/* $OpenBSD: iked.h,v 1.233 2024/11/04 02:44:28 dlg Exp $ */

/*
 * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <sys/types.h>
#include <sys/tree.h>
#include <sys/queue.h>
#include <netinet/in.h>
#include <arpa/inet.h>
#include <limits.h>
#include <imsg.h>

#include <openssl/evp.h>

#include "types.h"
#include "dh.h"

/*
 * Helper macros.  Every argument is evaluated more than once, so never
 * pass an expression with side effects; roundup() divides by (y), which
 * must therefore be non-zero.  They sit before the IKED_H guard and are
 * re-defined (identically, which C permits) on repeated inclusion.
 */
#define MAXIMUM(a,b)	(((a)>(b))?(a):(b))
#define MINIMUM(a,b)	(((a)<(b))?(a):(b))
#define roundup(x, y)	((((x)+((y)-1))/(y))*(y))

#ifndef IKED_H
#define IKED_H

/*
 * Common IKEv1/IKEv2 header
 *
 * Fixed 28-byte layout of the IKE header as it appears on the wire
 * (RFC 7296, section 3.1); __packed keeps the compiler from inserting
 * padding.  NOTE(review): the multi-byte fields are in network byte
 * order when taken from a packet -- confirm the parser converts them
 * before comparing or using them as lengths.
 */

struct ike_header {
	uint64_t	 ike_ispi;		/* Initiator cookie */
	uint64_t	 ike_rspi;		/* Responder cookie */
	uint8_t		 ike_nextpayload;	/* Next payload type */
	uint8_t		 ike_version;		/* Major/Minor version number */
	uint8_t		 ike_exchange;		/* Exchange type */
	uint8_t		 ike_flags;		/* Message options */
	uint32_t	 ike_msgid;		/* Message identifier */
	uint32_t	 ike_length;		/* Total message length */
} __packed;

/*
 * Common daemon infrastructure, local imsg etc.
 */

/*
 * One imsg channel to a sibling process together with its libevent
 * state.  handler has the (fd, events, arg) libevent callback shape;
 * what is passed as arg is decided by the code that registers it.
 */
struct imsgev {
	struct imsgbuf		 ibuf;
	void			(*handler)(int, short, void *);
	struct event		 ev;
	struct privsep_proc	*proc;
	void			*data;
	short			 events;
	const char		*name;
};

/*
 * Abort the process if the imsg payload is shorter than *p.  This is a
 * lower bound only: a payload longer than sizeof(*p) passes, so callers
 * that copy a fixed-size struct out of the payload rely on exactly that
 * minimum.  IMSG_DATA_SIZE subtracts the imsg header from hdr.len and
 * is unsigned arithmetic -- it assumes hdr.len >= IMSG_HEADER_SIZE,
 * which the imsg layer presumably enforces on receive (verify).
 */
#define IMSG_SIZE_CHECK(imsg, p) do {				\
	if (IMSG_DATA_SIZE(imsg) < sizeof(*p))			\
		fatalx("bad length imsg received");		\
} while (0)
#define IMSG_DATA_SIZE(imsg)	((imsg)->hdr.len - IMSG_HEADER_SIZE)

/*
 * Two iked_addr values are equal when their prefix lengths match and
 * sockaddr_cmp() reports no difference over the first addr_mask bits
 * of (_a).  IKED_ADDR_NEQ is the exact logical negation of IKED_ADDR_EQ.
 */
#define IKED_ADDR_EQ(_a, _b)						\
	((_a)->addr_mask == (_b)->addr_mask &&				\
	sockaddr_cmp((struct sockaddr *)&(_a)->addr,			\
	(struct sockaddr *)&(_b)->addr, (_a)->addr_mask) == 0)

#define IKED_ADDR_NEQ(_a, _b)						\
	((_a)->addr_mask != (_b)->addr_mask ||				\
	sockaddr_cmp((struct sockaddr *)&(_a)->addr,			\
	(struct sockaddr *)&(_b)->addr, (_a)->addr_mask) != 0)

/* initially control.h */
/* Listening control socket (ikectl side); cs_env is the daemon context. */
struct control_sock {
	const char	*cs_name;
	struct event	 cs_ev;
	struct event	 cs_evt;
	int		 cs_fd;
	int		 cs_restricted;	/* restricted-client socket; semantics in control.c */
	void		*cs_env;
};

/* One accepted control-socket client. */
struct ctl_conn {
	TAILQ_ENTRY(ctl_conn)	 entry;
	uint8_t			 flags;
#define CTL_CONN_NOTIFY		 0x01	/* client asked to receive notifications */
	struct imsgev		 iev;
	uint32_t		 peerid;
};
TAILQ_HEAD(ctl_connlist, ctl_conn);

/* Identity of the process this code is currently running in. */
extern enum privsep_procid privsep_process;

/*
 * Runtime structures
 */

/* libevent timer wrapper: tmr_cb(tmr_env, tmr_cbarg) runs on expiry. */
struct iked_timer {
	struct event	 tmr_ev;
	struct iked	*tmr_env;
	void		(*tmr_cb)(struct iked *, void *);
	void		*tmr_cbarg;
};

/* SPI with its byte length and the protocol (IKE/ESP/AH) it belongs to. */
struct iked_spi {
	uint64_t	 spi;
	uint8_t		 spi_size;
	uint8_t		 spi_protoid;
};

/* One SA proposal: protocol, local/peer SPI and its transform list. */
struct iked_proposal {
	uint8_t			 prop_id;
	uint8_t			 prop_protoid;

	struct iked_spi		 prop_localspi;
	struct iked_spi		 prop_peerspi;

	struct iked_transform	*prop_xforms;
	unsigned int		 prop_nxforms;

	TAILQ_ENTRY(iked_proposal) prop_entry;
};
TAILQ_HEAD(iked_proposals, iked_proposal);

/*
 * Address or prefix: addr_mask is the prefix length used by IKED_ADDR_EQ,
 * addr_net flags a network (vs. host) entry, addr_port an optional port.
 */
struct iked_addr {
	int			 addr_af;
	struct sockaddr_storage	 addr;
	uint8_t			 addr_mask;
	int			 addr_net;
	in_port_t		 addr_port;
};

/* Traffic selector: an address/prefix plus IP protocol. */
struct iked_ts {
	struct iked_addr	 ts_addr;
	uint8_t			 ts_ipproto;
	TAILQ_ENTRY(iked_ts)	 ts_entry;
};
TAILQ_HEAD(iked_tss, iked_ts);

/* IPsec flow (kernel SPD entry) negotiated for an IKE SA. */
struct iked_flow {
	struct iked_addr		 flow_src;
	struct iked_addr		 flow_dst;
	unsigned int			 flow_dir;	/* in/out */
	int				 flow_rdomain;
	struct iked_addr		 flow_prenat;
	int				 flow_fixed;

	unsigned int			 flow_loaded;	/* pfkey done */

	uint8_t				 flow_saproto;
	uint8_t				 flow_ipproto;

	struct iked_addr		*flow_local;	/* outer source */
	struct iked_addr		*flow_peer;	/* outer dest */
	struct iked_sa			*flow_ikesa;	/* parent SA */

	RB_ENTRY(iked_flow)		 flow_node;
	TAILQ_ENTRY(iked_flow)		 flow_entry;
};
RB_HEAD(iked_flows, iked_flow);
TAILQ_HEAD(iked_saflows, iked_flow);

/*
 * IPsec Child SA (ESP/AH/IPCOMP).  csa_encrkey/csa_integrkey hold the
 * derived keys that are pushed to the kernel; NOTE(review): they are
 * secret material, confirm childsa_free() wipes them before release.
 */
struct iked_childsa {
	uint8_t				 csa_saproto;	/* IPsec protocol */
	unsigned int			 csa_dir;	/* in/out */

	uint64_t			 csa_peerspi;	/* peer relation */
	uint8_t				 csa_loaded;	/* pfkey done */
	uint8_t				 csa_rekey;	/* will be deleted */
	uint8_t				 csa_allocated;	/* from the kernel */
	uint8_t				 csa_persistent;/* do not rekey */
	uint8_t				 csa_esn;	/* use ESN */
	uint8_t				 csa_transport;	/* transport mode */

	struct iked_spi			 csa_spi;

	struct ibuf			*csa_encrkey;	/* encryption key */
	uint16_t			 csa_encrid;	/* encryption xform id */

	struct ibuf			*csa_integrkey;	/* auth key */
	uint16_t			 csa_integrid;	/* auth xform id */

	struct iked_addr		*csa_local;	/* outer source */
	struct iked_addr		*csa_peer;	/* outer dest */
	struct iked_sa			*csa_ikesa;	/* parent SA */

	struct iked_childsa		*csa_peersa;	/* peer */

	struct iked_childsa		*csa_bundled;	/* IPCOMP */

	uint16_t			 csa_pfsgrpid;	/* pfs group id */

	RB_ENTRY(iked_childsa)		 csa_node;
	TAILQ_ENTRY(iked_childsa)	 csa_entry;
};
RB_HEAD(iked_activesas, iked_childsa);
TAILQ_HEAD(iked_childsas, iked_childsa);


/* Identity as configured in a policy (fixed buffer, IKED_ID_SIZE bytes). */
struct iked_static_id {
	uint8_t		id_type;
	uint8_t		id_length;
	uint8_t		id_offset;
	uint8_t		id_data[IKED_ID_SIZE];
};

