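/* $OpenBSD: sa.h,v 1.55 2023/08/07 04:01:30 dlg Exp $	 */
/* $EOM: sa.h,v 1.58 2000/10/10 12:39:01 provos Exp $	 */

/*
 * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist.  All rights reserved.
 * Copyright (c) 1999, 2001 Angelos D. Keromytis.  All rights reserved.
 * Copyright (c) 2004 Håkan Olsson.  All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * This code was written under funding by Ericsson Radio Systems.
 */

/*
 * sa.h - in-daemon representation of ISAKMP (phase 1) and IPsec (phase 2)
 * security associations, the protocol/transform descriptions that make up
 * a protection suite, and the sa_*() management interface implemented in
 * sa.c.
 */

#ifndef _SA_H_
#define _SA_H_

#include <sys/types.h>
#include <sys/queue.h>
#include <sys/socket.h>
#include <stdio.h>		/* FILE, used by sa_report_all() */

#include "isakmp.h"

/*
 * Remove a SA if it has not been fully negotiated in this time.
 * (Unit is defined by the consumer in sa.c - presumably seconds; confirm
 * against sa_setup_expirations() before relying on it.)
 */
#define SA_NEGOTIATION_MAX_TIME 120

struct doi;
struct event;
struct exchange;
struct keystate;
struct message;
struct payload;
struct proto_attr;
struct sa;
struct transport;

/* A protection suite consists of a set of protocol descriptions like this. */
struct proto {
	/* Link to the next protocol in the suite. */
	TAILQ_ENTRY(proto) link;

	/* The SA we belong to. */
	struct sa *sa;

	/* The protocol number as found in the proposal payload. */
	u_int8_t no;

	/* The protocol this SA is for. */
	u_int8_t proto;

	/*
	 * Security parameter index info.  Element 0 - outgoing, 1 -
	 * incoming.  spi_sz[i] is the byte length of the buffer spi[i]
	 * points at; the two arrays must always be read together.
	 */
	u_int8_t spi_sz[2];
	u_int8_t *spi[2];

	/*
	 * The chosen transform, only valid while the incoming SA payload that
	 * held it is available for duplicate testing.  Do not dereference it
	 * after that payload has been released.
	 */
	struct payload *chosen;

	/* The chosen transform's ID. */
	u_int8_t id;

	/* DOI-specific data. */
	void *data;

	/* Proposal transforms data, for validating the responders selection. */
	TAILQ_HEAD(proto_attr_head, proto_attr) xfs;
	size_t xf_cnt;
};

/* One proposed transform, kept so the responder's choice can be checked. */
struct proto_attr {
	/* Link to next transform. */
	TAILQ_ENTRY(proto_attr) next;

	/* Transform attribute data and size, suitable for attribute_map(). */
	u_int8_t *attrs;
	size_t len;
};

struct sa {
	/* Link to SAs with the same hash value. */
	LIST_ENTRY(sa) link;

	/*
	 * When several SA's are being negotiated in one message we connect
	 * them through this link.
	 */
	TAILQ_ENTRY(sa) next;

	/*
	 * A name of the major policy deciding offers and acceptable
	 * proposals.
	 */
	char *name;

	/* The transport this SA got negotiated over. */
	struct transport *transport;

	/* Both initiator and responder cookies. */
	u_int8_t cookies[ISAKMP_HDR_COOKIES_LEN];

	/* The message ID signifying non-ISAKMP SAs. */
	u_int8_t message_id[ISAKMP_HDR_MESSAGE_ID_LEN];

	/* The protection suite chosen. */
	TAILQ_HEAD(proto_head, proto) protos;

	/* The exchange type we should use when rekeying. */
	u_int8_t exch_type;

	/* Phase is 1 for ISAKMP SAs, and 2 for application ones. */
	u_int8_t phase;

	/*
	 * A reference counter for this structure, manipulated through
	 * sa_reference()/sa_release().  Note it is only 16 bits wide;
	 * NOTE(review): confirm sa.c prevents it from wrapping, since a
	 * wrapped count would free a structure that is still referenced.
	 */
	u_int16_t refcnt;

	/* Various flags, look below for descriptions (SA_FLAG_*). */
	u_int32_t flags;

	/* The DOI that is to handle DOI-specific issues for this SA. */
	struct doi *doi;

	/*
	 * Crypto info needed to encrypt/decrypt packets protected by this
	 * SA.
	 */
	struct keystate *keystate;

	/* IDs from Phase 1; each pointer is paired with its byte length. */
	u_int8_t *id_i;
	size_t id_i_len;
	u_int8_t *id_r;
	size_t id_r_len;

	/* Set if we were the initiator of the SA/exchange in Phase 1 */
	int initiator;

	/* Policy session ID, where applicable, copied over from the exchange */
	int policy_id;

	/*
	 * The key used to authenticate phase 1, in printable format, used
	 * only by KeyNote.
	 */
	char *keynote_key;

	/*
	 * Certificates or other information from Phase 1; these are copied
	 * from the exchange, so look at exchange.h for an explanation of
	 * their use.
	 */
	int recv_certtype, recv_keytype;
	/* Certificate received from peer, native format. */
	void *recv_cert;
	/* Key peer used to authenticate, native format. */
	void *recv_key;

	/*
	 * Certificates or other information we used to authenticate to the
	 * peer, Phase 1.
	 */
	int sent_certtype;
	/* Certificate (to be) sent to peer, native format. */
	void *sent_cert;

	/* DOI-specific opaque data. */
	void *data;

	/* Lifetime data. */
	u_int64_t seconds;
	u_int64_t kilobytes;

	/* ACQUIRE sequence number */
	u_int32_t seq;

	/* The events that will occur when an SA has timed out. */
	struct event *soft_death;
	struct event *death;

	/* Periodic NAT-T keepalive event, see SA_FLAG_NAT_T_KEEPALIVE. */
	struct event *nat_t_keepalive;

	/* IKE DPD (RFC3706) message sequence number. */
	u_int32_t dpd_seq;		/* sent */
	u_int32_t dpd_rseq;		/* received */
	u_int32_t dpd_failcount;	/* # of subsequent failures */
	u_int32_t dpd_rdupcount;	/* # of subsequent duplicates */
	struct event *dpd_event;	/* time of next event */

	/* The pf tag to add to packets matching the established SA. */
	char *tag;

	/* IPsec with Interface SAs, enabled with SA_FLAG_IFACE */
	unsigned int iface;
};

/* This SA is alive. */
#define SA_FLAG_READY		0x01

/* Renegotiate the SA at each expiry. */
#define SA_FLAG_STAYALIVE	0x02

/* Establish the SA when it is needed. */
#define SA_FLAG_ONDEMAND	0x04

/*
 * This SA has been replaced by another newer one or the SA for another
 * client behind same NAT.
 */
#define SA_FLAG_REPLACED	0x08

/* This SA has seen a soft timeout and wants to be renegotiated on use. */
#define SA_FLAG_FADING		0x10

/* This SA should always be actively renegotiated (with us as initiator). */
#define SA_FLAG_ACTIVE_ONLY	0x20

/* This SA flag is a placeholder for a TRANSACTION exchange "SA flag". */
#define SA_FLAG_IKECFG		0x40

/* This SA flag indicates if we should do DPD with the phase 1 SA peer. */
#define SA_FLAG_DPD		0x80

/* NAT-T encapsulation state.  Kept in isakmp_sa for the new p2 exchange. */
#define SA_FLAG_NAT_T_ENABLE	0x100
#define SA_FLAG_NAT_T_KEEPALIVE	0x200

/* Policy is handled by routing/filtering on the specified iface */
#define SA_FLAG_IFACE		0x400

/*
 * Management interface implemented in sa.c.  Functions returning
 * "struct sa *" return NULL when no matching SA exists; the int-returning
 * setup functions follow the module's 0/-1 convention (confirm in sa.c).
 */
extern void	proto_free(struct proto *proto);
extern int	sa_add_transform(struct sa *, struct payload *, int,
		    struct proto **);
extern int	sa_create(struct exchange *, struct transport *);
extern int	sa_enter(struct sa *);
extern void	sa_delete(struct sa *, int);
extern void	sa_teardown_all(void);
extern struct sa *sa_find(int (*) (struct sa *, void *), void *);
extern int	sa_flag(char *);
extern void	sa_free(struct sa *);
extern void	sa_init(void);
extern void	sa_reinit(void);
extern struct sa *sa_isakmp_lookup_by_peer(struct sockaddr *, socklen_t);
extern void	sa_isakmp_upgrade(struct message *);
extern struct sa *sa_lookup(u_int8_t *, u_int8_t *);
extern struct sa *sa_lookup_by_peer(struct sockaddr *, socklen_t, int);
extern struct sa *sa_lookup_by_header(u_int8_t *, int);
extern struct sa *sa_lookup_by_name(char *, int);
extern struct sa *sa_lookup_from_icookie(u_int8_t *);
extern struct sa *sa_lookup_isakmp_sa(struct sockaddr *, u_int8_t *);
extern void	sa_mark_replaced(struct sa *);
extern void	sa_replace(struct sa *, struct sa *);
extern void	sa_reference(struct sa *);
extern void	sa_release(struct sa *);
extern void	sa_remove(struct sa *);
extern void	sa_report(void);
extern void	sa_dump(int, int, char *, struct sa *);
extern void	sa_report_all(FILE *);
extern int	sa_setup_expirations(struct sa *);

/*
 * This structure contains most of the data of the in-kernel SA.
 * Currently only used to collect the tdb_last_used time for DPD.
 */
struct sa_kinfo {
	u_int32_t	flags;		/* /usr/include/netinet/ip_ipsp.h */

	u_int32_t	exp_allocations;
	u_int32_t	soft_allocations;
	u_int32_t	cur_allocations;

	u_int64_t	exp_bytes;
	u_int64_t	soft_bytes;
	u_int64_t	cur_bytes;

	u_int64_t	exp_timeout;
	u_int64_t	soft_timeout;

	u_int64_t	first_use;
	u_int64_t	established;
	u_int64_t	soft_first_use;
	u_int64_t	exp_first_use;

	/* tdb_last_used from the kernel; the field DPD actually consumes. */
	u_int64_t	last_used;

	struct sockaddr_storage dst;
	struct sockaddr_storage src;

	u_int32_t	spi;
	u_int16_t	udpencap_port;
	u_int8_t	wnd;
};

#endif /* _SA_H_ */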