/* $OpenBSD: iked.h,v 1.230 2024/03/02 16:16:07 tobhe Exp $ */

/*
 * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <sys/types.h>
#include <sys/tree.h>
#include <sys/queue.h>
#include <arpa/inet.h>
#include <limits.h>
#include <imsg.h>

#include <openssl/evp.h>

#include "types.h"
#include "dh.h"

/*
 * Generic helper macros.  They sit outside the IKED_H guard below, so a
 * second inclusion re-defines them with identical bodies (benign).  All
 * three evaluate their arguments more than once: do not pass expressions
 * with side effects.
 */
#define MAXIMUM(a,b) (((a)>(b))?(a):(b))
#define MINIMUM(a,b) (((a)<(b))?(a):(b))
#define roundup(x, y) ((((x)+((y)-1))/(y))*(y))

#ifndef IKED_H
#define IKED_H

/*
 * Common IKEv1/IKEv2 header
 *
 * On-the-wire IKE header.  __packed so it can be overlaid directly on a
 * datagram / ibuf (see ikev2_add_header()).  Multi-byte fields keep their
 * network byte order in memory; SPI_IH() below converts ike_ispi with
 * betoh64().  ike_length is attacker-controlled and must be checked
 * against the real datagram size before it is used to walk payloads.
 */

struct ike_header {
	uint64_t	 ike_ispi;		/* Initiator cookie */
	uint64_t	 ike_rspi;		/* Responder cookie */
	uint8_t		 ike_nextpayload;	/* Next payload type */
	uint8_t		 ike_version;		/* Major/Minor version number */
	uint8_t		 ike_exchange;		/* Exchange type */
	uint8_t		 ike_flags;		/* Message options */
	uint32_t	 ike_msgid;		/* Message identifier */
	uint32_t	 ike_length;		/* Total message length (wire, untrusted) */
} __packed;

/*
 * Common daemon infrastructure, local imsg etc.
 */

/* One imsg channel plus the libevent state that drives it. */
struct imsgev {
	struct imsgbuf		 ibuf;
	void			(*handler)(int, short, void *);
	struct event		 ev;
	struct privsep_proc	*proc;
	void			*data;
	short			 events;
	const char		*name;
};

/*
 * Abort the process if an imsg payload is shorter than *p.  This is a
 * lower bound only (<, not !=): a longer payload passes, so handlers of
 * variable-length messages still have to bound their own reads with
 * IMSG_DATA_SIZE().  fatalx() is acceptable here because imsg peers are
 * trusted privsep siblings; a short message means a bug, not an attack.
 */
#define IMSG_SIZE_CHECK(imsg, p) do {				\
	if (IMSG_DATA_SIZE(imsg) < sizeof(*p))			\
		fatalx("bad length imsg received");		\
} while (0)
/*
 * Payload length of an imsg.  Relies on the imsg layer having already
 * rejected headers with hdr.len < IMSG_HEADER_SIZE; otherwise the
 * unsigned subtraction would wrap to a huge value.
 */
#define IMSG_DATA_SIZE(imsg)	((imsg)->hdr.len - IMSG_HEADER_SIZE)

/*
 * Compare two iked_addr values: equal only if both the prefix length and
 * the address (compared up to that prefix length) match.  Arguments are
 * evaluated more than once.
 */
#define IKED_ADDR_EQ(_a, _b)						\
	((_a)->addr_mask == (_b)->addr_mask &&				\
	sockaddr_cmp((struct sockaddr *)&(_a)->addr,			\
	(struct sockaddr *)&(_b)->addr, (_a)->addr_mask) == 0)

#define IKED_ADDR_NEQ(_a, _b)						\
	((_a)->addr_mask != (_b)->addr_mask ||				\
	sockaddr_cmp((struct sockaddr *)&(_a)->addr,			\
	(struct sockaddr *)&(_b)->addr, (_a)->addr_mask) != 0)

/* initially control.h */
/* Listening control socket (ikectl).  cs_restricted: presumably a
 * reduced-privilege socket variant -- confirm in control.c. */
struct control_sock {
	const char	*cs_name;
	struct event	 cs_ev;
	struct event	 cs_evt;
	int		 cs_fd;
	int		 cs_restricted;
	void		*cs_env;
};

/* One accepted control connection. */
struct ctl_conn {
	TAILQ_ENTRY(ctl_conn)	 entry;
	uint8_t			 flags;
#define CTL_CONN_NOTIFY		 0x01
	struct imsgev		 iev;
	uint32_t		 peerid;
};
TAILQ_HEAD(ctl_connlist, ctl_conn);

extern enum privsep_procid privsep_process;

/*
 * Runtime structures
 */

/* libevent timer bound to an iked callback. */
struct iked_timer {
	struct event	 tmr_ev;
	struct iked	*tmr_env;
	void		(*tmr_cb)(struct iked *, void *);
	void		*tmr_cbarg;
};

/* SPI as carried in IKE payloads; spi_size gives the valid width of spi. */
struct iked_spi {
	uint64_t	 spi;
	uint8_t		 spi_size;
	uint8_t		 spi_protoid;
};

/* One SA proposal with its transform list (prop_nxforms entries). */
struct iked_proposal {
	uint8_t				 prop_id;
	uint8_t				 prop_protoid;

	struct iked_spi			 prop_localspi;
	struct iked_spi			 prop_peerspi;

	struct iked_transform		*prop_xforms;
	unsigned int			 prop_nxforms;

	TAILQ_ENTRY(iked_proposal)	 prop_entry;
};
TAILQ_HEAD(iked_proposals, iked_proposal);

/* Address with prefix length and optional port; used for policies,
 * flows, traffic selectors and SA endpoints alike. */
struct iked_addr {
	int				 addr_af;
	struct sockaddr_storage		 addr;
	uint8_t				 addr_mask;
	int				 addr_net;
	in_port_t			 addr_port;
};

/* Traffic selector: address/prefix/port plus IP protocol. */
struct iked_ts {
	struct iked_addr	 ts_addr;
	uint8_t			 ts_ipproto;
	TAILQ_ENTRY(iked_ts)	 ts_entry;
};
TAILQ_HEAD(iked_tss, iked_ts);

/* IPsec flow (SPD entry) installed via pfkey once flow_loaded is set. */
struct iked_flow {
	struct iked_addr		 flow_src;
	struct iked_addr		 flow_dst;
	unsigned int			 flow_dir;	/* in/out */
	int				 flow_rdomain;
	struct iked_addr		 flow_prenat;
	int				 flow_fixed;

	unsigned int			 flow_loaded;	/* pfkey done */

	uint8_t				 flow_saproto;
	uint8_t				 flow_ipproto;

	struct iked_addr		*flow_local;	/* outer source */
	struct iked_addr		*flow_peer;	/* outer dest */
	struct iked_sa			*flow_ikesa;	/* parent SA */

	RB_ENTRY(iked_flow)		 flow_node;
	TAILQ_ENTRY(iked_flow)		 flow_entry;
};
RB_HEAD(iked_flows, iked_flow);
TAILQ_HEAD(iked_saflows, iked_flow);

/*
 * IPsec Child SA.  csa_encrkey/csa_integrkey hold the keying material
 * handed to the kernel.  NOTE(review): these are secrets -- confirm that
 * childsa_free() wipes them rather than just releasing the ibufs.
 */
struct iked_childsa {
	uint8_t				 csa_saproto;	/* IPsec protocol */
	unsigned int			 csa_dir;	/* in/out */

	uint64_t			 csa_peerspi;	/* peer relation */
	uint8_t				 csa_loaded;	/* pfkey done */
	uint8_t				 csa_rekey;	/* will be deleted */
	uint8_t				 csa_allocated;	/* from the kernel */
	uint8_t				 csa_persistent;/* do not rekey */
	uint8_t				 csa_esn;	/* use ESN */
	uint8_t				 csa_transport;	/* transport mode */

	struct iked_spi			 csa_spi;

	struct ibuf			*csa_encrkey;	/* encryption key */
	uint16_t			 csa_encrid;	/* encryption xform id */

	struct ibuf			*csa_integrkey;	/* auth key */
	uint16_t			 csa_integrid;	/* auth xform id */

	struct iked_addr		*csa_local;	/* outer source */
	struct iked_addr		*csa_peer;	/* outer dest */
	struct iked_sa			*csa_ikesa;	/* parent SA */

	struct iked_childsa		*csa_peersa;	/* peer */

	struct iked_childsa		*csa_bundled;	/* IPCOMP */

	uint16_t			 csa_pfsgrpid;	/* pfs group id */

	RB_ENTRY(iked_childsa)		 csa_node;
	TAILQ_ENTRY(iked_childsa)	 csa_entry;
};
RB_HEAD(iked_activesas, iked_childsa);
TAILQ_HEAD(iked_childsas, iked_childsa);


