/*	$NetBSD: handler.h,v 1.9.6.1 2008/01/11 14:12:01 vanhu Exp $	*/

/* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */

/*
 * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
 * All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 * 3. Neither the name of the project nor the names of its contributors
 *    may be used to endorse or promote products derived from this software
 *    without specific prior written permission.
 *
 * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
 * SUCH DAMAGE.
 */

/*
 * Include guard.  (_HANDLER_H starts with an underscore and a capital
 * letter, a name range reserved for the implementation; it is kept as-is
 * because other files may test it.)
 */
#ifndef _HANDLER_H
#define _HANDLER_H

#include <sys/queue.h>		/* LIST_HEAD / LIST_ENTRY used by the structs below */
#include <openssl/rsa.h>	/* RSA, held in struct ph1handle */

#include <sys/time.h>		/* struct timeval, time_t */

/* presumably provide isakmp_index, vchar_t, cert_t and struct isakmp_gen
 * used below -- verify */
#include "isakmp_var.h"
#include "oakley.h"

/* Phase 1 handler */
/*
 * Phase 1 state machine.  The numbers are the PHASE1ST_* values stored in
 * struct ph1handle.status; each column shows what the state means for
 * that side.
 *
 * main mode:
 *      initiator               responder
 *  0   (---)                   (---)
 *  1   start                   start (1st msg received)
 *  2   (---)                   1st valid msg received
 *  3   1st msg sent            1st msg sent
 *  4   1st valid msg received  2nd valid msg received
 *  5   2nd msg sent            2nd msg sent
 *  6   2nd valid msg received  3rd valid msg received
 *  7   3rd msg sent            3rd msg sent
 *  8   3rd valid msg received  (---)
 *  9   SA established          SA established
 *
 * aggressive mode:
 *      initiator               responder
 *  0   (---)                   (---)
 *  1   start                   start (1st msg received)
 *  2   (---)                   1st valid msg received
 *  3   1st msg sent            1st msg sent
 *  4   1st valid msg received  2nd valid msg received
 *  5   (---)                   (---)
 *  6   (---)                   (---)
 *  7   (---)                   (---)
 *  8   (---)                   (---)
 *  9   SA established          SA established
 *
 * base mode:
 *      initiator               responder
 *  0   (---)                   (---)
 *  1   start                   start (1st msg received)
 *  2   (---)                   1st valid msg received
 *  3   1st msg sent            1st msg sent
 *  4   1st valid msg received  2nd valid msg received
 *  5   2nd msg sent            (---)
 *  6   (---)                   (---)
 *  7   (---)                   (---)
 *  8   (---)                   (---)
 *  9   SA established          SA established
 */
#define PHASE1ST_SPAWN			0
#define PHASE1ST_START			1
#define PHASE1ST_MSG1RECEIVED		2
#define PHASE1ST_MSG1SENT		3
#define PHASE1ST_MSG2RECEIVED		4
#define PHASE1ST_MSG2SENT		5
#define PHASE1ST_MSG3RECEIVED		6
#define PHASE1ST_MSG3SENT		7
#define PHASE1ST_MSG4RECEIVED		8
#define PHASE1ST_ESTABLISHED		9
#define PHASE1ST_EXPIRED		10	/* not in the tables above */
#define PHASE1ST_MAX			11	/* one past the last state; not a state */

/* About address semantics in each case.
 * "src"/"local" and "dst"/"remote" are relative to the side holding the
 * object, so the same peer pair appears swapped on the responder.
 *			initiator(addr=I)	responder(addr=R)
 *			src	dst		src	dst
 *			(local)	(remote)	(local)	(remote)
 * phase 1 handler	I	R		R	I
 * phase 2 handler	I	R		R	I
 * getspi msg		R	I		I	R
 * acquire msg		I	R
 * ID payload		I	R		I	R
 */
#ifdef ENABLE_HYBRID
struct isakmp_cfg_state;	/* opaque here; referenced from ph1handle.mode_cfg */
#endif
/*
 * Phase 1 (ISAKMP SA) handler.  Holds all per-negotiation state for one
 * ISAKMP SA; "status" walks the PHASE1ST_* states documented above.
 *
 * NOTE(review): dhpriv, dhgxy, skeyid, skeyid_d/_a/_e, key and authstr
 * hold secret material -- confirm that delph1() scrubs them before they
 * are freed.
 */
struct ph1handle {
	isakmp_index index;		/* ISAKMP index identifying this SA */

	int status;			/* status of this SA (PHASE1ST_*) */
	int side;			/* INITIATOR or RESPONDER */

	struct sockaddr *remote;	/* remote address to negotiate ph1 */
	struct sockaddr *local;		/* local address to negotiate ph1 */
			/* XXX copied from rmconf because of anonymous
			 * configuration.  If anonymous configuration is ever
			 * forbidden, these copies can be dropped. */

	struct remoteconf *rmconf;	/* pointer to remote configuration */

	struct isakmpsa *approval;	/* pointer to SA(s) approved. */
	vchar_t *authstr;		/* place holder of string for auth. */
					/* for example pre-shared key */

	u_int8_t version;		/* ISAKMP version */
	u_int8_t etype;			/* Exchange type actually in use */
	u_int8_t flags;			/* Flags */
	u_int32_t msgid;		/* message id */

#ifdef ENABLE_NATT
	struct ph1natt_options *natt_options;	/* Selected NAT-T IKE version */
	u_int32_t natt_flags;		/* NAT-T related flags */
#endif
#ifdef ENABLE_FRAG
	int frag;			/* IKE phase 1 fragmentation */
	struct isakmp_frag_item *frag_chain;	/* Received fragments (peer-supplied;
						 * verify the receiver bounds this chain) */
#endif

	struct sched *sce;		/* schedule for expire */

	struct sched *scr;		/* schedule for resend */
	int retry_counter;		/* for resend. */
	vchar_t *sendbuf;		/* buffer for re-sending */

	vchar_t *dhpriv;		/* DH; private value */
	vchar_t *dhpub;			/* DH; public value */
	vchar_t *dhpub_p;		/* DH; partner's public value */
	vchar_t *dhgxy;			/* DH; shared secret */
	vchar_t *nonce;			/* nonce value */
	vchar_t *nonce_p;		/* partner's nonce value */
	vchar_t *skeyid;		/* SKEYID */
	vchar_t *skeyid_d;		/* SKEYID_d */
	vchar_t *skeyid_a;		/* SKEYID_a, i.e. hash */
	vchar_t *skeyid_e;		/* SKEYID_e, i.e. encryption */
	vchar_t *key;			/* cipher key */
	vchar_t *hash;			/* HASH minus general header */
	vchar_t *sig;			/* SIG minus general header */
	vchar_t *sig_p;			/* peer's SIG minus general header */
	cert_t *cert;			/* CERT minus general header */
	cert_t *cert_p;			/* peer's CERT minus general header */
	cert_t *crl_p;			/* peer's CRL minus general header */
	cert_t *cr_p;			/* peer's CR not including general header */
	RSA *rsa;			/* my RSA key */
	RSA *rsa_p;			/* peer's RSA key */
	struct genlist *rsa_candidates;	/* possible candidates for peer's RSA key */
	vchar_t *id;			/* ID minus gen header */
	vchar_t *id_p;			/* partner's ID minus general header */
					/* i.e. struct ipsecdoi_id_b*. */
	struct isakmp_ivm *ivm;		/* IVs */

	vchar_t *sa;			/* whole SA payload to send/to be sent*/
					/* to calculate HASH */
					/* NOT INCLUDING general header. */

	vchar_t *sa_ret;		/* SA payload to reply/to be replied */
					/* NOT INCLUDING general header. */
					/* NOTE: Should be released after use. */

#ifdef HAVE_GSSAPI
	void *gssapi_state;		/* GSS-API specific state. */
					/* Allocated when needed */
	vchar_t *gi_i;			/* optional initiator GSS id */
	vchar_t *gi_r;			/* optional responder GSS id */
#endif

	struct isakmp_pl_hash *pl_hash;	/* pointer to hash payload */

	time_t created;			/* timestamp for establish */
#ifdef ENABLE_STATS
	struct timeval start;		/* statistics: negotiation start -- presumably */
	struct timeval end;		/* statistics: negotiation end -- presumably */
#endif

#ifdef ENABLE_DPD
	int		dpd_support;	/* Does the remote support DPD ? */
	time_t		dpd_lastack;	/* Last ack received */
	u_int16_t	dpd_seq;		/* DPD seq number to receive */
	u_int8_t	dpd_fails;		/* number of failures */
	struct sched	*dpd_r_u;	/* DPD R-U-THERE schedule -- presumably; verify */
#endif

	u_int32_t msgid2;		/* msgid counter for Phase 2 */
	int ph2cnt;	/* the number of phase 2 negotiated by this phase 1 */
	LIST_HEAD(_ph2ofph1_, ph2handle) ph2tree;	/* phase 2 handlers bound to this ph1 */

	LIST_ENTRY(ph1handle) chain;	/* link in the global ph1 list */
#ifdef ENABLE_HYBRID
	struct isakmp_cfg_state *mode_cfg;	/* ISAKMP mode config state */
#endif

};

/* Phase 2 handler */
/* allocated per a SA or SA bundles of a pair of peer's IP addresses. */
/*
 * Phase 2 state machine.  The numbers are the PHASE2ST_* values stored in
 * struct ph2handle.status.
 *
 *      initiator               responder
 *  0   (---)                   (---)
 *  1   start                   start (1st msg received)
 *  2   acquire msg get         1st valid msg received
 *  3   getspi request sent     getspi request sent
 *  4   getspi done             getspi done
 *  5   1st msg sent            1st msg sent
 *  6   1st valid msg received  2nd valid msg received
 *  7   (commit bit)            (commit bit)
 *  8   SAs added               SAs added
 *  9   SAs established         SAs established
 * 10   SAs expired             SAs expired
 */
#define PHASE2ST_SPAWN		0
#define PHASE2ST_START		1
#define PHASE2ST_STATUS2	2
#define PHASE2ST_GETSPISENT	3
#define PHASE2ST_GETSPIDONE	4
#define PHASE2ST_MSG1SENT	5
#define PHASE2ST_STATUS6	6
#define PHASE2ST_COMMIT		7
#define PHASE2ST_ADDSA		8
#define PHASE2ST_ESTABLISHED	9
#define PHASE2ST_EXPIRED	10
#define PHASE2ST_MAX		11	/* one past the last state; not a state */

/*
 * Phase 2 (IPsec SA) handler.  One per SA or SA bundle for a pair of peer
 * addresses; "status" walks the PHASE2ST_* states documented above and
 * "ph1" points back at the ISAKMP SA the negotiation runs under.
 *
 * NOTE(review): dhpriv and dhgxy hold secret material -- confirm that
 * delph2() scrubs them before they are freed.
 */
struct ph2handle {
	struct sockaddr *src;		/* my address of SA. */
	struct sockaddr *dst;		/* peer's address of SA. */

		/*
		 * copy ip address from ID payloads when ID type is ip address.
		 * In other cases, they must be null.
		 */
	struct sockaddr *src_id;
	struct sockaddr *dst_id;

	u_int32_t spid;			/* policy id by kernel */

	int status;			/* ipsec sa status (PHASE2ST_*) */
	u_int8_t side;			/* INITIATOR or RESPONDER */

	struct sched *sce;		/* schedule for expire */
	struct sched *scr;		/* schedule for resend */
	int retry_counter;		/* for resend. */
	vchar_t *sendbuf;		/* buffer for re-sending */
	vchar_t *msg1;			/* buffer for re-sending */
				/* used for responder's first message */

	int retry_checkph1;		/* counter to wait for phase 1 to finish. */
					/* NOTE: actually it's a timer. */

	u_int32_t seq;			/* sequence number used by PF_KEY */
			/*
			 * NOTE: On the responder side we can't identify each SA
			 * by destination address alone, for example when a
			 * socket based SA is required.  So we set an identifier
			 * number in "seq" and send it to the kernel via pfkey.
			 */
	u_int8_t satype;		/* satype in PF_KEY */
			/*
			 * saved satype from the original PF_KEY request from
			 * the kernel, in order to reply with an error.
			 */

	u_int8_t flags;			/* Flags for phase 2 */
	u_int32_t msgid;		/* msgid for phase 2 */

	struct sainfo *sainfo;		/* place holder of sainfo */
	struct saprop *proposal;	/* SA(s) proposal. */
	struct saprop *approval;	/* SA(s) approved. */
	caddr_t spidx_gen;		/* policy from peer's proposal */

	struct dhgroup *pfsgrp;		/* DH; prime number */
	vchar_t *dhpriv;		/* DH; private value */
	vchar_t *dhpub;			/* DH; public value */
	vchar_t *dhpub_p;		/* DH; partner's public value */
	vchar_t *dhgxy;			/* DH; shared secret */
	vchar_t *id;			/* ID minus gen header */
	vchar_t *id_p;			/* peer's ID minus general header */
	vchar_t *nonce;			/* nonce value in phase 2 */
	vchar_t *nonce_p;		/* partner's nonce value in phase 2 */

	vchar_t *sa;			/* whole SA payload to send/to be sent*/
					/* to calculate HASH */
					/* NOT INCLUDING general header. */

	vchar_t *sa_ret;		/* SA payload to reply/to be replied */
					/* NOT INCLUDING general header. */
					/* NOTE: Should be released after use. */

	struct isakmp_ivm *ivm;		/* IVs */

	int generated_spidx;	/* marks handlers with a generated policy */

#ifdef ENABLE_STATS
	struct timeval start;		/* statistics: negotiation start -- presumably */
	struct timeval end;		/* statistics: negotiation end -- presumably */
#endif
	struct ph1handle *ph1;	/* back pointer to isakmp status */

	LIST_ENTRY(ph2handle) chain;	/* link in the global ph2 list */
	LIST_ENTRY(ph2handle) ph1bind;	/* chain to ph1handle (ph1->ph2tree) */
};

/*
 * for handling initial contact: one entry per remote address,
 * presumably recording that the peer has already been contacted
 * (see getcontacted()/inscontacted() below).
 */
struct contacted {
	struct sockaddr *remote;	/* remote address to negotiate ph1 */
	LIST_ENTRY(contacted) chain;	/* link in the contacted list */
};

/*
 * for checking a packet retransmitted: remembers the hash of a received
 * packet together with the response that was sent for it, so that a
 * retransmission from the peer can presumably be answered by resending
 * "sendbuf" instead of re-processing the packet (see check_recvdpkt()
 * and add_recvdpkt() below).
 */
struct recvdpkt {
	struct sockaddr *remote;	/* the remote address */
	struct sockaddr *local;		/* the local address */
	vchar_t *hash;			/* hash of the received packet */
	vchar_t *sendbuf;		/* buffer for the response */
	int retry_counter;		/* how many times to send */
	time_t time_send;		/* timestamp of sending a packet */
	time_t created;			/* timestamp of creating the queue entry */

	struct sched *scr;		/* schedule for resend, may not be used */

	LIST_ENTRY(recvdpkt) chain;	/* link in the recvdpkt list */
};

/* for parsing ISAKMP header: one entry per payload found in a message. */
struct isakmp_parse_t {
	u_char type;		/* payload type of mine */
	int len;		/* ntohs(ptr->len): payload length taken from the
				 * wire, host byte order.  NOTE(review): this is
				 * peer-supplied; presumably the parser bounds it
				 * against the remaining message -- verify. */
	struct isakmp_gen *ptr;	/* generic payload header this entry describes */
};

/*
 * for IV management.
 *
 * - normal case
 * initiator                                     responder
 * -------------------------                     --------------------------
 * initialize iv(A), ive(A).                     initialize iv(A), ive(A).
 * encode by ive(A).
 * save to iv(B).            ---[packet(B)]-->   save to ive(B).
 *                                               decode by iv(A).
 *                                               packet consistency.
 *                                               sync iv(B) with ive(B).
 *                                               check auth, integrity.
 *                                               encode by ive(B).
 * save to ive(C).          <--[packet(C)]---    save to iv(C).
 * decoded by iv(B).
 *      :
 *
 * - In the case that an error is found during cipher processing,
 * initiator                                     responder
 * -------------------------                     --------------------------
 * initialize iv(A), ive(A).                     initialize iv(A), ive(A).
 * encode by ive(A).
 * save to iv(B).            ---[packet(B)]-->   save to ive(B).
 *                                               decode by iv(A).
 *                                               packet consistency.
 *                                               sync iv(B) with ive(B).
 *                                               check auth, integrity.
 *                                               error found.
 *                                               create notify.
 *                                               get ive2(X) from iv(B).
 *                                               encode by ive2(X).
 * get iv2(X) from iv(B).   <--[packet(Y)]---    save to iv2(Y).
 * save to ive2(Y).
 * decoded by iv2(X).
 *      :
 *
 * The reason why the responder synchronizes iv with ive after checking the
 * packet consistency is that it is required to leave the IV for decoding the
 * packet, because there is a potential for error while checking the packet
 * consistency.  Also, the reason why that is done before the authentication
 * and integrity check is that the IV for the informational exchange has to be
 * derived from the IV obtained after decoding the packet and checking its
 * consistency.  Otherwise an IV mismatch occurs between the initiator and the
 * responder.
 */
struct isakmp_ivm {
	vchar_t *iv;	/* for decoding packet */
			/* if phase 1, it's for computing phase2 iv */
	vchar_t *ive;	/* for encoding packet */
};

/*
 * for dumping: a flat, pointer-free snapshot of selected ph1handle fields
 * (addresses copied into sockaddr_storage), presumably what dumpph1()
 * emits -- verify against its definition.
 */
struct ph1dump {
	isakmp_index index;		/* see ph1handle.index */
	int status;			/* PHASE1ST_* */
	int side;			/* INITIATOR or RESPONDER */
	struct sockaddr_storage remote;	/* remote address */
	struct sockaddr_storage local;	/* local address */
	u_int8_t version;		/* ISAKMP version */
	u_int8_t etype;			/* exchange type */
	time_t created;			/* timestamp for establish */
	int ph2cnt;			/* see ph1handle.ph2cnt */
};

/*
 * Opaque types used by the prototypes below.  struct ph1handle and
 * struct ph2handle are already fully defined above, so those two
 * declarations are redundant but harmless.
 */
struct sockaddr;
struct ph1handle;
struct ph2handle;
struct policyindex;

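/*
 * Phase 1 handler tree: lookups by ISAKMP index, by address pair or by
 * login, plus lifecycle operations.  All prototypes use the __P() and
 * extern convention of this header (extern added to the two ENABLE_HYBRID
 * prototypes and revalidate_ph12 switched to __P() for consistency).
 */
extern struct ph1handle *getph1byindex __P((isakmp_index *));
extern struct ph1handle *getph1byindex0 __P((isakmp_index *));
extern struct ph1handle *getph1byaddr __P((struct sockaddr *,
	struct sockaddr *, int));
extern struct ph1handle *getph1byaddrwop __P((struct sockaddr *,
	struct sockaddr *));
extern struct ph1handle *getph1bydstaddrwop __P((struct sockaddr *));
#ifdef ENABLE_HYBRID
extern struct ph1handle *getph1bylogin __P((char *));
extern int purgeph1bylogin __P((char *));
#endif
extern vchar_t *dumpph1 __P((void));	/* returns a buffer the caller owns -- presumably; verify */
extern struct ph1handle *newph1 __P((void));
extern void delph1 __P((struct ph1handle *));
extern int insph1 __P((struct ph1handle *));
extern void remph1 __P((struct ph1handle *));
extern void flushph1 __P((void));
extern void initph1tree __P((void));

/*
 * Phase 2 handler tree: lookups by policy index/id, PF_KEY sequence,
 * address pair, message id or SA index, plus lifecycle operations.
 */
extern struct ph2handle *getph2byspidx __P((struct policyindex *));
extern struct ph2handle *getph2byspid __P((u_int32_t));
extern struct ph2handle *getph2byseq __P((u_int32_t));
extern struct ph2handle *getph2bysaddr __P((struct sockaddr *,
	struct sockaddr *));
extern struct ph2handle *getph2bymsgid __P((struct ph1handle *, u_int32_t));
extern struct ph2handle *getph2byid __P((struct sockaddr *,
	struct sockaddr *, u_int32_t));
extern struct ph2handle *getph2bysaidx __P((struct sockaddr *,
	struct sockaddr *, u_int, u_int32_t));
extern struct ph2handle *newph2 __P((void));
extern void initph2 __P((struct ph2handle *));
extern void delph2 __P((struct ph2handle *));
extern int insph2 __P((struct ph2handle *));
extern void remph2 __P((struct ph2handle *));
extern void flushph2 __P((void));
extern void deleteallph2 __P((struct sockaddr *, struct sockaddr *, u_int));
extern void initph2tree __P((void));

/* Link / unlink a phase 2 handler to its phase 1 handler (ph1->ph2tree). */
extern void bindph12 __P((struct ph1handle *, struct ph2handle *));
extern void unbindph12 __P((struct ph2handle *));

/* Initial-contact list (struct contacted). */
extern struct contacted *getcontacted __P((struct sockaddr *));
extern int inscontacted __P((struct sockaddr *));
extern void initctdtree __P((void));

/*
 * Retransmission detection (struct recvdpkt): check_recvdpkt looks a
 * received packet's hash up for a (remote, local) pair; add_recvdpkt
 * records a packet hash together with the response buffer.
 */
extern int check_recvdpkt __P((struct sockaddr *,
	struct sockaddr *, vchar_t *));
extern int add_recvdpkt __P((struct sockaddr *, struct sockaddr *,
	vchar_t *, vchar_t *));
extern void init_recvdpkt __P((void));

#ifdef ENABLE_HYBRID
extern int exclude_cfg_addr __P((const struct sockaddr *));
#endif

extern int revalidate_ph12 __P((void));

#endif /* _HANDLER_H */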