1 /* $Id: handler.h,v 1.11 2008/02/06 08:09:00 mk Exp $ */
   2 /*      $KAME: handler.h,v 1.44 2002/07/10 23:22:03 itojun Exp $        */
   3 
   4 /*
   5  * Copyright (C) 1995, 1996, 1997, and 1998 WIDE Project.
   6  * All rights reserved.
   7  * 
   8  * Redistribution and use in source and binary forms, with or without
   9  * modification, are permitted provided that the following conditions
  10  * are met:
  11  * 1. Redistributions of source code must retain the above copyright
  12  *    notice, this list of conditions and the following disclaimer.
  13  * 2. Redistributions in binary form must reproduce the above copyright
  14  *    notice, this list of conditions and the following disclaimer in the
  15  *    documentation and/or other materials provided with the distribution.
  16  * 3. Neither the name of the project nor the names of its contributors
  17  *    may be used to endorse or promote products derived from this software
  18  *    without specific prior written permission.
  19  * 
  20  * THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
  21  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  22  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  23  * ARE DISCLAIMED.  IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
  24  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  25  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  26  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  27  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  28  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  29  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  30  * SUCH DAMAGE.
  31  */
  32 
  33 #include "ike_pfkey.h"
  34 
  35 /* Phase 1 handler */
  36 /*
  37  * main mode:
  38  *      initiator               responder
  39  *  0   (---)                   (---)
  40  *  1   start                   start (1st msg received)
  41  *  2   (---)                   1st valid msg received
  42  *  3   1st msg sent            1st msg sent
 *  4   1st valid msg received  2nd valid msg received
  44  *  5   2nd msg sent            2nd msg sent
  45  *  6   2nd valid msg received  3rd valid msg received
  46  *  7   3rd msg sent            3rd msg sent
  47  *  8   3rd valid msg received  (---)
  48  *  9   SA established          SA established
  49  *
  50  * aggressive mode:
  51  *      initiator               responder
  52  *  0   (---)                   (---)
  53  *  1   start                   start (1st msg received)
  54  *  2   (---)                   1st valid msg received
  55  *  3   1st msg sent            1st msg sent
 *  4   1st valid msg received  2nd valid msg received
  57  *  5   (---)                   (---)
  58  *  6   (---)                   (---)
  59  *  7   (---)                   (---)
  60  *  8   (---)                   (---)
  61  *  9   SA established          SA established
  62  *
  63  * base mode:
  64  *      initiator               responder
  65  *  0   (---)                   (---)
  66  *  1   start                   start (1st msg received)
  67  *  2   (---)                   1st valid msg received
  68  *  3   1st msg sent            1st msg sent
 *  4   1st valid msg received  2nd valid msg received
  70  *  5   2nd msg sent            (---)
  71  *  6   (---)                   (---)
  72  *  7   (---)                   (---)
  73  *  8   (---)                   (---)
  74  *  9   SA established          SA established
  75  */
/*
 * Phase 1 state values stored in ph1handle.status.  States 0-9 are the rows
 * of the per-exchange-mode tables above; EXPIRED follows ESTABLISHED and
 * MAX is one past the last valid state (presumably used to size per-state
 * tables — confirm against the users of this constant).
 */
#define PHASE1ST_SPAWN                  0       /* (---) */
#define PHASE1ST_START                  1       /* start */
#define PHASE1ST_MSG1RECEIVED           2       /* responder: 1st valid msg received */
#define PHASE1ST_MSG1SENT               3       /* 1st msg sent */
#define PHASE1ST_MSG2RECEIVED           4       /* initiator: 1st / responder: 2nd valid msg received */
#define PHASE1ST_MSG2SENT               5       /* 2nd msg sent (main, base-mode initiator) */
#define PHASE1ST_MSG3RECEIVED           6       /* main mode: 2nd / 3rd valid msg received */
#define PHASE1ST_MSG3SENT               7       /* main mode: 3rd msg sent */
#define PHASE1ST_MSG4RECEIVED           8       /* main mode initiator: 3rd valid msg received */
#define PHASE1ST_ESTABLISHED            9       /* SA established */
#define PHASE1ST_EXPIRED                10      /* SA expired (not in the tables above) */
#define PHASE1ST_MAX                    11      /* number of states; not itself a state */
  88 
  89 /* About address semantics in each case.
  90  *                      initiator(addr=I)       responder(addr=R)
  91  *                      src     dst             src     dst
  92  *                      (local) (remote)        (local) (remote)
  93  * phase 1 handler      I       R               R       I
  94  * phase 2 handler      I       R               R       I
  95  * getspi msg           R       I               I       R
  96  * acquire msg          I       R
  97  * ID payload           I       R               I       R
  98  */
/*
 * Phase 1 (ISAKMP SA) handler.  `status` takes the PHASE1ST_* values
 * tabulated above and `side` says whether this end is INITIATOR or
 * RESPONDER; address semantics are described in the table just above.
 * NOTE(review): this structure holds secret material (dhpriv, dhgxy, the
 * SKEYID family, key, and authstr, e.g. a pre-shared key).  Confirm that
 * delph1() wipes those buffers before releasing them — a plain free()
 * leaves the bytes in memory.
 */
struct ph1handle {
        isakmp_index_t  index;  /* index identifying this ISAKMP SA */