/* Fixed-size identity from the configuration (no heap, imsg-friendly).
 * id_length/id_offset must stay within IKED_ID_SIZE. */
struct iked_static_id {
	uint8_t		id_type;
	uint8_t		id_length;
	uint8_t		id_offset;
	uint8_t		id_data[IKED_ID_SIZE];
};

/*
 * Authentication parameters of a policy.  auth_data holds the pre-shared
 * key when one is configured -- secret material that is copied between
 * processes inside struct iked_policy.  NOTE(review): confirm it is
 * cleared with explicit_bzero() when the policy is freed.
 */
struct iked_auth {
	uint8_t		auth_method;
	uint8_t		auth_eap;			/* optional EAP */
	uint8_t		auth_length;			/* zero if EAP */
	uint8_t		auth_data[IKED_PSK_SIZE];
};

/* One configuration-payload (CP) attribute of a policy. */
struct iked_cfg {
	uint8_t				 cfg_action;
	uint16_t			 cfg_type;
	union {
		struct iked_addr	 address;
	} cfg;
};

TAILQ_HEAD(iked_sapeers, iked_sa);

/* Child SA lifetime limits; zero presumably means unlimited -- verify. */
struct iked_lifetime {
	uint64_t			 lt_bytes;
	uint64_t			 lt_seconds;
};

/*
 * A policy from iked.conf.  pol_skip[] is the skip-step lookup table
 * computed by policy_calc_skip_steps(); pol_flags selects how the policy
 * is matched and applied.
 */
struct iked_policy {
	unsigned int			 pol_id;
	char				 pol_name[IKED_ID_SIZE];
	unsigned int			 pol_iface;

#define IKED_SKIP_FLAGS			 0
#define IKED_SKIP_AF			 1
#define IKED_SKIP_SRC_ADDR		 2
#define IKED_SKIP_DST_ADDR		 3
#define IKED_SKIP_COUNT			 4
	struct iked_policy		*pol_skip[IKED_SKIP_COUNT];

	uint8_t				 pol_flags;
#define IKED_POLICY_PASSIVE		 0x00
#define IKED_POLICY_DEFAULT		 0x01
#define IKED_POLICY_ACTIVE		 0x02
#define IKED_POLICY_REFCNT		 0x04
#define IKED_POLICY_QUICK		 0x08
#define IKED_POLICY_SKIP		 0x10
#define IKED_POLICY_IPCOMP		 0x20
#define IKED_POLICY_TRANSPORT		 0x40
#define IKED_POLICY_ROUTING		 0x80

	int				 pol_refcnt;

	uint8_t				 pol_certreqtype;

	int				 pol_af;
	int				 pol_rdomain;
	uint8_t				 pol_saproto;
	unsigned int			 pol_ipproto[IKED_IPPROTO_MAX];
	unsigned int			 pol_nipproto;

	struct iked_addr		 pol_peer;
	struct iked_static_id		 pol_peerid;
	uint32_t			 pol_peerdh;

	struct iked_addr		 pol_local;
	struct iked_static_id		 pol_localid;

	struct iked_auth		 pol_auth;	/* includes PSK, see above */

	char				 pol_tag[IKED_TAG_SIZE];
	unsigned int			 pol_tap;

	struct iked_proposals		 pol_proposals;
	size_t				 pol_nproposals;

	struct iked_flows		 pol_flows;
	size_t				 pol_nflows;
	struct iked_tss			 pol_tssrc;	/* Traffic Selectors Initiator */
	size_t				 pol_tssrc_count;
	struct iked_tss			 pol_tsdst;	/* Traffic Selectors Responder */
	size_t				 pol_tsdst_count;

	struct iked_cfg			 pol_cfg[IKED_CFG_MAX];
	unsigned int			 pol_ncfg;

	uint32_t			 pol_rekey;	/* ike SA lifetime */
	struct iked_lifetime		 pol_lifetime;	/* child SA lifetime */

	struct iked_sapeers		 pol_sapeers;

	TAILQ_ENTRY(iked_policy)	 pol_entry;
};
TAILQ_HEAD(iked_policies, iked_policy);

/* PRF / integrity algorithm instance (see crypto.c: hash_*). */
struct iked_hash {
	uint8_t		 hash_type;	/* PRF or INTEGR */
	uint16_t	 hash_id;	/* IKE PRF/INTEGR hash id */
	const void	*hash_priv;	/* Identifying the hash alg */
	void		*hash_ctx;	/* Context of the current invocation */
	int		 hash_fixedkey;	/* Requires fixed key length */
	struct ibuf	*hash_key;	/* MAC key derived from key seed */
	size_t		 hash_length;	/* Output length */
	size_t		 hash_trunc;	/* Truncate the output length */
	struct iked_hash *hash_prf;	/* PRF pointer */
	int		 hash_isaead;
};

/*
 * Encryption algorithm instance (see crypto.c: cipher_*).
 * NOTE(review): for GCM a (key, IV) pair must never repeat; encr_civ is
 * what keeps successive IVs distinct, so it must not be reset while
 * encr_key is in use -- confirm in the rekey path.
 */
struct iked_cipher {
	uint8_t		 encr_type;	/* ENCR */
	uint16_t	 encr_id;	/* IKE ENCR hash id */
	const void	*encr_priv;	/* Identifying the hash alg */
	void		*encr_ctx;	/* Context of the current invocation */
	int		 encr_fixedkey;	/* Requires fixed key length */
	struct ibuf	*encr_key;	/* MAC key derived from key seed */
	struct ibuf	*encr_iv;	/* Initialization Vector */
	uint64_t	 encr_civ;	/* Counter IV for GCM */
	size_t		 encr_ivlength;	/* IV length */
	size_t		 encr_length;	/* Block length */
	size_t		 encr_saltlength;	/* IV salt length */
	uint16_t	 encr_authid;	/* ID of associated authentication */
};

/* AUTH payload signer/verifier state (see crypto.c: dsa_*).  dsa_keydata
 * may hold a private or shared key -- treat as secret. */
struct iked_dsa {
	uint8_t		 dsa_method;	/* AUTH method */
	const void	*dsa_priv;	/* PRF or signature hash function */
	void		*dsa_ctx;	/* PRF or signature hash ctx */
	struct ibuf	*dsa_keydata;	/* public, private or shared key */
	void		*dsa_key;	/* parsed public or private key */
	int		 dsa_hmac;	/* HMAC or public/private key */
	int		 dsa_sign;	/* Sign or verify operation */
	uint32_t	 dsa_flags;	/* State flags */
};

/* Variable-length identity / certificate / AUTH payload body. */
struct iked_id {
	uint8_t		 id_type;
	uint8_t		 id_offset;
	struct ibuf	*id_buf;
};

/* sa_stateflags bits: what has been obtained/verified for an SA. */
#define IKED_REQ_CERT		0x0001	/* get local certificate (if required) */
#define IKED_REQ_CERTVALID	0x0002	/* validated the peer cert */
#define IKED_REQ_CERTREQ	0x0004	/* CERTREQ has been received */
#define IKED_REQ_AUTH		0x0008	/* AUTH payload */
#define IKED_REQ_AUTHVALID	0x0010	/* AUTH payload has been verified */
#define IKED_REQ_SA		0x0020	/* SA available */
#define IKED_REQ_EAPVALID	0x0040	/* EAP payload has been verified */
#define IKED_REQ_CHILDSA	0x0080	/* Child SA initiated */
#define IKED_REQ_INF		0x0100	/* Informational exchange initiated */