/*
 * Authentication method and its configured secret.  auth_data holds
 * auth_length bytes of shared-secret material (IKED_PSK_SIZE capacity);
 * NOTE(review): secret -- confirm it is cleared when the owning policy
 * is freed and never logged.
 */
struct iked_auth {
	uint8_t		auth_method;
	uint8_t		auth_length;		/* zero if EAP */
	uint16_t	auth_eap;		/* optional EAP */
	uint8_t		auth_data[IKED_PSK_SIZE];
};

/* Configuration payload attribute (currently only an address form). */
struct iked_cfg {
	uint8_t				 cfg_action;
	uint16_t			 cfg_type;
	union {
		struct iked_addr	 address;
	} cfg;
};

TAILQ_HEAD(iked_sapeers, iked_sa);

/* Child SA lifetime limits, in bytes and seconds. */
struct iked_lifetime {
	uint64_t			 lt_bytes;
	uint64_t			 lt_seconds;
};

/*
 * One configured policy.  pol_skip[] is the skip-step table indexed by
 * IKED_SKIP_* and filled in by policy_calc_skip_steps() (declared below).
 */
struct iked_policy {
	unsigned int			 pol_id;
	char				 pol_name[IKED_ID_SIZE];
	unsigned int			 pol_iface;

#define IKED_SKIP_FLAGS			 0
#define IKED_SKIP_AF			 1
#define IKED_SKIP_SRC_ADDR		 2
#define IKED_SKIP_DST_ADDR		 3
#define IKED_SKIP_COUNT			 4
	struct iked_policy		*pol_skip[IKED_SKIP_COUNT];

	unsigned int			 pol_flags;
#define IKED_POLICY_PASSIVE		 0x000
#define IKED_POLICY_DEFAULT		 0x001
#define IKED_POLICY_ACTIVE		 0x002
#define IKED_POLICY_REFCNT		 0x004
#define IKED_POLICY_QUICK		 0x008
#define IKED_POLICY_SKIP		 0x010
#define IKED_POLICY_IPCOMP		 0x020
#define IKED_POLICY_TRANSPORT		 0x040
#define IKED_POLICY_ROUTING		 0x080
#define IKED_POLICY_NATT_FORCE		 0x100

	int				 pol_refcnt;

	uint8_t				 pol_certreqtype;

	int				 pol_af;
	int				 pol_rdomain;
	uint8_t				 pol_saproto;
	unsigned int			 pol_ipproto[IKED_IPPROTO_MAX];
	unsigned int			 pol_nipproto;

	struct iked_addr		 pol_peer;
	struct iked_static_id		 pol_peerid;
	uint32_t			 pol_peerdh;

	struct iked_addr		 pol_local;
	struct iked_static_id		 pol_localid;

	struct iked_auth		 pol_auth;

	char				 pol_tag[IKED_TAG_SIZE];
	unsigned int			 pol_tap;

	struct iked_proposals		 pol_proposals;
	size_t				 pol_nproposals;

	struct iked_flows		 pol_flows;
	size_t				 pol_nflows;
	struct iked_tss			 pol_tssrc;	/* Traffic Selectors Initiator*/
	size_t				 pol_tssrc_count;
	struct iked_tss			 pol_tsdst;	/* Traffic Selectors Responder*/
	size_t				 pol_tsdst_count;

	struct iked_cfg			 pol_cfg[IKED_CFG_MAX];
	unsigned int			 pol_ncfg;

	uint32_t			 pol_rekey;	/* ike SA lifetime */
	struct iked_lifetime		 pol_lifetime;	/* child SA lifetime */

	struct iked_sapeers		 pol_sapeers;

	TAILQ_ENTRY(iked_policy)	 pol_entry;
};
TAILQ_HEAD(iked_policies, iked_policy);

/* PRF / integrity algorithm instance; hash_key is secret material. */
struct iked_hash {
	uint8_t		 hash_type;	/* PRF or INTEGR */
	uint16_t	 hash_id;	/* IKE PRF/INTEGR hash id */
	const void	*hash_priv;	/* Identifying the hash alg */
	void		*hash_ctx;	/* Context of the current invocation */
	int		 hash_fixedkey;	/* Requires fixed key length */
	struct ibuf	*hash_key;	/* MAC key derived from key seed */
	size_t		 hash_length;	/* Output length */
	size_t		 hash_trunc;	/* Truncate the output length */
	struct iked_hash *hash_prf;	/* PRF pointer */
	int		 hash_isaead;
};

/*
 * Encryption algorithm instance.  NOTE(review): the "MAC key" wording
 * on encr_key mirrors iked_hash; this is presumably the cipher key.
 * encr_civ is the per-message counter for GCM-style IVs -- reuse of a
 * counter with the same key would be fatal for an AEAD, so callers must
 * only ever advance it.
 */
struct iked_cipher {
	uint8_t		 encr_type;	/* ENCR */
	uint16_t	 encr_id;	/* IKE ENCR hash id */
	const void	*encr_priv;	/* Identifying the hash alg */
	void		*encr_ctx;	/* Context of the current invocation */
	int		 encr_fixedkey;	/* Requires fixed key length */
	struct ibuf	*encr_key;	/* MAC key derived from key seed */
	struct ibuf	*encr_iv;	/* Initialization Vector */
	uint64_t	 encr_civ;	/* Counter IV for GCM */
	size_t		 encr_ivlength;	/* IV length */
	size_t		 encr_length;	/* Block length */
	size_t		 encr_saltlength; /* IV salt length */
	uint16_t	 encr_authid;	/* ID of associated authentication */
};

/* Signature / HMAC context used for the AUTH payload. */
struct iked_dsa {
	uint8_t		 dsa_method;	/* AUTH method */
	const void	*dsa_priv;	/* PRF or signature hash function */
	void		*dsa_ctx;	/* PRF or signature hash ctx */
	struct ibuf	*dsa_keydata;	/* public, private or shared key */
	void		*dsa_key;	/* parsed public or private key */
	int		 dsa_hmac;	/* HMAC or public/private key */
	int		 dsa_sign;	/* Sign or verify operation */
	uint32_t	 dsa_flags;	/* State flags */
};

/* Identity payload as received/sent: type, offset into id_buf, data. */
struct iked_id {
	uint8_t		 id_type;
	uint8_t		 id_offset;
	struct ibuf	*id_buf;
};

/* Per-SA progress bits (sa_stateflags / sa_statevalid style bitmasks). */
#define IKED_REQ_CERT		 0x0001	/* get local certificate (if required) */
#define IKED_REQ_CERTVALID	 0x0002	/* validated the peer cert */
#define IKED_REQ_CERTREQ	 0x0004	/* CERTREQ has been received */
#define IKED_REQ_AUTH		 0x0008	/* AUTH payload */
#define IKED_REQ_AUTHVALID	 0x0010	/* AUTH payload has been verified */
#define IKED_REQ_SA		 0x0020	/* SA available */
#define IKED_REQ_EAPVALID	 0x0040	/* EAP payload has been verified */
#define IKED_REQ_CHILDSA	 0x0080	/* Child SA initiated */
#define IKED_REQ_INF		 0x0100	/* Informational exchange initiated */

/*
 * printb(9)-style bit-name string for the IKED_REQ_* bits: the leading
 * \20 selects base 16, then each bit number is followed by its name.
 * Presumably used only for log output.
 */
#define IKED_REQ_BITS	\
	"\20\01CERT\02CERTVALID\03CERTREQ\04AUTH\05AUTHVALID\06SA\07EAPVALID" \
	"\10CHILDSA\11INF"

TAILQ_HEAD(iked_msgqueue, iked_msg_retransmit);
TAILQ_HEAD(iked_msg_fragqueue, iked_message);

/* IKE SA identity (SPI pair plus role); packed so it can be used as a key. */
struct iked_sahdr {
	uint64_t			 sh_ispi;	/* Initiator SPI */
	uint64_t			 sh_rspi;	/* Responder SPI */
	unsigned int			 sh_initiator;	/* Is initiator? */
} __packed;

/* Key-exchange inputs of one IKE_SA_INIT / rekey: nonces and DH values. */
struct iked_kex {
	struct ibuf			*kex_inonce;	/* Ni */
	struct ibuf			*kex_rnonce;	/* Nr */

	struct dh_group			*kex_dhgroup;	/* DH group */
	struct ibuf			*kex_dhiexchange;
	struct ibuf			*kex_dhrexchange;
	struct ibuf			*kex_dhpeer;	/* pointer to i or r */
};

/* One received IKEv2 fragment (RFC 7383). */
struct iked_frag_entry {
	uint8_t	*frag_data;
	size_t	 frag_size;
};

/*
 * Fragment reassembly state.  IKED_FRAG_TOTAL_MAX bounds frag_total so
 * a peer cannot make the daemon reserve an unbounded fragment array;
 * frag_count tracks how many of frag_total have actually arrived.
 */
struct iked_frag {
	struct iked_frag_entry	**frag_arr;	/* list of fragment buffers */
	size_t			 frag_count;	/* number of fragments received */
#define IKED_FRAG_TOTAL_MAX	 111		/* upper limit (64kB / 576B) */
	size_t			 frag_total;	/* total number of fragments */
	size_t			 frag_total_size;
	uint8_t			 frag_nextpayload;

};

/* IPCOMP parameters negotiated for one direction pair. */
struct iked_ipcomp {
	uint16_t			 ic_cpi_out;	/* outgoing CPI */
	uint16_t			 ic_cpi_in;	/* incoming CPI */
	uint8_t				 ic_transform;	/* transform */
};

/* Traffic counters reported for an SA. */
struct iked_sastats {
	uint64_t	sas_ipackets;
	uint64_t	sas_opackets;
	uint64_t	sas_ibytes;
	uint64_t	sas_obytes;
	uint64_t	sas_idrops;
	uint64_t	sas_odrops;
};

