Context Navigation

handler.h @ 8645c9d7

55-freebsd-126-freebsd-12

Last change on this file since 8645c9d7 was 8645c9d7, checked in by Christian Mauderer <christian.mauderer@…>, on 06/06/18 at 09:11:52

ipsec-tools: Apply patches from FreeBSD ports.

Source: https://svnweb.freebsd.org/ports/head/security/ipsec-tools/files/ revision 468617.

Property mode set to 100644

File size: 18.8 KB

Rev	Line
[8645c9d7]	1	/* $NetBSD: handler.h,v 1.26 2017/01/24 19:23:56 christos Exp $ */
[ff36f5e]	2
	3	/* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
	4
	5	/*
	6	* Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
	7	* All rights reserved.
	8	*
	9	* Redistribution and use in source and binary forms, with or without
	10	* modification, are permitted provided that the following conditions
	11	* are met:
	12	* 1. Redistributions of source code must retain the above copyright
	13	* notice, this list of conditions and the following disclaimer.
	14	* 2. Redistributions in binary form must reproduce the above copyright
	15	* notice, this list of conditions and the following disclaimer in the
	16	* documentation and/or other materials provided with the distribution.
	17	* 3. Neither the name of the project nor the names of its contributors
	18	* may be used to endorse or promote products derived from this software
	19	* without specific prior written permission.
	20	*
	21	* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
	22	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
	23	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
	24	* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
	25	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
	26	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
	27	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
	28	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
	29	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
	30	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
	31	* SUCH DAMAGE.
	32	*/
	33
	34	#ifndef _HANDLER_H
	35	#define _HANDLER_H
	36
	37	#include <sys/queue.h>
	38	#include <openssl/rsa.h>
	39
	40	#include <sys/time.h>
	41
	42	#include "isakmp_var.h"
	43	#include "oakley.h"
	44	#include "schedule.h"
	45	#include "evt.h"
	46
	47	/* Phase 1 handler */
	48	/*
	49	* main mode:
	50	* initiator responder
	51	* 0 (---) (---)
	52	* 1 start start (1st msg received)
	53	* 2 (---) 1st valid msg received
	54	* 3 1st msg sent 1st msg sent
	55	* 4 1st valid msg received 2st valid msg received
	56	* 5 2nd msg sent 2nd msg sent
	57	* 6 2nd valid msg received 3rd valid msg received
	58	* 7 3rd msg sent 3rd msg sent
	59	* 8 3rd valid msg received (---)
	60	* 9 SA established SA established
	61	*
	62	* aggressive mode:
	63	* initiator responder
	64	* 0 (---) (---)
	65	* 1 start start (1st msg received)
	66	* 2 (---) 1st valid msg received
	67	* 3 1st msg sent 1st msg sent
	68	* 4 1st valid msg received 2st valid msg received
	69	* 5 (---) (---)
	70	* 6 (---) (---)
	71	* 7 (---) (---)
	72	* 8 (---) (---)
	73	* 9 SA established SA established
	74	*
	75	* base mode:
	76	* initiator responder
	77	* 0 (---) (---)
	78	* 1 start start (1st msg received)
	79	* 2 (---) 1st valid msg received
	80	* 3 1st msg sent 1st msg sent
	81	* 4 1st valid msg received 2st valid msg received
	82	* 5 2nd msg sent (---)
	83	* 6 (---) (---)
	84	* 7 (---) (---)
	85	* 8 (---) (---)
	86	* 9 SA established SA established
	87	*/
	88	#define PHASE1ST_SPAWN 0
	89	#define PHASE1ST_START 1
	90	#define PHASE1ST_MSG1RECEIVED 2
	91	#define PHASE1ST_MSG1SENT 3
	92	#define PHASE1ST_MSG2RECEIVED 4
	93	#define PHASE1ST_MSG2SENT 5
	94	#define PHASE1ST_MSG3RECEIVED 6
	95	#define PHASE1ST_MSG3SENT 7
	96	#define PHASE1ST_MSG4RECEIVED 8
	97	#define PHASE1ST_ESTABLISHED 9
	98	#define PHASE1ST_DYING 10
	99	#define PHASE1ST_EXPIRED 11
	100	#define PHASE1ST_MAX 12
	101
	102	/* About address semantics in each case.