/* printb()-style bit names for the flags above. */
#define IKED_REQ_BITS	\
	"\20\01CERT\02CERTVALID\03CERTREQ\04AUTH\05AUTHVALID\06SA\07EAPVALID" \
	"\10CHILDSA\11INF"

TAILQ_HEAD(iked_msgqueue, iked_msg_retransmit);
TAILQ_HEAD(iked_msg_fragqueue, iked_message);

/* IKE SA identity (SPI pair + role); __packed as it is passed in imsgs. */
struct iked_sahdr {
	uint64_t			 sh_ispi;	/* Initiator SPI */
	uint64_t			 sh_rspi;	/* Responder SPI */
	unsigned int			 sh_initiator;	/* Is initiator? */
} __packed;

/* Key exchange inputs: nonces and DH public values of both sides. */
struct iked_kex {
	struct ibuf			*kex_inonce;	/* Ni */
	struct ibuf			*kex_rnonce;	/* Nr */

	struct dh_group			*kex_dhgroup;	/* DH group */
	struct ibuf			*kex_dhiexchange;
	struct ibuf			*kex_dhrexchange;
	struct ibuf			*kex_dhpeer;	/* pointer to i or r */
};

struct iked_frag_entry {
	uint8_t	*frag_data;
	size_t	 frag_size;
};

/*
 * Reassembly state for IKEv2 fragmentation (RFC 7383).  frag_total comes
 * from the peer; IKED_FRAG_TOTAL_MAX bounds it so an attacker cannot make
 * us allocate an arbitrarily large frag_arr.
 */
struct iked_frag {
	struct iked_frag_entry	**frag_arr;	/* list of fragment buffers */
	size_t			  frag_count;	/* number of fragments received */
#define IKED_FRAG_TOTAL_MAX	  111		/* upper limit (64kB / 576B) */
	size_t			  frag_total;	/* total number of fragments */
	size_t			  frag_total_size;
	uint8_t			  frag_nextpayload;

};

struct iked_ipcomp {
	uint16_t			 ic_cpi_out;	/* outgoing CPI */
	uint16_t			 ic_cpi_in;	/* incoming CPI */
	uint8_t				 ic_transform;	/* transform */
};

/*
 * IKE SA.  Holds the negotiated algorithms and the derived SK_* keys;
 * NOTE(review): sa_key_* and the kex nonces/DH values are secrets --
 * confirm sa_free()/config_free_kex() wipe them.  sa_msgid/sa_reqid are
 * the IKEv2 Message ID counters that order requests and responses.
 */
struct iked_sa {
	struct iked_sahdr		 sa_hdr;
	uint32_t			 sa_msgid;	/* Last request rcvd */
	int				 sa_msgid_set;	/* msgid initialized */
	uint32_t			 sa_msgid_current;	/* Current requested rcvd */
	uint32_t			 sa_reqid;	/* Next request sent */

	int				 sa_type;
#define IKED_SATYPE_LOOKUP		 0		/* Used for lookup */
#define IKED_SATYPE_LOCAL		 1		/* Local SA */

	struct iked_addr		 sa_peer;
	struct iked_addr		 sa_peer_loaded;/* MOBIKE */
	struct iked_addr		 sa_local;
	int				 sa_fd;

	struct iked_frag		 sa_fragments;

	int				 sa_natt;	/* for IKE messages */
	int				 sa_udpencap;	/* for pfkey */
	int				 sa_usekeepalive;/* NAT-T keepalive */

	int				 sa_state;
	unsigned int			 sa_stateflags;	/* IKED_REQ_* bits */
	unsigned int			 sa_stateinit;	/* SA_INIT */
	unsigned int			 sa_statevalid;	/* IKE_AUTH */

	int				 sa_cp;		/* XXX */
	struct iked_addr		*sa_cp_addr;	/* requested address */
	struct iked_addr		*sa_cp_addr6;	/* requested address */
	struct iked_addr		*sa_cp_dns;	/* requested dns */

	struct iked_policy		*sa_policy;
	struct timeval			 sa_timecreated;
	struct timeval			 sa_timeused;

	char				*sa_tag;
	const char			*sa_reason;	/* reason for close */

	struct iked_kex			 sa_kex;
	/* XXX compat defines until everything is converted */
#define sa_inonce		sa_kex.kex_inonce
#define sa_rnonce		sa_kex.kex_rnonce
#define sa_dhgroup		sa_kex.kex_dhgroup
#define sa_dhiexchange		sa_kex.kex_dhiexchange
#define sa_dhrexchange		sa_kex.kex_dhrexchange
#define sa_dhpeer		sa_kex.kex_dhpeer

	struct iked_hash		*sa_prf;	/* PRF alg */
	struct iked_hash		*sa_integr;	/* integrity alg */
	struct iked_cipher		*sa_encr;	/* encryption alg */

	struct ibuf			*sa_key_d;	/* SK_d */
	struct ibuf			*sa_key_iauth;	/* SK_ai */
	struct ibuf			*sa_key_rauth;	/* SK_ar */
	struct ibuf			*sa_key_iencr;	/* SK_ei */
	struct ibuf			*sa_key_rencr;	/* SK_er */
	struct ibuf			*sa_key_iprf;	/* SK_pi */
	struct ibuf			*sa_key_rprf;	/* SK_pr */

	struct ibuf			*sa_1stmsg;	/* for initiator AUTH */
	struct ibuf			*sa_2ndmsg;	/* for responder AUTH */
	struct iked_id			 sa_localauth;	/* local AUTH message */
	struct iked_id			 sa_peerauth;	/* peer AUTH message */
	int				 sa_sigsha2;	/* use SHA2 for signatures */
#define IKED_SCERT_MAX	3	/* max # of supplemental cert payloads */

	struct iked_id			 sa_iid;	/* initiator id */
	struct iked_id			 sa_rid;	/* responder id */
	struct iked_id			 sa_icert;	/* initiator cert */
	struct iked_id			 sa_rcert;	/* responder cert */
	struct iked_id			 sa_scert[IKED_SCERT_MAX]; /* supplemental certs */
	/* Our own / the peer's identity, selected by role. */
#define IKESA_SRCID(x) ((x)->sa_hdr.sh_initiator ? &(x)->sa_iid : &(x)->sa_rid)
#define IKESA_DSTID(x) ((x)->sa_hdr.sh_initiator ? &(x)->sa_rid : &(x)->sa_iid)

	char				*sa_eapid;	/* EAP identity */
	struct iked_id			 sa_eap;	/* EAP challenge */
	struct ibuf			*sa_eapmsk;	/* EAP MSK session key (secret) */

	struct iked_proposals		 sa_proposals;	/* SA proposals */
	struct iked_childsas		 sa_childsas;	/* IPsec Child SAs */
	struct iked_saflows		 sa_flows;	/* IPsec flows */

	struct iked_sa			*sa_nexti;	/* initiated IKE SA */
	struct iked_sa			*sa_previ;	/* matching back pointer */
	struct iked_sa			*sa_nextr;	/* simultaneous rekey */
	struct iked_sa			*sa_prevr;	/* matching back pointer */
	uint64_t			 sa_rekeyspi;	/* peerspi CSA rekey */
	struct ibuf			*sa_simult;	/* simultaneous rekey */

	struct iked_ipcomp		 sa_ipcompi;	/* IPcomp initiator */
	struct iked_ipcomp		 sa_ipcompr;	/* IPcomp responder */

	int				 sa_mobike;	/* MOBIKE */
	int				 sa_frag;	/* fragmentation */

	int				 sa_use_transport_mode;	/* peer requested */
	int				 sa_used_transport_mode; /* we enabled */

	struct iked_timer		 sa_timer;	/* SA timeouts */
#define IKED_IKE_SA_EXCHANGE_TIMEOUT	 300		/* 5 minutes */
#define IKED_IKE_SA_REKEY_TIMEOUT	 120		/* 2 minutes */
#define IKED_IKE_SA_DELETE_TIMEOUT	 120		/* 2 minutes */
#define IKED_IKE_SA_ALIVE_TIMEOUT	 60		/* 1 minute */

	struct iked_timer		 sa_keepalive;	/* keepalive timer */
#define IKED_IKE_SA_KEEPALIVE_TIMEOUT	 20

	struct iked_timer		 sa_rekey;	/* rekey timeout */
	int				 sa_tmpfail;

	struct iked_msgqueue		 sa_requests;	/* request queue */
#define IKED_RETRANSMIT_TIMEOUT		 2		/* 2 seconds */

	struct iked_msgqueue		 sa_responses;	/* response queue */
#define IKED_RESPONSE_TIMEOUT		 120		/* 2 minutes */

