1 /*        $NetBSD: handler.h,v 1.27 2025/03/07 15:55:29 christos Exp $          */
2 
3 /* Id: handler.h,v 1.19 2006/02/25 08:25:12 manubsd Exp */
4 
5 /*
6  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
7  * All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  * 3. Neither the name of the project nor the names of its contributors
18  *    may be used to endorse or promote products derived from this software
19  *    without specific prior written permission.
20  *
21  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
22  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
23  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
24  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
25  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
26  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
27  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
28  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
29  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
30  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
31  * SUCH DAMAGE.
32  */
33 
34 #ifndef _HANDLER_H
35 #define _HANDLER_H
36 
37 #include <sys/queue.h>
38 #include <openssl/rsa.h>
39 
40 #include <sys/time.h>
41 
42 #include "isakmp_var.h"
43 #include "oakley.h"
44 #include "schedule.h"
45 #include "evt.h"
46 
/* Phase 1 handler */
/*
 * Phase 1 (ISAKMP SA) state machine.  ph1handle.status holds one of the
 * PHASE1ST_* values below.  The tables give, per exchange type, the event
 * that moves each side into a numbered state; (---) marks a state that
 * side never occupies in that mode.  States 10 and 11 are not in the
 * tables: they are presumably reached from the established state (see
 * migrate_dying_ph12() and the `sce' expire schedule), not by a message.
 *
 * main mode:
 *      initiator               responder
 *  0   (---)                   (---)
 *  1   start                   start (1st msg received)
 *  2   (---)                   1st valid msg received
 *  3   1st msg sent            1st msg sent
 *  4   1st valid msg received  2nd valid msg received
 *  5   2nd msg sent            2nd msg sent
 *  6   2nd valid msg received  3rd valid msg received
 *  7   3rd msg sent            3rd msg sent
 *  8   3rd valid msg received  (---)
 *  9   SA established          SA established
 *
 * aggressive mode:
 *      initiator               responder
 *  0   (---)                   (---)
 *  1   start                   start (1st msg received)
 *  2   (---)                   1st valid msg received
 *  3   1st msg sent            1st msg sent
 *  4   1st valid msg received  2nd valid msg received
 *  5   (---)                   (---)
 *  6   (---)                   (---)
 *  7   (---)                   (---)
 *  8   (---)                   (---)
 *  9   SA established          SA established
 *
 * base mode:
 *      initiator               responder
 *  0   (---)                   (---)
 *  1   start                   start (1st msg received)
 *  2   (---)                   1st valid msg received
 *  3   1st msg sent            1st msg sent
 *  4   1st valid msg received  2nd valid msg received
 *  5   2nd msg sent            (---)
 *  6   (---)                   (---)
 *  7   (---)                   (---)
 *  8   (---)                   (---)
 *  9   SA established          SA established
 */
#define PHASE1ST_SPAWN                            0     /* (---) in every table: presumably freshly allocated */
#define PHASE1ST_START                            1     /* negotiation started */
#define PHASE1ST_MSG1RECEIVED           2     /* responder only: 1st valid msg received */
#define PHASE1ST_MSG1SENT               3     /* 1st msg sent */
#define PHASE1ST_MSG2RECEIVED           4     /* initiator: 1st / responder: 2nd valid msg received */
#define PHASE1ST_MSG2SENT               5     /* 2nd msg sent (main mode, base-mode initiator) */
#define PHASE1ST_MSG3RECEIVED           6     /* main mode: initiator 2nd / responder 3rd valid msg received */
#define PHASE1ST_MSG3SENT               7     /* main mode: 3rd msg sent */
#define PHASE1ST_MSG4RECEIVED           8     /* main mode initiator only: 3rd valid msg received */
#define PHASE1ST_ESTABLISHED            9     /* ISAKMP SA established */
#define PHASE1ST_DYING                            10    /* not in the tables: being replaced / torn down */
#define PHASE1ST_EXPIRED                11    /* not in the tables: lifetime ran out */
#define PHASE1ST_MAX                              12    /* one past the last state; presumably sizes per-state tables */
101 
/* About address semantics in each case.
 *                            initiator(addr=I)   responder(addr=R)
 *                            src       dst                 src       dst
 *                            (local)   (remote)  (local)   (remote)
 * phase 1 handler  I         R                   R         I
 * phase 2 handler  I         R                   R         I
 * getspi msg                 R         I                   I         R
 * acquire msg                I         R
 * ID payload                 I         R                   I         R
 *
 * That is: both handlers hold our own address as src/local and the peer's
 * as dst/remote.  The PF_KEY getspi message is the one case with the pair
 * reversed, and only the initiator side has an acquire entry.
 */
#ifdef ENABLE_HYBRID
struct isakmp_cfg_state;                /* ISAKMP mode-config state; opaque here, defined elsewhere */
#endif
/*
 * Phase 1 (ISAKMP SA) handler.  Allocated by newph1(), linked into the
 * global phase 1 tree through `chain' by insph1()/remph1(), released by
 * delph1().  Phase 2 handlers negotiated under this SA are kept on
 * `ph2tree' (see bindph12()/unbindph12()).
 *
 * Security note: authstr, dhpriv, dhgxy, skeyid/skeyid_{d,a,e}, key and
 * the nonces are secret key material.  NOTE(review): confirm that delph1()
 * wipes these buffers before freeing them rather than just releasing them.
 */
struct ph1handle {
          isakmp_index index;           /* identifier of this ISAKMP SA (type from
                                           isakmp_var.h; presumably the cookie pair);
                                           lookup key for getph1byindex() */

          int status;                             /* status of this SA: one of PHASE1ST_* */
          int side;                     /* INITIATOR or RESPONDER */

          struct sockaddr *remote;      /* remote address to negotiate ph1 */
          struct sockaddr *local;                 /* local address to negotiate ph1 */
                              /* XXX copied from rmconf because an anonymous (wildcard)
                               * remote configuration carries no fixed peer address.
                               * If anonymous configurations are ever forbidden these
                               * copies can be dropped. */

          struct remoteconf *rmconf;    /* pointer to remote configuration
                                           (see resolveph1rmconf()) */

          struct isakmpsa *approval;    /* pointer to SA(s) approved. */
          vchar_t *authstr;             /* place holder of string for auth. */
                                                  /* for example pre-shared key (secret) */

          uint8_t version;              /* ISAKMP version */
          uint8_t etype;                          /* Exchange type actually in use */
          uint8_t flags;                          /* Flags */
          uint32_t msgid;               /* message id */

          uint32_t vendorid_mask;       /* bitmask of received supported vendor ids */
#ifdef ENABLE_NATT
          struct ph1natt_options *natt_options;   /* Selected NAT-T IKE version */
          uint32_t natt_flags;                    /* NAT-T related flags */
#endif
#ifdef ENABLE_FRAG
          int frag;                     /* IKE phase 1 fragmentation */
          int frag_last_index;          /* presumably the index of the last fragment seen */
          struct isakmp_frag_item *frag_chain;    /* Received fragments (awaiting reassembly) */
#endif

          struct sched sce;             /* schedule for expire */

          struct sched scr;             /* schedule for resend */
          int retry_counter;            /* for resend. */
          vchar_t *sendbuf;             /* buffer for re-sending */

          vchar_t *dhpriv;              /* DH; private value (secret) */
          vchar_t *dhpub;                         /* DH; public value */
          vchar_t *dhpub_p;             /* DH; partner's public value */
          vchar_t *dhgxy;                         /* DH; shared secret */
          vchar_t *nonce;                         /* nonce value */
          vchar_t *nonce_p;             /* partner's nonce value */
          vchar_t *skeyid;              /* SKEYID (secret) */
          vchar_t *skeyid_d;            /* SKEYID_d (secret) */
          vchar_t *skeyid_a;            /* SKEYID_a, i.e. hash (secret) */
          vchar_t *skeyid_e;            /* SKEYID_e, i.e. encryption (secret) */
          vchar_t *key;                           /* cipher key (secret) */
          vchar_t *hash;                          /* HASH minus general header */
          vchar_t *sig;                           /* SIG minus general header */
          vchar_t *sig_p;                         /* peer's SIG minus general header */
          vchar_t *cert;                          /* CERT minus general header */
          vchar_t *cert_p;              /* peer's CERT minus general header */
          vchar_t *crl_p;                         /* peer's CRL minus general header */
          vchar_t *cr_p;                          /* peer's CR not including general */
          RSA *rsa;                     /* my RSA key */
          RSA *rsa_p;                             /* peer's RSA key */
                                        /* NOTE(review): the OpenSSL RSA type is a
                                         * deprecated API in OpenSSL 3.x; an EVP_PKEY
                                         * migration will be needed here eventually. */
          struct genlist *rsa_candidates;         /* possible candidates for peer's RSA key */
          vchar_t *id;                            /* ID minus gen header */
          vchar_t *id_p;                          /* partner's ID minus general header */
                                                  /* i.e. struct ipsecdoi_id_b*. */
          struct isakmp_ivm *ivm;                 /* IVs (see struct isakmp_ivm below) */

          vchar_t *sa;                            /* whole SA payload to send/to be sent*/
                                                  /* to calculate HASH */
                                                  /* NOT INCLUDING general header. */

          vchar_t *sa_ret;              /* SA payload to reply/to be replied */
                                                  /* NOT INCLUDING general header. */
                                                  /* NOTE: should be released after use. */

#ifdef HAVE_GSSAPI
          void *gssapi_state;           /* GSS-API specific state. */
                                                  /* Allocated when needed */
          vchar_t *gi_i;                          /* optional initiator GSS id */
          vchar_t *gi_r;                          /* optional responder GSS id */
#endif

          struct isakmp_pl_hash *pl_hash;         /* pointer to hash payload */

          time_t created;                         /* timestamp for establish */
          int initial_contact_received; /* set if initial contact received */
#ifdef ENABLE_STATS
          struct timeval start;
          struct timeval end;
#endif

#ifdef ENABLE_DPD
          int                 dpd_support;        /* Does the remote support DPD? */
          uint32_t  dpd_last_ack;       /* presumably the last DPD sequence acknowledged */
          uint32_t  dpd_seq;            /* DPD seq number to receive */
          uint8_t   dpd_fails;                    /* number of failures */
          struct sched        dpd_r_u;  /* presumably the R-U-THERE timer */
#endif

          uint32_t msgid2;              /* msgid counter for Phase 2 */
          int ph2cnt;         /* the number which is negotiated by this phase 1 */
          LIST_HEAD(_ph2ofph1_, ph2handle) ph2tree;   /* phase 2 handlers bound to this SA */

          LIST_ENTRY(ph1handle) chain;            /* link in the global phase 1 tree */
#ifdef ENABLE_HYBRID
          struct isakmp_cfg_state *mode_cfg;      /* ISAKMP mode config state */
#endif
          EVT_LISTENER_LIST(evt_listeners);       /* see evt.h */
};
222 
/* For limiting enumeration of ph1 tree (see enumph1()).
 * Presumably a NULL field matches any address -- confirm in handler.c. */
struct ph1selector {
          struct sockaddr *local;       /* our address, or NULL */
          struct sockaddr *remote;      /* peer's address, or NULL */
};
228 
/* Phase 2 handler */
/* allocated per a SA or SA bundles of a pair of peer's IP addresses. */
/*
 * Phase 2 (IPsec SA) state machine; ph2handle.status holds one of the
 * PHASE2ST_* values below.  The table gives the event that moves each
 * side into a numbered state.
 *
 *      initiator               responder
 *  0   (---)                   (---)
 *  1   start                   start (1st msg received)
 *  2   acquire msg get         1st valid msg received
 *  3   getspi request sent     getspi request sent
 *  4   getspi done             getspi done
 *  5   1st msg sent            1st msg sent
 *  6   1st valid msg received  2nd valid msg received
 *  7   (commit bit)            (commit bit)
 *  8   SAs added               SAs added
 *  9   SAs established         SAs established
 * 10   SAs expired             SAs expired
 */
#define PHASE2ST_SPAWN                  0     /* (---): presumably freshly allocated */
#define PHASE2ST_START                  1     /* negotiation started */
#define PHASE2ST_STATUS2      2     /* initiator: acquire received / responder: 1st valid msg received */
#define PHASE2ST_GETSPISENT   3     /* PF_KEY getspi request sent */
#define PHASE2ST_GETSPIDONE   4     /* getspi done */
#define PHASE2ST_MSG1SENT     5     /* 1st msg sent */
#define PHASE2ST_STATUS6      6     /* initiator: 1st / responder: 2nd valid msg received */
#define PHASE2ST_COMMIT                 7     /* commit bit handling */
#define PHASE2ST_ADDSA                  8     /* SAs added */
#define PHASE2ST_ESTABLISHED  9     /* SAs established */
#define PHASE2ST_EXPIRED      10    /* SAs expired */
#define PHASE2ST_MAX                    11    /* one past the last state */
257 
/*
 * Phase 2 (IPsec SA) handler.  Allocated by newph2(), kept in the global
 * phase 2 tree through `chain' (insph2()/remph2()) and, once bound to its
 * ISAKMP SA by bindph12(), on that ph1handle's ph2tree through `ph1bind';
 * released by delph2().
 *
 * Security note: dhpriv, dhgxy and the nonces are secret material.
 * NOTE(review): confirm that delph2() wipes them before freeing.
 */
struct ph2handle {
          /* source and destination addresses used for IKE exchange. Might
           * differ from source and destination of SA. On the initiator,
           * they are tweaked if a hint is available in the SPD (set by
           * MIGRATE for instance). Otherwise they are the source and
           * destination of SA for transport mode and the tunnel endpoints
           * for tunnel mode */
          struct sockaddr *src;
          struct sockaddr *dst;

          /* source and destination addresses of the SA in the case addresses
           * used for IKE exchanges (src and dst) do differ. On the initiator,
           * they are set (if needed) in pk_recvacquire(). On the responder,
           * they are _derived_ from the local and remote parameters of the
           * SP, if available. */
          struct sockaddr *sa_src;
          struct sockaddr *sa_dst;

          /* Store our Phase 2 ID and the peer ID (ID minus general header).
           * On the initiator, they are set during ACQUIRE processing.
           * On the responder, they are set from the content of ID payload
           * in quick_r1recv(). Then, if they are of type address or
           * tunnel, they are compared to sainfo selectors.
           */
          vchar_t *id;                            /* ID minus gen header */
          vchar_t *id_p;                          /* peer's ID minus general header */

#ifdef ENABLE_NATT
          struct sockaddr *natoa_src;   /* peer's view of my address */
          struct sockaddr *natoa_dst;   /* peer's view of his address */
#endif

          uint32_t spid;                          /* policy id by kernel */

          int status;                             /* ipsec sa status: one of PHASE2ST_* */
          uint8_t side;                           /* INITIATOR or RESPONDER */

          struct sched sce;             /* schedule for expire */
          struct sched scr;             /* schedule for resend */
          int retry_counter;            /* for resend. */
          vchar_t *sendbuf;             /* buffer for re-sending */
          vchar_t *msg1;                          /* buffer for re-sending */
                                        /* used for responder's first message */

          int retry_checkph1;           /* counter to wait for phase 1 to finish. */
                                                  /* NOTE: actually it's a timer. */

          uint32_t seq;                           /* sequence number used by PF_KEY */
                              /*
                               * NOTE: On the responder side we can't identify each SA
                               * by destination address alone (e.g. when a socket-based
                               * SA is required), so an identifier is stored in "seq"
                               * and sent to the kernel via PF_KEY.
                               */
          uint8_t satype;               /* satype in PF_KEY */
                              /*
                               * saved satype from the original PF_KEY request from
                               * the kernel, in order to reply with an error.
                               */

          uint8_t flags;                          /* Flags for phase 2 */
          uint32_t msgid;               /* msgid for phase 2 */

          struct sainfo *sainfo;                  /* place holder of sainfo */
          struct saprop *proposal;      /* SA(s) proposal. */
          struct saprop *approval;      /* SA(s) approved. */
          uint32_t lifetime_secs;       /* responder lifetime (seconds) */
          uint32_t lifetime_kb;                   /* responder lifetime (kbytes) */
          caddr_t spidx_gen;            /* policy from peer's proposal */
                                        /* (opaque; see generated_spidx below) */

          struct dhgroup *pfsgrp;                 /* DH; prime number (PFS group) */
          vchar_t *dhpriv;              /* DH; private value (secret) */
          vchar_t *dhpub;                         /* DH; public value */
          vchar_t *dhpub_p;             /* DH; partner's public value */
          vchar_t *dhgxy;                         /* DH; shared secret */
          vchar_t *nonce;                         /* nonce value in phase 2 */
          vchar_t *nonce_p;             /* partner's nonce value in phase 2 */

          vchar_t *sa;                            /* whole SA payload to send/to be sent*/
                                                  /* to calculate HASH */
                                                  /* NOT INCLUDING general header. */

          vchar_t *sa_ret;              /* SA payload to reply/to be replied */
                                                  /* NOT INCLUDING general header. */
                                                  /* NOTE: should be released after use. */

          struct isakmp_ivm *ivm;                 /* IVs (see struct isakmp_ivm below) */

          int generated_spidx;          /* marks handlers with a generated policy */

#ifdef ENABLE_STATS
          struct timeval start;
          struct timeval end;
#endif
          struct ph1handle *ph1;        /* back pointer to isakmp status; set by bindph12() */

          LIST_ENTRY(ph2handle) chain;            /* link in the global phase 2 tree */
          LIST_ENTRY(ph2handle) ph1bind;          /* chain to ph1handle */
          EVT_LISTENER_LIST(evt_listeners);       /* see evt.h */
};
358 
/* For limiting enumeration of ph2 tree (see enumph2()).
 * Presumably a NULL address / zero spid matches anything -- confirm in handler.c. */
struct ph2selector {
          uint32_t spid;                /* kernel policy id, or 0 */
          struct sockaddr *src;         /* our address, or NULL */
          struct sockaddr *dst;         /* peer's address, or NULL */
};
365 
366 /*
367  * for handling initial contact.
368  */
369 struct contacted {
370           struct sockaddr *remote;      /* remote address to negosiate ph1 */
371           LIST_ENTRY(contacted) chain;
372 };
373 
374 /*
375  * for checking a packet retransmited.
376  */
377 struct recvdpkt {
378           struct sockaddr *remote;      /* the remote address */
379           struct sockaddr *local;                 /* the local address */
380           vchar_t *hash;                          /* hash of the received packet */
381           vchar_t *sendbuf;             /* buffer for the response */
382           int retry_counter;            /* how many times to send */
383           struct timeval time_send;     /* timestamp of previous send */
384 
385           LIST_ENTRY(recvdpkt) chain;
386 };
387 
/* for parsing ISAKMP payloads: one element per payload found in a packet. */
struct isakmp_parse_t {
          u_char type;                  /* payload type of this payload */
          int len;            /* payload length in host order, i.e. ntohs(ptr->len) */
          struct isakmp_gen *ptr;       /* generic payload header inside the packet buffer */
};
394 
395 /*
396  * for IV management.
397  *
398  * - normal case
399  * initiator                                     responder
400  * -------------------------                     --------------------------
401  * initialize iv(A), ive(A).                     initialize iv(A), ive(A).
402  * encode by ive(A).
403  * save to iv(B).            ---[packet(B)]-->   save to ive(B).
404  *                                               decode by iv(A).
405  *                                               packet consistency.
406  *                                               sync iv(B) with ive(B).
407  *                                               check auth, integrity.
408  *                                               encode by ive(B).
409  * save to ive(C).          <--[packet(C)]---    save to iv(C).
410  * decoded by iv(B).
411  *      :
412  *
413  * - In the case that a error is found while cipher processing,
414  * initiator                                     responder
415  * -------------------------                     --------------------------
416  * initialize iv(A), ive(A).                     initialize iv(A), ive(A).
417  * encode by ive(A).
418  * save to iv(B).            ---[packet(B)]-->   save to ive(B).
419  *                                               decode by iv(A).
420  *                                               packet consistency.
421  *                                               sync iv(B) with ive(B).
422  *                                               check auth, integrity.
423  *                                               error found.
424  *                                               create notify.
425  *                                               get ive2(X) from iv(B).
426  *                                               encode by ive2(X).
427  * get iv2(X) from iv(B).   <--[packet(Y)]---    save to iv2(Y).
428  * save to ive2(Y).
429  * decoded by iv2(X).
430  *      :
431  *
432  * The reason why the responder synchronizes iv with ive after checking the
433  * packet consistency is that it is required to leave the IV for decoding
434  * packet.  Because there is a potential of error while checking the packet
435  * consistency.  Also the reason why that is before authentication and
436  * integirty check is that the IV for informational exchange has to be made
437  * by the IV which is after packet decoded and checking the packet consistency.
438  * Otherwise IV mismatched happens between the intitiator and the responder.
439  */
440 struct isakmp_ivm {
441           vchar_t *iv;        /* for decoding packet */
442                               /* if phase 1, it's for computing phase2 iv */
443           vchar_t *ive;       /* for encoding packet */
444 };
445 
/* for dumping: a flat, pointer-free snapshot of a ph1handle as produced by
 * dumpph1().  Addresses are copied into sockaddr_storage, so the record
 * carries no heap pointers -- presumably so it can be emitted as raw bytes. */
struct ph1dump {
          isakmp_index index;           /* same as ph1handle.index */
          int status;                   /* PHASE1ST_* */
          int side;                     /* INITIATOR or RESPONDER */
          struct sockaddr_storage remote;
          struct sockaddr_storage local;
          uint8_t version;
          uint8_t etype;
          time_t created;
          int ph2cnt;
};
458 
struct sockaddr;
struct ph1handle;
struct ph2handle;
struct policyindex;

/*
 * Phase 1 handler tree (definitions in handler.c).
 */

/* Find the phase 1 handler with the given isakmp_index.  getph1byindex0()
 * is a variant; what it relaxes is defined in handler.c, not here. */
extern struct ph1handle *getph1byindex(isakmp_index *idx);
extern struct ph1handle *getph1byindex0(isakmp_index *idx);

/* Call enum_func(iph1, enum_arg) for each phase 1 handler that matches
 * ph1sel (see struct ph1selector). */
extern int enumph1(struct ph1selector *ph1sel,
    int (* enum_func)(struct ph1handle *iph1, void *arg), void *enum_arg);

/* flags for getph1() */
#define GETPH1_F_ESTABLISHED            0x0001  /* only an established SA qualifies */

/* Find a phase 1 handler by address pair; ph1hint and flags narrow the
 * search (GETPH1_F_*). */
extern struct ph1handle *getph1(struct ph1handle *ph1hint,
    struct sockaddr *local, struct sockaddr *remote, int flags);

/* Convenience wrappers around getph1(). */
#define getph1byaddr(local, remote, est) \
          getph1(NULL, local, remote, /*CONSTCOND*/(est) ? GETPH1_F_ESTABLISHED : 0)
#define getph1bydstaddr(remote) \
          getph1(NULL, NULL, remote, 0)

#ifdef ENABLE_HYBRID
/* Lookup / purge by login name (hybrid authentication; presumably the
 * Xauth user name). */
extern struct ph1handle *getph1bylogin(char *login);
extern int purgeph1bylogin(char *login);
#endif