	103	* initiator(addr=I) responder(addr=R)
	104	* src dst src dst
	105	* (local) (remote) (local) (remote)
	106	* phase 1 handler I R R I
	107	* phase 2 handler I R R I
	108	* getspi msg R I I R
	109	* acquire msg I R
	110	* ID payload I R I R
	111	*/
	112	#ifdef ENABLE_HYBRID
	113	struct isakmp_cfg_state;
	114	#endif
	115	struct ph1handle {
	116	isakmp_index index;
	117
	118	int status; /* status of this SA */
	119	int side; /* INITIATOR or RESPONDER */
	120
	121	struct sockaddr remote; / remote address to negosiate ph1 */
	122	struct sockaddr local; / local address to negosiate ph1 */
	123	/* XXX copy from rmconf due to anonymous configuration.
	124	* If anonymous will be forbidden, we do delete them. */
	125
	126	struct remoteconf rmconf; / pointer to remote configuration */
	127
	128	struct isakmpsa approval; / pointer to SA(s) approved. */
	129	vchar_t authstr; / place holder of string for auth. */
	130	/* for example pre-shared key */
	131
	132	u_int8_t version; /* ISAKMP version */
	133	u_int8_t etype; /* Exchange type actually for use */
	134	u_int8_t flags; /* Flags */
	135	u_int32_t msgid; /* message id */
	136
	137	u_int32_t vendorid_mask; /* bitmask of received supported vendor ids*/
	138	#ifdef ENABLE_NATT
	139	struct ph1natt_options natt_options; / Selected NAT-T IKE version */
	140	u_int32_t natt_flags; /* NAT-T related flags */
	141	#endif
	142	#ifdef ENABLE_FRAG
	143	int frag; /* IKE phase 1 fragmentation */
[8645c9d7]	144	int frag_last_index;
[ff36f5e]	145	struct isakmp_frag_item frag_chain; / Received fragments */
	146	#endif
	147
	148	struct sched sce; /* schedule for expire */
	149
	150	struct sched scr; /* schedule for resend */
	151	int retry_counter; /* for resend. */
	152	vchar_t sendbuf; / buffer for re-sending */
	153
	154	vchar_t dhpriv; / DH; private value */
	155	vchar_t dhpub; / DH; public value */
	156	vchar_t dhpub_p; / DH; partner's public value */
	157	vchar_t dhgxy; / DH; shared secret */
	158	vchar_t nonce; / nonce value */
	159	vchar_t nonce_p; / partner's nonce value */
	160	vchar_t skeyid; / SKEYID */
	161	vchar_t skeyid_d; / SKEYID_d */
	162	vchar_t skeyid_a; / SKEYID_a, i.e. hash */
	163	vchar_t skeyid_e; / SKEYID_e, i.e. encryption */
	164	vchar_t key; / cipher key */
	165	vchar_t hash; / HASH minus general header */
	166	vchar_t sig; / SIG minus general header */
	167	vchar_t sig_p; / peer's SIG minus general header */
	168	vchar_t cert; / CERT minus general header */
	169	vchar_t cert_p; / peer's CERT minus general header */
	170	vchar_t crl_p; / peer's CRL minus general header */
	171	vchar_t cr_p; / peer's CR not including general */
	172	RSA rsa; / my RSA key */
	173	RSA rsa_p; / peer's RSA key */
	174	struct genlist rsa_candidates; / possible candidates for peer's RSA key */
	175	vchar_t id; / ID minus gen header */
	176	vchar_t id_p; / partner's ID minus general header */
	177	/* i.e. struct ipsecdoi_id_b. /
	178	struct isakmp_ivm ivm; / IVs */
	179
	180	vchar_t sa; / whole SA payload to send/to be sent*/
	181	/* to calculate HASH */
	182	/* NOT INCLUDING general header. */
	183
	184	vchar_t sa_ret; / SA payload to reply/to be replyed */
	185	/* NOT INCLUDING general header. */