	TAILQ_ENTRY(iked_sa)		 sa_peer_entry;
	RB_ENTRY(iked_sa)		 sa_entry;	/* all SAs */

	RB_ENTRY(iked_sa)		 sa_dstid_entry;	/* SAs by DSTID */
	int				 sa_dstid_entry_valid;	/* sa_dstid_entry valid */

	struct iked_addr		*sa_addrpool;	/* address from pool */
	RB_ENTRY(iked_sa)		 sa_addrpool_entry;	/* pool entries */

	struct iked_addr		*sa_addrpool6;	/* address from pool */
	RB_ENTRY(iked_sa)		 sa_addrpool6_entry;	/* pool entries */
	time_t				 sa_last_recvd;
#define IKED_IKE_SA_LAST_RECVD_TIMEOUT	 300		/* 5 minutes */
};
RB_HEAD(iked_sas, iked_sa);
RB_HEAD(iked_dstid_sas, iked_sa);
RB_HEAD(iked_addrpool, iked_sa);
RB_HEAD(iked_addrpool6, iked_sa);

/* stats */

/* Counters exported to ikectl; all are monotonic except the gauge. */
struct iked_stats {
	uint64_t	ikes_sa_created;
	uint64_t	ikes_sa_established_total;
	uint64_t	ikes_sa_established_current; /* gauge */
	uint64_t	ikes_sa_established_failures;
	uint64_t	ikes_sa_proposals_negotiate_failures;
	uint64_t	ikes_sa_rekeyed;
	uint64_t	ikes_sa_removed;
	uint64_t	ikes_csa_created;
	uint64_t	ikes_csa_removed;
	uint64_t	ikes_msg_sent;
	uint64_t	ikes_msg_send_failures;
	uint64_t	ikes_msg_rcvd;
	uint64_t	ikes_msg_rcvd_busy;
	uint64_t	ikes_msg_rcvd_dropped;
	uint64_t	ikes_retransmit_request;
	uint64_t	ikes_retransmit_response;
	uint64_t	ikes_retransmit_limit;
	uint64_t	ikes_frag_sent;
	uint64_t	ikes_frag_send_failures;
	uint64_t	ikes_frag_rcvd;
	uint64_t	ikes_frag_rcvd_drop;
	uint64_t	ikes_frag_reass_ok;
	uint64_t	ikes_frag_reass_drop;
	uint64_t	ikes_update_addresses_sent;
	uint64_t	ikes_dpd_sent;
	uint64_t	ikes_keepalive_sent;
};

/* ikestat_dec relies on uint64_t wrap-around: adding (uint64_t)-1
 * decrements.  'env' is not parenthesized; pass a plain lvalue. */
#define ikestat_add(env, c, n)	do { env->sc_stats.c += (n); } while(0)
#define ikestat_inc(env, c)	ikestat_add(env, c, 1)
#define ikestat_dec(env, c)	ikestat_add(env, c, -1)

/* CERTREQ payload received from the peer. */
struct iked_certreq {
	struct ibuf			*cr_data;
	uint8_t				 cr_type;
	SIMPLEQ_ENTRY(iked_certreq)	 cr_entry;
};
SIMPLEQ_HEAD(iked_certreqs, iked_certreq);

#define EAP_STATE_IDENTITY		(1)
#define EAP_STATE_MSCHAPV2_CHALLENGE	(2)
#define EAP_STATE_MSCHAPV2_SUCCESS	(3)
#define EAP_STATE_SUCCESS		(4)

/* Parsed EAP / EAP-MSCHAPv2 exchange state.  The 16-byte challenge and
 * 24-byte NT-Response match the MS-CHAPv2 field sizes. */
struct eap_msg {
	char		*eam_identity;
	char		*eam_user;
	int		 eam_type;
	uint8_t		 eam_id;
	uint8_t		 eam_msrid;
	int		 eam_success;
	int		 eam_found;
	int		 eam_response;
	uint8_t		 eam_challenge[16];
	uint8_t		 eam_ntresponse[24];
	uint32_t	 eam_state;
};

/*
 * One IKE message, in either direction.  msg_data is the raw datagram
 * (attacker-controlled on receive); everything under "Parsed information"
 * is filled in while parsing and must only be trusted once msg_valid is
 * set and, for encrypted payloads, the integrity check has passed.
 */
struct iked_message {
	struct ibuf		*msg_data;
	size_t			 msg_offset;

	struct sockaddr_storage	 msg_local;
	socklen_t		 msg_locallen;

	struct sockaddr_storage	 msg_peer;
	socklen_t		 msg_peerlen;

	struct iked_socket	*msg_sock;

	int			 msg_fd;
	int			 msg_response;
	int			 msg_responded;
	int			 msg_valid;
	int			 msg_natt;
	int			 msg_natt_rcvd;
	int			 msg_nat_detected;
	int			 msg_error;
	int			 msg_e;
	struct iked_message	*msg_parent;

	/* Associated policy and SA */
	struct iked_policy	*msg_policy;
	struct iked_sa		*msg_sa;

	uint32_t		 msg_msgid;
	uint8_t			 msg_exchange;

	/* Parsed information */
	struct iked_proposals	 msg_proposals;
	struct iked_certreqs	 msg_certreqs;
	struct iked_spi		 msg_rekey;
	struct ibuf		*msg_nonce;	/* dh NONCE */
	uint16_t		 msg_dhgroup;	/* dh group */
	struct ibuf		*msg_ke;	/* dh key exchange */
	struct iked_id		 msg_auth;	/* AUTH payload */
	struct iked_id		 msg_peerid;
	struct iked_id		 msg_localid;
	struct iked_id		 msg_cert;
	struct iked_id		 msg_scert[IKED_SCERT_MAX]; /* supplemental certs */
	struct ibuf		*msg_cookie;
	uint16_t		 msg_group;
	uint16_t		 msg_cpi;
	uint8_t			 msg_transform;
	uint16_t		 msg_flags;	/* IKED_MSG_FLAGS_* */
	struct eap_msg		 msg_eap;
	size_t			 msg_del_spisize;
	size_t			 msg_del_cnt;
	struct ibuf		*msg_del_buf;
	int			 msg_del_protoid;
	int			 msg_cp;
	struct iked_addr	*msg_cp_addr;	/* requested address */
	struct iked_addr	*msg_cp_addr6;	/* requested address */
	struct iked_addr	*msg_cp_dns;	/* requested dns */
	uint16_t		 msg_frag_num;

	/* MOBIKE */
	int			 msg_update_sa_addresses;
	struct ibuf		*msg_cookie2;

	/* Parse stack */
	struct iked_proposal	*msg_prop;
	uint16_t		 msg_attrlength;

	/* Retransmit queue */
	TAILQ_ENTRY(iked_message)
				 msg_entry;
};

/* A sent message (possibly fragmented) awaiting acknowledgement; retried
 * up to IKED_RETRANSMIT_TRIES times, IKED_RETRANSMIT_TIMEOUT apart. */
struct iked_msg_retransmit {
	struct iked_msg_fragqueue	mrt_frags;
	TAILQ_ENTRY(iked_msg_retransmit)	mrt_entry;
	struct iked_timer		mrt_timer;
	int				mrt_tries;
#define IKED_RETRANSMIT_TRIES	 5		/* try 5 times */
};

