/* $OpenBSD: iked.h,v 1.232 2024/09/15 11:08:50 yasuoka Exp $ */

/*
 * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <sys/types.h>
#include <sys/tree.h>
#include <sys/queue.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <limits.h>
#include <imsg.h>

#include <openssl/evp.h>

#include "types.h"
#include "dh.h"

/*
 * Generic helpers. They are defined before the IKED_H guard, so a second
 * inclusion re-defines them identically (allowed by C). Each argument is
 * evaluated twice, so do not pass expressions with side effects.
 */
#define MAXIMUM(a,b) (((a)>(b))?(a):(b))
#define MINIMUM(a,b) (((a)<(b))?(a):(b))
#define roundup(x, y) ((((x)+((y)-1))/(y))*(y))

#ifndef IKED_H
#define IKED_H

/*
 * Common IKEv1/IKEv2 header
 *
 * Fixed-size header at the start of every IKE message. It is __packed so
 * it can be overlaid directly on a received datagram; every field is
 * peer-controlled input. In particular ike_length is the length the peer
 * claims for the whole message and must be checked against the bytes
 * actually received before it is used to drive parsing.
 */

struct ike_header {
	uint64_t ike_ispi;		/* Initiator cookie */
	uint64_t ike_rspi;		/* Responder cookie */
	uint8_t ike_nextpayload;	/* Next payload type */
	uint8_t ike_version;		/* Major/Minor version number */
	uint8_t ike_exchange;		/* Exchange type */
	uint8_t ike_flags;		/* Message options */
	uint32_t ike_msgid;		/* Message identifier */
	uint32_t ike_length;		/* Total message length */
} __packed;

/*
 * Common daemon infrastructure, local imsg etc.
 */

/* An imsg buffer together with the libevent state that drives it. */
struct imsgev {
	struct imsgbuf ibuf;
	void (*handler)(int, short, void *);	/* event callback */
	struct event ev;
	struct privsep_proc *proc;		/* owning privsep process */
	void *data;				/* opaque handler argument */
	short events;				/* events currently armed */
	const char *name;
};

/*
 * Abort the process unless the imsg payload is at least sizeof(*p) bytes.
 * Use this before reinterpreting imsg data as a struct; a short message
 * would otherwise be read past its end.
 */
#define IMSG_SIZE_CHECK(imsg, p) do { \
	if (IMSG_DATA_SIZE(imsg) < sizeof(*p)) \
		fatalx("bad length imsg received"); \
} while (0)
/*
 * Payload size of an imsg. The subtraction is unsigned, so hdr.len must
 * already be >= IMSG_HEADER_SIZE (presumably enforced by the imsg layer on
 * receive — confirm before using this on a hand-built header).
 */
#define IMSG_DATA_SIZE(imsg) ((imsg)->hdr.len - IMSG_HEADER_SIZE)

/*
 * Prefix comparison of two struct iked_addr: equal when the masks match
 * and sockaddr_cmp() over _a's mask length reports no difference.
 * IKED_ADDR_NEQ is the exact negation.
 */
#define IKED_ADDR_EQ(_a, _b) \
	((_a)->addr_mask == (_b)->addr_mask && \
	sockaddr_cmp((struct sockaddr *)&(_a)->addr, \
	(struct sockaddr *)&(_b)->addr, (_a)->addr_mask) == 0)

#define IKED_ADDR_NEQ(_a, _b) \
	((_a)->addr_mask != (_b)->addr_mask || \
	sockaddr_cmp((struct sockaddr *)&(_a)->addr, \
	(struct sockaddr *)&(_b)->addr, (_a)->addr_mask) != 0)

/* initially control.h */
/* Listening control socket (cs_name is its path, cs_fd the listener). */
struct control_sock {
	const char *cs_name;
	struct event cs_ev;
	struct event cs_evt;
	int cs_fd;
	int cs_restricted;	/* restricted (limited-command) socket */
	void *cs_env;
};

/* One accepted control-socket client. */
struct ctl_conn {
	TAILQ_ENTRY(ctl_conn) entry;
	uint8_t flags;
#define CTL_CONN_NOTIFY 0x01	/* client asked to receive notifications */
	struct imsgev iev;
	uint32_t peerid;
};
TAILQ_HEAD(ctl_connlist, ctl_conn);

/* Identity of the privsep process this code is running in. */
extern enum privsep_procid privsep_process;

/*
 * Runtime structures
 */

/*
 * Timer bound to a daemon instance. On expiry tmr_cb is presumably invoked
 * as tmr_cb(tmr_env, tmr_cbarg) — confirm against the timer helpers.
 */
struct iked_timer {
	struct event tmr_ev;
	struct iked *tmr_env;
	void (*tmr_cb)(struct iked *, void *);
	void *tmr_cbarg;
};

/* An SPI together with its encoded size and protocol id. */
struct iked_spi {
	uint64_t spi;
	uint8_t spi_size;
	uint8_t spi_protoid;
};

/*
 * One SA proposal: protocol, local/peer SPI and prop_nxforms transforms
 * in the prop_xforms array.
 */
struct iked_proposal {
	uint8_t prop_id;
	uint8_t prop_protoid;

	struct iked_spi prop_localspi;
	struct iked_spi prop_peerspi;

	struct iked_transform *prop_xforms;
	unsigned int prop_nxforms;

	TAILQ_ENTRY(iked_proposal) prop_entry;
};
TAILQ_HEAD(iked_proposals, iked_proposal);

/* Address (or prefix, via addr_mask/addr_net) with an optional port. */
struct iked_addr {
	int addr_af;
	struct sockaddr_storage addr;
	uint8_t addr_mask;
	int addr_net;
	in_port_t addr_port;
};
/* Traffic selector: an address/prefix plus an IP protocol. */
struct iked_ts {
	struct iked_addr ts_addr;
	uint8_t ts_ipproto;
	TAILQ_ENTRY(iked_ts) ts_entry;
};
TAILQ_HEAD(iked_tss, iked_ts);

/* An IPsec flow (kernel policy entry) belonging to an IKE SA. */
struct iked_flow {
	struct iked_addr flow_src;
	struct iked_addr flow_dst;
	unsigned int flow_dir;		/* in/out */
	int flow_rdomain;
	struct iked_addr flow_prenat;
	int flow_fixed;

	unsigned int flow_loaded;	/* pfkey done */

	uint8_t flow_saproto;
	uint8_t flow_ipproto;

	struct iked_addr *flow_local;	/* outer source */
	struct iked_addr *flow_peer;	/* outer dest */
	struct iked_sa *flow_ikesa;	/* parent SA */

	RB_ENTRY(iked_flow) flow_node;
	TAILQ_ENTRY(iked_flow) flow_entry;
};
RB_HEAD(iked_flows, iked_flow);
TAILQ_HEAD(iked_saflows, iked_flow);

/*
 * An IPsec Child SA. csa_encrkey/csa_integrkey hold the derived keying
 * material handed to the kernel; treat them as secrets.
 */
struct iked_childsa {
	uint8_t csa_saproto;		/* IPsec protocol */
	unsigned int csa_dir;		/* in/out */

	uint64_t csa_peerspi;		/* peer relation */
	uint8_t csa_loaded;		/* pfkey done */
	uint8_t csa_rekey;		/* will be deleted */
	uint8_t csa_allocated;		/* from the kernel */
	uint8_t csa_persistent;		/* do not rekey */
	uint8_t csa_esn;		/* use ESN */
	uint8_t csa_transport;		/* transport mode */

	struct iked_spi csa_spi;

	struct ibuf *csa_encrkey;	/* encryption key */
	uint16_t csa_encrid;		/* encryption xform id */

	struct ibuf *csa_integrkey;	/* auth key */
	uint16_t csa_integrid;		/* auth xform id */

	struct iked_addr *csa_local;	/* outer source */
	struct iked_addr *csa_peer;	/* outer dest */
	struct iked_sa *csa_ikesa;	/* parent SA */

	struct iked_childsa *csa_peersa;	/* peer */

	struct iked_childsa *csa_bundled;	/* IPCOMP */

	uint16_t csa_pfsgrpid;		/* pfs group id */

	RB_ENTRY(iked_childsa) csa_node;
	TAILQ_ENTRY(iked_childsa) csa_entry;
};
RB_HEAD(iked_activesas, iked_childsa);
TAILQ_HEAD(iked_childsas, iked_childsa);


/*
 * Identity configured in a policy, stored inline. id_length bounds the
 * valid part of id_data; IKED_ID_SIZE comes from types.h.
 */
struct iked_static_id {
	uint8_t id_type;
	uint8_t id_length;
	uint8_t id_offset;
	uint8_t id_data[IKED_ID_SIZE];
};

/*
 * Authentication settings of a policy. auth_data carries the pre-shared
 * key when one is configured (auth_length bytes) — secret material.
 */
struct iked_auth {
	uint8_t auth_method;
	uint8_t auth_length;		/* zero if EAP */
	uint16_t auth_eap;		/* optional EAP */
	uint8_t auth_data[IKED_PSK_SIZE];
};

/* A configuration-payload (CP) attribute; currently only addresses. */
struct iked_cfg {
	uint8_t cfg_action;
	uint16_t cfg_type;
	union {
		struct iked_addr address;
	} cfg;
};

TAILQ_HEAD(iked_sapeers, iked_sa);

/* Child SA lifetime limits (bytes and seconds). */
struct iked_lifetime {
	uint64_t lt_bytes;
	uint64_t lt_seconds;
};

/*
 * A policy from iked.conf. pol_skip implements the skip-step lookup
 * optimisation (see policy_calc_skip_steps); IKED_POLICY_* are the
 * pol_flags bits.
 */
struct iked_policy {
	unsigned int pol_id;
	char pol_name[IKED_ID_SIZE];
	unsigned int pol_iface;

#define IKED_SKIP_FLAGS 0
#define IKED_SKIP_AF 1
#define IKED_SKIP_SRC_ADDR 2
#define IKED_SKIP_DST_ADDR 3
#define IKED_SKIP_COUNT 4
	struct iked_policy *pol_skip[IKED_SKIP_COUNT];

	uint8_t pol_flags;
#define IKED_POLICY_PASSIVE 0x00
#define IKED_POLICY_DEFAULT 0x01
#define IKED_POLICY_ACTIVE 0x02
#define IKED_POLICY_REFCNT 0x04
#define IKED_POLICY_QUICK 0x08
#define IKED_POLICY_SKIP 0x10
#define IKED_POLICY_IPCOMP 0x20
#define IKED_POLICY_TRANSPORT 0x40
#define IKED_POLICY_ROUTING 0x80

	int pol_refcnt;			/* see policy_ref/policy_unref */

	uint8_t pol_certreqtype;

	int pol_af;
	int pol_rdomain;
	uint8_t pol_saproto;
	unsigned int pol_ipproto[IKED_IPPROTO_MAX];
	unsigned int pol_nipproto;

	struct iked_addr pol_peer;
	struct iked_static_id pol_peerid;
	uint32_t pol_peerdh;

	struct iked_addr pol_local;
	struct iked_static_id pol_localid;

	struct iked_auth pol_auth;

	char pol_tag[IKED_TAG_SIZE];
	unsigned int pol_tap;

	struct iked_proposals pol_proposals;
	size_t pol_nproposals;

	struct iked_flows pol_flows;
	size_t pol_nflows;
	struct iked_tss pol_tssrc;	/* Traffic Selectors Initiator */
	size_t pol_tssrc_count;
	struct iked_tss pol_tsdst;	/* Traffic Selectors Responder */
	size_t pol_tsdst_count;

	struct iked_cfg pol_cfg[IKED_CFG_MAX];
	unsigned int pol_ncfg;

	uint32_t pol_rekey;		/* ike SA lifetime */
	struct iked_lifetime pol_lifetime;	/* child SA lifetime */

	struct iked_sapeers pol_sapeers;

	TAILQ_ENTRY(iked_policy) pol_entry;
};
TAILQ_HEAD(iked_policies, iked_policy);

/* PRF / integrity algorithm instance (see hash_* in crypto.c). */
struct iked_hash {
	uint8_t hash_type;		/* PRF or INTEGR */
	uint16_t hash_id;		/* IKE PRF/INTEGR hash id */
	const void *hash_priv;		/* Identifying the hash alg */
	void *hash_ctx;			/* Context of the current invocation */
	int hash_fixedkey;		/* Requires fixed key length */
	struct ibuf *hash_key;		/* MAC key derived from key seed */
	size_t hash_length;		/* Output length */
	size_t hash_trunc;		/* Truncate the output length */
	struct iked_hash *hash_prf;	/* PRF pointer */
	int hash_isaead;		/* integrity provided by an AEAD cipher */
};

/* Encryption algorithm instance (see cipher_* in crypto.c). */
struct iked_cipher {
	uint8_t encr_type;		/* ENCR */
	uint16_t encr_id;		/* IKE ENCR hash id */
	const void *encr_priv;		/* Identifying the hash alg */
	void *encr_ctx;			/* Context of the current invocation */
	int encr_fixedkey;		/* Requires fixed key length */
	struct ibuf *encr_key;		/* MAC key derived from key seed */
	struct ibuf *encr_iv;		/* Initialization Vector */
	uint64_t encr_civ;		/* Counter IV for GCM */
	size_t encr_ivlength;		/* IV length */
	size_t encr_length;		/* Block length */
	size_t encr_saltlength;		/* IV salt length */
	uint16_t encr_authid;		/* ID of associated authentication */
};

/* Signature / MAC context used for the AUTH payload (see dsa_* in crypto.c). */
struct iked_dsa {
	uint8_t dsa_method;		/* AUTH method */
	const void *dsa_priv;		/* PRF or signature hash function */
	void *dsa_ctx;			/* PRF or signature hash ctx */
	struct ibuf *dsa_keydata;	/* public, private or shared key */
	void *dsa_key;			/* parsed public or private key */
	int dsa_hmac;			/* HMAC or public/private key */
	int dsa_sign;			/* Sign or verify operation */
	uint32_t dsa_flags;		/* State flags */
};

/* Identity or certificate payload held in a buffer. */
struct iked_id {
	uint8_t id_type;
	uint8_t id_offset;
	struct ibuf *id_buf;
};

/*
 * Per-SA progress bits (sa_stateflags). IKED_REQ_BITS is the printf %b
 * description string for them and must stay in sync with the list.
 */
#define IKED_REQ_CERT 0x0001		/* get local certificate (if required) */
#define IKED_REQ_CERTVALID 0x0002	/* validated the peer cert */
#define IKED_REQ_CERTREQ 0x0004		/* CERTREQ has been received */
#define IKED_REQ_AUTH 0x0008		/* AUTH payload */
#define IKED_REQ_AUTHVALID 0x0010	/* AUTH payload has been verified */
#define IKED_REQ_SA 0x0020		/* SA available */
#define IKED_REQ_EAPVALID 0x0040	/* EAP payload has been verified */
#define IKED_REQ_CHILDSA 0x0080		/* Child SA initiated */
#define IKED_REQ_INF 0x0100		/* Informational exchange initiated */

#define IKED_REQ_BITS \
	"\20\01CERT\02CERTVALID\03CERTREQ\04AUTH\05AUTHVALID\06SA\07EAPVALID" \
	"\10CHILDSA\11INF"

TAILQ_HEAD(iked_msgqueue, iked_msg_retransmit);
TAILQ_HEAD(iked_msg_fragqueue, iked_message);

/* SA lookup key: both SPIs plus our role. __packed, it is also sent over imsg. */
struct iked_sahdr {
	uint64_t sh_ispi;		/* Initiator SPI */
	uint64_t sh_rspi;		/* Responder SPI */
	unsigned int sh_initiator;	/* Is initiator? */
} __packed;

/* Key-exchange state of an IKE SA: nonces, DH group and exchange values. */
struct iked_kex {
	struct ibuf *kex_inonce;	/* Ni */
	struct ibuf *kex_rnonce;	/* Nr */

	struct dh_group *kex_dhgroup;	/* DH group */
	struct ibuf *kex_dhiexchange;
	struct ibuf *kex_dhrexchange;
	struct ibuf *kex_dhpeer;	/* pointer to i or r */
};

/* One received IKE fragment. */
struct iked_frag_entry {
	uint8_t *frag_data;
	size_t frag_size;
};

/*
 * Reassembly state for IKEv2 fragmentation. IKED_FRAG_TOTAL_MAX bounds
 * the peer-announced fragment count so a peer cannot make us allocate an
 * unbounded frag_arr.
 */
struct iked_frag {
	struct iked_frag_entry **frag_arr;	/* list of fragment buffers */
	size_t frag_count;			/* number of fragments received */
#define IKED_FRAG_TOTAL_MAX 111		/* upper limit (64kB / 576B) */
	size_t frag_total;			/* total number of fragments */
	size_t frag_total_size;
	uint8_t frag_nextpayload;

};

/* IPComp negotiation result for one direction. */
struct iked_ipcomp {
	uint16_t ic_cpi_out;		/* outgoing CPI */
	uint16_t ic_cpi_in;		/* incoming CPI */
	uint8_t ic_transform;		/* transform */
};

/* Per-SA traffic counters. */
struct iked_sastats {
	uint64_t sas_ipackets;
	uint64_t sas_opackets;
	uint64_t sas_ibytes;
	uint64_t sas_obytes;
	uint64_t sas_idrops;
	uint64_t sas_odrops;
};

/*
 * An IKE SA. sa_msgid/sa_reqid track the IKEv2 message-id window
 * (duplicate and replayed requests are rejected by comparing against
 * them); sa_key_* are the derived SK_* secrets and sa_kex the nonces and
 * DH values. All of these are secret material and are presumably
 * released by config_free_sa — confirm that path also wipes them.
 */
struct iked_sa {
	struct iked_sahdr sa_hdr;
	uint32_t sa_msgid;		/* Last request rcvd */
	int sa_msgid_set;		/* msgid initialized */
	uint32_t sa_msgid_current;	/* Current requested rcvd */
	uint32_t sa_reqid;		/* Next request sent */

	int sa_type;
#define IKED_SATYPE_LOOKUP 0		/* Used for lookup */
#define IKED_SATYPE_LOCAL 1		/* Local SA */

	struct iked_addr sa_peer;
	struct iked_addr sa_peer_loaded;	/* MOBIKE */
	struct iked_addr sa_local;
	int sa_fd;

	struct iked_frag sa_fragments;

	int sa_natt;			/* for IKE messages */
	int sa_udpencap;		/* for pfkey */
	int sa_usekeepalive;		/* NAT-T keepalive */

	int sa_state;
	unsigned int sa_stateflags;	/* IKED_REQ_* bits */
	unsigned int sa_stateinit;	/* SA_INIT */
	unsigned int sa_statevalid;	/* IKE_AUTH */

	int sa_cp;			/* XXX */
	struct iked_addr *sa_cp_addr;	/* requested address */
	struct iked_addr *sa_cp_addr6;	/* requested address */
	struct iked_addr *sa_cp_dns;	/* requested dns */

	struct iked_policy *sa_policy;
	struct timeval sa_timecreated;
	struct timeval sa_timeused;

	char *sa_tag;
	const char *sa_reason;		/* reason for close */

	struct iked_kex sa_kex;
	/* XXX compat defines until everything is converted */
#define sa_inonce sa_kex.kex_inonce
#define sa_rnonce sa_kex.kex_rnonce
#define sa_dhgroup sa_kex.kex_dhgroup
#define sa_dhiexchange sa_kex.kex_dhiexchange
#define sa_dhrexchange sa_kex.kex_dhrexchange
#define sa_dhpeer sa_kex.kex_dhpeer

	struct iked_hash *sa_prf;	/* PRF alg */
	struct iked_hash *sa_integr;	/* integrity alg */
	struct iked_cipher *sa_encr;	/* encryption alg */

	struct ibuf *sa_key_d;		/* SK_d */
	struct ibuf *sa_key_iauth;	/* SK_ai */
	struct ibuf *sa_key_rauth;	/* SK_ar */
	struct ibuf *sa_key_iencr;	/* SK_ei */
	struct ibuf *sa_key_rencr;	/* SK_er */
	struct ibuf *sa_key_iprf;	/* SK_pi */
	struct ibuf *sa_key_rprf;	/* SK_pr */

	struct ibuf *sa_1stmsg;		/* for initiator AUTH */
	struct ibuf *sa_2ndmsg;		/* for responder AUTH */
	struct iked_id sa_localauth;	/* local AUTH message */
	struct iked_id sa_peerauth;	/* peer AUTH message */
	int sa_sigsha2;			/* use SHA2 for signatures */
#define IKED_SCERT_MAX 3		/* max # of supplemental cert payloads */

	struct iked_id sa_iid;		/* initiator id */
	struct iked_id sa_rid;		/* responder id */
	struct iked_id sa_icert;	/* initiator cert */
	struct iked_id sa_rcert;	/* responder cert */
	struct iked_id sa_scert[IKED_SCERT_MAX];	/* supplemental certs */
/* Our own / the peer's identity, selected by the SA's role. */
#define IKESA_SRCID(x) ((x)->sa_hdr.sh_initiator ? &(x)->sa_iid : &(x)->sa_rid)
#define IKESA_DSTID(x) ((x)->sa_hdr.sh_initiator ? &(x)->sa_rid : &(x)->sa_iid)

	char *sa_eapid;			/* EAP identity */
	struct iked_id sa_eap;		/* EAP challenge */
	struct ibuf *sa_eapmsk;		/* EAP MSK (session key) */
	struct ibuf *sa_eapclass;	/* EAP/RADIUS class */

	struct iked_proposals sa_proposals;	/* SA proposals */
	struct iked_childsas sa_childsas;	/* IPsec Child SAs */
	struct iked_saflows sa_flows;		/* IPsec flows */
	struct iked_sastats sa_stats;

	struct iked_sa *sa_nexti;	/* initiated IKE SA */
	struct iked_sa *sa_previ;	/* matching back pointer */
	struct iked_sa *sa_nextr;	/* simultaneous rekey */
	struct iked_sa *sa_prevr;	/* matching back pointer */
	uint64_t sa_rekeyspi;		/* peerspi CSA rekey */
	struct ibuf *sa_simult;		/* simultaneous rekey */

	struct iked_ipcomp sa_ipcompi;	/* IPcomp initiator */
	struct iked_ipcomp sa_ipcompr;	/* IPcomp responder */

	int sa_mobike;			/* MOBIKE */
	int sa_frag;			/* fragmentation */

	int sa_use_transport_mode;	/* peer requested */
	int sa_used_transport_mode;	/* we enabled */

	struct iked_timer sa_timer;	/* SA timeouts */
#define IKED_IKE_SA_EXCHANGE_TIMEOUT 300	/* 5 minutes */
#define IKED_IKE_SA_REKEY_TIMEOUT 120		/* 2 minutes */
#define IKED_IKE_SA_DELETE_TIMEOUT 120		/* 2 minutes */
#define IKED_IKE_SA_ALIVE_TIMEOUT 60		/* 1 minute */

	struct iked_timer sa_keepalive;	/* keepalive timer */
#define IKED_IKE_SA_KEEPALIVE_TIMEOUT 20	/* seconds */

	struct iked_timer sa_rekey;	/* rekey timeout */
	int sa_tmpfail;

	struct iked_msgqueue sa_requests;	/* request queue */
#define IKED_RETRANSMIT_TIMEOUT 2		/* 2 seconds */

	struct iked_msgqueue sa_responses;	/* response queue */
#define IKED_RESPONSE_TIMEOUT 120		/* 2 minutes */

	TAILQ_ENTRY(iked_sa) sa_peer_entry;
	RB_ENTRY(iked_sa) sa_entry;		/* all SAs */

	RB_ENTRY(iked_sa) sa_dstid_entry;	/* SAs by DSTID */
	int sa_dstid_entry_valid;		/* sa_dstid_entry valid */

	struct iked_addr *sa_addrpool;		/* address from pool */
	RB_ENTRY(iked_sa) sa_addrpool_entry;	/* pool entries */

	struct iked_addr *sa_addrpool6;		/* address from pool */
	RB_ENTRY(iked_sa) sa_addrpool6_entry;	/* pool entries */
	time_t sa_last_recvd;
#define IKED_IKE_SA_LAST_RECVD_TIMEOUT 300	/* 5 minutes */
	struct timespec sa_starttime;

	struct iked_radserver_req *sa_radreq;
	struct iked_addr *sa_rad_addr;		/* requested address */
	struct iked_addr *sa_rad_addr6;		/* requested address */
};
RB_HEAD(iked_sas, iked_sa);
RB_HEAD(iked_dstid_sas, iked_sa);
RB_HEAD(iked_addrpool, iked_sa);
RB_HEAD(iked_addrpool6, iked_sa);

/* stats */

/* Daemon-wide counters (sc_stats); updated through ikestat_*. */
struct iked_stats {
	uint64_t ikes_sa_created;
	uint64_t ikes_sa_established_total;
	uint64_t ikes_sa_established_current;	/* gauge */
	uint64_t ikes_sa_established_failures;
	uint64_t ikes_sa_proposals_negotiate_failures;
	uint64_t ikes_sa_rekeyed;
	uint64_t ikes_sa_removed;
	uint64_t ikes_csa_created;
	uint64_t ikes_csa_removed;
	uint64_t ikes_msg_sent;
	uint64_t ikes_msg_send_failures;
	uint64_t ikes_msg_rcvd;
	uint64_t ikes_msg_rcvd_busy;
	uint64_t ikes_msg_rcvd_dropped;
	uint64_t ikes_retransmit_request;
	uint64_t ikes_retransmit_response;
	uint64_t ikes_retransmit_limit;
	uint64_t ikes_frag_sent;
	uint64_t ikes_frag_send_failures;
	uint64_t ikes_frag_rcvd;
	uint64_t ikes_frag_rcvd_drop;
	uint64_t ikes_frag_reass_ok;
	uint64_t ikes_frag_reass_drop;
	uint64_t ikes_update_addresses_sent;
	uint64_t ikes_dpd_sent;
	uint64_t ikes_keepalive_sent;
};

/*
 * Counter helpers. `env' is not parenthesized, so pass a plain pointer
 * variable. ikestat_dec adds -1 to a uint64_t, which wraps modulo 2^64
 * and therefore decrements as intended.
 */
#define ikestat_add(env, c, n) do { env->sc_stats.c += (n); } while(0)
#define ikestat_inc(env, c) ikestat_add(env, c, 1)
#define ikestat_dec(env, c) ikestat_add(env, c, -1)

/* A CERTREQ payload received from the peer. */
struct iked_certreq {
	struct ibuf *cr_data;
	uint8_t cr_type;
	SIMPLEQ_ENTRY(iked_certreq) cr_entry;
};
SIMPLEQ_HEAD(iked_certreqs, iked_certreq);
/* EAP server state machine values kept in eap_msg.eam_state. */
#define EAP_STATE_IDENTITY (1)
#define EAP_STATE_MSCHAPV2_CHALLENGE (2)
#define EAP_STATE_MSCHAPV2_SUCCESS (3)
#define EAP_STATE_SUCCESS (4)

/*
 * Parsed EAP exchange state. eam_challenge (16 bytes) and eam_ntresponse
 * (24 bytes) are the MS-CHAPv2 challenge and NT-Response.
 */
struct eap_msg {
	char *eam_identity;
	char *eam_user;
	int eam_type;
	uint8_t eam_id;
	uint8_t eam_msrid;
	int eam_success;
	int eam_found;
	int eam_response;
	uint8_t eam_challenge[16];
	uint8_t eam_ntresponse[24];
	uint32_t eam_state;
};

/*
 * One IKE message (inbound or outbound) plus everything parsed out of it.
 * msg_data holds the raw bytes and msg_offset the current parse position.
 * Everything under "Parsed information" originates from the peer and is
 * only as trustworthy as the SA state it was received in.
 */
struct iked_message {
	struct ibuf *msg_data;
	size_t msg_offset;

	struct sockaddr_storage msg_local;
	socklen_t msg_locallen;

	struct sockaddr_storage msg_peer;
	socklen_t msg_peerlen;

	struct iked_socket *msg_sock;

	int msg_fd;
	int msg_response;
	int msg_responded;
	int msg_valid;
	int msg_natt;
	int msg_natt_rcvd;
	int msg_nat_detected;		/* IKED_MSG_NAT_* bits */
	int msg_error;
	int msg_e;			/* inside an encrypted payload */
	struct iked_message *msg_parent;

	/* Associated policy and SA */
	struct iked_policy *msg_policy;
	struct iked_sa *msg_sa;

	uint32_t msg_msgid;
	uint8_t msg_exchange;

	/* Parsed information */
	struct iked_proposals msg_proposals;
	struct iked_certreqs msg_certreqs;
	struct iked_spi msg_rekey;
	struct ibuf *msg_nonce;		/* dh NONCE */
	uint16_t msg_dhgroup;		/* dh group */
	struct ibuf *msg_ke;		/* dh key exchange */
	struct iked_id msg_auth;	/* AUTH payload */
	struct iked_id msg_peerid;
	struct iked_id msg_localid;
	struct iked_id msg_cert;
	struct iked_id msg_scert[IKED_SCERT_MAX];	/* supplemental certs */
	struct ibuf *msg_cookie;
	uint16_t msg_group;
	uint16_t msg_cpi;
	uint8_t msg_transform;
	uint16_t msg_flags;		/* IKED_MSG_FLAGS_* bits */
	struct eap_msg msg_eap;
	struct ibuf *msg_eapmsg;
	size_t msg_del_spisize;
	size_t msg_del_cnt;
	struct ibuf *msg_del_buf;
	int msg_del_protoid;
	int msg_cp;
	struct iked_addr *msg_cp_addr;	/* requested address */
	struct iked_addr *msg_cp_addr6;	/* requested address */
	struct iked_addr *msg_cp_dns;	/* requested dns */
	uint16_t msg_frag_num;

	/* MOBIKE */
	int msg_update_sa_addresses;
	struct ibuf *msg_cookie2;

	/* Parse stack */
	struct iked_proposal *msg_prop;
	uint16_t msg_attrlength;

	/* Retransmit queue */
	TAILQ_ENTRY(iked_message) msg_entry;
};

/*
 * A sent message (possibly several fragments) waiting on the retransmit
 * queue; given up after IKED_RETRANSMIT_TRIES attempts.
 */
struct iked_msg_retransmit {
	struct iked_msg_fragqueue mrt_frags;
	TAILQ_ENTRY(iked_msg_retransmit) mrt_entry;
	struct iked_timer mrt_timer;
	int mrt_tries;
#define IKED_RETRANSMIT_TRIES 5		/* try 5 times */
};

/* msg_nat_detected bits. */
#define IKED_MSG_NAT_SRC_IP 0x01
#define IKED_MSG_NAT_DST_IP 0x02

/* msg_flags bits: notifications seen in the message. */
#define IKED_MSG_FLAGS_FRAGMENTATION 0x0001
#define IKED_MSG_FLAGS_MOBIKE 0x0002
#define IKED_MSG_FLAGS_SIGSHA2 0x0004
#define IKED_MSG_FLAGS_CHILD_SA_NOT_FOUND 0x0008
#define IKED_MSG_FLAGS_NO_ADDITIONAL_SAS 0x0010
#define IKED_MSG_FLAGS_AUTHENTICATION_FAILED 0x0020
#define IKED_MSG_FLAGS_INVALID_KE 0x0040
#define IKED_MSG_FLAGS_IPCOMP_SUPPORTED 0x0080
#define IKED_MSG_FLAGS_USE_TRANSPORT 0x0100
#define IKED_MSG_FLAGS_TEMPORARY_FAILURE 0x0200
#define IKED_MSG_FLAGS_NO_PROPOSAL_CHOSEN 0x0400


/*
 * Local user database entry (RB tree ordered by user_cmp). usr_pass is
 * credential material and must be treated as secret.
 */
struct iked_user {
	char usr_name[LOGIN_NAME_MAX];
	char usr_pass[IKED_PASSWORD_SIZE];
	RB_ENTRY(iked_user) usr_entry;
};
RB_HEAD(iked_users, iked_user);

struct iked_radserver_req;

/*
 * A configured RADIUS server. rs_secret is a flexible array member: the
 * shared secret is stored inline after the struct, so the allocation must
 * include room for it (see config_setradserver). The secret must never be
 * logged.
 */
struct iked_radserver {
	int rs_sock;
	int rs_accounting;
	struct event rs_ev;
	struct iked *rs_env;
	struct sockaddr_storage rs_sockaddr;
	TAILQ_ENTRY(iked_radserver) rs_entry;
	struct in_addr rs_nas_ipv4;
	struct in6_addr rs_nas_ipv6;
	unsigned int rs_reqseq;
	TAILQ_HEAD(, iked_radserver_req) rs_reqs;
	char rs_secret[];
};
TAILQ_HEAD(iked_radservers, iked_radserver);

/* Listening socket for RADIUS Dynamic Authorization (DAE) requests. */
struct iked_raddae {
	int rd_sock;
	struct event rd_ev;
	struct iked *rd_env;
	struct sockaddr_storage rd_sockaddr;
	TAILQ_ENTRY(iked_raddae) rd_entry;
};
TAILQ_HEAD(iked_raddaes, iked_raddae);

/* A client allowed to send DAE requests; rc_secret is inline like rs_secret. */
struct iked_radclient {
	struct iked *rc_env;
	struct sockaddr_storage rc_sockaddr;
	TAILQ_ENTRY(iked_radclient) rc_entry;
	char rc_secret[];
};
TAILQ_HEAD(iked_radclients , iked_radclient);

/* RADIUS retry/failover limits. */
struct iked_radopts {
	int max_tries;
	int max_failovers;
};

/* Mapping from a RADIUS (vendor) attribute to an IKE CP attribute type. */
struct iked_radcfgmap {
	uint16_t cfg_type;
	uint32_t vendor_id;
	uint8_t attr_type;
	TAILQ_ENTRY(iked_radcfgmap) entry;
};
TAILQ_HEAD(iked_radcfgmaps, iked_radcfgmap);

extern const struct iked_radcfgmap radius_cfgmaps[];

/* An outstanding RADIUS request tied to an IKE SA. */
struct iked_radserver_req {
	struct iked_radserver *rr_server;
	struct iked_sa *rr_sa;
	struct iked_timer rr_timer;
	int rr_reqid;
	int rr_accounting;
	struct timespec rr_accttime;
	void *rr_reqpkt;
	struct ibuf *rr_state;
	char *rr_user;
	int rr_ntry;
	int rr_nfailover;
	struct iked_cfg rr_cfg[IKED_CFG_MAX];
	unsigned int rr_ncfg;
	TAILQ_ENTRY(iked_radserver_req) rr_entry;
};

/* Socketpairs from one process to every other process. */
struct privsep_pipes {
	int *pp_pipes[PROC_MAX];
};

/*
 * Privilege-separation state: inter-process pipes and imsg events, child
 * pids, the control socket and the signal handlers. ps_pw is the passwd
 * entry the unprivileged processes presumably switch to — confirm in
 * proc.c.
 */
struct privsep {
	struct privsep_pipes *ps_pipes[PROC_MAX];
	struct privsep_pipes *ps_pp;

	struct imsgev *ps_ievs[PROC_MAX];
	const char *ps_title[PROC_MAX];
	pid_t ps_pid[PROC_MAX];
	struct passwd *ps_pw;
	int ps_noaction;

	struct control_sock ps_csock;

	unsigned int ps_instances[PROC_MAX];
	unsigned int ps_ninstances;
	unsigned int ps_instance;

	/* Event and signal handlers */
	struct event ps_evsigint;
	struct event ps_evsigterm;
	struct event ps_evsigchld;
	struct event ps_evsighup;
	struct event ps_evsigpipe;
	struct event ps_evsigusr1;

	struct iked *ps_env;
	unsigned int ps_connecting;
	void (*ps_connected)(struct privsep *);
};

/*
 * Static description of one privsep process: its imsg dispatch callback
 * (p_cb), init/shutdown hooks, and the chroot directory and user it runs
 * as.
 */
struct privsep_proc {
	const char *p_title;
	enum privsep_procid p_id;
	int (*p_cb)(int, struct privsep_proc *, struct imsg *);
	void (*p_init)(struct privsep *, struct privsep_proc *);
	const char *p_chroot;
	struct passwd *p_pw;
	struct privsep *p_ps;
	void (*p_shutdown)(void);
};

/* Identifies a (process, instance) pair when passing descriptors. */
struct privsep_fd {
	enum privsep_procid pf_procid;
	unsigned int pf_instance;
};

#define PROC_PARENT_SOCK_FILENO 3	/* fd a child inherits for the parent socket */
#define PROC_MAX_INSTANCES 32

/* A pending OCSP request. */
struct iked_ocsp_entry {
	TAILQ_ENTRY(iked_ocsp_entry) ioe_entry;	/* next request */
	void *ioe_ocsp;				/* private ocsp request data */
};
TAILQ_HEAD(iked_ocsp_requests, iked_ocsp_entry);

/*
 * Daemon configuration
 */

enum natt_mode {
	NATT_DEFAULT,	/* send/recv with both :500 and NAT-T port */
	NATT_DISABLE,	/* send/recv with only :500 */
	NATT_FORCE,	/* send/recv with only NAT-T port */
};

/*
 * Global settings shared with the child processes as one block (see
 * config_setstatic/config_getstatic). Accessed through the sc_* aliases
 * in struct iked.
 */
struct iked_static {
	uint64_t st_alive_timeout;
	int st_cert_partial_chain;
	int st_enforcesingleikesa;
	uint8_t st_frag;		/* fragmentation */
	uint8_t st_mobike;		/* MOBIKE */
	in_port_t st_nattport;
	int st_stickyaddress;		/* addr per DSTID */
	int st_vendorid;
};

/* Daemon-wide state; one instance per process. */
struct iked {
	char sc_conffile[PATH_MAX];

	uint32_t sc_opts;
	enum natt_mode sc_nattmode;
	uint8_t sc_passive;
	uint8_t sc_decoupled;

	struct iked_static sc_static;

#define sc_alive_timeout sc_static.st_alive_timeout
#define sc_cert_partial_chain sc_static.st_cert_partial_chain
#define sc_enforcesingleikesa sc_static.st_enforcesingleikesa
#define sc_frag sc_static.st_frag
#define sc_mobike sc_static.st_mobike
#define sc_nattport sc_static.st_nattport
#define sc_stickyaddress sc_static.st_stickyaddress
#define sc_vendorid sc_static.st_vendorid

	struct iked_policies sc_policies;
	struct iked_policy *sc_defaultcon;

	struct iked_sas sc_sas;
	struct iked_dstid_sas sc_dstid_sas;
	struct iked_activesas sc_activesas;
	struct iked_flows sc_activeflows;
	struct iked_users sc_users;
	struct iked_radopts sc_radauth;
	struct iked_radopts sc_radacct;
	int sc_radaccton;
	struct iked_radservers sc_radauthservers;
	struct iked_radservers sc_radacctservers;
	struct iked_radcfgmaps sc_radcfgmaps;
	struct iked_raddaes sc_raddaes;
	struct iked_radclients sc_raddaeclients;

	struct iked_stats sc_stats;

	void *sc_priv;			/* per-process */

	int sc_pfkey;			/* ike process */
	struct event sc_pfkeyev;
	struct event sc_routeev;
	uint8_t sc_certreqtype;
	struct ibuf *sc_certreq;
	void *sc_vroute;

	struct iked_socket *sc_sock4[2];	/* :500 and NAT-T port */
	struct iked_socket *sc_sock6[2];

	struct iked_timer sc_inittmr;
#define IKED_INITIATOR_INITIAL 2	/* seconds */
#define IKED_INITIATOR_INTERVAL 60	/* seconds */

	struct privsep sc_ps;

	struct iked_ocsp_requests sc_ocsp;
	char *sc_ocsp_url;
	long sc_ocsp_tolerate;
	long sc_ocsp_maxage;

	struct iked_addrpool sc_addrpool;
	struct iked_addrpool6 sc_addrpool6;
};

/* A bound UDP socket with its libevent state. */
struct iked_socket {
	int sock_fd;
	struct event sock_ev;
	struct iked *sock_env;
	struct sockaddr_storage sock_addr;
};

/* Transform table entry: config name, IKE id and key/nonce sizes. */
struct ipsec_xf {
	const char *name;
	unsigned int id;
	unsigned int length;
	unsigned int keylength;
	unsigned int nonce;
	unsigned int noauth;
};

/* Transforms selected for one proposal, per transform type. */
struct ipsec_transforms {
	const struct ipsec_xf **authxf;
	unsigned int nauthxf;
	const struct ipsec_xf **prfxf;
	unsigned int nprfxf;
	const struct ipsec_xf **encxf;
	unsigned int nencxf;
	const struct ipsec_xf **groupxf;
	unsigned int ngroupxf;
	const struct ipsec_xf **esnxf;
	unsigned int nesnxf;
};

struct ipsec_mode {
	struct ipsec_transforms **xfs;
	unsigned int nxfs;
};

/* iked.c */
void parent_reload(struct iked *, int, const char *);

extern struct iked *iked_env;

/* control.c */
void control(struct privsep *, struct privsep_proc *);
int control_init(struct privsep *, struct control_sock *);
int control_listen(struct control_sock *);

/* config.c */
/*
 * The config_set*/config_get* pairs ship configuration from the parent
 * to a child process over imsg: the setter serialises, the getter
 * deserialises from a struct imsg. The config_free_* helpers release the
 * corresponding objects (including SA key material for config_free_sa).
 */
struct iked_policy * config_new_policy(struct iked *);
void config_free_kex(struct iked_kex *);
void config_free_fragments(struct iked_frag *);
void config_free_sa(struct iked *, struct iked_sa *);
struct iked_sa * config_new_sa(struct iked *, int);
struct iked_user * config_new_user(struct iked *, struct iked_user *);
uint64_t config_getspi(void);
struct iked_transform * config_findtransform(struct iked_proposals *, uint8_t, unsigned int);
struct iked_transform * config_findtransform_ext(struct iked_proposals *, uint8_t,int, unsigned int);
void config_free_policy(struct iked *, struct iked_policy *);
struct iked_proposal * config_add_proposal(struct iked_proposals *, unsigned int, unsigned int);
void config_free_proposal(struct iked_proposals *, struct iked_proposal *);
void config_free_proposals(struct iked_proposals *, unsigned int);
void config_free_flows(struct iked *, struct iked_flows *);
void config_free_childsas(struct iked *, struct iked_childsas *, struct iked_spi *, struct iked_spi *);
int config_add_transform(struct iked_proposal *, unsigned int, unsigned int, unsigned int, unsigned int);
int config_setcoupled(struct iked *, unsigned int);
int config_getcoupled(struct iked *, unsigned int);
int config_setmode(struct iked *, unsigned int);
int config_getmode(struct iked *, unsigned int);
int config_setreset(struct iked *, unsigned int, enum privsep_procid);
int config_getreset(struct iked *, struct imsg *);
int config_doreset(struct iked *, unsigned int);
int config_setpolicy(struct iked *, struct iked_policy *, enum privsep_procid);
int config_getpolicy(struct iked *, struct imsg *);
int config_setflow(struct iked *, struct iked_policy *, enum privsep_procid);
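int config_getflow(struct iked *, struct imsg *);
int config_setsocket(struct iked *, struct sockaddr_storage *, in_port_t, enum privsep_procid);
int config_getsocket(struct iked *env, struct imsg *, void (*cb)(int, short, void *));
void config_enablesocket(struct iked *env);
int config_setpfkey(struct iked *);
int config_getpfkey(struct iked *, struct imsg *);
int config_setuser(struct iked *, struct iked_user *, enum privsep_procid);
int config_getuser(struct iked *, struct imsg *);
int config_setcompile(struct iked *, enum privsep_procid);
int config_getcompile(struct iked *);
int config_setocsp(struct iked *);
int config_getocsp(struct iked *, struct imsg *);
int config_setkeys(struct iked *);
int config_getkey(struct iked *, struct imsg *);
int config_setstatic(struct iked *);
int config_getstatic(struct iked *, struct imsg *);
int config_setradauth(struct iked *);
int config_getradauth(struct iked *, struct imsg *);
int config_setradacct(struct iked *);
int config_getradacct(struct iked *, struct imsg *);
/* The char * argument is the shared secret; it is copied into rs_secret. */
int config_setradserver(struct iked *, struct sockaddr *, socklen_t, char *, int);
int config_getradserver(struct iked *, struct imsg *);
int config_setradcfgmap(struct iked *, int, uint32_t, uint8_t);
int config_getradcfgmap(struct iked *, struct imsg *);
int config_setraddae(struct iked *, struct sockaddr *, socklen_t);
int config_getraddae(struct iked *, struct imsg *);
int config_setradclient(struct iked *, struct sockaddr *, socklen_t, char *);
int config_getradclient(struct iked *, struct imsg *);

/* policy.c */
/*
 * Policy matching and SA bookkeeping. policy_ref/policy_unref maintain
 * pol_refcnt; sa_new/sa_free own the struct iked_sa lifecycle and the
 * sa_* lookup helpers search the RB trees declared below.
 */
void policy_init(struct iked *);
int policy_lookup(struct iked *, struct iked_message *, struct iked_proposals *, struct iked_flows *, int);
int policy_lookup_sa(struct iked *, struct iked_sa *);
struct iked_policy * policy_test(struct iked *, struct iked_policy *);
int policy_generate_ts(struct iked_policy *);
void policy_calc_skip_steps(struct iked_policies *);
void policy_ref(struct iked *, struct iked_policy *);
void policy_unref(struct iked *, struct iked_policy *);
void sa_state(struct iked *, struct iked_sa *, int);
void sa_stateflags(struct iked_sa *, unsigned int);
int sa_stateok(const struct iked_sa *, int);
struct iked_sa * sa_new(struct iked *, uint64_t, uint64_t, unsigned int, struct iked_policy *);
void sa_free(struct iked *, struct iked_sa *);
void sa_free_flows(struct iked *, struct iked_saflows *);
int sa_configure_iface(struct iked *, struct iked_sa *, int);
int sa_address(struct iked_sa *, struct iked_addr *, struct sockaddr *);
void childsa_free(struct iked_childsa *);
struct iked_childsa * childsa_lookup(struct iked_sa *, uint64_t, uint8_t);
void flow_free(struct iked_flow *);
int flow_equal(struct iked_flow *, struct iked_flow *);
struct iked_sa * sa_lookup(struct iked *, uint64_t, uint64_t, unsigned int);
struct iked_user * user_lookup(struct iked *, const char *);
struct iked_sa * sa_dstid_lookup(struct iked *, struct iked_sa *);
struct iked_sa * sa_dstid_insert(struct iked *, struct iked_sa *);
void sa_dstid_remove(struct iked *, struct iked_sa *);
int proposals_negotiate(struct iked_proposals *, struct iked_proposals *, struct iked_proposals *, int, int);
/*
 * RB tree function prototypes. RB_PROTOTYPE only uses the name/type
 * arguments, but the field argument is kept equal to the RB_ENTRY member
 * of each struct so it matches the RB_GENERATE in the .c file; the
 * iked_users entry is usr_entry (struct iked_user above).
 */
RB_PROTOTYPE(iked_sas, iked_sa, sa_entry, sa_cmp);
RB_PROTOTYPE(iked_dstid_sas, iked_sa, sa_dstid_entry, sa_dstid_cmp);
RB_PROTOTYPE(iked_addrpool, iked_sa, sa_addrpool_entry, sa_addrpool_cmp);
RB_PROTOTYPE(iked_addrpool6, iked_sa, sa_addrpool6_entry, sa_addrpool6_cmp);
RB_PROTOTYPE(iked_users, iked_user, usr_entry, user_cmp);
RB_PROTOTYPE(iked_activesas, iked_childsa, csa_node, childsa_cmp);
RB_PROTOTYPE(iked_flows, iked_flow, flow_node, flow_cmp);

/* crypto.c */
/*
 * PRF/integrity (hash_*), cipher (cipher_*) and signature/MAC (dsa_*)
 * wrappers around the libcrypto primitives. cipher_aad feeds additional
 * authenticated data and cipher_settag/cipher_gettag carry the
 * authentication tag for AEAD ciphers; cipher_final must be checked, as
 * it is where decryption authentication fails.
 */
struct iked_hash * hash_new(uint8_t, uint16_t);
struct ibuf * hash_setkey(struct iked_hash *, void *, size_t);
void hash_free(struct iked_hash *);
void hash_init(struct iked_hash *);
void hash_update(struct iked_hash *, void *, size_t);
void hash_final(struct iked_hash *, void *, size_t *);
size_t hash_keylength(struct iked_hash *);
size_t hash_length(struct iked_hash *);

struct iked_cipher * cipher_new(uint8_t, uint16_t, uint16_t);
struct ibuf * cipher_setkey(struct iked_cipher *, const void *, size_t);
struct ibuf * cipher_setiv(struct iked_cipher *, const void *, size_t);
int cipher_settag(struct iked_cipher *, uint8_t *, size_t);
int cipher_gettag(struct iked_cipher *, uint8_t *, size_t);
void cipher_free(struct iked_cipher *);
int cipher_init(struct iked_cipher *, int);
int cipher_init_encrypt(struct iked_cipher *);
int cipher_init_decrypt(struct iked_cipher *);
void cipher_aad(struct iked_cipher *, const void *, size_t, size_t *);
int cipher_update(struct iked_cipher *, const void *, size_t, void *, size_t *);
int cipher_final(struct iked_cipher *);
size_t cipher_length(struct iked_cipher *);
size_t cipher_keylength(struct iked_cipher *);
size_t cipher_ivlength(struct iked_cipher *);
size_t cipher_outlength(struct iked_cipher *, size_t);

struct iked_dsa * dsa_new(uint8_t, struct iked_hash *, int);
struct iked_dsa * dsa_sign_new(uint8_t, struct iked_hash *);
struct iked_dsa * dsa_verify_new(uint8_t, struct iked_hash *);
struct ibuf * dsa_setkey(struct iked_dsa *, void *, size_t, uint8_t);
void dsa_free(struct iked_dsa *);
int dsa_init(struct iked_dsa *, const void *, size_t);
size_t dsa_prefix(struct iked_dsa *);
size_t dsa_length(struct iked_dsa *);
int dsa_update(struct iked_dsa *, const void *, size_t);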
1141 ssize_t dsa_sign_final(struct iked_dsa *, void *, size_t); 1142 ssize_t dsa_verify_final(struct iked_dsa *, void *, size_t); 1143 1144 /* vroute.c */ 1145 void vroute_init(struct iked *); 1146 int vroute_setaddr(struct iked *, int, struct sockaddr *, int, unsigned int); 1147 void vroute_cleanup(struct iked *); 1148 int vroute_getaddr(struct iked *, struct imsg *); 1149 int vroute_setdns(struct iked *, int, struct sockaddr *, unsigned int); 1150 int vroute_getdns(struct iked *, struct imsg *); 1151 int vroute_setaddroute(struct iked *, uint8_t, struct sockaddr *, 1152 uint8_t, struct sockaddr *); 1153 int vroute_setcloneroute(struct iked *, uint8_t, struct sockaddr *, 1154 uint8_t, struct sockaddr *); 1155 int vroute_setdelroute(struct iked *, uint8_t, struct sockaddr *, 1156 uint8_t, struct sockaddr *); 1157 int vroute_getroute(struct iked *, struct imsg *); 1158 int vroute_getcloneroute(struct iked *, struct imsg *); 1159 1160 /* ikev2.c */ 1161 void ikev2(struct privsep *, struct privsep_proc *); 1162 void ikev2_recv(struct iked *, struct iked_message *); 1163 void ikev2_init_ike_sa(struct iked *, void *); 1164 int ikev2_policy2id(struct iked_static_id *, struct iked_id *, int); 1165 int ikev2_childsa_enable(struct iked *, struct iked_sa *); 1166 int ikev2_childsa_delete(struct iked *, struct iked_sa *, 1167 uint8_t, uint64_t, uint64_t *, int); 1168 void ikev2_ikesa_recv_delete(struct iked *, struct iked_sa *); 1169 void ikev2_ike_sa_timeout(struct iked *env, void *); 1170 void ikev2_ike_sa_setreason(struct iked_sa *, char *); 1171 void ikev2_reset_alive_timer(struct iked *); 1172 int ikev2_ike_sa_delete(struct iked *, struct iked_sa *); 1173 1174 struct ibuf * 1175 ikev2_prfplus(struct iked_hash *, struct ibuf *, struct ibuf *, 1176 size_t); 1177 ssize_t ikev2_psk(struct iked_sa *, uint8_t *, size_t, uint8_t **); 1178 ssize_t ikev2_nat_detection(struct iked *, struct iked_message *, 1179 void *, size_t, unsigned int, int); 1180 void ikev2_enable_natt(struct 
iked *, struct iked_sa *, 1181 struct iked_message *, int); 1182 int ikev2_send_informational(struct iked *, struct iked_message *); 1183 int ikev2_send_ike_e(struct iked *, struct iked_sa *, struct ibuf *, 1184 uint8_t, uint8_t, int); 1185 struct ike_header * 1186 ikev2_add_header(struct ibuf *, struct iked_sa *, 1187 uint32_t, uint8_t, uint8_t, uint8_t); 1188 int ikev2_set_header(struct ike_header *, size_t); 1189 struct ikev2_payload * 1190 ikev2_add_payload(struct ibuf *); 1191 int ikev2_next_payload(struct ikev2_payload *, size_t, 1192 uint8_t); 1193 int ikev2_child_sa_acquire(struct iked *, struct iked_flow *); 1194 int ikev2_child_sa_drop(struct iked *, struct iked_spi *); 1195 int ikev2_child_sa_rekey(struct iked *, struct iked_spi *); 1196 void ikev2_disable_rekeying(struct iked *, struct iked_sa *); 1197 int ikev2_print_id(struct iked_id *, char *, size_t); 1198 int ikev2_print_static_id(struct iked_static_id *, char *, size_t); 1199 1200 const char *ikev2_ikesa_info(uint64_t, const char *msg); 1201 #define SPI_IH(hdr) ikev2_ikesa_info(betoh64((hdr)->ike_ispi), NULL) 1202 #define SPI_SH(sh, f) ikev2_ikesa_info((sh)->sh_ispi, (f)) 1203 #define SPI_SA(sa, f) SPI_SH(&(sa)->sa_hdr, (f)) 1204 1205 /* ikev2_msg.c */ 1206 void ikev2_msg_cb(int, short, void *); 1207 struct ibuf * 1208 ikev2_msg_init(struct iked *, struct iked_message *, 1209 struct sockaddr_storage *, socklen_t, 1210 struct sockaddr_storage *, socklen_t, int); 1211 struct iked_message * 1212 ikev2_msg_copy(struct iked *, struct iked_message *); 1213 void ikev2_msg_cleanup(struct iked *, struct iked_message *); 1214 uint32_t 1215 ikev2_msg_id(struct iked *, struct iked_sa *); 1216 struct ibuf 1217 *ikev2_msg_auth(struct iked *, struct iked_sa *, int); 1218 int ikev2_msg_authsign(struct iked *, struct iked_sa *, 1219 struct iked_auth *, struct ibuf *); 1220 int ikev2_msg_authverify(struct iked *, struct iked_sa *, 1221 struct iked_auth *, uint8_t *, size_t, struct ibuf *); 1222 int 
ikev2_msg_valid_ike_sa(struct iked *, struct ike_header *, 1223 struct iked_message *); 1224 int ikev2_msg_send(struct iked *, struct iked_message *); 1225 int ikev2_msg_send_encrypt(struct iked *, struct iked_sa *, 1226 struct ibuf **, uint8_t, uint8_t, int); 1227 struct ibuf 1228 *ikev2_msg_encrypt(struct iked *, struct iked_sa *, struct ibuf *, 1229 struct ibuf *); 1230 struct ibuf * 1231 ikev2_msg_decrypt(struct iked *, struct iked_sa *, 1232 struct ibuf *, struct ibuf *); 1233 int ikev2_msg_integr(struct iked *, struct iked_sa *, struct ibuf *); 1234 int ikev2_msg_frompeer(struct iked_message *); 1235 struct iked_socket * 1236 ikev2_msg_getsocket(struct iked *, int, int); 1237 int ikev2_msg_enqueue(struct iked *, struct iked_msgqueue *, 1238 struct iked_message *, int); 1239 int ikev2_msg_retransmit_response(struct iked *, struct iked_sa *, 1240 struct iked_message *, struct ike_header *); 1241 void ikev2_msg_prevail(struct iked *, struct iked_msgqueue *, 1242 struct iked_message *); 1243 void ikev2_msg_dispose(struct iked *, struct iked_msgqueue *, 1244 struct iked_msg_retransmit *); 1245 void ikev2_msg_flushqueue(struct iked *, struct iked_msgqueue *); 1246 struct iked_msg_retransmit * 1247 ikev2_msg_lookup(struct iked *, struct iked_msgqueue *, 1248 struct iked_message *, uint8_t); 1249 1250 /* ikev2_pld.c */ 1251 int ikev2_pld_parse(struct iked *, struct ike_header *, 1252 struct iked_message *, size_t); 1253 int ikev2_pld_parse_quick(struct iked *, struct ike_header *, 1254 struct iked_message *, size_t); 1255 1256 /* eap.c */ 1257 int eap_parse(struct iked *, const struct iked_sa *, struct iked_message*, 1258 void *, int); 1259 int eap_success(struct iked *, struct iked_sa *, int); 1260 int eap_identity_request(struct iked *, struct iked_sa *); 1261 int eap_mschap_challenge(struct iked *, struct iked_sa *, int, int, 1262 uint8_t *, size_t); 1263 int eap_mschap_success(struct iked *, struct iked_sa *, int); 1264 int eap_challenge_request(struct iked *, 
struct iked_sa *, int); 1265 1266 /* radius.c */ 1267 int iked_radius_request(struct iked *, struct iked_sa *, 1268 struct iked_message *); 1269 void iked_radius_request_free(struct iked *, struct iked_radserver_req *); 1270 void iked_radius_on_event(int, short, void *); 1271 void iked_radius_acct_on(struct iked *); 1272 void iked_radius_acct_off(struct iked *); 1273 void iked_radius_acct_start(struct iked *, struct iked_sa *); 1274 void iked_radius_acct_stop(struct iked *, struct iked_sa *); 1275 void iked_radius_dae_on_event(int, short, void *); 1276 1277 /* pfkey.c */ 1278 int pfkey_couple(struct iked *, struct iked_sas *, int); 1279 int pfkey_flow_add(struct iked *, struct iked_flow *); 1280 int pfkey_flow_delete(struct iked *, struct iked_flow *); 1281 int pfkey_sa_init(struct iked *, struct iked_childsa *, uint32_t *); 1282 int pfkey_sa_add(struct iked *, struct iked_childsa *, struct iked_childsa *); 1283 int pfkey_sa_update_addresses(struct iked *, struct iked_childsa *); 1284 int pfkey_sa_delete(struct iked *, struct iked_childsa *); 1285 int pfkey_sa_last_used(struct iked *, struct iked_childsa *, uint64_t *); 1286 int pfkey_flush(struct iked *); 1287 int pfkey_socket(struct iked *); 1288 void pfkey_init(struct iked *, int fd); 1289 1290 /* ca.c */ 1291 void caproc(struct privsep *, struct privsep_proc *); 1292 int ca_setreq(struct iked *, struct iked_sa *, struct iked_static_id *, 1293 uint8_t, uint8_t, uint8_t *, size_t, enum privsep_procid); 1294 int ca_setcert(struct iked *, struct iked_sahdr *, struct iked_id *, 1295 uint8_t, uint8_t *, size_t, enum privsep_procid); 1296 int ca_setauth(struct iked *, struct iked_sa *, 1297 struct ibuf *, enum privsep_procid); 1298 void ca_getkey(struct privsep *, struct iked_id *, enum imsg_type); 1299 int ca_certbundle_add(struct ibuf *, struct iked_id *); 1300 int ca_privkey_serialize(EVP_PKEY *, struct iked_id *); 1301 int ca_pubkey_serialize(EVP_PKEY *, struct iked_id *); 1302 void ca_sslerror(const char *); 1303 
char *ca_asn1_name(uint8_t *, size_t); 1304 void *ca_x509_name_parse(char *); 1305 void ca_cert_info(const char *, X509 *); 1306 1307 /* timer.c */ 1308 void timer_set(struct iked *, struct iked_timer *, 1309 void (*)(struct iked *, void *), void *); 1310 void timer_add(struct iked *, struct iked_timer *, int); 1311 void timer_del(struct iked *, struct iked_timer *); 1312 1313 /* proc.c */ 1314 void proc_init(struct privsep *, struct privsep_proc *, unsigned int, int, 1315 int, char **, enum privsep_procid); 1316 void proc_kill(struct privsep *); 1317 void proc_connect(struct privsep *, void (*)(struct privsep *)); 1318 void proc_dispatch(int, short event, void *); 1319 void proc_run(struct privsep *, struct privsep_proc *, 1320 struct privsep_proc *, unsigned int, 1321 void (*)(struct privsep *, struct privsep_proc *, void *), void *); 1322 void imsg_event_add(struct imsgev *); 1323 int imsg_compose_event(struct imsgev *, uint16_t, uint32_t, 1324 pid_t, int, void *, uint16_t); 1325 int imsg_composev_event(struct imsgev *, uint16_t, uint32_t, 1326 pid_t, int, const struct iovec *, int); 1327 int proc_compose_imsg(struct privsep *, enum privsep_procid, int, 1328 uint16_t, uint32_t, int, void *, uint16_t); 1329 int proc_compose(struct privsep *, enum privsep_procid, 1330 uint16_t, void *, uint16_t); 1331 int proc_composev_imsg(struct privsep *, enum privsep_procid, int, 1332 uint16_t, uint32_t, int, const struct iovec *, int); 1333 int proc_composev(struct privsep *, enum privsep_procid, 1334 uint16_t, const struct iovec *, int); 1335 int proc_forward_imsg(struct privsep *, struct imsg *, 1336 enum privsep_procid, int); 1337 struct imsgbuf * 1338 proc_ibuf(struct privsep *, enum privsep_procid, int); 1339 struct imsgev * 1340 proc_iev(struct privsep *, enum privsep_procid, int); 1341 enum privsep_procid 1342 proc_getid(struct privsep_proc *, unsigned int, const char *); 1343 int proc_flush_imsg(struct privsep *, enum privsep_procid, int); 1344 1345 /* util.c */ 1346 
int socket_af(struct sockaddr *, in_port_t); 1347 in_port_t 1348 socket_getport(struct sockaddr *); 1349 int socket_setport(struct sockaddr *, in_port_t); 1350 int socket_getaddr(int, struct sockaddr_storage *); 1351 int socket_bypass(int, struct sockaddr *); 1352 int udp_bind(struct sockaddr *, in_port_t); 1353 ssize_t sendtofrom(int, void *, size_t, int, struct sockaddr *, 1354 socklen_t, struct sockaddr *, socklen_t); 1355 ssize_t recvfromto(int, void *, size_t, int, struct sockaddr *, 1356 socklen_t *, struct sockaddr *, socklen_t *); 1357 const char * 1358 print_spi(uint64_t, int); 1359 const char * 1360 print_map(unsigned int, struct iked_constmap *); 1361 void lc_idtype(char *); 1362 void print_hex(const uint8_t *, off_t, size_t); 1363 void print_hexval(const uint8_t *, off_t, size_t); 1364 void print_hexbuf(struct ibuf *); 1365 const char * 1366 print_bits(unsigned short, unsigned char *); 1367 int sockaddr_cmp(struct sockaddr *, struct sockaddr *, int); 1368 uint8_t mask2prefixlen(struct sockaddr *); 1369 uint8_t mask2prefixlen6(struct sockaddr *); 1370 struct in6_addr * 1371 prefixlen2mask6(uint8_t, uint32_t *); 1372 uint32_t 1373 prefixlen2mask(uint8_t); 1374 const char * 1375 print_addr(void *); 1376 char *get_string(uint8_t *, size_t); 1377 const char * 1378 print_proto(uint8_t); 1379 int expand_string(char *, size_t, const char *, const char *); 1380 uint8_t *string2unicode(const char *, size_t *); 1381 void print_debug(const char *, ...) 1382 __attribute__((format(printf, 1, 2))); 1383 void print_verbose(const char *, ...) 
1384 __attribute__((format(printf, 1, 2))); 1385 1386 /* imsg_util.c */ 1387 struct ibuf * 1388 ibuf_new(const void *, size_t); 1389 struct ibuf * 1390 ibuf_static(void); 1391 size_t ibuf_length(struct ibuf *); 1392 int ibuf_setsize(struct ibuf *, size_t); 1393 struct ibuf * 1394 ibuf_getdata(struct ibuf *, size_t); 1395 struct ibuf * 1396 ibuf_dup(struct ibuf *); 1397 struct ibuf * 1398 ibuf_random(size_t); 1399 1400 /* log.c */ 1401 void log_init(int, int); 1402 void log_procinit(const char *); 1403 void log_setverbose(int); 1404 int log_getverbose(void); 1405 void log_warn(const char *, ...) 1406 __attribute__((__format__ (printf, 1, 2))); 1407 void log_warnx(const char *, ...) 1408 __attribute__((__format__ (printf, 1, 2))); 1409 void log_info(const char *, ...) 1410 __attribute__((__format__ (printf, 1, 2))); 1411 void log_debug(const char *, ...) 1412 __attribute__((__format__ (printf, 1, 2))); 1413 void logit(int, const char *, ...) 1414 __attribute__((__format__ (printf, 2, 3))); 1415 void vlog(int, const char *, va_list) 1416 __attribute__((__format__ (printf, 2, 0))); 1417 __dead void fatal(const char *, ...) 1418 __attribute__((__format__ (printf, 1, 2))); 1419 __dead void fatalx(const char *, ...) 
1420 __attribute__((__format__ (printf, 1, 2))); 1421 1422 /* ocsp.c */ 1423 int ocsp_connect(struct iked *, struct imsg *); 1424 int ocsp_receive_fd(struct iked *, struct imsg *); 1425 int ocsp_validate_cert(struct iked *, void *, size_t, struct iked_sahdr, 1426 uint8_t, X509 *); 1427 1428 /* parse.y */ 1429 int parse_config(const char *, struct iked *); 1430 int cmdline_symset(char *); 1431 extern const struct ipsec_xf authxfs[]; 1432 extern const struct ipsec_xf prfxfs[]; 1433 extern const struct ipsec_xf *encxfs; 1434 extern const struct ipsec_xf ikeencxfs[]; 1435 extern const struct ipsec_xf ipsecencxfs[]; 1436 extern const struct ipsec_xf groupxfs[]; 1437 extern const struct ipsec_xf esnxfs[]; 1438 extern const struct ipsec_xf methodxfs[]; 1439 extern const struct ipsec_xf saxfs[]; 1440 extern const struct ipsec_xf cpxfs[]; 1441 size_t keylength_xf(unsigned int, unsigned int, unsigned int); 1442 size_t noncelength_xf(unsigned int, unsigned int); 1443 int encxf_noauth(unsigned int); 1444 1445 /* print.c */ 1446 void print_user(struct iked_user *); 1447 void print_policy(struct iked_policy *); 1448 const char *print_xf(unsigned int, unsigned int, const struct ipsec_xf *); 1449 1450 #endif /* IKED_H */ 1451