        int status;             /* status of this SA (PHASE1ST_*) */
        int side;               /* INITIATOR or RESPONDER */

        struct sockaddr *remote;        /* remote address to negotiate ph1 */
        struct sockaddr *local; /* local address to negotiate ph1 */
        /* XXX copied from rmconf because of anonymous configuration.
         * If anonymous configuration is ever forbidden, delete them. */

        struct rcf_remote *rmconf;      /* pointer to remote configuration */
        struct isakmpsa *proposal;      /* SA(s) proposed (presumably; cf. approval) */

        struct isakmpsa *approval;      /* pointer to SA(s) approved. */
        rc_vchar_t *authstr;    /* place holder of string for auth, */
        /* for example a pre-shared key */

        uint8_t version;        /* ISAKMP version */
        uint8_t etype;          /* Exchange type actually in use */
        uint8_t flags;          /* Flags */
        uint32_t msgid; /* message id */

#ifdef ENABLE_NATT
        struct ph1natt_options *natt_options;   /* Selected NAT-T IKE version */
        uint32_t natt_flags;            /* NAT-T related flags */
#ifdef ENABLE_FRAG
        int frag;                       /* IKE phase 1 fragmentation */
        struct isakmp_frag_item *frag_chain;    /* Received fragments */
#endif
#endif

        int dpd_support;        /* does the remote support DPD? */
        time_t dpd_lastack;     /* Last ack received */
        uint16_t dpd_seq;       /* DPD seq number to receive */
        uint8_t dpd_fails;      /* number of failures */
        struct sched *dpd_r_u;  /* DPD R-U-THERE schedule (name-derived; confirm) */

        struct sched *sce;      /* schedule for expire */

        struct sched *scr;      /* schedule for resend */
        int retry_counter;      /* for resend. */
        rc_vchar_t *sendbuf;    /* buffer for re-sending */

        /* Key material.  Secret: dhpriv, dhgxy, skeyid*, key. */
        rc_vchar_t *dhpriv;     /* DH; private value */
        rc_vchar_t *dhpub;      /* DH; public value */
        rc_vchar_t *dhpub_p;    /* DH; partner's public value */
        rc_vchar_t *dhgxy;      /* DH; shared secret */
        rc_vchar_t *nonce;      /* nonce value */
        rc_vchar_t *nonce_p;    /* partner's nonce value */
        rc_vchar_t *skeyid;     /* SKEYID */
        rc_vchar_t *skeyid_d;   /* SKEYID_d */
        rc_vchar_t *skeyid_a;   /* SKEYID_a, i.e. hash */
        rc_vchar_t *skeyid_e;   /* SKEYID_e, i.e. encryption */
        rc_vchar_t *key;        /* cipher key */
        rc_vchar_t *hash;       /* HASH minus general header */
        rc_vchar_t *sig;        /* SIG minus general header */
        rc_vchar_t *sig_p;      /* peer's SIG minus general header */
        cert_t *cert;           /* CERT minus general header */
        cert_t *cert_p;         /* peer's CERT minus general header */
        cert_t *crl_p;          /* peer's CRL minus general header */
        cert_t *cr_p;           /* peer's CR not including general header */
        rc_vchar_t *id;         /* ID minus gen header */
        rc_vchar_t *id_p;       /* partner's ID minus general header */
        /* i.e. struct ipsecdoi_id_b *. */
        struct isakmp_ivm *ivm; /* IVs */

        rc_vchar_t *sa;         /* whole SA payload to send/to be sent */
        /* to calculate HASH */
        /* NOT INCLUDING general header. */

        rc_vchar_t *sa_ret;     /* SA payload to reply/to be replied */
        /* NOT INCLUDING general header. */
        /* NOTE: should be released after use. */