/*
 * IKE SA.  The sa_key_* buffers are the keying material derived in
 * IKE_SA_INIT (RFC 7296 section 2.14 names SK_d, SK_ai, SK_ar, SK_ei,
 * SK_er, SK_pi, SK_pr); NOTE(review): confirm config_free_sa()/sa_free()
 * wipe them before releasing the buffers.  The timeouts defined inline
 * are in seconds.
 */
struct iked_sa {
	struct iked_sahdr		 sa_hdr;
	uint32_t			 sa_msgid;	/* Last request rcvd */
	int				 sa_msgid_set;	/* msgid initialized */
	uint32_t			 sa_msgid_current;	/* Current requested rcvd */
	uint32_t			 sa_reqid;	/* Next request sent */

	int				 sa_type;
#define IKED_SATYPE_LOOKUP		 0		/* Used for lookup */
#define IKED_SATYPE_LOCAL		 1		/* Local SA */

	struct iked_addr		 sa_peer;
	struct iked_addr		 sa_peer_loaded;/* MOBIKE */
	struct iked_addr		 sa_local;
	int				 sa_fd;

	struct iked_frag		 sa_fragments;

	int				 sa_natt;	/* for IKE messages */
	int				 sa_udpencap;	/* for pfkey */
	int				 sa_usekeepalive;/* NAT-T keepalive */

	int				 sa_state;
	unsigned int			 sa_stateflags;
	unsigned int			 sa_stateinit;	/* SA_INIT */
	unsigned int			 sa_statevalid;	/* IKE_AUTH */

	int				 sa_cp;		/* XXX */
	struct iked_addr		*sa_cp_addr;	/* requested address */
	struct iked_addr		*sa_cp_addr6;	/* requested address */
	struct iked_addr		*sa_cp_dns;	/* requested dns */

	struct iked_policy		*sa_policy;
	struct timeval			 sa_timecreated;
	struct timeval			 sa_timeused;

	char				*sa_tag;
	const char			*sa_reason;	/* reason for close */

	struct iked_kex			 sa_kex;
	/* XXX compat defines until everything is converted */
#define sa_inonce		sa_kex.kex_inonce
#define sa_rnonce		sa_kex.kex_rnonce
#define sa_dhgroup		sa_kex.kex_dhgroup
#define sa_dhiexchange		sa_kex.kex_dhiexchange
#define sa_dhrexchange		sa_kex.kex_dhrexchange
#define sa_dhpeer		sa_kex.kex_dhpeer

	struct iked_hash		*sa_prf;	/* PRF alg */
	struct iked_hash		*sa_integr;	/* integrity alg */
	struct iked_cipher		*sa_encr;	/* encryption alg */

	struct ibuf			*sa_key_d;	/* SK_d */
	struct ibuf			*sa_key_iauth;	/* SK_ai */
	struct ibuf			*sa_key_rauth;	/* SK_ar */
	struct ibuf			*sa_key_iencr;	/* SK_ei */
	struct ibuf			*sa_key_rencr;	/* SK_er */
	struct ibuf			*sa_key_iprf;	/* SK_pi */
	struct ibuf			*sa_key_rprf;	/* SK_pr */

	struct ibuf			*sa_1stmsg;	/* for initiator AUTH */
	struct ibuf			*sa_2ndmsg;	/* for responder AUTH */
	struct iked_id			 sa_localauth;	/* local AUTH message */
	struct iked_id			 sa_peerauth;	/* peer AUTH message */
	int				 sa_sigsha2;	/* use SHA2 for signatures */
#define IKED_SCERT_MAX	3	/* max # of supplemental cert payloads */

	struct iked_id			 sa_iid;	/* initiator id */
	struct iked_id			 sa_rid;	/* responder id */
	struct iked_id			 sa_icert;	/* initiator cert */
	struct iked_id			 sa_rcert;	/* responder cert */
	struct iked_id			 sa_scert[IKED_SCERT_MAX]; /* supplemental certs */
	/* Our own / the peer's identity, selected by the SA's role. */
#define IKESA_SRCID(x) ((x)->sa_hdr.sh_initiator ? &(x)->sa_iid : &(x)->sa_rid)
#define IKESA_DSTID(x) ((x)->sa_hdr.sh_initiator ? &(x)->sa_rid : &(x)->sa_iid)

	char				*sa_eapid;	/* EAP identity */
	struct iked_id			 sa_eap;	/* EAP challenge */
	struct ibuf			*sa_eapmsk;	/* EAP session key (MSK) */
	struct ibuf			*sa_eapclass;	/* EAP/RADIUS class */

	struct iked_proposals		 sa_proposals;	/* SA proposals */
	struct iked_childsas		 sa_childsas;	/* IPsec Child SAs */
	struct iked_saflows		 sa_flows;	/* IPsec flows */
	struct iked_sastats		 sa_stats;

	struct iked_sa			*sa_nexti;	/* initiated IKE SA */
	struct iked_sa			*sa_previ;	/* matching back pointer */
	struct iked_sa			*sa_nextr;	/* simultaneous rekey */
	struct iked_sa			*sa_prevr;	/* matching back pointer */
	uint64_t			 sa_rekeyspi;	/* peerspi CSA rekey */
	struct ibuf			*sa_simult;	/* simultaneous rekey */

	struct iked_ipcomp		 sa_ipcompi;	/* IPcomp initiator */
	struct iked_ipcomp		 sa_ipcompr;	/* IPcomp responder */

	int				 sa_mobike;	/* MOBIKE */
	int				 sa_frag;	/* fragmentation */

	int				 sa_use_transport_mode;	/* peer requested */
	int				 sa_used_transport_mode;	/* we enabled */

	struct iked_timer		 sa_timer;	/* SA timeouts */
#define IKED_IKE_SA_EXCHANGE_TIMEOUT	 300		/* 5 minutes */
#define IKED_IKE_SA_REKEY_TIMEOUT	 120		/* 2 minutes */
#define IKED_IKE_SA_DELETE_TIMEOUT	 120		/* 2 minutes */
#define IKED_IKE_SA_ALIVE_TIMEOUT	 60		/* 1 minute */

	struct iked_timer		 sa_keepalive;	/* keepalive timer */
#define IKED_IKE_SA_KEEPALIVE_TIMEOUT	 20

	struct iked_timer		 sa_rekey;	/* rekey timeout */
	int				 sa_tmpfail;

	struct iked_msgqueue		 sa_requests;	/* request queue */
#define IKED_RETRANSMIT_TIMEOUT		 2		/* 2 seconds */

	struct iked_msgqueue		 sa_responses;	/* response queue */
#define IKED_RESPONSE_TIMEOUT		 120		/* 2 minutes */

	TAILQ_ENTRY(iked_sa)		 sa_peer_entry;
	RB_ENTRY(iked_sa)		 sa_entry;	/* all SAs */

	RB_ENTRY(iked_sa)		 sa_dstid_entry;	/* SAs by DSTID */
	int				 sa_dstid_entry_valid;	/* sa_dstid_entry valid */

	struct iked_addr		*sa_addrpool;	/* address from pool */
	RB_ENTRY(iked_sa)		 sa_addrpool_entry;	/* pool entries */

	struct iked_addr		*sa_addrpool6;	/* address from pool */
	RB_ENTRY(iked_sa)		 sa_addrpool6_entry;	/* pool entries */
	time_t				 sa_last_recvd;
#define IKED_IKE_SA_LAST_RECVD_TIMEOUT	 300		/* 5 minutes */
	struct timespec			 sa_starttime;

	struct iked_radserver_req	*sa_radreq;
	struct iked_addr		*sa_rad_addr;	/* requested address */
	struct iked_addr		*sa_rad_addr6;	/* requested address */
};
RB_HEAD(iked_sas, iked_sa);
RB_HEAD(iked_dstid_sas, iked_sa);
RB_HEAD(iked_addrpool, iked_sa);
RB_HEAD(iked_addrpool6, iked_sa);

/* stats */

/* Daemon-wide counters; all are monotonically increasing except the gauge. */
struct iked_stats {
	uint64_t	ikes_sa_created;
	uint64_t	ikes_sa_established_total;
	uint64_t	ikes_sa_established_current; /* gauge */
	uint64_t	ikes_sa_established_failures;
	uint64_t	ikes_sa_proposals_negotiate_failures;
	uint64_t	ikes_sa_rekeyed;
	uint64_t	ikes_sa_removed;
	uint64_t	ikes_csa_created;
	uint64_t	ikes_csa_removed;
	uint64_t	ikes_msg_sent;
	uint64_t	ikes_msg_send_failures;
	uint64_t	ikes_msg_rcvd;
	uint64_t	ikes_msg_rcvd_busy;
	uint64_t	ikes_msg_rcvd_dropped;
	uint64_t	ikes_retransmit_request;
	uint64_t	ikes_retransmit_response;
	uint64_t	ikes_retransmit_limit;
	uint64_t	ikes_frag_sent;
	uint64_t	ikes_frag_send_failures;
	uint64_t	ikes_frag_rcvd;
	uint64_t	ikes_frag_rcvd_drop;
	uint64_t	ikes_frag_reass_ok;
	uint64_t	ikes_frag_reass_drop;
	uint64_t	ikes_update_addresses_sent;
	uint64_t	ikes_dpd_sent;
	uint64_t	ikes_keepalive_sent;
};

/*
 * Counter helpers.  `env' is used unparenthesized, so pass a plain
 * pointer expression.  ikestat_dec adds -1 to a uint64_t, which relies
 * on well-defined unsigned wrap-around to decrement.
 */
#define ikestat_add(env, c, n)	do { env->sc_stats.c += (n); } while(0)
#define ikestat_inc(env, c)	ikestat_add(env, c, 1)
#define ikestat_dec(env, c)	ikestat_add(env, c, -1)

/* One CERTREQ payload (certificate authority hash list) from the peer. */
struct iked_certreq {
	struct ibuf			*cr_data;
	uint8_t				 cr_type;
	SIMPLEQ_ENTRY(iked_certreq)	 cr_entry;
};
SIMPLEQ_HEAD(iked_certreqs, iked_certreq);

/* EAP state machine positions for the EAP-MSCHAPv2 exchange. */
#define EAP_STATE_IDENTITY		(1)
#define EAP_STATE_MSCHAPV2_CHALLENGE	(2)
#define EAP_STATE_MSCHAPV2_SUCCESS	(3)
#define EAP_STATE_SUCCESS		(4)

/*
 * Parsed EAP payload.  eam_challenge and eam_ntresponse are sized for
 * the 16-byte challenge and 24-byte NT-Response of MS-CHAPv2.
 */
struct eap_msg {
	char		*eam_identity;
	char		*eam_user;
	int		 eam_type;
	uint8_t		 eam_id;
	uint8_t		 eam_msrid;
	int		 eam_success;
	int		 eam_found;
	int		 eam_response;
	uint8_t		 eam_challenge[16];
	uint8_t		 eam_ntresponse[24];
	uint32_t	 eam_state;
};

/*
 * One IKE message, inbound or outbound.  msg_data is the raw datagram,
 * msg_offset the parse position; the "Parsed information" fields are
 * filled from untrusted peer payloads and must only be trusted after
 * the message has been authenticated (msg_valid is presumably that
 * marker -- verify against the parser).  msg_flags is expected to hold
 * IKED_MSG_FLAGS_* bits defined below.
 */
struct iked_message {
	struct ibuf		*msg_data;
	size_t			 msg_offset;

	struct sockaddr_storage	 msg_local;
	socklen_t		 msg_locallen;

	struct sockaddr_storage	 msg_peer;
	socklen_t		 msg_peerlen;

	struct iked_socket	*msg_sock;

	int			 msg_fd;
	int			 msg_response;
	int			 msg_responded;
	int			 msg_valid;
	int			 msg_natt;
	int			 msg_natt_rcvd;
	int			 msg_nat_detected;
	int			 msg_error;
	int			 msg_e;
	struct iked_message	*msg_parent;

	/* Associated policy and SA */
	struct iked_policy	*msg_policy;
	struct iked_sa		*msg_sa;

	uint32_t		 msg_msgid;
	uint8_t			 msg_exchange;

	/* Parsed information */
	struct iked_proposals	 msg_proposals;
	struct iked_certreqs	 msg_certreqs;
	struct iked_spi		 msg_rekey;
	struct ibuf		*msg_nonce;	/* dh NONCE */
	uint16_t		 msg_dhgroup;	/* dh group */
	struct ibuf		*msg_ke;	/* dh key exchange */
	struct iked_id		 msg_auth;	/* AUTH payload */
	struct iked_id		 msg_peerid;
	struct iked_id		 msg_localid;
	struct iked_id		 msg_cert;
	struct iked_id		 msg_scert[IKED_SCERT_MAX]; /* supplemental certs */
	struct ibuf		*msg_cookie;
	uint16_t		 msg_group;
	uint16_t		 msg_cpi;
	uint8_t			 msg_transform;
	uint16_t		 msg_flags;
	struct eap_msg		 msg_eap;
	struct ibuf		*msg_eapmsg;
	size_t			 msg_del_spisize;
	size_t			 msg_del_cnt;
	struct ibuf		*msg_del_buf;
	int			 msg_del_protoid;
	int			 msg_cp;
	struct iked_addr	*msg_cp_addr;	/* requested address */
	struct iked_addr	*msg_cp_addr6;	/* requested address */
	struct iked_addr	*msg_cp_dns;	/* requested dns */
	uint16_t		 msg_frag_num;

	/* MOBIKE */
	int			 msg_update_sa_addresses;
	struct ibuf		*msg_cookie2;

	/* Parse stack */
	struct iked_proposal	*msg_prop;
	uint16_t		 msg_attrlength;

	/* Retransmit queue */
	TAILQ_ENTRY(iked_message)
				 msg_entry;
};

/* A queued outbound message (possibly fragmented) and its retry state. */
struct iked_msg_retransmit {
	struct iked_msg_fragqueue	 mrt_frags;
	TAILQ_ENTRY(iked_msg_retransmit) mrt_entry;
	struct iked_timer		 mrt_timer;
	int				 mrt_tries;
#define IKED_RETRANSMIT_TRIES		 5		/* try 5 times */
};

/* NAT detection results (which side is behind a NAT). */
#define IKED_MSG_NAT_SRC_IP		0x01
#define IKED_MSG_NAT_DST_IP		0x02

/* Notify payloads seen in a message, recorded as bits. */
#define IKED_MSG_FLAGS_FRAGMENTATION		0x0001
#define IKED_MSG_FLAGS_MOBIKE			0x0002
#define IKED_MSG_FLAGS_SIGSHA2			0x0004
#define IKED_MSG_FLAGS_CHILD_SA_NOT_FOUND	0x0008
#define IKED_MSG_FLAGS_NO_ADDITIONAL_SAS	0x0010
#define IKED_MSG_FLAGS_AUTHENTICATION_FAILED	0x0020
#define IKED_MSG_FLAGS_INVALID_KE		0x0040
#define IKED_MSG_FLAGS_IPCOMP_SUPPORTED		0x0080
#define IKED_MSG_FLAGS_USE_TRANSPORT		0x0100
#define IKED_MSG_FLAGS_TEMPORARY_FAILURE	0x0200
#define IKED_MSG_FLAGS_NO_PROPOSAL_CHOSEN	0x0400


/*
 * Configured EAP user.  NOTE(review): usr_pass is credential material
 * (whether stored hashed or in clear is not visible here); it should be
 * wiped on free and kept out of logs and ikectl output.
 */
struct iked_user {
	char			 usr_name[LOGIN_NAME_MAX];
	char			 usr_pass[IKED_PASSWORD_SIZE];
	RB_ENTRY(iked_user)	 usr_entry;
};
RB_HEAD(iked_users, iked_user);

struct iked_radserver_req;

/*
 * RADIUS server.  rs_secret is a flexible array member holding the shared
 * secret, so the allocation must add its length (plus NUL) to
 * sizeof(struct iked_radserver); NOTE(review): secret material, confirm
 * it is zeroed before the struct is freed.
 */
struct iked_radserver {
	int				 rs_sock;
	int				 rs_accounting;
	struct event			 rs_ev;
	struct iked			*rs_env;
	struct sockaddr_storage		 rs_sockaddr;
	TAILQ_ENTRY(iked_radserver)	 rs_entry;
	struct in_addr			 rs_nas_ipv4;
	struct in6_addr			 rs_nas_ipv6;
	unsigned int			 rs_reqseq;
	TAILQ_HEAD(, iked_radserver_req) rs_reqs;
	char				 rs_secret[];
};
TAILQ_HEAD(iked_radservers, iked_radserver);

/* Listening socket for RADIUS Dynamic Authorization (DAE) requests. */
struct iked_raddae {
	int				 rd_sock;
	struct event			 rd_ev;
	struct iked			*rd_env;
	struct sockaddr_storage		 rd_sockaddr;
	TAILQ_ENTRY(iked_raddae)	 rd_entry;
};
TAILQ_HEAD(iked_raddaes, iked_raddae);

/* DAE client allowed to send requests; rc_secret is the same FAM pattern as rs_secret. */
struct iked_radclient {
	struct iked			*rc_env;
	struct sockaddr_storage		 rc_sockaddr;
	TAILQ_ENTRY(iked_radclient)	 rc_entry;
	char				 rc_secret[];
};
TAILQ_HEAD(iked_radclients , iked_radclient);

/* Retry policy for RADIUS requests. */
struct iked_radopts {
	int				 max_tries;
	int				 max_failovers;
};

/* Mapping from a RADIUS (vendor, attribute) to an IKEv2 CFG attribute type. */
struct iked_radcfgmap {
	uint16_t			 cfg_type;
	uint32_t			 vendor_id;
	uint8_t				 attr_type;
	TAILQ_ENTRY(iked_radcfgmap)	 entry;
};
TAILQ_HEAD(iked_radcfgmaps, iked_radcfgmap);

extern const struct iked_radcfgmap radius_cfgmaps[];

/* In-flight RADIUS request tied to an IKE SA. */
struct iked_radserver_req {
	struct iked_radserver		*rr_server;
	struct iked_sa			*rr_sa;
	struct iked_timer		 rr_timer;
	int				 rr_reqid;
	int				 rr_accounting;
	struct timespec			 rr_accttime;
	void				*rr_reqpkt;
	struct ibuf			*rr_state;
	char				*rr_user;
	int				 rr_ntry;
	int				 rr_nfailover;
	struct iked_cfg			 rr_cfg[IKED_CFG_MAX];
	unsigned int			 rr_ncfg;
	TAILQ_ENTRY(iked_radserver_req)	 rr_entry;
};

/* Socketpair table between processes, indexed by privsep_procid. */
struct privsep_pipes {
	int				*pp_pipes[PROC_MAX];
};

/* Privilege-separation state shared by the parent and child processes. */
struct privsep {
	struct privsep_pipes		*ps_pipes[PROC_MAX];
	struct privsep_pipes		*ps_pp;

	struct imsgev			*ps_ievs[PROC_MAX];
	const char			*ps_title[PROC_MAX];
	pid_t				 ps_pid[PROC_MAX];
	struct passwd			*ps_pw;
	int				 ps_noaction;

	struct control_sock		 ps_csock;

	unsigned int			 ps_instances[PROC_MAX];
	unsigned int			 ps_ninstances;
	unsigned int			 ps_instance;

	/* Event and signal handlers */
	struct event			 ps_evsigint;
	struct event			 ps_evsigterm;
	struct event			 ps_evsigchld;
	struct event			 ps_evsighup;
	struct event			 ps_evsigpipe;
	struct event			 ps_evsigusr1;

	struct iked			*ps_env;
	unsigned int			 ps_connecting;
	void				(*ps_connected)(struct privsep *);
};

/*
 * Description of one child process: its imsg dispatch callback p_cb,
 * initializer p_init, and -- presumably applied at startup -- the
 * chroot directory p_chroot and unprivileged user p_pw it runs as.
 */
struct privsep_proc {
	const char		*p_title;
	enum privsep_procid	 p_id;
	int			(*p_cb)(int, struct privsep_proc *,
				    struct imsg *);
	void			(*p_init)(struct privsep *,
				    struct privsep_proc *);
	const char		*p_chroot;
	struct passwd		*p_pw;
	struct privsep		*p_ps;
	void			(*p_shutdown)(void);
};

/* Identifies a (process, instance) pair when passing fds around. */
struct privsep_fd {
	enum privsep_procid	 pf_procid;
	unsigned int		 pf_instance;
};

#define PROC_PARENT_SOCK_FILENO	3	/* fd a child inherits for the parent socket */
#define PROC_MAX_INSTANCES	32

/* Pending OCSP request; ioe_ocsp is opaque to this header. */
struct iked_ocsp_entry {
	TAILQ_ENTRY(iked_ocsp_entry) ioe_entry;	/* next request */
	void			*ioe_ocsp;	/* private ocsp request data */
};
TAILQ_HEAD(iked_ocsp_requests, iked_ocsp_entry);

/*
 * Daemon configuration
 */

enum natt_mode {
	NATT_DEFAULT,	/* send/recv with both :500 and NAT-T port */
	NATT_DISABLE,	/* send/recv with only :500 */
	NATT_FORCE,	/* send/recv with only NAT-T port */
};

/* Global settings distributed to child processes (see config_setstatic()). */
struct iked_static {
	uint64_t		 st_alive_timeout;
	int			 st_cert_partial_chain;
	int			 st_enforcesingleikesa;
	uint8_t			 st_frag;		/* fragmentation */
	uint8_t			 st_mobike;		/* MOBIKE */
	in_port_t		 st_nattport;
	int			 st_stickyaddress;	/* addr per DSTID */
	int			 st_vendorid;
};

/* Top-level daemon context; the sc_* defines alias fields of sc_static. */
struct iked {
	char				 sc_conffile[PATH_MAX];

	uint32_t			 sc_opts;
	enum natt_mode			 sc_nattmode;
	uint8_t				 sc_passive;
	uint8_t				 sc_decoupled;

	struct iked_static		 sc_static;

#define sc_alive_timeout	sc_static.st_alive_timeout
#define sc_cert_partial_chain	sc_static.st_cert_partial_chain
#define sc_enforcesingleikesa	sc_static.st_enforcesingleikesa
#define sc_frag			sc_static.st_frag
#define sc_mobike		sc_static.st_mobike
#define sc_nattport		sc_static.st_nattport
#define sc_stickyaddress	sc_static.st_stickyaddress
#define sc_vendorid		sc_static.st_vendorid

	struct iked_policies		 sc_policies;
	struct iked_policy		*sc_defaultcon;

	struct iked_sas			 sc_sas;
	struct iked_dstid_sas		 sc_dstid_sas;
	struct iked_activesas		 sc_activesas;
	struct iked_flows		 sc_activeflows;
	struct iked_users		 sc_users;
	struct iked_radopts		 sc_radauth;
	struct iked_radopts		 sc_radacct;
	int				 sc_radaccton;
	struct iked_radservers		 sc_radauthservers;
	struct iked_radservers		 sc_radacctservers;
	struct iked_radcfgmaps		 sc_radcfgmaps;
	struct iked_raddaes		 sc_raddaes;
	struct iked_radclients		 sc_raddaeclients;

	struct iked_stats		 sc_stats;

	void				*sc_priv;	/* per-process */

	int				 sc_pfkey;	/* ike process */
	struct event			 sc_pfkeyev;
	struct event			 sc_routeev;
	uint8_t				 sc_certreqtype;
	struct ibuf			*sc_certreq;
	void				*sc_vroute;

	struct iked_socket		*sc_sock4[2];
	struct iked_socket		*sc_sock6[2];

	struct iked_timer		 sc_inittmr;
#define IKED_INITIATOR_INITIAL		 2
#define IKED_INITIATOR_INTERVAL		 60

	struct privsep			 sc_ps;

	struct iked_ocsp_requests	 sc_ocsp;
	char				*sc_ocsp_url;
	long				 sc_ocsp_tolerate;
	long				 sc_ocsp_maxage;

	struct iked_addrpool		 sc_addrpool;
	struct iked_addrpool6		 sc_addrpool6;
};

/* UDP socket on which IKE messages are received. */
struct iked_socket {
	int			 sock_fd;
	struct event		 sock_ev;
	struct iked		*sock_env;
	struct sockaddr_storage	 sock_addr;
};

/* Transform table entry (name -> IKE id and key/nonce parameters). */
struct ipsec_xf {
	const char	*name;
	unsigned int	 id;
	unsigned int	 length;
	unsigned int	 keylength;
	unsigned int	 nonce;
	unsigned int	 noauth;
};

/* Per-category transform lists selected by a policy. */
struct ipsec_transforms {
	const struct ipsec_xf	**authxf;
	unsigned int		  nauthxf;
	const struct ipsec_xf	**prfxf;
	unsigned int		  nprfxf;
	const struct ipsec_xf	**encxf;
	unsigned int		  nencxf;
	const struct ipsec_xf	**groupxf;
	unsigned int		  ngroupxf;
	const struct ipsec_xf	**esnxf;
	unsigned int		  nesnxf;
};

struct ipsec_mode {
	struct ipsec_transforms	**xfs;
	unsigned int		  nxfs;
};

/* iked.c */
void	 parent_reload(struct iked *, int, const char *);

extern struct iked	*iked_env;

/* control.c */
void	 control(struct privsep *, struct privsep_proc *);
int	 control_init(struct privsep *, struct control_sock *);
int	 control_listen(struct control_sock *);

/* config.c */
/*
 * config_set*() run in the parent and push state to a child over imsg;
 * the matching config_get*() run in the child and must treat the imsg
 * payload as untrusted length-wise (see IMSG_SIZE_CHECK).
 */
struct iked_policy *
	 config_new_policy(struct iked *);
void	 config_free_kex(struct iked_kex *);
void	 config_free_fragments(struct iked_frag *);
void	 config_free_sa(struct iked *, struct iked_sa *);
struct iked_sa *
	 config_new_sa(struct iked *, int);
struct iked_user *
	 config_new_user(struct iked *, struct iked_user *);
uint64_t
	 config_getspi(void);
struct iked_transform *
	 config_findtransform(struct iked_proposals *, uint8_t, unsigned int);
struct iked_transform *
	 config_findtransform_ext(struct iked_proposals *, uint8_t,int, unsigned int);
void	 config_free_policy(struct iked *, struct iked_policy *);
struct iked_proposal *
	 config_add_proposal(struct iked_proposals *, unsigned int,
	    unsigned int);
void	 config_free_proposal(struct iked_proposals *, struct iked_proposal *);
void	 config_free_proposals(struct iked_proposals *, unsigned int);
void	 config_free_flows(struct iked *, struct iked_flows *);
void	 config_free_childsas(struct iked *, struct iked_childsas *,
	    struct iked_spi *, struct iked_spi *);
int	 config_add_transform(struct iked_proposal *,
	    unsigned int, unsigned int, unsigned int, unsigned int);
int	 config_setcoupled(struct iked *, unsigned int);
int	 config_getcoupled(struct iked *, unsigned int);
int	 config_setmode(struct iked *, unsigned int);
int	 config_getmode(struct iked *, unsigned int);
int	 config_setreset(struct iked *, unsigned int, enum privsep_procid);
int	 config_getreset(struct iked *, struct imsg *);
int	 config_doreset(struct iked *, unsigned int);
int	 config_setpolicy(struct iked *, struct iked_policy *,
	    enum privsep_procid);
int	 config_getpolicy(struct iked *, struct imsg *);
int	 config_setflow(struct iked *, struct iked_policy *,
	    enum privsep_procid);
int	 config_getflow(struct iked *, struct imsg *);
int	 config_setsocket(struct iked *, struct sockaddr_storage *, in_port_t,
	    enum privsep_procid);
int	 config_getsocket(struct iked *env, struct imsg *,
	    void (*cb)(int, short, void *));
void	 config_enablesocket(struct iked *env);
int	 config_setpfkey(struct iked *);
int	 config_getpfkey(struct iked *, struct imsg *);
int	 config_setuser(struct iked *, struct iked_user *, enum privsep_procid);
int	 config_getuser(struct iked *, struct imsg *);
int	 config_setcompile(struct iked *, enum privsep_procid);
int	 config_getcompile(struct iked *);
int	 config_setocsp(struct iked *);
int	 config_getocsp(struct iked *, struct imsg *);
int	 config_setkeys(struct iked *);
int	 config_getkey(struct iked *, struct imsg *);
int	 config_setstatic(struct iked *);
int	 config_getstatic(struct iked *, struct imsg *);
int	 config_setradauth(struct iked *);
int	 config_getradauth(struct iked *, struct imsg *);
int	 config_setradacct(struct iked *);
int	 config_getradacct(struct iked *, struct imsg *);
int	 config_setradserver(struct iked *, struct sockaddr *, socklen_t,
	    char *, int);
int	 config_getradserver(struct iked *, struct imsg *);
int	 config_setradcfgmap(struct iked *, int, uint32_t, uint8_t);
int	 config_getradcfgmap(struct iked *, struct imsg *);
int	 config_setraddae(struct iked *, struct sockaddr *, socklen_t);
int	 config_getraddae(struct iked *, struct imsg *);
int	 config_setradclient(struct iked *, struct sockaddr *, socklen_t,
	    char *);
int	 config_getradclient(struct iked *, struct imsg *);

/* policy.c */
void	 policy_init(struct iked *);
int	 policy_lookup(struct iked *, struct iked_message *,
	    struct iked_proposals *, struct iked_flows *, int);
int	 policy_lookup_sa(struct iked *, struct iked_sa *);
struct iked_policy *
	 policy_test(struct iked *, struct iked_policy *);
int	 policy_generate_ts(struct iked_policy *);
void	 policy_calc_skip_steps(struct iked_policies *);
void	 policy_ref(struct iked *, struct iked_policy *);
void	 policy_unref(struct iked *, struct iked_policy *);
void	 sa_state(struct iked *, struct iked_sa *, int);
void	 sa_stateflags(struct iked_sa *, unsigned int);
int	 sa_stateok(const struct iked_sa *, int);
struct iked_sa *
	 sa_new(struct iked *, uint64_t, uint64_t, unsigned int,
	    struct iked_policy *);
void	 sa_free(struct iked *, struct iked_sa *);
void	 sa_free_flows(struct iked *, struct iked_saflows *);
int	 sa_configure_iface(struct iked *, struct iked_sa *, int);
int	 sa_address(struct iked_sa *, struct iked_addr *, struct sockaddr *);
void	 childsa_free(struct iked_childsa *);
struct iked_childsa *
	 childsa_lookup(struct iked_sa *, uint64_t, uint8_t);
void	 flow_free(struct iked_flow *);
int	 flow_equal(struct iked_flow *, struct iked_flow *);
struct iked_sa *
	 sa_lookup(struct iked *, uint64_t, uint64_t, unsigned int);
struct iked_user *
	 user_lookup(struct iked *, const char *);
struct iked_sa *
	 sa_dstid_lookup(struct iked *, struct iked_sa *);
struct iked_sa *
	 sa_dstid_insert(struct iked *, struct iked_sa *);
void	 sa_dstid_remove(struct iked *, struct iked_sa *);
int	 proposals_negotiate(struct iked_proposals *, struct iked_proposals *,
	    struct iked_proposals *, int, int);
RB_PROTOTYPE(iked_sas, iked_sa, sa_entry, sa_cmp);
RB_PROTOTYPE(iked_dstid_sas, iked_sa, sa_dstid_entry, sa_dstid_cmp);
RB_PROTOTYPE(iked_addrpool, iked_sa, sa_addrpool_entry, sa_addrpool_cmp);
RB_PROTOTYPE(iked_addrpool6, iked_sa, sa_addrpool6_entry, sa_addrpool6_cmp);
/*
 * NOTE(review): the field argument here is "user_entry" while the struct
 * member is usr_entry; RB_PROTOTYPE appears not to expand its field
 * argument, so this is harmless, but it should match the RB_GENERATE.
 */
RB_PROTOTYPE(iked_users, iked_user, user_entry, user_cmp);
RB_PROTOTYPE(iked_activesas, iked_childsa, csa_node, childsa_cmp);
RB_PROTOTYPE(iked_flows, iked_flow, flow_node, flow_cmp);

/* crypto.c */
/* hash_*: PRF / integrity; buffers passed to hash_setkey() are secret. */
struct iked_hash *
	 hash_new(uint8_t, uint16_t);
struct ibuf *
	 hash_setkey(struct iked_hash *, void *, size_t);
void	 hash_free(struct iked_hash *);
void	 hash_init(struct iked_hash *);
void	 hash_update(struct iked_hash *, void *, size_t);
void	 hash_final(struct iked_hash *, void *, size_t *);
size_t	 hash_keylength(struct iked_hash *);
size_t	 hash_length(struct iked_hash *);

/* cipher_*: bulk encryption incl. AEAD tag handling (settag/gettag/aad). */
struct iked_cipher *
	 cipher_new(uint8_t, uint16_t, uint16_t);
struct ibuf *
	 cipher_setkey(struct iked_cipher *, const void *, size_t);
struct ibuf *
	 cipher_setiv(struct iked_cipher *, const void *, size_t);
int	 cipher_settag(struct iked_cipher *, uint8_t *, size_t);
int	 cipher_gettag(struct iked_cipher *, uint8_t *, size_t);
void	 cipher_free(struct iked_cipher *);
int	 cipher_init(struct iked_cipher *, int);
int	 cipher_init_encrypt(struct iked_cipher *);
int	 cipher_init_decrypt(struct iked_cipher *);
void	 cipher_aad(struct iked_cipher *, const void *, size_t, size_t *);
int	 cipher_update(struct iked_cipher *, const void *, size_t, void *, size_t *);
int	 cipher_final(struct iked_cipher *);
size_t	 cipher_length(struct iked_cipher *);
size_t	 cipher_keylength(struct iked_cipher *);
size_t	 cipher_ivlength(struct iked_cipher *);
size_t	 cipher_outlength(struct iked_cipher *, size_t);

/* dsa_*: AUTH payload signing / verification (the list continues below). */
struct iked_dsa *
	 dsa_new(uint8_t, struct iked_hash *, int);
struct iked_dsa *
	 dsa_sign_new(uint8_t, struct iked_hash *);
struct iked_dsa *
	 dsa_verify_new(uint8_t, struct iked_hash *);
struct ibuf *
	 dsa_setkey(struct iked_dsa *, void *, size_t, uint8_t);
void	 dsa_free(struct iked_dsa *);
int	 dsa_init(struct iked_dsa *, const void *, size_t);
size_t	 dsa_prefix(struct iked_dsa *);
size_t	 dsa_length(struct iked_dsa *);
int	 dsa_update(struct iked_dsa *, const void *, size_t);
/*
 * Both return ssize_t: the signature length on success, negative on
 * failure.  NOTE(review): a verify result must be tested with `< 0`
 * (or `!= 0`, whichever ikev2_msg.c uses) -- confirm that no caller
 * treats a zero-length result as success.
 */
ssize_t	 dsa_sign_final(struct iked_dsa *, void *, size_t);
ssize_t	 dsa_verify_final(struct iked_dsa *, void *, size_t);

/*
 * vroute.c
 *
 * Client-side address, DNS and route installation for the virtual
 * interface.  The vroute_get*() entry points consume imsgs sent from
 * another process.
 */
void	 vroute_init(struct iked *);
int	 vroute_setaddr(struct iked *, int, struct sockaddr *, int, unsigned int);
void	 vroute_cleanup(struct iked *);
int	 vroute_getaddr(struct iked *, struct imsg *);
int	 vroute_setdns(struct iked *, int, struct sockaddr *, unsigned int);
int	 vroute_getdns(struct iked *, struct imsg *);
/* (env, route-type, destination, prefix length, gateway) -- presumably; confirm in vroute.c. */
int	 vroute_setaddroute(struct iked *, uint8_t, struct sockaddr *,
	    uint8_t, struct sockaddr *);
int	 vroute_setcloneroute(struct iked *, uint8_t, struct sockaddr *,
	    uint8_t, struct sockaddr *);
int	 vroute_setdelroute(struct iked *, uint8_t, struct sockaddr *,
	    uint8_t, struct sockaddr *);
int	 vroute_getroute(struct iked *, struct imsg *);
int	 vroute_getcloneroute(struct iked *, struct imsg *);

/*
 * ikev2.c
 *
 * The IKEv2 state machine: exchange handling, SA setup and teardown,
 * PRF+ key derivation and NAT detection.
 */
void	 ikev2(struct privsep *, struct privsep_proc *);
/* Entry point for a parsed message arriving from the network. */
void	 ikev2_recv(struct iked *, struct iked_message *);
void	 ikev2_init_ike_sa(struct iked *, void *);
int	 ikev2_policy2id(struct iked_static_id *, struct iked_id *, int);
int	 ikev2_childsa_enable(struct iked *, struct iked_sa *);
/* (env, sa, protoid, spi, out-spi, cleanup-flag). */
int	 ikev2_childsa_delete(struct iked *, struct iked_sa *,
	    uint8_t, uint64_t, uint64_t *, int);
void	 ikev2_ikesa_recv_delete(struct iked *, struct iked_sa *);
void	 ikev2_ike_sa_timeout(struct iked *env, void *);
void	 ikev2_ike_sa_setreason(struct iked_sa *, char *);
void	 ikev2_reset_alive_timer(struct iked *);
int	 ikev2_ike_sa_delete(struct iked *, struct iked_sa *);

