summaryrefslogtreecommitdiff
path: root/sbin/isakmpd/sa.h
blob: 02bb4faa897022ff0a08d5eaf24767dda710a4d6 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
/* $OpenBSD: sa.h,v 1.49 2006/11/24 13:52:14 reyk Exp $	 */
/* $EOM: sa.h,v 1.58 2000/10/10 12:39:01 provos Exp $	 */

/*
 * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist.  All rights reserved.
 * Copyright (c) 1999, 2001 Angelos D. Keromytis.  All rights reserved.
 * Copyright (c) 2004 Håkan Olsson.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * This code was written under funding by Ericsson Radio Systems.
 */

#ifndef _SA_H_
#define _SA_H_

#include <sys/param.h>
#include <sys/types.h>
#include <sys/queue.h>
#include <sys/socket.h>

#include "isakmp.h"

/* Remove a SA if it has not been fully negotiated in this time.  */
#define SA_NEGOTIATION_MAX_TIME 120

struct doi;
struct event;
struct exchange;
struct keystate;
struct message;
struct payload;
struct proto_attr;
struct sa;
struct transport;

/* A protection suite consists of a set of protocol descriptions like this.  */
struct proto {
	/* Link to the next protocol in the suite.  */
	TAILQ_ENTRY(proto) link;

	/* The SA we belong to.  */
	struct sa      *sa;

	/* The protocol number as found in the proposal payload.  */
	u_int8_t        no;

	/* The protocol this SA is for.  */
	u_int8_t        proto;

	/*
	 * Security parameter index info.  Element 0 - outgoing, 1 -
	 * incoming.
	 */
	u_int8_t        spi_sz[2];
	u_int8_t       *spi[2];

	/*
	 * The chosen transform, only valid while the incoming SA payload that
	 * held it is available for duplicate testing.
         */
	struct payload *chosen;

	/* The chosen transform's ID.  */
	u_int8_t        id;

	/* DOI-specific data.  */
	void           *data;

	/* Proposal transforms data, for validating the responders selection. */
	TAILQ_HEAD(proto_attr_head, proto_attr) xfs;
	size_t          xf_cnt;
};

struct proto_attr {
	/* Link to next transform.  */
	TAILQ_ENTRY(proto_attr) next;

	/* Transform attribute data and size, suitable for attribute_map().  */
	u_int8_t       *attrs;
	size_t          len;
};

struct sa {
	/* Link to SAs with the same hash value.  */
	LIST_ENTRY(sa) link;

	/*
	 * When several SA's are being negotiated in one message we connect
	 * them through this link.
         */
	TAILQ_ENTRY(sa) next;

	/*
	 * A name of the major policy deciding offers and acceptable
	 * proposals.
	 */
	char           *name;

	/* The transport this SA got negotiated over.  */
	struct transport *transport;

	/* Both initiator and responder cookies.  */
	u_int8_t        cookies[ISAKMP_HDR_COOKIES_LEN];

	/* The message ID signifying non-ISAKMP SAs.  */
	u_int8_t        message_id[ISAKMP_HDR_MESSAGE_ID_LEN];

	/* The protection suite chosen.  */
	TAILQ_HEAD(proto_head, proto) protos;

	/* The exchange type we should use when rekeying.  */
	u_int8_t        exch_type;

	/* Phase is 1 for ISAKMP SAs, and 2 for application ones.  */
	u_int8_t        phase;

	/* A reference counter for this structure.  */
	u_int16_t       refcnt;

	/* Various flags, look below for descriptions.  */
	u_int32_t       flags;

	/* The DOI that is to handle DOI-specific issues for this SA.  */
	struct doi     *doi;

	/*
	 * Crypto info needed to encrypt/decrypt packets protected by this
	 * SA.
	 */
	struct keystate *keystate;

	/* IDs from Phase 1 */
	u_int8_t       *id_i;
	size_t          id_i_len;
	u_int8_t       *id_r;
	size_t          id_r_len;

	/* Set if we were the initiator of the SA/exchange in Phase 1 */
	int             initiator;

	/* Policy session ID, where applicable, copied over from the exchange */
	int             policy_id;

	/*
	 * The key used to authenticate phase 1, in printable format, used
	 * only by KeyNote.
         */
	char           *keynote_key;

	/*
	 * Certificates or other information from Phase 1; these are copied
	 * from the exchange, so look at exchange.h for an explanation of
	 * their use.
         */
	int             recv_certtype, recv_keytype;
	/* Certificate received from peer, native format.  */
	void           *recv_cert;
	/* Key peer used to authenticate, native format.  */
	void           *recv_key;