#ifdef HAVE_GSSAPI
        void *gssapi_state;     /* GSS-API specific state. */
        /* Allocated when needed */
        rc_vchar_t *gi_i;       /* optional initiator GSS id */
        rc_vchar_t *gi_r;       /* optional responder GSS id */
#endif

        struct isakmp_pl_hash *pl_hash; /* pointer to hash payload */

        time_t created;         /* timestamp for establish */
#ifdef ENABLE_STATS
        struct timeval start;   /* negotiation timing (ENABLE_STATS only) */
        struct timeval end;
#endif

        uint32_t msgid2;        /* msgid counter for Phase 2 */
        int ph2cnt;             /* the number which is negotiated by this phase 1 */
        LIST_HEAD(_ph2ofph1_, ph2handle) ph2tree;       /* phase 2 handlers bound to this ph1 (via ph2handle.ph1bind) */

        LIST_ENTRY(ph1handle) chain;    /* link in the global ph1 list */
};
 195 
 196 /* Phase 2 handler */
/* allocated per SA, or per SA bundle, for a pair of peer IP addresses. */
 198 /*
 199  *      initiator               responder
 200  *  0   (---)                   (---)
 201  *  1   start                   start (1st msg received)
 202  *  2   acquire msg get         1st valid msg received
 203  *  3   getspi request sent     getspi request sent
 204  *  4   getspi done             getspi done
 205  *  5   1st msg sent            1st msg sent
 206  *  6   1st valid msg received  2nd valid msg received
 207  *  7   (commit bit)            (commit bit)
 208  *  8   SAs added               SAs added
 209  *  9   SAs established         SAs established
 210  * 10   SAs expired             SAs expired
 211  */
/*
 * Phase 2 state values stored in ph2handle.status.  States 0-10 are the
 * rows of the table above; MAX is one past the last valid state.
 */
#define PHASE2ST_SPAWN          0       /* (---) */
#define PHASE2ST_START          1       /* start */
#define PHASE2ST_STATUS2        2       /* initiator: acquire msg get / responder: 1st valid msg received */
#define PHASE2ST_GETSPISENT     3       /* getspi request sent */
#define PHASE2ST_GETSPIDONE     4       /* getspi done */
#define PHASE2ST_MSG1SENT       5       /* 1st msg sent */
#define PHASE2ST_STATUS6        6       /* initiator: 1st / responder: 2nd valid msg received */
#define PHASE2ST_COMMIT         7       /* (commit bit) */
#define PHASE2ST_ADDSA          8       /* SAs added */
#define PHASE2ST_ESTABLISHED    9       /* SAs established */
#define PHASE2ST_EXPIRED        10      /* SAs expired */
#define PHASE2ST_MAX            11      /* number of states; not itself a state */
 224 
/*
 * Phase 2 (IPsec SA) handler.  `status` takes the PHASE2ST_* values above.
 * Each ph2handle hangs off a ph1handle (see ph1 / ph1bind) and is also
 * linked into the global ph2 list (chain).
 * NOTE(review): dhpriv and dhgxy are secret (PFS); confirm delph2() wipes
 * them before freeing.
 */
struct ph2handle {
        struct sockaddr *src;   /* my address of SA. */
        struct sockaddr *dst;   /* peer's address of SA. */

