HASH;
					 * NOT INCLUDING general header */

	vchar_t *sa_ret;		/* SA payload to reply/to be replied;
					 * NOT INCLUDING general header.
					 * NOTE: should be released after use */

#ifdef HAVE_GSSAPI
	void *gssapi_state;		/* GSS-API specific state,
					 * allocated when needed */
	vchar_t *gi_i;			/* optional initiator GSS id */
	vchar_t *gi_r;			/* optional responder GSS id */
#endif

	struct isakmp_pl_hash *pl_hash;	/* pointer to hash payload */

	time_t created;			/* timestamp of establishment */
	int initial_contact_received;	/* set if INITIAL-CONTACT was received */
#ifdef ENABLE_STATS
	struct timeval start;		/* negotiation start time */
	struct timeval end;		/* negotiation end time */
#endif

#ifdef ENABLE_DPD
	int		dpd_support;	/* does the remote support DPD? */
	u_int32_t	dpd_last_ack;	/* last DPD sequence number acknowledged */
	u_int32_t	dpd_seq;	/* DPD sequence number to receive */
	u_int8_t	dpd_fails;	/* number of consecutive failures */
	struct sched	dpd_r_u;	/* schedule entry for the DPD R-U-THERE exchange */
#endif

	u_int32_t msgid2;		/* msgid counter for phase 2 */
	int ph2cnt;			/* number of phase 2 negotiated by this phase 1 */
	LIST_HEAD(_ph2ofph1_, ph2handle) ph2tree;	/* phase 2 handlers bound to this SA */

	LIST_ENTRY(ph1handle) chain;	/* link in the global ph1 list */
#ifdef ENABLE_HYBRID
	struct isakmp_cfg_state *mode_cfg;	/* ISAKMP mode config state */
#endif
	EVT_LISTENER_LIST(evt_listeners);	/* event listeners, see evt.h */
};

/*
 * Selector for limiting enumeration of the ph1 tree (see enumph1()).
 * NOTE(review): whether a NULL member means "match any" is decided by
 * enumph1(), which is not visible here — confirm before relying on it.
 */
struct ph1selector {
	struct sockaddr *local;		/* local address to match */
	struct sockaddr *remote;	/* remote address to match */
};

/* Phase 2 handler */
/* Allocated per SA, or per SA bundle, for a pair of peer IP addresses. */
/*
 * Phase 2 state machine; ph2handle.status holds one of the PHASE2ST_*
 * constants below.
 *
 *      initiator                 responder
 *  0   (---)                     (---)
 *  1   start                     start (1st msg received)
 *  2   acquire msg get           1st valid msg received
 *  3   getspi request sent       getspi request sent
 *  4   getspi done               getspi done
 *  5   1st msg sent              1st msg sent
 *  6   1st valid msg received    2nd valid msg received
 *  7   (commit bit)              (commit bit)
 *  8   SAs added                 SAs added
 *  9   SAs established           SAs established
 *  10  SAs expired               SAs expired
 *
 * PHASE2ST_MAX is one past the last valid state.
 */
#define PHASE2ST_SPAWN		0
#define PHASE2ST_START		1
#define PHASE2ST_STATUS2	2
#define PHASE2ST_GETSPISENT	3
#define PHASE2ST_GETSPIDONE	4
#define PHASE2ST_MSG1SENT	5
#define PHASE2ST_STATUS6	6
#define PHASE2ST_COMMIT		7
#define PHASE2ST_ADDSA		8
#define PHASE2ST_ESTABLISHED	9
#define PHASE2ST_EXPIRED	10
#define PHASE2ST_MAX		11

/*
 * Phase 2 (IPsec SA) handler: the state of one quick-mode negotiation
 * and the SA(s) it produces.  Bound to its parent phase 1 through ph1
 * and ph1bind (see bindph12()/unbindph12() below).
 *
 * dhpriv and dhgxy hold PFS secrets.  NOTE(review): delph2() is not
 * visible here — confirm it wipes them before freeing.
 */
struct ph2handle {
	/* Source and destination addresses used for the IKE exchange.  They
	 * might differ from the source and destination of the SA.  On the
	 * initiator they are tweaked if a hint is available in the SPD (set
	 * by MIGRATE for instance).  Otherwise they are the source and
	 * destination of the SA for transport mode and the tunnel endpoints
	 * for tunnel mode. */
	struct sockaddr *src;
	struct sockaddr *dst;

	/* Source and destination addresses of the SA, for the case where the
	 * addresses used for IKE exchanges (src and dst) differ.  On the
	 * initiator they are set (if needed) in pk_recvacquire().  On the
	 * responder they are _derived_ from the local and remote parameters
	 * of the SP, if available. */
	struct sockaddr *sa_src;
	struct sockaddr *sa_dst;