/* Move the phase 2 handlers bound to old_iph1 onto new_iph1. */
extern void migrate_ph12(struct ph1handle *old_iph1, struct ph1handle *new_iph1);
/* Same for a handler in PHASE1ST_DYING; the target SA is chosen in handler.c. */
extern void migrate_dying_ph12(struct ph1handle *iph1);

extern vchar_t *dumpph1(void);                  /* snapshot of the tree, see struct ph1dump */
extern struct ph1handle *newph1(void);          /* allocate a handler */
extern void delph1(struct ph1handle *iph1);     /* release a handler */
extern int insph1(struct ph1handle *iph1);      /* link into the tree */
extern void remph1(struct ph1handle *iph1);     /* unlink from the tree */
extern int resolveph1rmconf(struct ph1handle *iph1);   /* (re)bind iph1->rmconf */
extern void flushph1(void);                     /* drop every phase 1 handler */
extern void initph1tree(void);                  /* initialise the (empty) tree */
extern int ph1_rekey_enabled(struct ph1handle *iph1);

/*
 * Phase 2 handler tree.
 */

/* Call enum_func(iph2, enum_arg) for each phase 2 handler that matches
 * ph2sel (see struct ph2selector). */
extern int enumph2(struct ph2selector *ph2sel,
    int (* enum_func)(struct ph2handle *iph2, void *arg), void *enum_arg);

/* Lookups keyed on the ph2handle fields of the same name. */
extern struct ph2handle *getph2byseq(uint32_t seq);
extern struct ph2handle *getph2bysaddr(struct sockaddr *src, struct sockaddr *dst);
extern struct ph2handle *getph2bymsgid(struct ph1handle *iph1, uint32_t msgid);
extern struct ph2handle *getph2byid(struct sockaddr *src,
    struct sockaddr *dst, uint32_t spid);
/* The u_int / uint32_t pair is presumably the IPsec protocol id and the
 * SPI -- confirm against the definition in handler.c. */
extern struct ph2handle *getph2bysaidx(struct sockaddr *src, struct sockaddr *dst,
    u_int proto_id, uint32_t spi);

extern struct ph2handle *newph2(void);          /* allocate a handler */
extern void initph2(struct ph2handle *iph2);    /* reset a handler for reuse */
extern void delph2(struct ph2handle *iph2);     /* release a handler */
extern int insph2(struct ph2handle *iph2);      /* link into the tree */
extern void remph2(struct ph2handle *iph2);     /* unlink from the tree */
extern void flushph2(void);                     /* drop every phase 2 handler */
/* Delete all phase 2 handlers for the address pair; the u_int is
 * presumably the IPsec protocol id. */
extern void deleteallph2(struct sockaddr *src, struct sockaddr *dst, u_int proto_id);
extern void initph2tree(void);                  /* initialise the (empty) tree */

/* Attach iph2 to iph1 (ph1bind / ph2tree, and iph2->ph1), and undo it. */
extern void bindph12(struct ph1handle *iph1, struct ph2handle *iph2);
extern void unbindph12(struct ph2handle *iph2);

/*
 * Initial-contact tracking (struct contacted).
 */
extern struct contacted *getcontacted(struct sockaddr *remote);
extern int inscontacted(struct sockaddr *remote);
extern void remcontacted(struct sockaddr *remote);
extern void initctdtree(void);

/*
 * Retransmission detection (struct recvdpkt).  Argument order is assumed
 * to follow the struct (remote, local) -- confirm against handler.c.
 * check_recvdpkt() reports whether rbuf was already seen from that pair;
 * add_recvdpkt() records rbuf together with the response sbuf.
 */
extern int check_recvdpkt(struct sockaddr *remote, struct sockaddr *local,
    vchar_t *rbuf);
extern int add_recvdpkt(struct sockaddr *remote, struct sockaddr *local,
    vchar_t *sbuf, vchar_t *rbuf);
extern void init_recvdpkt(void);

#ifdef ENABLE_HYBRID
extern int exclude_cfg_addr(const struct sockaddr *addr);
#endif

/* Re-validate every phase 1 and phase 2 handler (e.g. after a config reload). */
extern int revalidate_ph12(void);
532 
533 #endif /* _HANDLER_H */
534