        /*
         * copy ip address from ID payloads when ID type is ip address.
         * In other cases, they must be null.
         */
        struct sockaddr *src_id;
        struct sockaddr *dst_id;
#ifdef ENABLE_NATT
        struct sockaddr *natoa_src;     /* peer's view of my address */
        struct sockaddr *natoa_dst;     /* peer's view of his address */
#endif


        struct sadb_request sadb_request;       /* pending PF_KEY request state (see ike_pfkey.h) */
#if 0
        uint32_t spid;          /* policy id by kernel */
#endif
        struct rcf_selector *selector;  /* selector from the configuration */

        int status;             /* ipsec sa status (PHASE2ST_*) */
        uint8_t side;           /* INITIATOR or RESPONDER */

        struct sched *sce;      /* schedule for expire */
        struct sched *scr;      /* schedule for resend */
        int retry_counter;      /* for resend. */
        rc_vchar_t *sendbuf;    /* buffer for re-sending */
        rc_vchar_t *msg1;       /* buffer for re-sending */
        /* used for responder's first message */

        int retry_checkph1;     /* counter to wait for phase 1 to finish. */
        /* NOTE: actually it's a timer. */

        uint32_t seq;           /* sequence number used by PF_KEY */
        /*
         * NOTE: On the responder side, we can't identify each SA
         * with the same destination address, for example when a
         * socket based SA is required.  So we set an identifier
         * number in "seq" and send it to the kernel via pfkey.
         */
        rc_type satype;         /* satype in rc_type */
        /*
         * saved satype from the original PF_KEY request from
         * the kernel, in order to reply with an error.
         */

        uint8_t flags;          /* Flags for phase 2 */
        uint32_t msgid; /* msgid for phase 2 */

#if 0
        struct sainfo *sainfo;  /* place holder of sainfo */
#endif
        struct saprop *proposal;        /* SA(s) proposal. */
        struct saprop *approval;        /* SA(s) approved. */
#ifdef notyet
        caddr_t spidx_gen;      /* policy from peer's proposal */
#endif

        struct dhgroup *pfsgrp; /* DH; prime number (PFS group) */
        rc_vchar_t *dhpriv;     /* DH; private value */
        rc_vchar_t *dhpub;      /* DH; public value */
        rc_vchar_t *dhpub_p;    /* DH; partner's public value */
        rc_vchar_t *dhgxy;      /* DH; shared secret */
        rc_vchar_t *id;         /* ID minus gen header */
        rc_vchar_t *id_p;       /* peer's ID minus general header */
        rc_vchar_t *nonce;      /* nonce value in phase 2 */
        rc_vchar_t *nonce_p;    /* partner's nonce value in phase 2 */

        rc_vchar_t *sa;         /* whole SA payload to send/to be sent */
        /* to calculate HASH */
        /* NOT INCLUDING general header. */

        rc_vchar_t *sa_ret;     /* SA payload to reply/to be replied */
        /* NOT INCLUDING general header. */
        /* NOTE: should be released after use. */

        struct isakmp_ivm *ivm; /* IVs */

#ifdef ENABLE_STATS
        struct timeval start;   /* negotiation timing (ENABLE_STATS only) */
        struct timeval end;
#endif

        /* byte counts for peer/self during current and previous cycle */
        uint64_t prev_peercount;
        uint64_t cur_peercount;
        uint64_t prev_selfcount;
        uint64_t cur_selfcount;

        struct ph1handle *ph1;  /* back pointer to isakmp status */

        LIST_ENTRY(ph2handle) chain;    /* link in the global ph2 list */
        LIST_ENTRY(ph2handle) ph1bind;  /* chain to ph1handle (ph1handle.ph2tree) */
};
 321 
 322 /*
 323  * for handling initial contact.
 324  */
/*
 * One entry per remote address that has been contacted; see getcontacted()
 * and inscontacted() below.
 */
struct contacted {
        struct sockaddr *remote;        /* remote address to negotiate ph1 */
        LIST_ENTRY(contacted) chain;    /* link in the contacted list */
};
 329 
 330 /*
 * for checking whether a received packet is a retransmission.
 332  */
/*
 * Record of a received packet kept so that a retransmission of it can be
 * recognised (by `hash`) and answered from `sendbuf` instead of being
 * processed again — see check_recvdpkt() / add_recvdpkt() below.
 * NOTE(review): the entry is presumably discarded once `lifetime` has
 * elapsed since `created`; confirm in handler.c, since an unbounded queue
 * would let a peer grow memory with unique packets.
 */
struct recvdpkt {
        struct sockaddr *remote;        /* the remote address */
        struct sockaddr *local; /* the local address */
        rc_vchar_t *hash;       /* hash of the received packet */
        rc_vchar_t *sendbuf;    /* buffer for the response */
        int retry_counter;      /* max retry to send */
        int lifetime;           /* max duration of retransmission */
        time_t time_send;       /* timestamp of sending a packet */
        time_t created;         /* timestamp of creating the queue entry */

        struct sched *scr;      /* schedule for resend, may not be used */

        LIST_ENTRY(recvdpkt) chain;     /* link in the received-packet list */
};
 347 
 348 /* for parsing ISAKMP header. */
/*
 * One parsed ISAKMP payload: its type, its length, and a pointer to the
 * generic header inside the received buffer.
 */
struct isakmp_parse_t {
        unsigned char type;             /* payload type of mine */
        int len;                /* ntohs(ptr->len): length taken from the wire, i.e.
                                 * peer-supplied — NOTE(review): confirm the parser
                                 * checks it against the remaining buffer before use */
        struct isakmp_gen *ptr; /* generic payload header in the received buffer */
};
 354 
 355 /*
 356  * for IV management.
 357  *
 358  * - normal case
 359  * initiator                                     responder
 360  * -------------------------                     --------------------------
 361  * initialize iv(A), ive(A).                     initialize iv(A), ive(A).
 362  * encode by ive(A).
 363  * save to iv(B).            ---[packet(B)]-->   save to ive(B).
 364  *                                               decode by iv(A).
 365  *                                               packet consistency.
 366  *                                               sync iv(B) with ive(B).
 367  *                                               check auth, integrity.
 368  *                                               encode by ive(B).
 369  * save to ive(C).          <--[packet(C)]---    save to iv(C).
 370  * decoded by iv(B).
 371  *      :
 372  *
 * - In the case that an error is found during cipher processing,
 374  * initiator                                     responder
 375  * -------------------------                     --------------------------
 376  * initialize iv(A), ive(A).                     initialize iv(A), ive(A).
 377  * encode by ive(A).
 378  * save to iv(B).            ---[packet(B)]-->   save to ive(B).
 379  *                                               decode by iv(A).
 380  *                                               packet consistency.
 381  *                                               sync iv(B) with ive(B).
 382  *                                               check auth, integrity.
 383  *                                               error found.
 384  *                                               create notify.
 385  *                                               get ive2(X) from iv(B).
 386  *                                               encode by ive2(X).
 387  * get iv2(X) from iv(B).   <--[packet(Y)]---    save to iv2(Y).
 388  * save to ive2(Y).
 389  * decoded by iv2(X).
 390  *      :
 391  *
 * The reason why the responder synchronizes iv with ive after checking the
 * packet consistency is that the IV for decoding the packet must be kept,
 * because an error may still be found while checking the packet
 * consistency.  The reason why that is done before the authentication and
 * integrity check is that the IV for the informational exchange has to be
 * derived from the IV obtained after the packet is decoded and its
 * consistency checked.  Otherwise an IV mismatch occurs between the
 * initiator and the responder.
 399  */
/*
 * IV pair for one exchange; the decode/encode roles and the point at which
 * `iv` is synchronised with `ive` are described above.
 */
struct isakmp_ivm {
        rc_vchar_t *iv;         /* for decoding packet */
        /* if phase 1, it's for computing phase 2 iv */
        rc_vchar_t *ive;        /* for encoding packet */
};
 405 
 406 /* for dumping */
/*
 * Flat, pointer-free snapshot of a ph1handle produced by dumpph1().
 * Addresses are copied into sockaddr_storage so the record can be
 * marshalled as-is; no key material is included.
 */
struct ph1dump {
        isakmp_index_t index;   /* ph1handle.index */
        int status;             /* ph1handle.status (PHASE1ST_*) */
        int side;               /* INITIATOR or RESPONDER */
        struct sockaddr_storage remote; /* copy of ph1handle.remote */
        struct sockaddr_storage local;  /* copy of ph1handle.local */
        uint8_t version;        /* ISAKMP version */
        uint8_t etype;          /* exchange type */
        time_t created;         /* timestamp for establish */
        int ph2cnt;             /* number of phase 2 negotiations */
};
 418 
/* Forward declarations for the prototypes below.  ph1handle and ph2handle
 * are already defined above; repeating the tags here is harmless. */
struct sockaddr;
struct ph1handle;
struct ph2handle;
struct policyindex;
 423 
/*
 * Phase 1 handler table.  The one-line descriptions are inferred from the
 * names and parameter types; confirm the exact lookup keys and ownership
 * rules against the definitions in handler.c.
 */
extern struct ph1handle *getph1byindex (isakmp_index_t *);      /* look up by SA index */
extern struct ph1handle *getph1byindex0 (isakmp_index_t *);     /* variant of the above (semantics: see handler.c) */
extern struct ph1handle *getph1byaddr (struct sockaddr *,
                                           struct sockaddr *);  /* look up by (local, remote) address */
extern struct ph1handle *getph1byaddrwop (struct sockaddr *,
                                              struct sockaddr *);       /* as above, "wop" variant (see handler.c) */
extern rc_vchar_t *dumpph1 (void);                      /* serialise all ph1 entries (struct ph1dump) */
extern struct ph1handle *newph1 (void);                 /* allocate a handler */
extern void delph1 (struct ph1handle *);                /* release a handler and its buffers */
extern int insph1 (struct ph1handle *);                 /* insert into the table; returns non-zero on failure? (confirm) */
extern void remph1 (struct ph1handle *);                /* unlink from the table */
extern void flushph1 (void);                            /* remove all entries */
extern void initph1tree (void);                         /* initialise the table */
 437 
/*
 * Phase 2 handler table.  Descriptions are name-derived; confirm in
 * handler.c, in particular which callers own the handler after insph2().
 */
extern struct ph2handle *getph2byspidx (struct policyindex *);  /* look up by policy index */
extern struct ph2handle *getph2byspid (uint32_t);               /* look up by policy id */
extern struct ph2handle *getph2byseq (uint32_t);                /* look up by PF_KEY seq (ph2handle.seq) */
extern struct ph2handle *getph2bymsgid (struct ph1handle *, uint32_t);  /* look up by ph1 and msgid */
extern struct ph2handle *getph2bysaidx (struct sockaddr *,
                                            struct sockaddr *, unsigned int,
                                            uint32_t);          /* look up by (src, dst, proto, spi) — confirm */
extern struct ph2handle *newph2 (void);                 /* allocate a handler */
extern void initph2 (struct ph2handle *);               /* reset a handler's negotiation state */
extern void delph2 (struct ph2handle *);                /* release a handler and its buffers */
extern int insph2 (struct ph2handle *);                 /* insert into the table */
extern void remph2 (struct ph2handle *);                /* unlink from the table */
extern void flushph2 (void);                            /* remove all entries */
extern void deleteallph2 (struct sockaddr *, struct sockaddr *, unsigned int);  /* delete all matching (src, dst, proto) */
extern void initph2tree (void);                         /* initialise the table */
 453 
/* Link / unlink a phase 2 handler to its phase 1 handler
 * (ph2handle.ph1 and ph1handle.ph2tree). */
extern void bindph12 (struct ph1handle *, struct ph2handle *);
extern void unbindph12 (struct ph2handle *);
 456 
/* Initial-contact table (struct contacted), keyed by remote address. */
extern struct contacted *getcontacted (struct sockaddr *);      /* find an entry for the address, if any */
extern int inscontacted (struct sockaddr *);                    /* record the address as contacted */
extern void initctdtree (void);                                 /* initialise the table */
 460 
/*
 * Received-packet table (struct recvdpkt).  check_recvdpkt() takes the
 * (remote, local) addresses and the hash of an incoming packet; add_recvdpkt()
 * takes the addresses, the hash, the response buffer and the remote
 * configuration.  Return-value conventions are not visible here — confirm
 * in handler.c.
 */
extern int check_recvdpkt (struct sockaddr *,
                               struct sockaddr *, rc_vchar_t *);
extern int add_recvdpkt (struct sockaddr *, struct sockaddr *,
                             rc_vchar_t *, rc_vchar_t *, struct rcf_remote *);
extern void init_recvdpkt (void);       /* initialise the table */