	186	/* NOTE: Should be release after use. */
	187
	188	#ifdef HAVE_GSSAPI
	189	void gssapi_state; / GSS-API specific state. */
	190	/* Allocated when needed */
	191	vchar_t gi_i; / optional initiator GSS id */
	192	vchar_t gi_r; / optional responder GSS id */
	193	#endif
	194
	195	struct isakmp_pl_hash pl_hash; / pointer to hash payload */
	196
	197	time_t created; /* timestamp for establish */
	198	int initial_contact_received; /* set if initial contact received */
	199	#ifdef ENABLE_STATS
	200	struct timeval start;
	201	struct timeval end;
	202	#endif
	203
	204	#ifdef ENABLE_DPD
	205	int dpd_support; /* Does remote supports DPD ? */
	206	u_int32_t dpd_last_ack;
	207	u_int32_t dpd_seq; /* DPD seq number to receive */
	208	u_int8_t dpd_fails; /* number of failures */
	209	struct sched dpd_r_u;
	210	#endif
	211
	212	u_int32_t msgid2; /* msgid counter for Phase 2 */
	213	int ph2cnt; /* the number which is negotiated by this phase 1 */
	214	LIST_HEAD(_ph2ofph1_, ph2handle) ph2tree;
	215
	216	LIST_ENTRY(ph1handle) chain;
	217	#ifdef ENABLE_HYBRID
	218	struct isakmp_cfg_state mode_cfg; / ISAKMP mode config state */
	219	#endif
	220	EVT_LISTENER_LIST(evt_listeners);
	221	};
	222
	223	/* For limiting enumeration of ph1 tree */
	224	struct ph1selector {
	225	struct sockaddr *local;
	226	struct sockaddr *remote;
	227	};
	228
	229	/* Phase 2 handler */
	230	/* allocated per a SA or SA bundles of a pair of peer's IP addresses. */
	231	/*
	232	* initiator responder
	233	* 0 (---) (---)
	234	* 1 start start (1st msg received)
	235	* 2 acquire msg get 1st valid msg received
	236	* 3 getspi request sent getspi request sent
	237	* 4 getspi done getspi done
	238	* 5 1st msg sent 1st msg sent
	239	* 6 1st valid msg received 2nd valid msg received
	240	* 7 (commit bit) (commit bit)
	241	* 8 SAs added SAs added
	242	* 9 SAs established SAs established
	243	* 10 SAs expired SAs expired
	244	*/
	245	#define PHASE2ST_SPAWN 0
	246	#define PHASE2ST_START 1
	247	#define PHASE2ST_STATUS2 2
	248	#define PHASE2ST_GETSPISENT 3
	249	#define PHASE2ST_GETSPIDONE 4
	250	#define PHASE2ST_MSG1SENT 5
	251	#define PHASE2ST_STATUS6 6
	252	#define PHASE2ST_COMMIT 7
	253	#define PHASE2ST_ADDSA 8
	254	#define PHASE2ST_ESTABLISHED 9
	255	#define PHASE2ST_EXPIRED 10
	256	#define PHASE2ST_MAX 11
	257
	258	struct ph2handle {
	259	/* source and destination addresses used for IKE exchange. Might
	260	* differ from source and destination of SA. On the initiator,
	261	* they are tweaked if a hint is available in the SPD (set by
	262	* MIGRATE for instance). Otherwise they are the source and
	263	* destination of SA for transport mode and the tunnel endpoints
	264	* for tunnel mode */
	265	struct sockaddr *src;
	266	struct sockaddr *dst;
	267
	268	/* source and destination addresses of the SA in the case addresses
	269	* used for IKE exchanges (src and dst) do differ. On the initiator,
	270	* they are set (if needed) in pk_recvacquire(). On the responder,
	271	* they are _derived_ from the local and remote parameters of the
	272	* SP, if available. */
	273	struct sockaddr *sa_src;
	274	struct sockaddr *sa_dst;
	275
	276	/* Store our Phase 2 ID and the peer ID (ID minus general header).