#define IKED_MSG_NAT_SRC_IP				0x01
#define IKED_MSG_NAT_DST_IP				0x02

/* msg_flags: notifications seen while parsing a message. */
#define IKED_MSG_FLAGS_FRAGMENTATION			0x0001
#define IKED_MSG_FLAGS_MOBIKE				0x0002
#define IKED_MSG_FLAGS_SIGSHA2				0x0004
#define IKED_MSG_FLAGS_CHILD_SA_NOT_FOUND		0x0008
#define IKED_MSG_FLAGS_NO_ADDITIONAL_SAS		0x0010
#define IKED_MSG_FLAGS_AUTHENTICATION_FAILED		0x0020
#define IKED_MSG_FLAGS_INVALID_KE			0x0040
#define IKED_MSG_FLAGS_IPCOMP_SUPPORTED			0x0080
#define IKED_MSG_FLAGS_USE_TRANSPORT			0x0100
#define IKED_MSG_FLAGS_TEMPORARY_FAILURE		0x0200
#define IKED_MSG_FLAGS_NO_PROPOSAL_CHOSEN		0x0400


/*
 * EAP user from the configuration.  usr_pass is credential material that
 * is copied across processes via config_setuser(); NOTE(review): confirm
 * it is wiped with explicit_bzero() when the user table is freed.
 */
struct iked_user {
	char			 usr_name[LOGIN_NAME_MAX];
	char			 usr_pass[IKED_PASSWORD_SIZE];
	RB_ENTRY(iked_user)	 usr_entry;
};
RB_HEAD(iked_users, iked_user);

struct privsep_pipes {
	int				*pp_pipes[PROC_MAX];
};

/* Privilege-separation state shared by all processes. */
struct privsep {
	struct privsep_pipes		*ps_pipes[PROC_MAX];
	struct privsep_pipes		*ps_pp;

	struct imsgev			*ps_ievs[PROC_MAX];
	const char			*ps_title[PROC_MAX];
	pid_t				 ps_pid[PROC_MAX];
	struct passwd			*ps_pw;
	int				 ps_noaction;

	struct control_sock		 ps_csock;

	unsigned int			 ps_instances[PROC_MAX];
	unsigned int			 ps_ninstances;
	unsigned int			 ps_instance;

	/* Event and signal handlers */
	struct event			 ps_evsigint;
	struct event			 ps_evsigterm;
	struct event			 ps_evsigchld;
	struct event			 ps_evsighup;
	struct event			 ps_evsigpipe;
	struct event			 ps_evsigusr1;

	struct iked			*ps_env;
	unsigned int			 ps_connecting;
	void				(*ps_connected)(struct privsep *);
};

/* Description of one privsep child: p_chroot / p_pw presumably give the
 * directory and unprivileged user it is confined to -- see proc.c. */
struct privsep_proc {
	const char		*p_title;
	enum privsep_procid	 p_id;
	int			(*p_cb)(int, struct privsep_proc *,
				    struct imsg *);
	void			(*p_init)(struct privsep *,
				    struct privsep_proc *);
	const char		*p_chroot;
	struct passwd		*p_pw;
	struct privsep		*p_ps;
	void			(*p_shutdown)(void);
};

struct privsep_fd {
	enum privsep_procid		 pf_procid;
	unsigned int			 pf_instance;
};

/* File descriptor a child inherits for its socket to the parent. */
#define PROC_PARENT_SOCK_FILENO	3
#define PROC_MAX_INSTANCES	32

struct iked_ocsp_entry {
	TAILQ_ENTRY(iked_ocsp_entry) ioe_entry;	/* next request */
	void			*ioe_ocsp;	/* private ocsp request data */
};
TAILQ_HEAD(iked_ocsp_requests, iked_ocsp_entry);

/*
 * Daemon configuration
 */

enum natt_mode {
	NATT_DEFAULT,	/* send/recv with both :500 and NAT-T port */
	NATT_DISABLE,	/* send/recv with only :500 */
	NATT_FORCE,	/* send/recv with only NAT-T port */
};

/* Settings pushed to the child processes as one imsg (config_setstatic). */
struct iked_static {
	uint64_t		 st_alive_timeout;
	int			 st_cert_partial_chain;
	int			 st_enforcesingleikesa;
	uint8_t			 st_frag;		/* fragmentation */
	uint8_t			 st_mobike;		/* MOBIKE */
	in_port_t		 st_nattport;
	int			 st_stickyaddress;	/* addr per DSTID */
	int			 st_vendorid;
};

/* Global daemon state. */
struct iked {
	char				 sc_conffile[PATH_MAX];

	uint32_t			 sc_opts;
	enum natt_mode			 sc_nattmode;
	uint8_t				 sc_passive;
	uint8_t				 sc_decoupled;

	struct iked_static		 sc_static;

#define sc_alive_timeout	sc_static.st_alive_timeout
#define sc_cert_partial_chain	sc_static.st_cert_partial_chain
#define sc_enforcesingleikesa	sc_static.st_enforcesingleikesa
#define sc_frag			sc_static.st_frag
#define sc_mobike		sc_static.st_mobike
#define sc_nattport		sc_static.st_nattport
#define sc_stickyaddress	sc_static.st_stickyaddress
#define sc_vendorid		sc_static.st_vendorid

	struct iked_policies		 sc_policies;
	struct iked_policy		*sc_defaultcon;

	struct iked_sas			 sc_sas;
	struct iked_dstid_sas		 sc_dstid_sas;
	struct iked_activesas		 sc_activesas;
	struct iked_flows		 sc_activeflows;
	struct iked_users		 sc_users;

	struct iked_stats		 sc_stats;

	void				*sc_priv;	/* per-process */

	int				 sc_pfkey;	/* ike process */
	struct event			 sc_pfkeyev;
	struct event			 sc_routeev;
	uint8_t				 sc_certreqtype;
	struct ibuf			*sc_certreq;
	void				*sc_vroute;

	struct iked_socket		*sc_sock4[2];
	struct iked_socket		*sc_sock6[2];

	struct iked_timer		 sc_inittmr;
#define IKED_INITIATOR_INITIAL		 2
#define IKED_INITIATOR_INTERVAL		 60

	struct privsep			 sc_ps;

	struct iked_ocsp_requests	 sc_ocsp;
	char				*sc_ocsp_url;
	long				 sc_ocsp_tolerate;
	long				 sc_ocsp_maxage;

	struct iked_addrpool		 sc_addrpool;
	struct iked_addrpool6		 sc_addrpool6;
};

/* Bound UDP socket (one per address family and port). */
struct iked_socket {
	int			 sock_fd;
	struct event		 sock_ev;
	struct iked		*sock_env;
	struct sockaddr_storage	 sock_addr;
};

/* Transform description used by the config parser. */
struct ipsec_xf {
	const char	*name;
	unsigned int	 id;
	unsigned int	 length;
	unsigned int	 keylength;
	unsigned int	 nonce;
	unsigned int	 noauth;
};

struct ipsec_transforms {
	const struct ipsec_xf **authxf;
	unsigned int		 nauthxf;
	const struct ipsec_xf **prfxf;
	unsigned int		 nprfxf;
	const struct ipsec_xf **encxf;
	unsigned int		 nencxf;
	const struct ipsec_xf **groupxf;
	unsigned int		 ngroupxf;
	const struct ipsec_xf **esnxf;
	unsigned int		 nesnxf;
};

struct ipsec_mode {
	struct ipsec_transforms	**xfs;
	unsigned int		  nxfs;
};

/* iked.c */
void	 parent_reload(struct iked *, int, const char *);

extern struct iked	*iked_env;

/* control.c */
void	 control(struct privsep *, struct privsep_proc *);
int	 control_init(struct privsep *, struct control_sock *);
int	 control_listen(struct control_sock *);