	/* Our phase 2 ID and the peer's ID (ID minus general header).
	 * On the initiator they are set during ACQUIRE processing.
	 * On the responder they are set from the content of the ID payload
	 * in quick_r1recv().  Then, if they are of type address or
	 * tunnel, they are compared to the sainfo selectors.
	 */
	vchar_t *id;			/* ID minus general header */
	vchar_t *id_p;			/* peer's ID minus general header */

#ifdef ENABLE_NATT
	struct sockaddr *natoa_src;	/* peer's view of my address */
	struct sockaddr *natoa_dst;	/* peer's view of its own address */
#endif

	u_int32_t spid;			/* policy id assigned by the kernel */

	int status;			/* PHASE2ST_* state of the IPsec SA */
	u_int8_t side;			/* INITIATOR or RESPONDER */

	struct sched sce;		/* schedule entry for expiry */
	struct sched scr;		/* schedule entry for resend */
	int retry_counter;		/* resend counter */
	vchar_t *sendbuf;		/* buffer for re-sending */
	vchar_t *msg1;			/* buffer for re-sending the
					 * responder's first message */

	int retry_checkph1;		/* counter used while waiting for
					 * phase 1 to finish.
					 * NOTE: actually it's a timer. */

	u_int32_t seq;			/* sequence number used by PF_KEY */
			/*
			 * NOTE: On the responder side we cannot tell SAs apart
			 * by destination address alone, e.g. when a socket
			 * based SA is required.  So we put an identifier
			 * number in "seq" and pass it to the kernel via pfkey.
			 */
	u_int8_t satype;		/* satype in PF_KEY */
			/*
			 * Saved satype from the original PF_KEY request from
			 * the kernel, so that an error can be replied.
			 */

	u_int8_t flags;			/* flags for phase 2 */
	u_int32_t msgid;		/* msgid for phase 2 */

	struct sainfo *sainfo;		/* placeholder for sainfo */
	struct saprop *proposal;	/* SA(s) proposal */
	struct saprop *approval;	/* SA(s) approved */
	u_int32_t lifetime_secs;	/* responder lifetime (seconds) */
	u_int32_t lifetime_kb;		/* responder lifetime (kbytes) */
	caddr_t spidx_gen;		/* policy generated from peer's proposal */

	struct dhgroup *pfsgrp;		/* DH group (prime) used for PFS */
	vchar_t *dhpriv;		/* DH; private value (secret) */
	vchar_t *dhpub;			/* DH; public value */
	vchar_t *dhpub_p;		/* DH; partner's public value */
	vchar_t *dhgxy;			/* DH; shared secret */
	vchar_t *nonce;			/* nonce value in phase 2 */
	vchar_t *nonce_p;		/* partner's nonce value in phase 2 */

	vchar_t *sa;			/* whole SA payload to send/to be sent,
					 * kept to calculate HASH;
					 * NOT INCLUDING general header */

	vchar_t *sa_ret;		/* SA payload to reply/to be replied;
					 * NOT INCLUDING general header.
					 * NOTE: should be released after use */

	struct isakmp_ivm *ivm;		/* IVs, see struct isakmp_ivm below */

	int generated_spidx;		/* marks handlers with a generated policy */

#ifdef ENABLE_STATS
	struct timeval start;		/* negotiation start time */
	struct timeval end;		/* negotiation end time */
#endif
	struct ph1handle *ph1;		/* back pointer to the ISAKMP SA */

	LIST_ENTRY(ph2handle) chain;	/* link in the global ph2 list */
	LIST_ENTRY(ph2handle) ph1bind;	/* link in ph1->ph2tree */
	EVT_LISTENER_LIST(evt_listeners);	/* event listeners, see evt.h */
};

| 359 | /* For limiting enumeration of ph2 tree */ |
---|
| 360 | struct ph2selector { |
---|
| 361 | u_int32_t spid; |
---|
| 362 | struct sockaddr *src; |
---|
| 363 | struct sockaddr *dst; |
---|
| 364 | }; |
---|
| 365 | |
---|
/*
 * Entry for handling INITIAL-CONTACT: one per remote address, kept in
 * the list managed by getcontacted()/inscontacted()/remcontacted().
 */
struct contacted {
	struct sockaddr *remote;	/* remote address ph1 was negotiated with */
	LIST_ENTRY(contacted) chain;	/* link in the contacted list */
};

/*
 * Record of a packet already received, used to recognise a peer's
 * retransmission and answer it from the cached response instead of
 * processing it again.  Entries are presumably matched on
 * (remote, local, hash) by check_recvdpkt() and created by
 * add_recvdpkt(); both are declared below.
 */
struct recvdpkt {
	struct sockaddr *remote;	/* the remote address */
	struct sockaddr *local;		/* the local address */
	vchar_t *hash;			/* hash of the received packet
					 * (algorithm not visible here) */
	vchar_t *sendbuf;		/* cached buffer for the response */
	int retry_counter;		/* how many times the response may still be sent */
	struct timeval time_send;	/* timestamp of the previous send */

	LIST_ENTRY(recvdpkt) chain;	/* link in the recvdpkt list */
};

/*
 * One entry of a parsed ISAKMP payload chain.
 * NOTE(review): len is copied from the wire and is therefore
 * peer-controlled; the code that fills these entries must already have
 * bounded it against the remaining message, and consumers should not
 * extend that trust further — confirm in the parser.
 */
struct isakmp_parse_t {
	u_char type;			/* payload type of this payload */
	int len;			/* ntohs(ptr->len): payload length as carried on the wire */
	struct isakmp_gen *ptr;		/* generic payload header inside the received buffer */
};

/*
 * IV management.
 *
 * - normal case
 * initiator                                     responder
 * -------------------------                     --------------------------
 * initialize iv(A), ive(A).                     initialize iv(A), ive(A).
 * encode by ive(A).
 * save to iv(B).            ---[packet(B)]-->   save to ive(B).
 *                                               decode by iv(A).
 *                                               packet consistency.
 *                                               sync iv(B) with ive(B).
 *                                               check auth, integrity.
 *                                               encode by ive(B).
 * save to ive(C).          <--[packet(C)]---    save to iv(C).
 * decoded by iv(B).
 *      :
 *
 * - In the case that an error is found while cipher processing,
 * initiator                                     responder
 * -------------------------                     --------------------------
 * initialize iv(A), ive(A).                     initialize iv(A), ive(A).
 * encode by ive(A).
 * save to iv(B).            ---[packet(B)]-->   save to ive(B).
 *                                               decode by iv(A).
 *                                               packet consistency.
 *                                               sync iv(B) with ive(B).
 *                                               check auth, integrity.
 *                                               error found.
 *                                               create notify.
 *                                               get ive2(X) from iv(B).
 *                                               encode by ive2(X).
 * get iv2(X) from iv(B).   <--[packet(Y)]---    save to iv2(Y).
 * save to ive2(Y).
 * decoded by iv2(X).
 *      :
 *
 * The reason why the responder synchronizes iv with ive only after
 * checking the packet consistency is that the IV for decoding the packet
 * has to be kept, because an error may still be found while checking the
 * packet consistency.  The reason why that happens before the
 * authentication and integrity check is that the IV for the informational
 * exchange has to be derived from the IV obtained after decoding the
 * packet and checking its consistency.  Otherwise an IV mismatch occurs
 * between the initiator and the responder.
 */
struct isakmp_ivm {
	vchar_t *iv;			/* IV for decoding packets;
					 * in phase 1 it is also used to
					 * compute the phase 2 IV */
	vchar_t *ive;			/* IV for encoding packets */
};

/*
 * Snapshot of a ph1handle for dumping (presumably what dumpph1() emits).
 * Addresses are copied by value into sockaddr_storage so the record is
 * self-contained and carries no pointers into the live handler; note
 * that no key material is included.
 */
struct ph1dump {
	isakmp_index index;		/* index of the ISAKMP SA */
	int status;			/* PHASE1ST_* state */
	int side;			/* INITIATOR or RESPONDER */
	struct sockaddr_storage remote;	/* remote address (by value) */
	struct sockaddr_storage local;	/* local address (by value) */
	u_int8_t version;		/* ISAKMP version */
	u_int8_t etype;			/* exchange type */
	time_t created;			/* timestamp of establishment */
	int ph2cnt;			/* number of phase 2 negotiated */
};

/* Forward declarations so the prototypes below need no further headers. */
struct sockaddr;
struct ph1handle;
struct ph2handle;
struct policyindex;

/* Phase 1 handler lookup by ISAKMP index (NULL when none is found, presumably). */
extern struct ph1handle *getph1byindex __P((isakmp_index *));
extern struct ph1handle *getph1byindex0 __P((isakmp_index *));

/*
 * Walk the ph1 tree, calling enum_func(iph1, enum_arg) for every handler
 * matched by ph1sel.  The return-value contract of enum_func is not
 * visible here.
 */
extern int enumph1 __P((struct ph1selector *ph1sel,
			int (* enum_func)(struct ph1handle *iph1, void *arg),
			void *enum_arg));

/* Flag for getph1(): only consider established SAs. */
#define GETPH1_F_ESTABLISHED 0x0001

/* Find a phase 1 handler by addresses; ph1hint and flags narrow the search. */
extern struct ph1handle *getph1 __P((struct ph1handle *ph1hint,
				    struct sockaddr *local,
				    struct sockaddr *remote,
				    int flags));

/* Convenience wrappers around getph1() with no hint. */
#define getph1byaddr(local, remote, est) \
	getph1(NULL, local, remote, est ? GETPH1_F_ESTABLISHED : 0)
#define getph1bydstaddr(remote) \
	getph1(NULL, NULL, remote, 0)

#ifdef ENABLE_HYBRID
/* Lookup/purge by Xauth login name.  NOTE(review): these two lack the
 * `extern` used by every other prototype here; harmless for functions,
 * but inconsistent. */
struct ph1handle *getph1bylogin __P((char *));
int purgeph1bylogin __P((char *));
#endif
/* Move the phase 2 handlers of old_iph1 over to new_iph1 (e.g. on rekey). */
extern void migrate_ph12 __P((struct ph1handle *old_iph1, struct ph1handle *new_iph1));
extern void migrate_dying_ph12 __P((struct ph1handle *iph1));
/* Serialise all phase 1 handlers; caller presumably owns the returned buffer. */
extern vchar_t *dumpph1 __P((void));
/* Phase 1 handler lifetime: allocate, free, insert into / remove from the tree. */
extern struct ph1handle *newph1 __P((void));
extern void delph1 __P((struct ph1handle *));
extern int insph1 __P((struct ph1handle *));
extern void remph1 __P((struct ph1handle *));
extern int resolveph1rmconf __P((struct ph1handle *));
extern void flushph1 __P((void));
extern void initph1tree __P((void));
extern int ph1_rekey_enabled __P((struct ph1handle *));

/* Walk the ph2 tree; same shape as enumph1(). */
extern int enumph2 __P((struct ph2selector *ph2sel,
			int (* enum_func)(struct ph2handle *iph2, void *arg),
			void *enum_arg));
/* Phase 2 handler lookups by PF_KEY seq, addresses, msgid, policy id, or SA index. */
extern struct ph2handle *getph2byseq __P((u_int32_t));
extern struct ph2handle *getph2bysaddr __P((struct sockaddr *,
	struct sockaddr *));
extern struct ph2handle *getph2bymsgid __P((struct ph1handle *, u_int32_t));
extern struct ph2handle *getph2byid __P((struct sockaddr *,
	struct sockaddr *, u_int32_t));
extern struct ph2handle *getph2bysaidx __P((struct sockaddr *,
	struct sockaddr *, u_int, u_int32_t));
/* Phase 2 handler lifetime. */
extern struct ph2handle *newph2 __P((void));
extern void initph2 __P((struct ph2handle *));
extern void delph2 __P((struct ph2handle *));
extern int insph2 __P((struct ph2handle *));
extern void remph2 __P((struct ph2handle *));
extern void flushph2 __P((void));
extern void deleteallph2 __P((struct sockaddr *, struct sockaddr *, u_int));
extern void initph2tree __P((void));

/* Attach a phase 2 handler to its phase 1 (ph2->ph1 / ph1->ph2tree) and detach it. */
extern void bindph12 __P((struct ph1handle *, struct ph2handle *));
extern void unbindph12 __P((struct ph2handle *));

/* INITIAL-CONTACT bookkeeping, see struct contacted. */
extern struct contacted *getcontacted __P((struct sockaddr *));
extern int inscontacted __P((struct sockaddr *));
extern void remcontacted __P((struct sockaddr *));
extern void initctdtree __P((void));

/*
 * Retransmission detection, see struct recvdpkt.  check_recvdpkt() takes
 * (remote, local, packet) and add_recvdpkt() (remote, local, packet,
 * response); what the int results mean is not visible here.
 */
extern int check_recvdpkt __P((struct sockaddr *,
	struct sockaddr *, vchar_t *));
extern int add_recvdpkt __P((struct sockaddr *, struct sockaddr *,
	vchar_t *, vchar_t *));
extern void init_recvdpkt __P((void));

#ifdef ENABLE_HYBRID
extern int exclude_cfg_addr __P((const struct sockaddr *));
#endif

/* Re-check existing phase 1/2 handlers against the current configuration. */
extern int revalidate_ph12(void);

#endif /* _HANDLER_H */