	277	* On the initiator, they are set during ACQUIRE processing.
	278	* On the responder, they are set from the content of ID payload
	279	* in quick_r1recv(). Then, if they are of type address or
	280	* tunnel, they are compared to sainfo selectors.
	281	*/
	282	vchar_t id; / ID minus gen header */
	283	vchar_t id_p; / peer's ID minus general header */
	284
	285	#ifdef ENABLE_NATT
	286	struct sockaddr natoa_src; / peer's view of my address */
	287	struct sockaddr natoa_dst; / peer's view of his address */
	288	#endif
	289
	290	u_int32_t spid; /* policy id by kernel */
	291
	292	int status; /* ipsec sa status */
	293	u_int8_t side; /* INITIATOR or RESPONDER */
	294
	295	struct sched sce; /* schedule for expire */
	296	struct sched scr; /* schedule for resend */
	297	int retry_counter; /* for resend. */
	298	vchar_t sendbuf; / buffer for re-sending */
	299	vchar_t msg1; / buffer for re-sending */
	300	/* used for responder's first message */
	301
	302	int retry_checkph1; /* counter to wait phase 1 finished. */
	303	/* NOTE: actually it's timer. */
	304
	305	u_int32_t seq; /* sequence number used by PF_KEY */
	306	/*
	307	* NOTE: In responder side, we can't identify each SAs
	308	* with same destination address for example, when
	309	* socket based SA is required. So we set a identifier
	310	* number to "seq", and sent kernel by pfkey.
	311	*/
	312	u_int8_t satype; /* satype in PF_KEY */
	313	/*
	314	* saved satype in the original PF_KEY request from
	315	* the kernel in order to reply a error.
	316	*/
	317
	318	u_int8_t flags; /* Flags for phase 2 */
	319	u_int32_t msgid; /* msgid for phase 2 */
	320
	321	struct sainfo sainfo; / place holder of sainfo */
	322	struct saprop proposal; / SA(s) proposal. */
	323	struct saprop approval; / SA(s) approved. */
	324	u_int32_t lifetime_secs; /* responder lifetime (seconds) */
	325	u_int32_t lifetime_kb; /* responder lifetime (kbytes) */
	326	caddr_t spidx_gen; /* policy from peer's proposal */
	327
	328	struct dhgroup pfsgrp; / DH; prime number */
	329	vchar_t dhpriv; / DH; private value */
	330	vchar_t dhpub; / DH; public value */
	331	vchar_t dhpub_p; / DH; partner's public value */
	332	vchar_t dhgxy; / DH; shared secret */
	333	vchar_t nonce; / nonce value in phase 2 */
	334	vchar_t nonce_p; / partner's nonce value in phase 2 */
	335
	336	vchar_t sa; / whole SA payload to send/to be sent*/
	337	/* to calculate HASH */
	338	/* NOT INCLUDING general header. */
	339
	340	vchar_t sa_ret; / SA payload to reply/to be replyed */
	341	/* NOT INCLUDING general header. */
	342	/* NOTE: Should be release after use. */
	343
	344	struct isakmp_ivm ivm; / IVs */
	345
	346	int generated_spidx; /* mark handlers whith generated policy */
	347
	348	#ifdef ENABLE_STATS
	349	struct timeval start;
	350	struct timeval end;
	351	#endif
	352	struct ph1handle ph1; / back pointer to isakmp status */
	353
	354	LIST_ENTRY(ph2handle) chain;
	355	LIST_ENTRY(ph2handle) ph1bind; /* chain to ph1handle */
	356	EVT_LISTENER_LIST(evt_listeners);
	357	};
	358
	359	/* For limiting enumeration of ph2 tree */
	360	struct ph2selector {
	361	u_int32_t spid;
	362	struct sockaddr *src;
	363	struct sockaddr *dst;
	364	};
	365
	366	/*
	367	* for handling initial contact.