/*
 * prf+ (RFC 7296 section 2.13): expand (key, seed) to the requested
 * number of bytes using the SA's PRF.
 */
struct ibuf *
	 ikev2_prfplus(struct iked_hash *, struct ibuf *, struct ibuf *,
	    size_t);
/*
 * Produce the PSK-derived value into a caller-supplied buffer and/or a
 * newly allocated one via the `uint8_t **` out-pointer; returns the
 * length or a negative value.  NOTE(review): ownership of the
 * allocated buffer is not visible here -- document who frees it and
 * that it is zeroed before release.
 */
ssize_t	 ikev2_psk(struct iked_sa *, uint8_t *, size_t, uint8_t **);
/* Compute the NAT_DETECTION_*_IP hash for the message into the buffer. */
ssize_t	 ikev2_nat_detection(struct iked *, struct iked_message *,
	    void *, size_t, unsigned int, int);
void	 ikev2_enable_natt(struct iked *, struct iked_sa *,
	    struct iked_message *, int);
int	 ikev2_send_informational(struct iked *, struct iked_message *);
/* Send an encrypted (SK) payload: (env, sa, buf, first payload, exchange, response). */
int	 ikev2_send_ike_e(struct iked *, struct iked_sa *, struct ibuf *,
	    uint8_t, uint8_t, int);
/* Header construction helpers; ikev2_set_header() fixes up the length. */
struct ike_header *
	 ikev2_add_header(struct ibuf *, struct iked_sa *,
	    uint32_t, uint8_t, uint8_t, uint8_t);
int	 ikev2_set_header(struct ike_header *, size_t);
struct ikev2_payload *
	 ikev2_add_payload(struct ibuf *);
int	 ikev2_next_payload(struct ikev2_payload *, size_t,
	    uint8_t);
/* Kernel-triggered child SA events (acquire / expire / rekey). */
int	 ikev2_child_sa_acquire(struct iked *, struct iked_flow *);
int	 ikev2_child_sa_drop(struct iked *, struct iked_spi *);
int	 ikev2_child_sa_rekey(struct iked *, struct iked_spi *);
void	 ikev2_disable_rekeying(struct iked *, struct iked_sa *);
/*
 * Render an identity into a caller-sized buffer.  Identities come from
 * the peer, so the rendered form should be safe to log; confirm in
 * ikev2.c that non-printable bytes are escaped.
 */
int	 ikev2_print_id(struct iked_id *, char *, size_t);
int	 ikev2_print_static_id(struct iked_static_id *, char *, size_t);

/*
 * Short textual description of an IKE SA for log messages.  SPI_IH()
 * converts the on-the-wire initiator SPI with betoh64(); SPI_SH() and
 * SPI_SA() pass the stored sh_ispi through unchanged, so the stored
 * value is presumably already in host order.
 */
const char *ikev2_ikesa_info(uint64_t, const char *msg);
#define SPI_IH(hdr) ikev2_ikesa_info(betoh64((hdr)->ike_ispi), NULL)
#define SPI_SH(sh, f) ikev2_ikesa_info((sh)->sh_ispi, (f))
#define SPI_SA(sa, f) SPI_SH(&(sa)->sa_hdr, (f))

/*
 * ikev2_msg.c
 *
 * Message buffers: receive callback, construction, AUTH payload
 * computation, encryption/decryption of SK payloads and the
 * retransmission queues.
 */
void	 ikev2_msg_cb(int, short, void *);
/* (env, msg, local addr, local len, peer addr, peer len, response flag). */
struct ibuf *
	 ikev2_msg_init(struct iked *, struct iked_message *,
	    struct sockaddr_storage *, socklen_t,
	    struct sockaddr_storage *, socklen_t, int);
struct iked_message *
	 ikev2_msg_copy(struct iked *, struct iked_message *);
void	 ikev2_msg_cleanup(struct iked *, struct iked_message *);
uint32_t
	 ikev2_msg_id(struct iked *, struct iked_sa *);
struct ibuf
	*ikev2_msg_auth(struct iked *, struct iked_sa *, int);
int	 ikev2_msg_authsign(struct iked *, struct iked_sa *,
	    struct iked_auth *, struct ibuf *);
/*
 * Verify the peer's AUTH payload (pointer + length) against the
 * expected authentication data.  A non-zero return must abort the
 * exchange.
 */
int	 ikev2_msg_authverify(struct iked *, struct iked_sa *,
	    struct iked_auth *, uint8_t *, size_t, struct ibuf *);
/*
 * Check that a received header belongs to a known, usable IKE SA
 * before the message is processed further.
 */
int	 ikev2_msg_valid_ike_sa(struct iked *, struct ike_header *,
	    struct iked_message *);
int	 ikev2_msg_send(struct iked *, struct iked_message *);
/* Takes ownership of *buf (passed as struct ibuf **). */
int	 ikev2_msg_send_encrypt(struct iked *, struct iked_sa *,
	    struct ibuf **, uint8_t, uint8_t, int);
struct ibuf
	*ikev2_msg_encrypt(struct iked *, struct iked_sa *, struct ibuf *,
	    struct ibuf *);
/*
 * NOTE(review): for AEAD transforms ikev2_msg_decrypt() must fail
 * closed on a bad tag; for non-AEAD transforms ikev2_msg_integr() has
 * to be checked before decryption (encrypt-then-MAC).  Confirm the
 * call order in ikev2_msg.c.
 */
struct ibuf *
	 ikev2_msg_decrypt(struct iked *, struct iked_sa *,
	    struct ibuf *, struct ibuf *);
int	 ikev2_msg_integr(struct iked *, struct iked_sa *, struct ibuf *);
int	 ikev2_msg_frompeer(struct iked_message *);
struct iked_socket *
	 ikev2_msg_getsocket(struct iked *, int, int);
/* Retransmission queue handling. */
int	 ikev2_msg_enqueue(struct iked *, struct iked_msgqueue *,
	    struct iked_message *, int);
int	 ikev2_msg_retransmit_response(struct iked *, struct iked_sa *,
	    struct iked_message *, struct ike_header *);
void	 ikev2_msg_prevail(struct iked *, struct iked_msgqueue *,
	    struct iked_message *);
void	 ikev2_msg_dispose(struct iked *, struct iked_msgqueue *,
	    struct iked_msg_retransmit *);
void	 ikev2_msg_flushqueue(struct iked *, struct iked_msgqueue *);
struct iked_msg_retransmit *
	 ikev2_msg_lookup(struct iked *, struct iked_msgqueue *,
	    struct iked_message *, uint8_t);

/*
 * ikev2_pld.c
 *
 * Payload parser for untrusted wire data.  The size_t is the offset
 * into the message at which parsing starts; every payload length read
 * from the packet must be bounded against the buffer before use.
 */
int	 ikev2_pld_parse(struct iked *, struct ike_header *,
	    struct iked_message *, size_t);
int	 ikev2_pld_parse_quick(struct iked *, struct ike_header *,
	    struct iked_message *, size_t);

/*
 * eap.c
 *
 * EAP (including EAP-MSCHAPv2) handling inside IKE_AUTH.
 */
int	 eap_parse(struct iked *, const struct iked_sa *, struct iked_message*,
	    void *, int);
int	 eap_success(struct iked *, struct iked_sa *, int);
int	 eap_identity_request(struct iked *, struct iked_sa *);
/* The uint8_t */size_t pair is the challenge value and its length. */
int	 eap_mschap_challenge(struct iked *, struct iked_sa *, int, int,
	    uint8_t *, size_t);
int	 eap_mschap_success(struct iked *, struct iked_sa *, int);
int	 eap_challenge_request(struct iked *, struct iked_sa *, int);

/*
 * radius.c
 *
 * RADIUS authentication, accounting and Dynamic Authorization (DAE).
 */
int	 iked_radius_request(struct iked *, struct iked_sa *,
	    struct iked_message *);
void	 iked_radius_request_free(struct iked *, struct iked_radserver_req *);
/* libevent callbacks for RADIUS server replies and inbound DAE packets. */
void	 iked_radius_on_event(int, short, void *);
void	 iked_radius_acct_on(struct iked *);
void	 iked_radius_acct_off(struct iked *);
void	 iked_radius_acct_start(struct iked *, struct iked_sa *);
void	 iked_radius_acct_stop(struct iked *, struct iked_sa *);
void	 iked_radius_dae_on_event(int, short, void *);

/*
 * pfkey.c
 *
 * PF_KEY interface to the kernel IPsec stack: flows (SPDs) and SAs.
 */
int	 pfkey_couple(struct iked *, struct iked_sas *, int);
int	 pfkey_flow_add(struct iked *, struct iked_flow *);
int	 pfkey_flow_delete(struct iked *, struct iked_flow *);
/* Ask the kernel for an SPI; the uint32_t * receives it. */
int	 pfkey_sa_init(struct iked *, struct iked_childsa *, uint32_t *);
int	 pfkey_sa_add(struct iked *, struct iked_childsa *, struct iked_childsa *);
int	 pfkey_sa_update_addresses(struct iked *, struct iked_childsa *);
int	 pfkey_sa_delete(struct iked *, struct iked_childsa *);
int	 pfkey_sa_last_used(struct iked *, struct iked_childsa *, uint64_t *);
int	 pfkey_flush(struct iked *);
int	 pfkey_socket(struct iked *);
void	 pfkey_init(struct iked *, int fd);

/*
 * ca.c
 *
 * The certificate-authority process: certificate requests, chain
 * validation, private key handling and signature generation.  Key
 * material is meant to stay in this process; the other processes talk
 * to it through the ca_set*() imsg helpers.
 */
void	 caproc(struct privsep *, struct privsep_proc *);
int	 ca_setreq(struct iked *, struct iked_sa *, struct iked_static_id *,
	    uint8_t, uint8_t, uint8_t *, size_t, enum privsep_procid);
int	 ca_setcert(struct iked *, struct iked_sahdr *, struct iked_id *,
	    uint8_t, uint8_t *, size_t, enum privsep_procid);
int	 ca_setauth(struct iked *, struct iked_sa *,
	    struct ibuf *, enum privsep_procid);
void	 ca_getkey(struct privsep *, struct iked_id *, enum imsg_type);
int	 ca_certbundle_add(struct ibuf *, struct iked_id *);
/*
 * NOTE(review): ca_privkey_serialize() turns an EVP_PKEY into bytes
 * held in a struct iked_id; any buffer that ends up holding the
 * serialized private key should be zeroed on free.
 */
int	 ca_privkey_serialize(EVP_PKEY *, struct iked_id *);
int	 ca_pubkey_serialize(EVP_PKEY *, struct iked_id *);
/* Log the OpenSSL error queue, prefixed with the given context string. */
void	 ca_sslerror(const char *);
/*
 * Parse a DER-encoded X.509 name (peer supplied) into a printable
 * string; returns an allocated buffer.  The reverse, ca_x509_name_parse(),
 * returns an opaque `void *` -- NOTE(review): the real type is lost at
 * this interface; the caller has to know what to free it with.
 */
char	*ca_asn1_name(uint8_t *, size_t);
void	*ca_x509_name_parse(char *);
void	 ca_cert_info(const char *, X509 *);

/*
 * timer.c
 *
 * libevent-backed one-shot timers: set the callback, then add with a
 * timeout in seconds, or delete.
 */
void	 timer_set(struct iked *, struct iked_timer *,
	    void (*)(struct iked *, void *), void *);
void	 timer_add(struct iked *, struct iked_timer *, int);
void	 timer_del(struct iked *, struct iked_timer *);

/*
 * proc.c
 *
 * Privilege-separation framework: process spawning and the imsg
 * channels between processes.  The imsg functions take (type, peerid,
 * pid, fd, data, datalen); a non-negative fd is passed to the peer
 * process along with the message.
 */
void	 proc_init(struct privsep *, struct privsep_proc *, unsigned int, int,
	    int, char **, enum privsep_procid);
void	 proc_kill(struct privsep *);
void	 proc_connect(struct privsep *, void (*)(struct privsep *));
void	 proc_dispatch(int, short event, void *);
void	 proc_run(struct privsep *, struct privsep_proc *,
	    struct privsep_proc *, unsigned int,
	    void (*)(struct privsep *, struct privsep_proc *, void *), void *);
void	 imsg_event_add(struct imsgev *);
int	 imsg_compose_event(struct imsgev *, uint16_t, uint32_t,
	    pid_t, int, void *, uint16_t);
int	 imsg_composev_event(struct imsgev *, uint16_t, uint32_t,
	    pid_t, int, const struct iovec *, int);
int	 proc_compose_imsg(struct privsep *, enum privsep_procid, int,
	    uint16_t, uint32_t, int, void *, uint16_t);
int	 proc_compose(struct privsep *, enum privsep_procid,
	    uint16_t, void *, uint16_t);
int	 proc_composev_imsg(struct privsep *, enum privsep_procid, int,
	    uint16_t, uint32_t, int, const struct iovec *, int);
int	 proc_composev(struct privsep *, enum privsep_procid,
	    uint16_t, const struct iovec *, int);
/* Re-send a received imsg unchanged to another process. */
int	 proc_forward_imsg(struct privsep *, struct imsg *,
	    enum privsep_procid, int);
struct imsgbuf *
	 proc_ibuf(struct privsep *, enum privsep_procid, int);
struct imsgev *
	 proc_iev(struct privsep *, enum privsep_procid, int);
enum privsep_procid
	 proc_getid(struct privsep_proc *, unsigned int, const char *);
int	 proc_flush_imsg(struct privsep *, enum privsep_procid, int);

/*
 * util.c
 *
 * Socket and address helpers, plus printing utilities.  Several of
 * the print_*() functions return pointers to static storage (the
 * `const char *` returns with no buffer argument); treat those as
 * valid only until the next call.
 */
int	 socket_af(struct sockaddr *, in_port_t);
in_port_t
	 socket_getport(struct sockaddr *);
int	 socket_setport(struct sockaddr *, in_port_t);
int	 socket_getaddr(int, struct sockaddr_storage *);
int	 socket_bypass(int, struct sockaddr *);
int	 udp_bind(struct sockaddr *, in_port_t);
/*
 * sendmsg/recvmsg wrappers that also carry the local (from/to)
 * address.  recvfromto() reads raw datagrams into a caller buffer of
 * the given size; the socklen_t * arguments are in/out.
 */
ssize_t	 sendtofrom(int, void *, size_t, int, struct sockaddr *,
	    socklen_t, struct sockaddr *, socklen_t);
ssize_t	 recvfromto(int, void *, size_t, int, struct sockaddr *,
	    socklen_t *, struct sockaddr *, socklen_t *);
const char *
	 print_spi(uint64_t, int);
const char *
	 print_map(unsigned int, struct iked_constmap *);
void	 lc_idtype(char *);
/* Hex dump helpers: (buffer, starting offset, byte count). */
void	 print_hex(const uint8_t *, off_t, size_t);
void	 print_hexval(const uint8_t *, off_t, size_t);
void	 print_hexbuf(struct ibuf *);
const char *
	 print_bits(unsigned short, unsigned char *);
/* Compare two addresses up to the given prefix length; 0 when equal. */
int	 sockaddr_cmp(struct sockaddr *, struct sockaddr *, int);
uint8_t	 mask2prefixlen(struct sockaddr *);
uint8_t	 mask2prefixlen6(struct sockaddr *);
struct in6_addr *
	 prefixlen2mask6(uint8_t, uint32_t *);
uint32_t
	 prefixlen2mask(uint8_t);
const char *
	 print_addr(void *);
/*
 * Copy raw (possibly peer supplied) bytes into a freshly allocated,
 * NUL-terminated string.  NOTE(review): confirm in util.c that embedded
 * NUL bytes and non-printable characters are handled before the result
 * reaches a log line or a RADIUS/EAP attribute.
 */
char	*get_string(uint8_t *, size_t);
const char *
	 print_proto(uint8_t);
/* Expand occurrences of the third argument in the source string into dst/dstlen. */
int	 expand_string(char *, size_t, const char *, const char *);
/* UTF-16 conversion used by MSCHAPv2; the size_t * receives the result length. */
uint8_t *string2unicode(const char *, size_t *);
/*
 * Format-checked debug/verbose output.  The format string must be a
 * literal; never pass peer-controlled data as the format argument.
 */
void	 print_debug(const char *, ...)
	    __attribute__((format(printf, 1, 2)));
void	 print_verbose(const char *, ...)
	    __attribute__((format(printf, 1, 2)));

/*
 * imsg_util.c
 *
 * Allocation helpers on top of libutil's struct ibuf.
 */
struct ibuf *
	 ibuf_new(const void *, size_t);
struct ibuf *
	 ibuf_static(void);
size_t	 ibuf_length(struct ibuf *);
int	 ibuf_setsize(struct ibuf *, size_t);
struct ibuf *
	 ibuf_getdata(struct ibuf *, size_t);
struct ibuf *
	 ibuf_dup(struct ibuf *);
/* A new ibuf filled with the given number of random bytes (nonces, SPIs). */
struct ibuf *
	 ibuf_random(size_t);

/*
 * log.c
 *
 * Logging to stderr or syslog.  All of these are printf-format
 * checked; the format argument must be a string literal.  fatal()
 * appends strerror(errno), fatalx() does not; both never return.
 */
void	 log_init(int, int);
void	 log_procinit(const char *);
void	 log_setverbose(int);
int	 log_getverbose(void);
void	 log_warn(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
void	 log_warnx(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
void	 log_info(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
void	 log_debug(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
void	 logit(int, const char *, ...)
	    __attribute__((__format__ (printf, 2, 3)));
void	 vlog(int, const char *, va_list)
	    __attribute__((__format__ (printf, 2, 0)));
__dead void fatal(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
__dead void fatalx(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));

/*
 * ocsp.c
 *
 * OCSP revocation checking of peer certificates.  The responder
 * connection is opened by a separate process and the descriptor is
 * handed back over imsg (ocsp_receive_fd).
 */
int	 ocsp_connect(struct iked *, struct imsg *);
int	 ocsp_receive_fd(struct iked *, struct imsg *);
/* (env, DER certificate, length, SA header, type, issuer). */
int	 ocsp_validate_cert(struct iked *, void *, size_t, struct iked_sahdr,
	    uint8_t, X509 *);

/*
 * parse.y
 *
 * Configuration file parser and the transform tables it uses to map
 * names to IKEv2 transform ids / key lengths.
 */
int	 parse_config(const char *, struct iked *);
int	 cmdline_symset(char *);
extern const struct ipsec_xf authxfs[];
extern const struct ipsec_xf prfxfs[];
/* Points at either ikeencxfs or ipsecencxfs depending on context. */
extern const struct ipsec_xf *encxfs;
extern const struct ipsec_xf ikeencxfs[];
extern const struct ipsec_xf ipsecencxfs[];
extern const struct ipsec_xf groupxfs[];
extern const struct ipsec_xf esnxfs[];
extern const struct ipsec_xf methodxfs[];
extern const struct ipsec_xf saxfs[];
extern const struct ipsec_xf cpxfs[];
/* Key and nonce sizes for a (type, id[, keylength]) transform. */
size_t	 keylength_xf(unsigned int, unsigned int, unsigned int);
size_t	 noncelength_xf(unsigned int, unsigned int);
/* Non-zero for encryption transforms that carry their own authentication (AEAD). */
int	 encxf_noauth(unsigned int);

/*
 * print.c
 *
 * Human-readable dumps of the parsed configuration.
 */
void	 print_user(struct iked_user *);
void	 print_policy(struct iked_policy *);
const char *print_xf(unsigned int, unsigned int, const struct ipsec_xf *);

#endif /* IKED_H */