/* config.c */
struct iked_policy *
	 config_new_policy(struct iked *);
void	 config_free_kex(struct iked_kex *);
void	 config_free_fragments(struct iked_frag *);
void	 config_free_sa(struct iked *, struct iked_sa *);
struct iked_sa *
	 config_new_sa(struct iked *, int);
struct iked_user *
	 config_new_user(struct iked *, struct iked_user *);
uint64_t
	 config_getspi(void);
struct iked_transform *
	 config_findtransform(struct iked_proposals *, uint8_t, unsigned int);
struct iked_transform *
	 config_findtransform_ext(struct iked_proposals *, uint8_t,int, unsigned int);
void	 config_free_policy(struct iked *, struct iked_policy *);
struct iked_proposal *
	 config_add_proposal(struct iked_proposals *, unsigned int,
	    unsigned int);
void	 config_free_proposal(struct iked_proposals *, struct iked_proposal *);
void	 config_free_proposals(struct iked_proposals *, unsigned int);
void	 config_free_flows(struct iked *, struct iked_flows *);
void	 config_free_childsas(struct iked *, struct iked_childsas *,
	    struct iked_spi *, struct iked_spi *);
int	 config_add_transform(struct iked_proposal *,
	    unsigned int, unsigned int, unsigned int, unsigned int);
/* config_set*() send configuration to a child via imsg; the matching
 * config_get*() receive and install it (imsg payloads are
 * length-checked with IMSG_SIZE_CHECK on the receiving side). */
int	 config_setcoupled(struct iked *, unsigned int);
int	 config_getcoupled(struct iked *, unsigned int);
int	 config_setmode(struct iked *, unsigned int);
int	 config_getmode(struct iked *, unsigned int);
int	 config_setreset(struct iked *, unsigned int, enum privsep_procid);
int	 config_getreset(struct iked *, struct imsg *);
int	 config_doreset(struct iked *, unsigned int);
int	 config_setpolicy(struct iked *, struct iked_policy *,
	    enum privsep_procid);
int	 config_getpolicy(struct iked *, struct imsg *);
int	 config_setflow(struct iked *, struct iked_policy *,
	    enum privsep_procid);
int	 config_getflow(struct iked *, struct imsg *);
int	 config_setsocket(struct iked *, struct sockaddr_storage *, in_port_t,
	    enum privsep_procid);
int	 config_getsocket(struct iked *env, struct imsg *,
	    void (*cb)(int, short, void *));
void	 config_enablesocket(struct iked *env);
int	 config_setpfkey(struct iked *);
int	 config_getpfkey(struct iked *, struct imsg *);
int	 config_setuser(struct iked *, struct iked_user *, enum privsep_procid);
int	 config_getuser(struct iked *, struct imsg *);
int	 config_setcompile(struct iked *, enum privsep_procid);
int	 config_getcompile(struct iked *);
int	 config_setocsp(struct iked *);
int	 config_getocsp(struct iked *, struct imsg *);
int	 config_setkeys(struct iked *);
int	 config_getkey(struct iked *, struct imsg *);
int	 config_setstatic(struct iked *);
int	 config_getstatic(struct iked *, struct imsg *);

/* policy.c */
void	 policy_init(struct iked *);
int	 policy_lookup(struct iked *, struct iked_message *,
	    struct iked_proposals *, struct iked_flows *, int);
int	 policy_lookup_sa(struct iked *, struct iked_sa *);
struct iked_policy *
	 policy_test(struct iked *, struct iked_policy *);
int	 policy_generate_ts(struct iked_policy *);
void	 policy_calc_skip_steps(struct iked_policies *);
void	 policy_ref(struct iked *, struct iked_policy *);
void	 policy_unref(struct iked *, struct iked_policy *);
void	 sa_state(struct iked *, struct iked_sa *, int);
void	 sa_stateflags(struct iked_sa *, unsigned int);
int	 sa_stateok(const struct iked_sa *, int);
struct iked_sa *
	 sa_new(struct iked *, uint64_t, uint64_t, unsigned int,
	    struct iked_policy *);
void	 sa_free(struct iked *, struct iked_sa *);
void	 sa_free_flows(struct iked *, struct iked_saflows *);
int	 sa_configure_iface(struct iked *, struct iked_sa *, int);
int	 sa_address(struct iked_sa *, struct iked_addr *, struct sockaddr *);
void	 childsa_free(struct iked_childsa *);
struct iked_childsa *
	 childsa_lookup(struct iked_sa *, uint64_t, uint8_t);
void	 flow_free(struct iked_flow *);
int	 flow_equal(struct iked_flow *, struct iked_flow *);
struct iked_sa *
	 sa_lookup(struct iked *, uint64_t, uint64_t, unsigned int);
struct iked_user *
	 user_lookup(struct iked *, const char *);
struct iked_sa *
	 sa_dstid_lookup(struct iked *, struct iked_sa *);
struct iked_sa *
	 sa_dstid_insert(struct iked *, struct iked_sa *);
void	 sa_dstid_remove(struct iked *, struct iked_sa *);
int	 proposals_negotiate(struct iked_proposals *, struct iked_proposals *,
	    struct iked_proposals *, int, int);
RB_PROTOTYPE(iked_sas, iked_sa, sa_entry, sa_cmp);
RB_PROTOTYPE(iked_dstid_sas, iked_sa, sa_dstid_entry, sa_dstid_cmp);
RB_PROTOTYPE(iked_addrpool, iked_sa, sa_addrpool_entry, sa_addrpool_cmp);
RB_PROTOTYPE(iked_addrpool6, iked_sa, sa_addrpool6_entry, sa_addrpool6_cmp);
RB_PROTOTYPE(iked_users, iked_user, user_entry, user_cmp);
RB_PROTOTYPE(iked_activesas, iked_childsa, csa_node, childsa_cmp);
RB_PROTOTYPE(iked_flows, iked_flow, flow_node, flow_cmp);

/* crypto.c */
struct iked_hash *
	 hash_new(uint8_t, uint16_t);
struct ibuf *
	 hash_setkey(struct iked_hash *, void *, size_t);
void	 hash_free(struct iked_hash *);
void	 hash_init(struct iked_hash *);
void	 hash_update(struct iked_hash *, void *, size_t);
void	 hash_final(struct iked_hash *, void *, size_t *);
size_t	 hash_keylength(struct iked_hash *);
size_t	 hash_length(struct iked_hash *);

struct iked_cipher *
	 cipher_new(uint8_t, uint16_t, uint16_t);
struct ibuf *
	 cipher_setkey(struct iked_cipher *, const void *, size_t);
struct ibuf *
	 cipher_setiv(struct iked_cipher *, const void *, size_t);
/* cipher_settag()/cipher_gettag(): AEAD tag in/out; the decrypt side
 * must check cipher_final()'s return, which is where tag verification
 * fails -- do not use decrypted data before that. */
int	 cipher_settag(struct iked_cipher *, uint8_t *, size_t);
int	 cipher_gettag(struct iked_cipher *, uint8_t *, size_t);
void	 cipher_free(struct iked_cipher *);
int	 cipher_init(struct iked_cipher *, int);
int	 cipher_init_encrypt(struct iked_cipher *);
int	 cipher_init_decrypt(struct iked_cipher *);
void	 cipher_aad(struct iked_cipher *, const void *, size_t, size_t *);
int	 cipher_update(struct iked_cipher *,
	    const void *, size_t, void *, size_t *);
int	 cipher_final(struct iked_cipher *);
size_t	 cipher_length(struct iked_cipher *);
size_t	 cipher_keylength(struct iked_cipher *);
size_t	 cipher_ivlength(struct iked_cipher *);
size_t	 cipher_outlength(struct iked_cipher *, size_t);

struct iked_dsa *
	 dsa_new(uint8_t, struct iked_hash *, int);
struct iked_dsa *
	 dsa_sign_new(uint8_t, struct iked_hash *);
struct iked_dsa *
	 dsa_verify_new(uint8_t, struct iked_hash *);
struct ibuf *
	 dsa_setkey(struct iked_dsa *, void *, size_t, uint8_t);
void	 dsa_free(struct iked_dsa *);
int	 dsa_init(struct iked_dsa *, const void *, size_t);
size_t	 dsa_prefix(struct iked_dsa *);
size_t	 dsa_length(struct iked_dsa *);
int	 dsa_update(struct iked_dsa *, const void *, size_t);
ssize_t	 dsa_sign_final(struct iked_dsa *, void *, size_t);
/* Returns a negative value on verification failure; callers must treat
 * anything but success as an authentication failure. */
ssize_t	 dsa_verify_final(struct iked_dsa *, void *, size_t);

