/*	$OpenBSD: iked.h,v 1.98 2016/09/04 10:26:02 vgross Exp $	*/

/*
 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <sys/types.h>
#include <sys/tree.h>
#include <sys/queue.h>
#include <limits.h>
#include <imsg.h>

#include "types.h"
#include "dh.h"

#ifndef IKED_H
#define IKED_H

/*
 * Common IKEv1/IKEv2 header
 *
 * This is the on-the-wire layout of the fixed IKE header.  __packed
 * keeps it at exactly 28 bytes (8+8+1+1+1+1+4+4) so it can be overlaid
 * on a received datagram.  Every field is attacker-controlled until it
 * has been validated: ike_length in particular must be compared with
 * the number of bytes actually received before any payload walk relies
 * on it.  NOTE(review): the multi-byte fields presumably arrive in
 * network byte order - byte-swap at the parse site, never here.
 */

struct ike_header {
	uint64_t	 ike_ispi;		/* Initiator cookie */
	uint64_t	 ike_rspi;		/* Responder cookie */
	uint8_t		 ike_nextpayload;	/* Next payload type */
	uint8_t		 ike_version;		/* Major/Minor version number */
	uint8_t		 ike_exchange;		/* Exchange type */
	uint8_t		 ike_flags;		/* Message options */
	uint32_t	 ike_msgid;		/* Message identifier */
	uint32_t	 ike_length;		/* Total message length (untrusted) */
} __packed;

/*
 * Common daemon infrastructure, local imsg etc.
 */

/* One imsg channel plus the libevent state that drives it. */
struct imsgev {
	struct imsgbuf		 ibuf;
	void			(*handler)(int, short, void *);
	struct event		 ev;
	struct privsep_proc	*proc;
	void			*data;
	short			 events;
	const char		*name;
};

/*
 * Bounds check for fixed-size imsg payloads.  Every imsg whose data is
 * cast to a struct must go through this first: the sender is another
 * privsep process, so a short payload would otherwise be read past its
 * end.  Failing hard is deliberate - a malformed imsg means the peer
 * process is broken or compromised and there is nothing to recover.
 */
#define IMSG_SIZE_CHECK(imsg, p) do {				\
	if (IMSG_DATA_SIZE(imsg) < sizeof(*p))			\
		fatalx("bad length imsg received");		\
} while (0)
/*
 * Payload length of an imsg.  NOTE(review): this relies on hdr.len
 * having been checked against IMSG_HEADER_SIZE by the imsg library on
 * receive; if it were smaller the unsigned subtraction would wrap and
 * IMSG_SIZE_CHECK would pass.
 */
#define IMSG_DATA_SIZE(imsg)	((imsg)->hdr.len - IMSG_HEADER_SIZE)

/*
 * Address comparison helpers.  The third argument to sockaddr_cmp() is
 * addr_mask, so two addresses are presumably compared only up to that
 * prefix length - different hosts inside the same prefix compare equal.
 * The macro arguments are evaluated more than once; pass plain lvalues.
 */
#define IKED_ADDR_EQ(_a, _b)						\
	((_a)->addr_mask == (_b)->addr_mask &&				\
	sockaddr_cmp((struct sockaddr *)&(_a)->addr,			\
	(struct sockaddr *)&(_b)->addr, (_a)->addr_mask) == 0)

#define IKED_ADDR_NEQ(_a, _b)						\
	((_a)->addr_mask != (_b)->addr_mask ||				\
	sockaddr_cmp((struct sockaddr *)&(_a)->addr,			\
	(struct sockaddr *)&(_b)->addr, (_a)->addr_mask) != 0)

/* initially control.h */
struct control_sock {
	const char	*cs_name;
	struct event	 cs_ev;
	struct event	 cs_evt;
	int		 cs_fd;
	int		 cs_restricted;	/* NOTE(review): presumably marks a
					 * socket for unprivileged clients -
					 * confirm the checks in control.c */
	void		*cs_env;

	TAILQ_ENTRY(control_sock) cs_entry;
};
TAILQ_HEAD(control_socks, control_sock);

struct ctl_conn {
	TAILQ_ENTRY(ctl_conn)	 entry;
	uint8_t			 flags;
#define CTL_CONN_NOTIFY		 0x01
	struct imsgev		 iev;
};
TAILQ_HEAD(ctl_connlist, ctl_conn);
extern  struct ctl_connlist ctl_conns;

/*
 * NOTE(review): this is a tentative definition, not an extern
 * declaration, so every translation unit that includes iked.h defines
 * privsep_process and the link presumably relies on common-symbol
 * merging.  The portable form is `extern' here plus exactly one
 * definition in a .c file.
 */
enum privsep_procid privsep_process;

/*
 * Runtime structures
 */

struct iked_timer {
	struct event	 tmr_ev;
	struct iked	*tmr_env;
	void		(*tmr_cb)(struct iked *, void *);
	void		*tmr_cbarg;
};

/* An SPI together with its size on the wire and the protocol it belongs to. */
struct iked_spi {
	uint64_t	 spi;
	uint8_t		 spi_size;
	uint8_t		 spi_protoid;
};

struct iked_proposal {
	uint8_t				 prop_id;
	uint8_t				 prop_protoid;

	struct iked_spi			 prop_localspi;
	struct iked_spi			 prop_peerspi;

	struct iked_transform		*prop_xforms;
	unsigned int			 prop_nxforms;	/* entries in prop_xforms */

	TAILQ_ENTRY(iked_proposal)	 prop_entry;
};
TAILQ_HEAD(iked_proposals, iked_proposal);

struct iked_addr {
	int				 addr_af;
	struct sockaddr_storage		 addr;
	uint8_t				 addr_mask;	/* prefix length, see IKED_ADDR_EQ */
	int				 addr_net;
	in_port_t			 addr_port;
};

struct iked_flow {
	struct iked_addr		 flow_src;
	struct iked_addr		 flow_dst;
	unsigned int			 flow_dir;	/* in/out */
	struct iked_addr		 flow_prenat;

	unsigned int			 flow_loaded;	/* pfkey done */

	uint8_t				 flow_saproto;
	uint8_t				 flow_ipproto;
	uint8_t				 flow_type;

	struct iked_addr		*flow_local;	/* outer source */
	struct iked_addr		*flow_peer;	/* outer dest */
	struct iked_sa			*flow_ikesa;	/* parent SA */

	RB_ENTRY(iked_flow)		 flow_node;
	TAILQ_ENTRY(iked_flow)		 flow_entry;
};
RB_HEAD(iked_flows, iked_flow);
TAILQ_HEAD(iked_saflows, iked_flow);

/*
 * One IPsec child SA.  csa_encrkey/csa_integrkey hold the actual
 * traffic keys handed to the kernel via pfkey.  NOTE(review): they are
 * secrets - confirm childsa_free() wipes them (ibuf_zero) before
 * ibuf_release().
 */
struct iked_childsa {
	uint8_t				 csa_saproto;	/* IPSec protocol */
	unsigned int			 csa_dir;	/* in/out */

	uint64_t			 csa_peerspi;	/* peer relation */
	uint8_t				 csa_loaded;	/* pfkey done */
	uint8_t				 csa_rekey;	/* will be deleted */
	uint8_t				 csa_allocated;	/* from the kernel */
	uint8_t				 csa_persistent;/* do not rekey */
	uint8_t				 csa_esn;	/* use ESN */
	uint8_t				 csa_transport;	/* transport mode */

	struct iked_spi			 csa_spi;

	struct ibuf			*csa_encrkey;	/* encryption key */
	uint16_t			 csa_encrid;	/* encryption xform id */

	struct ibuf			*csa_integrkey;	/* auth key */
	uint16_t			 csa_integrid;	/* auth xform id */

	struct iked_addr		*csa_local;	/* outer source */
	struct iked_addr		*csa_peer;	/* outer dest */
	struct iked_sa			*csa_ikesa;	/* parent SA */

	struct iked_childsa		*csa_peersa;	/* peer */

	struct iked_childsa		*csa_parent;	/* IPCOMP parent */
	unsigned int			 csa_children;	/* IPCOMP children */

	RB_ENTRY(iked_childsa)		 csa_node;
	TAILQ_ENTRY(iked_childsa)	 csa_entry;
};
RB_HEAD(iked_activesas, iked_childsa);
TAILQ_HEAD(iked_childsas, iked_childsa);


/*
 * Fixed-size identity (local or peer ID from the configuration).
 * Invariant: id_offset + id_length must never exceed IKED_ID_SIZE.
 * NOTE(review): the parser and ikev2_policy2id() are the writers -
 * confirm both enforce this before copying into id_data.
 */
struct iked_static_id {
	uint8_t		id_type;
	uint8_t		id_length;
	uint8_t		id_offset;
	uint8_t		id_data[IKED_ID_SIZE];
};

/*
 * Authentication settings of a policy.  auth_data holds the pre-shared
 * key itself (auth_length bytes, at most IKED_PSK_SIZE), so every copy
 * of a struct iked_policy carries the secret with it.
 */
struct iked_auth {
	uint8_t		auth_method;
	uint8_t		auth_eap;			/* optional EAP */
	uint8_t		auth_length;			/* zero if EAP */
	uint8_t		auth_data[IKED_PSK_SIZE];
};

struct iked_cfg {
	uint8_t				 cfg_action;
	uint16_t			 cfg_type;
	union {
		struct iked_addr	 address;
	} cfg;
};

TAILQ_HEAD(iked_sapeers, iked_sa);

struct iked_lifetime {
	uint64_t			 lt_bytes;
	uint64_t			 lt_seconds;
};

struct iked_policy {
	unsigned int			 pol_id;
	char				 pol_name[IKED_ID_SIZE];

#define IKED_SKIP_FLAGS			 0
#define IKED_SKIP_AF			 1
#define IKED_SKIP_PROTO			 2
#define IKED_SKIP_SRC_ADDR		 3
#define IKED_SKIP_DST_ADDR		 4
#define IKED_SKIP_COUNT			 5
	struct iked_policy		*pol_skip[IKED_SKIP_COUNT];

	uint8_t				 pol_flags;
#define IKED_POLICY_PASSIVE		 0x00
#define IKED_POLICY_DEFAULT		 0x01
#define IKED_POLICY_ACTIVE		 0x02
#define IKED_POLICY_REFCNT		 0x04
#define IKED_POLICY_QUICK		 0x08
#define IKED_POLICY_SKIP		 0x10
#define IKED_POLICY_IPCOMP		 0x20

	int				 pol_refcnt;

	uint8_t				 pol_certreqtype;

	int				 pol_af;
	uint8_t				 pol_saproto;
	unsigned int			 pol_ipproto;

	struct iked_addr		 pol_peer;
	struct group			*pol_peerdh;
	struct iked_static_id		 pol_peerid;

	struct iked_addr		 pol_local;
	struct iked_static_id		 pol_localid;

	struct iked_auth		 pol_auth;	/* embeds the PSK */

	char				 pol_tag[IKED_TAG_SIZE];
	unsigned int			 pol_tap;

	struct iked_proposals		 pol_proposals;
	size_t				 pol_nproposals;

	struct iked_flows		 pol_flows;
	size_t				 pol_nflows;

	struct iked_cfg			 pol_cfg[IKED_CFG_MAX];
	unsigned int			 pol_ncfg;

	uint32_t			 pol_rekey;	/* ike SA lifetime */
	struct iked_lifetime		 pol_lifetime;	/* child SA lifetime */

	struct iked_sapeers		 pol_sapeers;

	TAILQ_ENTRY(iked_policy)	 pol_entry;
};
TAILQ_HEAD(iked_policies, iked_policy);

struct iked_hash {
	uint8_t		 hash_type;	/* PRF or INTEGR */
	uint16_t	 hash_id;	/* IKE PRF/INTEGR hash id */
	const void	*hash_priv;	/* Identifying the hash alg */
	void		*hash_ctx;	/* Context of the current invocation */
	int		 hash_fixedkey;	/* Requires fixed key length */
	struct ibuf	*hash_key;	/* MAC key derived from key seed */
	size_t		 hash_length;	/* Output length */
	size_t		 hash_trunc;	/* Truncate the output length */
	struct iked_hash *hash_prf;	/* PRF pointer */
};

struct iked_cipher {
	uint8_t		 encr_type;	/* ENCR */
	uint16_t	 encr_id;	/* IKE ENCR hash id */
	const void	*encr_priv;	/* Identifying the hash alg */
	void		*encr_ctx;	/* Context of the current invocation */
	int		 encr_fixedkey;	/* Requires fixed key length */
	struct ibuf	*encr_key;	/* MAC key derived from key seed */
	struct ibuf	*encr_iv;	/* Initialization Vector */
	size_t		 encr_ivlength;	/* IV length */
	size_t		 encr_length;	/* Block length */
};

/*
 * Signing/verification context for the AUTH payload.  dsa_hmac selects
 * the shared-key (HMAC) path over the public-key path; dsa_sign selects
 * signing over verification.  dsa_keydata may hold a private or shared
 * key and should be treated as secret.
 */
struct iked_dsa {
	uint8_t		 dsa_method;	/* AUTH method */
	const void	*dsa_priv;	/* PRF or signature hash function */
	void		*dsa_ctx;	/* PRF or signature hash ctx */
	struct ibuf	*dsa_keydata;	/* public, private or shared key */
	void		*dsa_key;	/* parsed public or private key */
	void		*dsa_cert;	/* parsed certificate */
	int		 dsa_hmac;	/* HMAC or public/private key */
	int		 dsa_sign;	/* Sign or verify operation */
};

struct iked_id {
	uint8_t		 id_type;
	uint8_t		 id_offset;
	struct ibuf	*id_buf;
};

/*
 * Per-exchange state bits.  sa_stateflags/sa_stateinit/sa_statevalid
 * hold these; sa_stateok() presumably compares them to decide whether
 * an exchange may advance, so the *VALID bits are the ones that gate
 * authentication.
 */
#define IKED_REQ_CERT		0x0001	/* get local certificate (if required) */
#define IKED_REQ_CERTVALID	0x0002	/* validated the peer cert */
#define IKED_REQ_CERTREQ	0x0004	/* CERTREQ has been received */
#define IKED_REQ_AUTH		0x0008	/* AUTH payload */
#define IKED_REQ_AUTHVALID	0x0010	/* AUTH payload has been verified */
#define IKED_REQ_SA		0x0020	/* SA available */
#define IKED_REQ_EAPVALID	0x0040	/* EAP payload has been verified */
#define IKED_REQ_CHILDSA	0x0080	/* Child SA initiated */
#define IKED_REQ_INF		0x0100	/* Informational exchange initiated */

#define IKED_REQ_BITS	\
	"\20\01CERT\02CERTVALID\03CERTREQ\04AUTH\05AUTHVALID\06SA\07EAPVALID" \
	"\10CHILDSA\11INF"

TAILQ_HEAD(iked_msgqueue, iked_message);

/*
 * Minimal SA identity.  It is passed by value over imsg (see
 * ocsp_validate_cert() and ca_setcert()), so the layout must be the
 * same in every process - hence __packed.
 */
struct iked_sahdr {
	uint64_t			 sh_ispi;	/* Initiator SPI */
	uint64_t			 sh_rspi;	/* Responder SPI */
	unsigned int			 sh_initiator;	/* Is initiator? */
} __packed;

/* Key-exchange inputs; both nonces and the DH values come from the wire. */
struct iked_kex {
	struct ibuf			*kex_inonce;	/* Ni */
	struct ibuf			*kex_rnonce;	/* Nr */

	struct group			*kex_dhgroup;	/* DH group */
	struct ibuf			*kex_dhiexchange;
	struct ibuf			*kex_dhrexchange;
	struct ibuf			*kex_dhpeer;	/* pointer to i or r */
};

struct iked_sa {
	struct iked_sahdr		 sa_hdr;
	/*
	 * sa_msgid is the last request message id accepted from the peer;
	 * sa_msgid_set tells a genuine id 0 apart from "never set".
	 * NOTE(review): this pair is presumably the replay/ordering check
	 * for incoming requests - confirm in ikev2_msg_valid_ike_sa().
	 */
	uint32_t			 sa_msgid;	/* Last request rcvd */
	int				 sa_msgid_set;	/* msgid initialized */
	uint32_t			 sa_reqid;	/* Next request sent */

	int				 sa_type;
#define IKED_SATYPE_LOOKUP		 0		/* Used for lookup */
#define IKED_SATYPE_LOCAL		 1		/* Local SA */

	struct iked_addr		 sa_peer;
	struct iked_addr		 sa_local;
	int				 sa_fd;

	int				 sa_natt;	/* for IKE messages */
	int				 sa_udpencap;	/* for pfkey */

	int				 sa_state;
	unsigned int			 sa_stateflags;
	unsigned int			 sa_stateinit;	/* SA_INIT */
	unsigned int			 sa_statevalid;	/* IKE_AUTH */

	int				 sa_cp;		/* XXX */

	struct iked_policy		*sa_policy;
	struct timeval			 sa_timecreated;
	struct timeval			 sa_timeused;

	char				*sa_tag;

	struct iked_kex			 sa_kex;
/* XXX compat defines until everything is converted */
#define sa_inonce		sa_kex.kex_inonce
#define sa_rnonce		sa_kex.kex_rnonce
#define sa_dhgroup		sa_kex.kex_dhgroup
#define sa_dhiexchange		sa_kex.kex_dhiexchange
#define sa_dhrexchange		sa_kex.kex_dhrexchange
#define sa_dhpeer		sa_kex.kex_dhpeer

	struct iked_hash		*sa_prf;	/* PRF alg */
	struct iked_hash		*sa_integr;	/* integrity alg */
	struct iked_cipher		*sa_encr;	/* encryption alg */

	/*
	 * IKE SA keying material (RFC 7296 SKEYSEED derivatives).  All of
	 * these are secrets: they must be released on SA teardown and
	 * wiped first.  NOTE(review): confirm config_free_sa() calls
	 * ibuf_zero() on each before ibuf_release().
	 */
	struct ibuf			*sa_key_d;	/* SK_d */
	struct ibuf			*sa_key_iauth;	/* SK_ai */
	struct ibuf			*sa_key_rauth;	/* SK_ar */
	struct ibuf			*sa_key_iencr;	/* SK_ei */
	struct ibuf			*sa_key_rencr;	/* SK_er */
	struct ibuf			*sa_key_iprf;	/* SK_pi */
	struct ibuf			*sa_key_rprf;	/* SK_pr */

	/*
	 * Raw IKE_SA_INIT messages, kept because the AUTH payload is
	 * computed over them.  They must be the exact bytes that went over
	 * the wire, not a re-serialised copy.
	 */
	struct ibuf			*sa_1stmsg;	/* for initiator AUTH */
	struct ibuf			*sa_2ndmsg;	/* for responder AUTH */
	struct iked_id			 sa_localauth;	/* local AUTH message */
	int				 sa_sigsha2;	/* use SHA2 for signatures */

	struct iked_id			 sa_iid;	/* initiator id */
	struct iked_id			 sa_rid;	/* responder id */
	struct iked_id			 sa_icert;	/* initiator cert */
	struct iked_id			 sa_rcert;	/* responder cert */
#define IKESA_SRCID(x) ((x)->sa_hdr.sh_initiator ? &(x)->sa_iid : &(x)->sa_rid)
#define IKESA_DSTID(x) ((x)->sa_hdr.sh_initiator ? &(x)->sa_rid : &(x)->sa_iid)

	char				*sa_eapid;	/* EAP identity */
	struct iked_id			 sa_eap;	/* EAP challenge */
	struct ibuf			*sa_eapmsk;	/* EAP session key (MSK) - secret */

	struct iked_proposals		 sa_proposals;	/* SA proposals */
	struct iked_childsas		 sa_childsas;	/* IPSec Child SAs */
	struct iked_saflows		 sa_flows;	/* IPSec flows */

	struct iked_sa			*sa_next;	/* IKE SA rekeying */
	uint64_t			 sa_rekeyspi;	/* peerspi for rekey*/

	uint8_t				 sa_ipcomp;	/* IPcomp transform */
	uint16_t			 sa_cpi_out;	/* IPcomp outgoing */
	uint16_t			 sa_cpi_in;	/* IPcomp incoming*/

	struct iked_timer		 sa_timer;	/* SA timeouts */
#define IKED_IKE_SA_DELETE_TIMEOUT	 300		/* 5 minutes */
#define IKED_IKE_SA_ALIVE_TIMEOUT	 60		/* 1 minute */

	struct iked_timer		 sa_rekey;	/* rekey timeout */

	struct iked_msgqueue		 sa_requests;	/* request queue */
#define IKED_RETRANSMIT_TIMEOUT		 2		/* 2 seconds */

	struct iked_msgqueue		 sa_responses;	/* response queue */
#define IKED_RESPONSE_TIMEOUT		 120		/* 2 minutes */

	TAILQ_ENTRY(iked_sa)		 sa_peer_entry;
	RB_ENTRY(iked_sa)		 sa_entry;

	struct iked_addr		*sa_addrpool;	/* address from pool */
	RB_ENTRY(iked_sa)		 sa_addrpool_entry; /* pool entries */

	struct iked_addr		*sa_addrpool6;	/* address from pool */
	RB_ENTRY(iked_sa)		 sa_addrpool6_entry; /* pool entries */
};
RB_HEAD(iked_sas, iked_sa);
RB_HEAD(iked_addrpool, iked_sa);
RB_HEAD(iked_addrpool6, iked_sa);

/*
 * One IKE message in flight, incoming or outgoing.  For a received
 * message msg_data is the raw datagram: everything parsed out of it is
 * untrusted until validated and, for encrypted exchanges, until the
 * integrity check has passed.
 */
struct iked_message {
	struct ibuf		*msg_data;
	size_t			 msg_offset;	/* parse cursor into msg_data */

	struct sockaddr_storage	 msg_local;
	socklen_t		 msg_locallen;

	struct sockaddr_storage	 msg_peer;
	socklen_t		 msg_peerlen;

	struct iked_socket	*msg_sock;

	int			 msg_fd;
	int			 msg_response;
	int			 msg_responded;
	int			 msg_natt;
	int			 msg_error;
	int			 msg_e;		/* NOTE(review): presumably "encrypted
						 * payload seen" - confirm in ikev2_pld.c */
	struct iked_message	*msg_parent;

	/* Associated policy and SA */
	struct iked_policy	*msg_policy;
	struct iked_sa		*msg_sa;

	uint32_t		 msg_msgid;
	uint8_t			 msg_exchange;

	/* Parsed information */
	struct iked_proposals	 msg_proposals;
	struct iked_spi		 msg_rekey;
	struct ibuf		*msg_nonce;	/* dh NONCE */
	struct ibuf		*msg_ke;	/* dh key exchange */
	struct iked_id		 msg_auth;	/* AUTH payload */
	struct iked_id		 msg_id;
	struct iked_id		 msg_cert;

	/* Parse stack */
	struct iked_proposal	*msg_prop;
	uint16_t		 msg_attrlength;

	/* Retransmit queue */
	struct iked_timer	 msg_timer;
	TAILQ_ENTRY(iked_message)
				 msg_entry;
	int			 msg_tries;	/* retransmits sent */
#define IKED_RETRANSMIT_TRIES	 5		/* try 5 times */
};

/*
 * EAP user credential.  usr_pass holds whatever the parser stored, in
 * the clear, and config_setuser() ships the whole struct over imsg -
 * keep it out of logs and wipe copies that are no longer needed.
 */
struct iked_user {
	char			 usr_name[LOGIN_NAME_MAX];
	char			 usr_pass[IKED_PASSWORD_SIZE];
	RB_ENTRY(iked_user)	 usr_entry;
};
RB_HEAD(iked_users, iked_user);

struct privsep_pipes {
	int				*pp_pipes[PROC_MAX];
};

struct privsep {
	struct privsep_pipes		*ps_pipes[PROC_MAX];
	struct privsep_pipes		*ps_pp;

	struct imsgev			*ps_ievs[PROC_MAX];
	const char			*ps_title[PROC_MAX];
	pid_t				 ps_pid[PROC_MAX];
	struct passwd			*ps_pw;		/* unprivileged user for children */
	int				 ps_noaction;

	struct control_sock		 ps_csock;
	struct control_socks		 ps_rcsocks;

	unsigned int			 ps_instances[PROC_MAX];
	unsigned int			 ps_ninstances;
	unsigned int			 ps_instance;

	/* Event and signal handlers */
	struct event			 ps_evsigint;
	struct event			 ps_evsigterm;
	struct event			 ps_evsigchld;
	struct event			 ps_evsighup;
	struct event			 ps_evsigpipe;
	struct event			 ps_evsigusr1;

	struct iked			*ps_env;
};

/* Static description of one privsep child: callbacks, chroot, identity. */
struct privsep_proc {
	const char		*p_title;
	enum privsep_procid	 p_id;
	int			(*p_cb)(int, struct privsep_proc *,
				    struct imsg *);
	pid_t			(*p_init)(struct privsep *,
				    struct privsep_proc *);
	const char		*p_chroot;
	struct privsep		*p_ps;
	struct iked		*p_env;
	void			(*p_shutdown)(void);
	unsigned int		 p_instance;
};

struct iked_ocsp_entry {
	TAILQ_ENTRY(iked_ocsp_entry) ioe_entry;	/* next request */
	void			*ioe_ocsp;	/* private ocsp request data */
};
TAILQ_HEAD(iked_ocsp_requests, iked_ocsp_entry);

/*
 * Daemon configuration
 */

struct iked {
	char				 sc_conffile[PATH_MAX];

	uint32_t			 sc_opts;
	uint8_t				 sc_passive;
	uint8_t				 sc_decoupled;

	struct iked_policies		 sc_policies;
	struct iked_policy		*sc_defaultcon;

	struct iked_sas			 sc_sas;
	struct iked_activesas		 sc_activesas;
	struct iked_flows		 sc_activeflows;
	struct iked_users		 sc_users;

	void				*sc_priv;	/* per-process */

	int				 sc_pfkey;	/* ike process */
	struct event			 sc_pfkeyev;
	uint8_t				 sc_certreqtype;
	struct ibuf			*sc_certreq;

	struct iked_socket		*sc_sock4[2];
	struct iked_socket		*sc_sock6[2];

	struct iked_timer		 sc_inittmr;
#define IKED_INITIATOR_INITIAL		 2
#define IKED_INITIATOR_INTERVAL		 60

	struct privsep			 sc_ps;

	struct iked_ocsp_requests	 sc_ocsp;
	char				*sc_ocsp_url;

	struct iked_addrpool		 sc_addrpool;
	struct iked_addrpool6		 sc_addrpool6;
};

struct iked_socket {
	int			 sock_fd;
	struct event		 sock_ev;
	struct iked		*sock_env;
	struct sockaddr_storage	 sock_addr;
};

/* iked.c */
void	 parent_reload(struct iked *, int, const char *);

/* control.c */
pid_t	 control(struct privsep *, struct privsep_proc *);
int	 control_init(struct privsep *, struct control_sock *);
int	 control_listen(struct control_sock *);
void	 control_cleanup(struct control_sock *);

/* config.c */
struct iked_policy *
	 config_new_policy(struct iked *);
void	 config_free_kex(struct iked_kex *);
/* Tears down an IKE SA including its SK_* keys; see struct iked_sa. */
void	 config_free_sa(struct iked *, struct iked_sa *);
struct iked_sa *
	 config_new_sa(struct iked *, int);
struct iked_user *
	 config_new_user(struct iked *, struct iked_user *);
/*
 * Fresh local SPI.  NOTE(review): SPIs are visible on the wire and used
 * as lookup keys, so they must be unpredictable - confirm this draws
 * from the system CSPRNG rather than a counter.
 */
uint64_t
	 config_getspi(void);
struct iked_transform *
	 config_findtransform(struct iked_proposals *, uint8_t, unsigned int);
void	 config_free_policy(struct iked *, struct iked_policy *);
struct iked_proposal *
	 config_add_proposal(struct iked_proposals *, unsigned int,
	    unsigned int);
void	 config_free_proposals(struct iked_proposals *, unsigned int);
void	 config_free_flows(struct iked *, struct iked_flows *);
void	 config_free_childsas(struct iked *, struct iked_childsas *,
	    struct iked_spi *, struct iked_spi *);
struct iked_transform *
	 config_add_transform(struct iked_proposal *,
	    unsigned int, unsigned int, unsigned int, unsigned int);
/*
 * config_set*() send configuration to the named privsep process over
 * imsg; the matching config_get*() receive it there.  Payloads that are
 * cast to structs on the receiving side go through IMSG_SIZE_CHECK.
 */
int	 config_setcoupled(struct iked *, unsigned int);
int	 config_getcoupled(struct iked *, unsigned int);
int	 config_setmode(struct iked *, unsigned int);
int	 config_getmode(struct iked *, unsigned int);
int	 config_setreset(struct iked *, unsigned int, enum privsep_procid);
int	 config_getreset(struct iked *, struct imsg *);
int	 config_setpolicy(struct iked *, struct iked_policy *,
	    enum privsep_procid);
int	 config_getpolicy(struct iked *, struct imsg *);
int	 config_setsocket(struct iked *, struct sockaddr_storage *, in_port_t,
	    enum privsep_procid);
int	 config_getsocket(struct iked *env, struct imsg *,
	    void (*cb)(int, short, void *));
int	 config_setpfkey(struct iked *, enum privsep_procid);
int	 config_getpfkey(struct iked *, struct imsg *);
int	 config_setuser(struct iked *, struct iked_user *, enum privsep_procid);
int	 config_getuser(struct iked *, struct imsg *);
int	 config_setcompile(struct iked *, enum privsep_procid);
int	 config_getcompile(struct iked *, struct imsg *);
int	 config_setocsp(struct iked *);
int	 config_getocsp(struct iked *, struct imsg *);

/* policy.c */
void	 policy_init(struct iked *);
int	 policy_lookup(struct iked *, struct iked_message *);
struct iked_policy *
	 policy_test(struct iked *, struct iked_policy *);
void	 policy_calc_skip_steps(struct iked_policies *);
void	 policy_ref(struct iked *, struct iked_policy *);
void	 policy_unref(struct iked *, struct iked_policy *);
void	 sa_state(struct iked *, struct iked_sa *, int);
void	 sa_stateflags(struct iked_sa *, unsigned int);
/* Non-zero when the SA's state bits permit the given state; see IKED_REQ_*. */
int	 sa_stateok(struct iked_sa *, int);
struct iked_sa *
	 sa_new(struct iked *, uint64_t, uint64_t, unsigned int,
	    struct iked_policy *);
void	 sa_free(struct iked *, struct iked_sa *);
void	 sa_free_flows(struct iked *, struct iked_saflows *);
int	 sa_address(struct iked_sa *, struct iked_addr *,
	    struct sockaddr_storage *);
void	 childsa_free(struct iked_childsa *);
struct iked_childsa *
	 childsa_lookup(struct iked_sa *, uint64_t, uint8_t);
void	 flow_free(struct iked_flow *);
struct iked_sa *
	 sa_lookup(struct iked *, uint64_t, uint64_t, unsigned int);
struct iked_user *
	 user_lookup(struct iked *, const char *);
RB_PROTOTYPE(iked_sas, iked_sa, sa_entry, sa_cmp);
RB_PROTOTYPE(iked_addrpool, iked_sa, sa_addrpool_entry, sa_addrpool_cmp);
RB_PROTOTYPE(iked_addrpool6, iked_sa, sa_addrpool6_entry, sa_addrpool6_cmp);
/*
 * NOTE(review): the field named here is `user_entry' but struct
 * iked_user's member is usr_entry.  RB_PROTOTYPE does not use the field
 * argument, so this compiles, but the RB_GENERATE in policy.c must name
 * usr_entry; fix the prototype to match when next touching it.
 */
RB_PROTOTYPE(iked_users, iked_user, user_entry, user_cmp);
RB_PROTOTYPE(iked_activesas, iked_childsa, csa_node, childsa_cmp);
RB_PROTOTYPE(iked_flows, iked_flow, flow_node, flow_cmp);

/* crypto.c */
struct iked_hash *
	 hash_new(uint8_t, uint16_t);
struct ibuf *
	 hash_setkey(struct iked_hash *, void *, size_t);
void	 hash_free(struct iked_hash *);
void	 hash_init(struct iked_hash *);
void	 hash_update(struct iked_hash *, void *, size_t);
void	 hash_final(struct iked_hash *, void *, size_t *);
size_t	 hash_keylength(struct iked_hash *);
size_t	 hash_length(struct iked_hash *);

struct iked_cipher *
	 cipher_new(uint8_t, uint16_t, uint16_t);
struct ibuf *
	 cipher_setkey(struct iked_cipher *, void *, size_t);
struct ibuf *
	 cipher_setiv(struct iked_cipher *, void *, size_t);
void	 cipher_free(struct iked_cipher *);
void	 cipher_init(struct iked_cipher *, int);
void	 cipher_init_encrypt(struct iked_cipher *);
void	 cipher_init_decrypt(struct iked_cipher *);
void	 cipher_update(struct iked_cipher *, void *, size_t, void *, size_t *);
void	 cipher_final(struct iked_cipher *, void *, size_t *);
size_t	 cipher_length(struct iked_cipher *);
size_t	 cipher_keylength(struct iked_cipher *);
size_t	 cipher_ivlength(struct iked_cipher *);
size_t	 cipher_outlength(struct iked_cipher *, size_t);

struct iked_dsa *
	 dsa_new(uint16_t, struct iked_hash *, int);
struct iked_dsa *
	 dsa_sign_new(uint16_t, struct iked_hash *);
struct iked_dsa *
	 dsa_verify_new(uint16_t, struct iked_hash *);
struct ibuf *
	 dsa_setkey(struct iked_dsa *, void *, size_t, uint8_t);
void	 dsa_free(struct iked_dsa *);
int	 dsa_init(struct iked_dsa *, const void *, size_t);
size_t	 dsa_length(struct iked_dsa *);
int	 dsa_update(struct iked_dsa *, const void *, size_t);
ssize_t	 dsa_sign_final(struct iked_dsa *, void *, size_t);
/*
 * Verdict on a peer's AUTH payload.  Callers must treat anything but a
 * success result as a hard authentication failure.  NOTE(review): on
 * the HMAC (PSK) path the comparison should be constant-time - confirm
 * in crypto.c.
 */
ssize_t	 dsa_verify_final(struct iked_dsa *, void *, size_t);

/* ikev2.c */
pid_t	 ikev2(struct privsep *, struct privsep_proc *);
void	 ikev2_recv(struct iked *, struct iked_message *);
void	 ikev2_init_ike_sa(struct iked *, void *);
int	 ikev2_sa_negotiate(struct iked_proposals *, struct iked_proposals *,
	    struct iked_proposals *);
int	 ikev2_policy2id(struct iked_static_id *, struct iked_id *, int);
int	 ikev2_childsa_enable(struct iked *, struct iked_sa *);
int	 ikev2_childsa_delete(struct iked *, struct iked_sa *,
	    uint8_t, uint64_t, uint64_t *, int);

struct ibuf *
	 ikev2_prfplus(struct iked_hash *, struct ibuf *, struct ibuf *,
	    size_t);
ssize_t	 ikev2_psk(struct iked_sa *, uint8_t *, size_t, uint8_t **);
ssize_t	 ikev2_nat_detection(struct iked *, struct iked_message *,
	    void *, size_t, unsigned int);
int	 ikev2_send_informational(struct iked *, struct iked_message *);
int	 ikev2_send_ike_e(struct iked *, struct iked_sa *, struct ibuf *,
	    uint8_t, uint8_t, int);
struct ike_header *
	 ikev2_add_header(struct ibuf *, struct iked_sa *,
	    uint32_t, uint8_t, uint8_t, uint8_t);
int	 ikev2_set_header(struct ike_header *, size_t);
struct ikev2_payload *
	 ikev2_add_payload(struct ibuf *);
int	 ikev2_next_payload(struct ikev2_payload *, size_t,
	    uint8_t);
int	 ikev2_acquire_sa(struct iked *, struct iked_flow *);
void	 ikev2_disable_rekeying(struct iked *, struct iked_sa *);
int	 ikev2_rekey_sa(struct iked *, struct iked_spi *);
int	 ikev2_drop_sa(struct iked *, struct iked_spi *);
int	 ikev2_print_id(struct iked_id *, char *, size_t);

/* ikev2_msg.c */
void	 ikev2_msg_cb(int, short, void *);
struct ibuf *
	 ikev2_msg_init(struct iked *, struct iked_message *,
	    struct sockaddr_storage *, socklen_t,
	    struct sockaddr_storage *, socklen_t, int);
struct iked_message *
	 ikev2_msg_copy(struct iked *, struct iked_message *);
void	 ikev2_msg_cleanup(struct iked *, struct iked_message *);
uint32_t
	 ikev2_msg_id(struct iked *, struct iked_sa *);
struct ibuf
	*ikev2_msg_auth(struct iked *, struct iked_sa *, int);
int	 ikev2_msg_authsign(struct iked *, struct iked_sa *,
	    struct iked_auth *, struct ibuf *);
int	 ikev2_msg_authverify(struct iked *, struct iked_sa *,
	    struct iked_auth *, uint8_t *, size_t, struct ibuf *);
/* Header-level sanity check of an incoming message against its SA. */
int	 ikev2_msg_valid_ike_sa(struct iked *, struct ike_header *,
	    struct iked_message *);
int	 ikev2_msg_send(struct iked *, struct iked_message *);
int	 ikev2_msg_send_encrypt(struct iked *, struct iked_sa *,
	    struct ibuf **, uint8_t, uint8_t, int);
struct ibuf
	*ikev2_msg_encrypt(struct iked *, struct iked_sa *, struct ibuf *);
/*
 * NOTE(review): IKEv2 is encrypt-then-MAC, so ikev2_msg_integr() must
 * have accepted the message before ikev2_msg_decrypt() touches the
 * ciphertext - confirm the caller order in ikev2_pld.c.
 */
struct ibuf *
	 ikev2_msg_decrypt(struct iked *, struct iked_sa *,
	    struct ibuf *, struct ibuf *);
int	 ikev2_msg_integr(struct iked *, struct iked_sa *, struct ibuf *);
int	 ikev2_msg_frompeer(struct iked_message *);
struct iked_socket *
	 ikev2_msg_getsocket(struct iked *, int, int);
int	 ikev2_msg_retransmit_response(struct iked *, struct iked_sa *,
	    struct iked_message *);
void	 ikev2_msg_prevail(struct iked *, struct iked_msgqueue *,
	    struct iked_message *);
void	 ikev2_msg_dispose(struct iked *, struct iked_msgqueue *,
	    struct iked_message *);
void	 ikev2_msg_flushqueue(struct iked *, struct iked_msgqueue *);
struct iked_message *
	 ikev2_msg_lookup(struct iked *, struct iked_msgqueue *,
	    struct iked_message *, struct ike_header *);

/* ikev2_pld.c */
/*
 * Payload walker over attacker-controlled data.  The size_t is
 * presumably the byte count actually received; every payload length
 * read from the message must be bounded by it before use.
 */
int	 ikev2_pld_parse(struct iked *, struct ike_header *,
	    struct iked_message *, size_t);

/* eap.c */
ssize_t	 eap_identity_request(struct ibuf *);
int	 eap_parse(struct iked *, struct iked_sa *, void *, int);

/* pfkey.c */
int	 pfkey_couple(int, struct iked_sas *, int);
int	 pfkey_flow_add(int fd, struct iked_flow *);
int	 pfkey_flow_delete(int fd, struct iked_flow *);
int	 pfkey_block(int, int, unsigned int);
int	 pfkey_sa_init(int, struct iked_childsa *, uint32_t *);
int	 pfkey_sa_add(int, struct iked_childsa *, struct iked_childsa *);
int	 pfkey_sa_delete(int, struct iked_childsa *);
int	 pfkey_sa_last_used(int, struct iked_childsa *, uint64_t *);
int	 pfkey_flush(int);
int	 pfkey_socket(void);
void	 pfkey_init(struct iked *, int fd);

/* ca.c */
/*
 * The ca process presumably owns the private keys and certificates;
 * the ca_set*() calls hand it a request over imsg (the target process
 * id is the last argument) so that key material never has to live in
 * the network-facing ikev2 process - confirm in ca.c.
 */
pid_t	 caproc(struct privsep *, struct privsep_proc *);
int	 ca_setreq(struct iked *, struct iked_sa *, struct iked_static_id *,
	    uint8_t, uint8_t *, size_t, enum privsep_procid);
int	 ca_setcert(struct iked *, struct iked_sahdr *, struct iked_id *,
	    uint8_t, uint8_t *, size_t, enum privsep_procid);
int	 ca_setauth(struct iked *, struct iked_sa *,
	    struct ibuf *, enum privsep_procid);
void	 ca_sslinit(void);
void	 ca_sslerror(const char *);
char	*ca_asn1_name(uint8_t *, size_t);
char	*ca_x509_name(void *);
void	*ca_x509_name_parse(char *);

/* timer.c */
void	 timer_set(struct iked *, struct iked_timer *,
	    void (*)(struct iked *, void *), void *);
void	 timer_add(struct iked *, struct iked_timer *, int);
void	 timer_del(struct iked *, struct iked_timer *);

/* proc.c */
void	 proc_init(struct privsep *, struct privsep_proc *, unsigned int);
void	 proc_kill(struct privsep *);
void	 proc_listen(struct privsep *, struct privsep_proc *, size_t);
void	 proc_dispatch(int, short event, void *);
pid_t	 proc_run(struct privsep *, struct privsep_proc *,
	    struct privsep_proc *, unsigned int,
	    void (*)(struct privsep *, struct privsep_proc *, void *), void *);
void	 imsg_event_add(struct imsgev *);
int	 imsg_compose_event(struct imsgev *, uint16_t, uint32_t,
	    pid_t, int, void *, uint16_t);
int	 imsg_composev_event(struct imsgev *, uint16_t, uint32_t,
	    pid_t, int, const struct iovec *, int);
int	 proc_compose_imsg(struct privsep *, enum privsep_procid, int,
	    u_int16_t, u_int32_t, int, void *, u_int16_t);
int	 proc_compose(struct privsep *, enum privsep_procid,
	    uint16_t, void *, uint16_t);
int	 proc_composev_imsg(struct privsep *, enum privsep_procid, int,
	    u_int16_t, u_int32_t, int, const struct iovec *, int);
int	 proc_composev(struct privsep *, enum privsep_procid,
	    uint16_t, const struct iovec *, int);
int	 proc_forward_imsg(struct privsep *, struct imsg *,
	    enum privsep_procid, int);
struct imsgbuf *
	 proc_ibuf(struct privsep *, enum privsep_procid, int);
struct imsgev *
	 proc_iev(struct privsep *, enum privsep_procid, int);

/* util.c */
int	 socket_af(struct sockaddr *, in_port_t);
in_port_t
	 socket_getport(struct sockaddr *);
int	 socket_setport(struct sockaddr *, in_port_t);
int	 socket_getaddr(int, struct sockaddr_storage *);
int	 socket_bypass(int, struct sockaddr *);
int	 udp_bind(struct sockaddr *, in_port_t);
ssize_t	 sendtofrom(int, void *, size_t, int, struct sockaddr *,
	    socklen_t, struct sockaddr *, socklen_t);
ssize_t	 recvfromto(int, void *, size_t, int, struct sockaddr *,
	    socklen_t *, struct sockaddr *, socklen_t *);
const char *
	 print_spi(uint64_t, int);
const char *
	 print_map(unsigned int, struct iked_constmap *);
void	 lc_string(char *);
void	 print_hex(uint8_t *, off_t, size_t);
void	 print_hexval(uint8_t *, off_t, size_t);
const char *
	 print_bits(unsigned short, unsigned char *);
/* Compare two sockaddrs up to the given prefix length (see IKED_ADDR_EQ). */
int	 sockaddr_cmp(struct sockaddr *, struct sockaddr *, int);
uint8_t	 mask2prefixlen(struct sockaddr *);
uint8_t	 mask2prefixlen6(struct sockaddr *);
struct in6_addr *
	 prefixlen2mask6(uint8_t, uint32_t *);
uint32_t
	 prefixlen2mask(uint8_t);
const char *
	 print_host(struct sockaddr *, char *, size_t);
/*
 * Turns a length-delimited byte range (typically peer-supplied payload
 * data) into a NUL-terminated string; the caller owns the result.
 */
char	*get_string(uint8_t *, size_t);
const char *
	 print_proto(uint8_t);
int	 expand_string(char *, size_t, const char *, const char *);
uint8_t *string2unicode(const char *, size_t *);
void	 print_debug(const char *, ...)
	    __attribute__((format(printf, 1, 2)));
void	 print_verbose(const char *, ...)
	    __attribute__((format(printf, 1, 2)));

/* imsg_util.c */
struct ibuf *
	 ibuf_new(void *, size_t);
struct ibuf *
	 ibuf_static(void);
int	 ibuf_cat(struct ibuf *, struct ibuf *);
void	 ibuf_release(struct ibuf *);
size_t	 ibuf_length(struct ibuf *);
int	 ibuf_setsize(struct ibuf *, size_t);
uint8_t *
	 ibuf_data(struct ibuf *);
void	*ibuf_getdata(struct ibuf *, size_t);
struct ibuf *
	 ibuf_get(struct ibuf *, size_t);
struct ibuf *
	 ibuf_dup(struct ibuf *);
/*
 * Buffer filled with random bytes (nonces, SPIs).  NOTE(review): must be
 * backed by the system CSPRNG - confirm in imsg_util.c.
 */
struct ibuf *
	 ibuf_random(size_t);
int	 ibuf_prepend(struct ibuf *, void *, size_t);
void	*ibuf_advance(struct ibuf *, size_t);
/*
 * Wipe the buffer contents.  Use this on key material before
 * ibuf_release(); a plain memset there can be optimised away.
 */
void	 ibuf_zero(struct ibuf *);

/* log.c */
void	log_init(int, int);
void	log_procinit(const char *);
void	log_verbose(int);
void	log_warn(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
void	log_warnx(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
void	log_info(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
void	log_debug(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
void	logit(int, const char *, ...)
	    __attribute__((__format__ (printf, 2, 3)));
void	vlog(int, const char *, va_list)
	    __attribute__((__format__ (printf, 2, 0)));
__dead void fatal(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
__dead void fatalx(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));

/* ocsp.c */
int	 ocsp_connect(struct iked *env);
int	 ocsp_receive_fd(struct iked *, struct imsg *);
/* Takes the SA header by value - it crosses imsg, hence __packed. */
int	 ocsp_validate_cert(struct iked *, struct iked_static_id *,
	    void *, size_t, struct iked_sahdr, uint8_t);

/* parse.y */
int	 parse_config(const char *, struct iked *);
void	 print_user(struct iked_user *);
void	 print_policy(struct iked_policy *);
size_t	 keylength_xf(unsigned int, unsigned int, unsigned int);
size_t	 noncelength_xf(unsigned int, unsigned int);
int	 cmdline_symset(char *);

#endif /* IKED_H */