	368	*/
	369	struct contacted {
	370	struct sockaddr remote; / remote address to negosiate ph1 */
	371	LIST_ENTRY(contacted) chain;
	372	};
	373
	374	/*
	375	* for checking a packet retransmited.
	376	*/
	377	struct recvdpkt {
	378	struct sockaddr remote; / the remote address */
	379	struct sockaddr local; / the local address */
	380	vchar_t hash; / hash of the received packet */
	381	vchar_t sendbuf; / buffer for the response */
	382	int retry_counter; /* how many times to send */
	383	struct timeval time_send; /* timestamp of previous send */
	384
	385	LIST_ENTRY(recvdpkt) chain;
	386	};
	387
	388	/* for parsing ISAKMP header. */
	389	struct isakmp_parse_t {
	390	u_char type; /* payload type of mine */
	391	int len; /* ntohs(ptr->len) */
	392	struct isakmp_gen *ptr;
	393	};
	394
	395	/*
	396	* for IV management.
	397	*
	398	* - normal case
	399	* initiator responder
	400	* ------------------------- --------------------------
	401	* initialize iv(A), ive(A). initialize iv(A), ive(A).
	402	* encode by ive(A).
	403	* save to iv(B). ---[packet(B)]--> save to ive(B).
	404	* decode by iv(A).
	405	* packet consistency.
	406	* sync iv(B) with ive(B).
	407	* check auth, integrity.
	408	* encode by ive(B).
	409	* save to ive(C). <--[packet(C)]--- save to iv(C).
	410	* decoded by iv(B).
	411	* :
	412	*
	413	* - In the case that a error is found while cipher processing,
	414	* initiator responder
	415	* ------------------------- --------------------------
	416	* initialize iv(A), ive(A). initialize iv(A), ive(A).
	417	* encode by ive(A).
	418	* save to iv(B). ---[packet(B)]--> save to ive(B).
	419	* decode by iv(A).
	420	* packet consistency.
	421	* sync iv(B) with ive(B).
	422	* check auth, integrity.
	423	* error found.
	424	* create notify.
	425	* get ive2(X) from iv(B).
	426	* encode by ive2(X).
	427	* get iv2(X) from iv(B). <--[packet(Y)]--- save to iv2(Y).
	428	* save to ive2(Y).
	429	* decoded by iv2(X).
	430	* :
	431	*
	432	* The reason why the responder synchronizes iv with ive after checking the
	433	* packet consistency is that it is required to leave the IV for decoding
	434	* packet. Because there is a potential of error while checking the packet
	435	* consistency. Also the reason why that is before authentication and
	436	* integirty check is that the IV for informational exchange has to be made
	437	* by the IV which is after packet decoded and checking the packet consistency.
	438	* Otherwise IV mismatched happens between the intitiator and the responder.