/* vroute.c */
void	 vroute_init(struct iked *);
int	 vroute_setaddr(struct iked *, int, struct sockaddr *, int, unsigned int);
void	 vroute_cleanup(struct iked *);
int	 vroute_getaddr(struct iked *, struct imsg *);
int	 vroute_setdns(struct iked *, int, struct sockaddr *, unsigned int);
int	 vroute_getdns(struct iked *, struct imsg *);
int	 vroute_setaddroute(struct iked *, uint8_t, struct sockaddr *,
	    uint8_t, struct sockaddr *);
int	 vroute_setcloneroute(struct iked *, uint8_t, struct sockaddr *,
	    uint8_t, struct sockaddr *);
int	 vroute_setdelroute(struct iked *, uint8_t, struct sockaddr *,
	    uint8_t, struct sockaddr *);
int	 vroute_getroute(struct iked *, struct imsg *);
int	 vroute_getcloneroute(struct iked *, struct imsg *);

/* ikev2.c */
void	 ikev2(struct privsep *, struct privsep_proc *);
/* Entry point for every received datagram: the message is untrusted. */
void	 ikev2_recv(struct iked *, struct iked_message *);
void	 ikev2_init_ike_sa(struct iked *, void *);
int
ikev2_policy2id(struct iked_static_id *, struct iked_id *, int); 1059 int ikev2_childsa_enable(struct iked *, struct iked_sa *); 1060 int ikev2_childsa_delete(struct iked *, struct iked_sa *, 1061 uint8_t, uint64_t, uint64_t *, int); 1062 void ikev2_ikesa_recv_delete(struct iked *, struct iked_sa *); 1063 void ikev2_ike_sa_timeout(struct iked *env, void *); 1064 void ikev2_ike_sa_setreason(struct iked_sa *, char *); 1065 void ikev2_reset_alive_timer(struct iked *); 1066 int ikev2_ike_sa_delete(struct iked *, struct iked_sa *); 1067 1068 struct ibuf * 1069 ikev2_prfplus(struct iked_hash *, struct ibuf *, struct ibuf *, 1070 size_t); 1071 ssize_t ikev2_psk(struct iked_sa *, uint8_t *, size_t, uint8_t **); 1072 ssize_t ikev2_nat_detection(struct iked *, struct iked_message *, 1073 void *, size_t, unsigned int, int); 1074 void ikev2_enable_natt(struct iked *, struct iked_sa *, 1075 struct iked_message *, int); 1076 int ikev2_send_informational(struct iked *, struct iked_message *); 1077 int ikev2_send_ike_e(struct iked *, struct iked_sa *, struct ibuf *, 1078 uint8_t, uint8_t, int); 1079 struct ike_header * 1080 ikev2_add_header(struct ibuf *, struct iked_sa *, 1081 uint32_t, uint8_t, uint8_t, uint8_t); 1082 int ikev2_set_header(struct ike_header *, size_t); 1083 struct ikev2_payload * 1084 ikev2_add_payload(struct ibuf *); 1085 int ikev2_next_payload(struct ikev2_payload *, size_t, 1086 uint8_t); 1087 int ikev2_child_sa_acquire(struct iked *, struct iked_flow *); 1088 int ikev2_child_sa_drop(struct iked *, struct iked_spi *); 1089 int ikev2_child_sa_rekey(struct iked *, struct iked_spi *); 1090 void ikev2_disable_rekeying(struct iked *, struct iked_sa *); 1091 int ikev2_print_id(struct iked_id *, char *, size_t); 1092 int ikev2_print_static_id(struct iked_static_id *, char *, size_t); 1093 1094 const char *ikev2_ikesa_info(uint64_t, const char *msg); 1095 #define SPI_IH(hdr) ikev2_ikesa_info(betoh64((hdr)->ike_ispi), NULL) 1096 #define SPI_SH(sh, f) 
ikev2_ikesa_info((sh)->sh_ispi, (f)) 1097 #define SPI_SA(sa, f) SPI_SH(&(sa)->sa_hdr, (f)) 1098 1099 /* ikev2_msg.c */ 1100 void ikev2_msg_cb(int, short, void *); 1101 struct ibuf * 1102 ikev2_msg_init(struct iked *, struct iked_message *, 1103 struct sockaddr_storage *, socklen_t, 1104 struct sockaddr_storage *, socklen_t, int); 1105 struct iked_message * 1106 ikev2_msg_copy(struct iked *, struct iked_message *); 1107 void ikev2_msg_cleanup(struct iked *, struct iked_message *); 1108 uint32_t 1109 ikev2_msg_id(struct iked *, struct iked_sa *); 1110 struct ibuf 1111 *ikev2_msg_auth(struct iked *, struct iked_sa *, int); 1112 int ikev2_msg_authsign(struct iked *, struct iked_sa *, 1113 struct iked_auth *, struct ibuf *); 1114 int ikev2_msg_authverify(struct iked *, struct iked_sa *, 1115 struct iked_auth *, uint8_t *, size_t, struct ibuf *); 1116 int ikev2_msg_valid_ike_sa(struct iked *, struct ike_header *, 1117 struct iked_message *); 1118 int ikev2_msg_send(struct iked *, struct iked_message *); 1119 int ikev2_msg_send_encrypt(struct iked *, struct iked_sa *, 1120 struct ibuf **, uint8_t, uint8_t, int); 1121 struct ibuf 1122 *ikev2_msg_encrypt(struct iked *, struct iked_sa *, struct ibuf *, 1123 struct ibuf *); 1124 struct ibuf * 1125 ikev2_msg_decrypt(struct iked *, struct iked_sa *, 1126 struct ibuf *, struct ibuf *); 1127 int ikev2_msg_integr(struct iked *, struct iked_sa *, struct ibuf *); 1128 int ikev2_msg_frompeer(struct iked_message *); 1129 struct iked_socket * 1130 ikev2_msg_getsocket(struct iked *, int, int); 1131 int ikev2_msg_enqueue(struct iked *, struct iked_msgqueue *, 1132 struct iked_message *, int); 1133 int ikev2_msg_retransmit_response(struct iked *, struct iked_sa *, 1134 struct iked_message *, struct ike_header *); 1135 void ikev2_msg_prevail(struct iked *, struct iked_msgqueue *, 1136 struct iked_message *); 1137 void ikev2_msg_dispose(struct iked *, struct iked_msgqueue *, 1138 struct iked_msg_retransmit *); 1139 void 
ikev2_msg_flushqueue(struct iked *, struct iked_msgqueue *); 1140 struct iked_msg_retransmit * 1141 ikev2_msg_lookup(struct iked *, struct iked_msgqueue *, 1142 struct iked_message *, uint8_t); 1143 1144 /* ikev2_pld.c */ 1145 int ikev2_pld_parse(struct iked *, struct ike_header *, 1146 struct iked_message *, size_t); 1147 int ikev2_pld_parse_quick(struct iked *, struct ike_header *, 1148 struct iked_message *, size_t); 1149 1150 /* eap.c */ 1151 int eap_parse(struct iked *, const struct iked_sa *, struct iked_message*, 1152 void *, int); 1153 int eap_success(struct iked *, struct iked_sa *, int); 1154 int eap_identity_request(struct iked *, struct iked_sa *); 1155 int eap_mschap_challenge(struct iked *, struct iked_sa *, int, int, 1156 uint8_t *, size_t); 1157 int eap_mschap_success(struct iked *, struct iked_sa *, int); 1158 int eap_challenge_request(struct iked *, struct iked_sa *, int); 1159 1160 /* pfkey.c */ 1161 int pfkey_couple(struct iked *, struct iked_sas *, int); 1162 int pfkey_flow_add(struct iked *, struct iked_flow *); 1163 int pfkey_flow_delete(struct iked *, struct iked_flow *); 1164 int pfkey_sa_init(struct iked *, struct iked_childsa *, uint32_t *); 1165 int pfkey_sa_add(struct iked *, struct iked_childsa *, struct iked_childsa *); 1166 int pfkey_sa_update_addresses(struct iked *, struct iked_childsa *); 1167 int pfkey_sa_delete(struct iked *, struct iked_childsa *); 1168 int pfkey_sa_last_used(struct iked *, struct iked_childsa *, uint64_t *); 1169 int pfkey_flush(struct iked *); 1170 int pfkey_socket(struct iked *); 1171 void pfkey_init(struct iked *, int fd); 1172 1173 /* ca.c */ 1174 void caproc(struct privsep *, struct privsep_proc *); 1175 int ca_setreq(struct iked *, struct iked_sa *, struct iked_static_id *, 1176 uint8_t, uint8_t, uint8_t *, size_t, enum privsep_procid); 1177 int ca_setcert(struct iked *, struct iked_sahdr *, struct iked_id *, 1178 uint8_t, uint8_t *, size_t, enum privsep_procid); 1179 int ca_setauth(struct iked *, struct 
iked_sa *, 1180 struct ibuf *, enum privsep_procid); 1181 void ca_getkey(struct privsep *, struct iked_id *, enum imsg_type); 1182 int ca_certbundle_add(struct ibuf *, struct iked_id *); 1183 int ca_privkey_serialize(EVP_PKEY *, struct iked_id *); 1184 int ca_pubkey_serialize(EVP_PKEY *, struct iked_id *); 1185 void ca_sslerror(const char *); 1186 char *ca_asn1_name(uint8_t *, size_t); 1187 void *ca_x509_name_parse(char *); 1188 void ca_cert_info(const char *, X509 *); 1189 1190 /* timer.c */ 1191 void timer_set(struct iked *, struct iked_timer *, 1192 void (*)(struct iked *, void *), void *); 1193 void timer_add(struct iked *, struct iked_timer *, int); 1194 void timer_del(struct iked *, struct iked_timer *); 1195 1196 /* proc.c */ 1197 void proc_init(struct privsep *, struct privsep_proc *, unsigned int, int, 1198 int, char **, enum privsep_procid); 1199 void proc_kill(struct privsep *); 1200 void proc_connect(struct privsep *, void (*)(struct privsep *)); 1201 void proc_dispatch(int, short event, void *); 1202 void proc_run(struct privsep *, struct privsep_proc *, 1203 struct privsep_proc *, unsigned int, 1204 void (*)(struct privsep *, struct privsep_proc *, void *), void *); 1205 void imsg_event_add(struct imsgev *); 1206 int imsg_compose_event(struct imsgev *, uint16_t, uint32_t, 1207 pid_t, int, void *, uint16_t); 1208 int imsg_composev_event(struct imsgev *, uint16_t, uint32_t, 1209 pid_t, int, const struct iovec *, int); 1210 int proc_compose_imsg(struct privsep *, enum privsep_procid, int, 1211 uint16_t, uint32_t, int, void *, uint16_t); 1212 int proc_compose(struct privsep *, enum privsep_procid, 1213 uint16_t, void *, uint16_t); 1214 int proc_composev_imsg(struct privsep *, enum privsep_procid, int, 1215 uint16_t, uint32_t, int, const struct iovec *, int); 1216 int proc_composev(struct privsep *, enum privsep_procid, 1217 uint16_t, const struct iovec *, int); 1218 int proc_forward_imsg(struct privsep *, struct imsg *, 1219 enum privsep_procid, int); 
struct imsgbuf *
	 proc_ibuf(struct privsep *, enum privsep_procid, int);
struct imsgev *
	 proc_iev(struct privsep *, enum privsep_procid, int);
enum privsep_procid
	 proc_getid(struct privsep_proc *, unsigned int, const char *);
int	 proc_flush_imsg(struct privsep *, enum privsep_procid, int);

/* util.c */
int	 socket_af(struct sockaddr *, in_port_t);
in_port_t
	 socket_getport(struct sockaddr *);
int	 socket_setport(struct sockaddr *, in_port_t);
int	 socket_getaddr(int, struct sockaddr_storage *);
int	 socket_bypass(int, struct sockaddr *);
int	 udp_bind(struct sockaddr *, in_port_t);
/* sendto/recvfrom variants that also carry the local (from/to) address. */
ssize_t	 sendtofrom(int, void *, size_t, int, struct sockaddr *,
	    socklen_t, struct sockaddr *, socklen_t);
ssize_t	 recvfromto(int, void *, size_t, int, struct sockaddr *,
	    socklen_t *, struct sockaddr *, socklen_t *);
const char *
	 print_spi(uint64_t, int);
const char *
	 print_map(unsigned int, struct iked_constmap *);
void	 lc_idtype(char *);
void	 print_hex(const uint8_t *, off_t, size_t);
void	 print_hexval(const uint8_t *, off_t, size_t);
void	 print_hexbuf(struct ibuf *);
const char *
	 print_bits(unsigned short, unsigned char *);
int	 sockaddr_cmp(struct sockaddr *, struct sockaddr *, int);
uint8_t	 mask2prefixlen(struct sockaddr *);
uint8_t	 mask2prefixlen6(struct sockaddr *);
struct in6_addr *
	 prefixlen2mask6(uint8_t, uint32_t *);
uint32_t
	 prefixlen2mask(uint8_t);
const char *
	 print_addr(void *);
/* get_string()/string2unicode() return char/uint8_t pointers; whether they
 * allocate (and who frees) is not visible here -- check util.c. */
char	*get_string(uint8_t *, size_t);
const char *
	 print_proto(uint8_t);
/* expand_string(): the size_t is presumably the destination buffer size -- confirm in util.c. */
int	 expand_string(char *, size_t, const char *, const char *);
uint8_t *string2unicode(const char *, size_t *);
/* format(printf, ...) lets the compiler type-check the varargs against the format string. */
void	 print_debug(const char *, ...)
	    __attribute__((format(printf, 1, 2)));
void	 print_verbose(const char *, ...)
	    __attribute__((format(printf, 1, 2)));

/* imsg_util.c */
struct ibuf *
	 ibuf_new(const void *, size_t);
struct ibuf *
	 ibuf_static(void);
size_t	 ibuf_length(struct ibuf *);
int	 ibuf_setsize(struct ibuf *, size_t);
struct ibuf *
	 ibuf_getdata(struct ibuf *, size_t);
struct ibuf *
	 ibuf_dup(struct ibuf *);
struct ibuf *
	 ibuf_random(size_t);

/* log.c */
/*
 * Logging.  All format-string functions carry a __format__ attribute so
 * -Wformat catches mismatched arguments; logit()/vlog() take the priority
 * first, hence the (printf, 2, 3) / (printf, 2, 0) indices.
 */
void	 log_init(int, int);
void	 log_procinit(const char *);
void	 log_setverbose(int);
int	 log_getverbose(void);
void	 log_warn(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
void	 log_warnx(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
void	 log_info(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
void	 log_debug(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
void	 logit(int, const char *, ...)
	    __attribute__((__format__ (printf, 2, 3)));
/* NOTE(review): va_list needs <stdarg.h>, which this header does not include
 * itself -- confirm it arrives through one of the included headers. */
void	 vlog(int, const char *, va_list)
	    __attribute__((__format__ (printf, 2, 0)));
/* __dead: these never return (OpenBSD <sys/cdefs.h>). */
__dead void fatal(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
__dead void fatalx(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));

/* ocsp.c */
int	 ocsp_connect(struct iked *, struct imsg *);
int	 ocsp_receive_fd(struct iked *, struct imsg *);
/* ocsp_validate_cert(): note struct iked_sahdr is passed by value. */
int	 ocsp_validate_cert(struct iked *, void *, size_t, struct iked_sahdr,
	    uint8_t, X509 *);

/* parse.y */
int	 parse_config(const char *, struct iked *);
int	 cmdline_symset(char *);
/* Transform tables defined in parse.y; encxfs is a pointer selected at
 * runtime, the others are fixed arrays. */
extern const struct ipsec_xf authxfs[];
extern const struct ipsec_xf prfxfs[];
extern const struct ipsec_xf *encxfs;
extern const struct ipsec_xf ikeencxfs[];
extern const struct ipsec_xf ipsecencxfs[];
extern const struct ipsec_xf groupxfs[];
extern const struct ipsec_xf esnxfs[];
extern const struct ipsec_xf methodxfs[];
extern const struct ipsec_xf saxfs[];
extern const struct ipsec_xf cpxfs[];
size_t	 keylength_xf(unsigned int, unsigned int, unsigned int);
size_t	 noncelength_xf(unsigned int, unsigned int);
int	 encxf_noauth(unsigned int);

/* print.c */
void	 print_user(struct iked_user *);
void	 print_policy(struct iked_policy *);
const char *print_xf(unsigned int, unsigned int, const struct ipsec_xf *);

#endif /* IKED_H */