	/*
	 * Certificates or other information we used to authenticate to the
	 * peer, Phase 1.
         */
	int             sent_certtype;
	/* Certificate (to be) sent to peer, native format.  */
	void           *sent_cert;

	/* DOI-specific opaque data.  */
	void           *data;

	/* Lifetime data.  */
	u_int64_t       seconds;
	u_int64_t       kilobytes;

	/* ACQUIRE sequence number */
	u_int32_t       seq;

	/* The events that will occur when an SA has timed out.  */
	struct event   *soft_death;
	struct event   *death;

	struct event   *nat_t_keepalive;

	/* IKE DPD (RFC3706) message sequence number.  */
	u_int32_t	dpd_seq;	/* sent */
	u_int32_t	dpd_rseq;	/* received */
	u_int32_t	dpd_failcount;	/* # of subsequent failures */
	u_int32_t	dpd_rdupcount;	/* # of subsequent duplicates */
	struct event   *dpd_event;	/* time of next event */

	/* The add a pf tag to packets matching the established SA. */
	char           *tag;
};

/* This SA is alive.  */
#define SA_FLAG_READY		0x01

/* Renegotiate the SA at each expiry.  */
#define SA_FLAG_STAYALIVE	0x02

/* Establish the SA when it is needed.  */
#define SA_FLAG_ONDEMAND	0x04

/* This SA has been replaced by another newer one.  */
#define SA_FLAG_REPLACED	0x08

/* This SA has seen a soft timeout and wants to be renegotiated on use.  */
#define SA_FLAG_FADING		0x10

/* This SA should always be actively renegotiated (with us as initiator).  */
#define SA_FLAG_ACTIVE_ONLY	0x20

/* This SA flag is a placeholder for a TRANSACTION exchange "SA flag".  */
#define SA_FLAG_IKECFG		0x40

/* This SA flag indicates if we should do DPD with the phase 1 SA peer.  */
#define SA_FLAG_DPD		0x80

/* NAT-T encapsulation state. Kept in isakmp_sa for the new p2 exchange.  */
#define SA_FLAG_NAT_T_ENABLE	0x100
#define SA_FLAG_NAT_T_KEEPALIVE	0x200

extern void     proto_free(struct proto * proto);
extern int	sa_add_transform(struct sa *, struct payload *, int,
		    struct proto **);
extern int      sa_create(struct exchange *, struct transport *);
extern int      sa_enter(struct sa *);
extern void     sa_delete(struct sa *, int);
extern void     sa_teardown_all(void);
extern struct sa *sa_find(int (*) (struct sa *, void *), void *);
extern int      sa_flag(char *);
extern void     sa_free(struct sa *);
extern void     sa_init(void);
extern void     sa_reinit(void);
extern struct sa *sa_isakmp_lookup_by_peer(struct sockaddr *, socklen_t);
extern void     sa_isakmp_upgrade(struct message *);
extern struct sa *sa_lookup(u_int8_t *, u_int8_t *);
extern struct sa *sa_lookup_by_peer(struct sockaddr *, socklen_t, int);
extern struct sa *sa_lookup_by_header(u_int8_t *, int);
extern struct sa *sa_lookup_by_name(char *, int);
extern struct sa *sa_lookup_from_icookie(u_int8_t *);
extern struct sa *sa_lookup_isakmp_sa(struct sockaddr *, u_int8_t *);
extern void     sa_mark_replaced(struct sa *);
extern void     sa_reference(struct sa *);
extern void     sa_release(struct sa *);
extern void     sa_remove(struct sa *);
extern void     sa_report(void);
extern void     sa_dump(int, int, char *, struct sa *);
extern void     sa_report_all(FILE *);
extern int      sa_setup_expirations(struct sa *);

/*
 * This structure contains most of the data of the in-kernel SA.
 * Currently only used to collect the tdb_last_used time for DPD.
 */
struct sa_kinfo {
	u_int32_t	flags;		/* /usr/include/netinet/ip_ipsp.h */

	u_int32_t	exp_allocations;
	u_int32_t	soft_allocations;
	u_int32_t	cur_allocations;

	u_int64_t	exp_bytes;
	u_int64_t	soft_bytes;
	u_int64_t	cur_bytes;

	u_int64_t	exp_timeout;
	u_int64_t	soft_timeout;

	u_int64_t	first_use;
	u_int64_t	established;
	u_int64_t	soft_first_use;
	u_int64_t	exp_first_use;

	u_int64_t	last_used;

	struct sockaddr_storage	dst;
	struct sockaddr_storage	src;
	struct sockaddr_storage	proxy;

	u_int32_t	spi;
	u_int16_t	udpencap_port;
	u_int8_t	wnd;
};

#endif				/* _SA_H_ */