	439	*/
	440	struct isakmp_ivm {
	441	vchar_t iv; / for decoding packet */
	442	/* if phase 1, it's for computing phase2 iv */
	443	vchar_t ive; / for encoding packet */
	444	};
	445
	446	/* for dumping */
	447	struct ph1dump {
	448	isakmp_index index;
	449	int status;
	450	int side;
	451	struct sockaddr_storage remote;
	452	struct sockaddr_storage local;
	453	u_int8_t version;
	454	u_int8_t etype;
	455	time_t created;
	456	int ph2cnt;
	457	};
	458
	459	struct sockaddr;
	460	struct ph1handle;
	461	struct ph2handle;
	462	struct policyindex;
	463
	464	extern struct ph1handle getph1byindex __P((isakmp_index ));
	465	extern struct ph1handle getph1byindex0 __P((isakmp_index ));
	466
	467	extern int enumph1 __P((struct ph1selector *ph1sel,
	468	int (* enum_func)(struct ph1handle iph1, void arg),
	469	void *enum_arg));
	470
	471	#define GETPH1_F_ESTABLISHED 0x0001
	472
	473	extern struct ph1handle getph1 __P((struct ph1handle ph1hint,
	474	struct sockaddr *local,
	475	struct sockaddr *remote,
	476	int flags));
	477
	478	#define getph1byaddr(local, remote, est) \
	479	getph1(NULL, local, remote, est ? GETPH1_F_ESTABLISHED : 0)
	480	#define getph1bydstaddr(remote) \
	481	getph1(NULL, NULL, remote, 0)
	482
	483	#ifdef ENABLE_HYBRID
	484	struct ph1handle getph1bylogin __P((char ));
	485	int purgeph1bylogin __P((char *));
	486	#endif
	487	extern void migrate_ph12 __P((struct ph1handle old_iph1, struct ph1handle new_iph1));
	488	extern void migrate_dying_ph12 __P((struct ph1handle *iph1));
	489	extern vchar_t *dumpph1 __P((void));
	490	extern struct ph1handle *newph1 __P((void));
	491	extern void delph1 __P((struct ph1handle *));
	492	extern int insph1 __P((struct ph1handle *));
	493	extern void remph1 __P((struct ph1handle *));
	494	extern int resolveph1rmconf __P((struct ph1handle *));
	495	extern void flushph1 __P((void));
	496	extern void initph1tree __P((void));
	497	extern int ph1_rekey_enabled __P((struct ph1handle *));
	498
	499	extern int enumph2 __P((struct ph2selector *ph2sel,
	500	int (* enum_func)(struct ph2handle iph2, void arg),
	501	void *enum_arg));
	502	extern struct ph2handle *getph2byseq __P((u_int32_t));
	503	extern struct ph2handle getph2bysaddr __P((struct sockaddr ,
	504	struct sockaddr *));
	505	extern struct ph2handle getph2bymsgid __P((struct ph1handle , u_int32_t));
	506	extern struct ph2handle getph2byid __P((struct sockaddr ,
	507	struct sockaddr *, u_int32_t));
	508	extern struct ph2handle getph2bysaidx __P((struct sockaddr ,
	509	struct sockaddr *, u_int, u_int32_t));
	510	extern struct ph2handle *newph2 __P((void));
	511	extern void initph2 __P((struct ph2handle *));
	512	extern void delph2 __P((struct ph2handle *));
	513	extern int insph2 __P((struct ph2handle *));
	514	extern void remph2 __P((struct ph2handle *));
	515	extern void flushph2 __P((void));
	516	extern void deleteallph2 __P((struct sockaddr , struct sockaddr , u_int));
	517	extern void initph2tree __P((void));
	518
	519	extern void bindph12 __P((struct ph1handle , struct ph2handle ));
	520	extern void unbindph12 __P((struct ph2handle *));
	521
	522	extern struct contacted getcontacted __P((struct sockaddr ));
	523	extern int inscontacted __P((struct sockaddr *));
	524	extern void remcontacted __P((struct sockaddr *));
	525	extern void initctdtree __P((void));
	526
	527	extern int check_recvdpkt __P((struct sockaddr *,
	528	struct sockaddr , vchar_t ));
	529	extern int add_recvdpkt __P((struct sockaddr , struct sockaddr ,
	530	vchar_t , vchar_t ));
	531	extern void init_recvdpkt __P((void));
	532
	533	#ifdef ENABLE_HYBRID
	534	extern int exclude_cfg_addr __P((const struct sockaddr *));
	535	#endif
	536
	537	extern int revalidate_ph12(void);
	538
	539	#endif /* _HANDLER_H */

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: rtems-libbsd/ipsec-tools/src/racoon/handler.h @ 8645c9d7

Download in other formats: