/* $OpenBSD: sa.h,v 1.50 2013/11/21 22:25:02 yasuoka Exp $ */
/* $EOM: sa.h,v 1.58 2000/10/10 12:39:01 provos Exp $ */

/*
 * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved.
 * Copyright (c) 1999, 2001 Angelos D. Keromytis. All rights reserved.
 * Copyright (c) 2004 Håkan Olsson. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * This code was written under funding by Ericsson Radio Systems.
 */

/*
 * Security association (SA) bookkeeping for the IKE daemon: the in-memory
 * representation of ISAKMP (phase 1) and application (phase 2) SAs, the
 * protection suites negotiated for them, their flags and lifetime events,
 * and the functions that create, look up, reference-count and tear them
 * down.  Only declarations live here; the implementation is in sa.c.
 */

#ifndef _SA_H_
#define _SA_H_

#include <sys/param.h>
#include <sys/types.h>
#include <sys/queue.h>
#include <sys/socket.h>

#include "isakmp.h"

/*
 * Remove a SA if it has not been fully negotiated in this time (presumably
 * seconds; confirm against the timer that is armed in sa.c).  Bounding the
 * lifetime of a half-open negotiation keeps an unresponsive or hostile peer
 * from pinning SA state indefinitely.
 */
#define SA_NEGOTIATION_MAX_TIME 120

/*
 * Opaque forward declarations.  Only pointers to these appear below; their
 * layouts are defined in other headers.
 */
struct doi;
struct event;
struct exchange;
struct keystate;
struct message;
struct payload;
struct proto_attr;
struct sa;
struct transport;

/* A protection suite consists of a set of protocol descriptions like this. */
struct proto {
	/* Link to the next protocol in the suite. */
	TAILQ_ENTRY(proto) link;

	/* The SA we belong to. */
	struct sa *sa;

	/* The protocol number as found in the proposal payload. */
	u_int8_t no;

	/* The protocol this SA is for. */
	u_int8_t proto;

	/*
	 * Security parameter index info.  Element 0 - outgoing, 1 -
	 * incoming.  spi_sz[i] presumably gives the byte length of the
	 * buffer spi[i] points at; keep the two in step -- confirm against
	 * sa.c.
	 */
	u_int8_t spi_sz[2];
	u_int8_t *spi[2];

	/*
	 * The chosen transform, only valid while the incoming SA payload that
	 * held it is available for duplicate testing.  Do not dereference it
	 * after that payload's message has been freed.
	 */
	struct payload *chosen;

	/* The chosen transform's ID. */
	u_int8_t id;

	/* DOI-specific data. */
	void *data;

	/*
	 * Proposal transforms data, for validating the responder's
	 * selection: the transforms we offered are kept so that what the
	 * peer picked can be checked against them rather than trusted.
	 */
	TAILQ_HEAD(proto_attr_head, proto_attr) xfs;
	size_t xf_cnt;
};

/* One offered transform, remembered for validating the responder's choice. */
struct proto_attr {
	/* Link to next transform. */
	TAILQ_ENTRY(proto_attr) next;

	/* Transform attribute data and size, suitable for attribute_map(). */
	u_int8_t *attrs;
	size_t len;
};

/* A security association, either an ISAKMP (phase 1) or application one. */
struct sa {
	/* Link to SAs with the same hash value. */
	LIST_ENTRY(sa) link;

	/*
	 * When several SA's are being negotiated in one message we connect
	 * them through this link.
	 */
	TAILQ_ENTRY(sa) next;

	/*
	 * A name of the major policy deciding offers and acceptable
	 * proposals.
	 */
	char *name;

	/* The transport this SA got negotiated over. */
	struct transport *transport;

	/* Both initiator and responder cookies. */
	u_int8_t cookies[ISAKMP_HDR_COOKIES_LEN];

	/* The message ID signifying non-ISAKMP SAs. */
	u_int8_t message_id[ISAKMP_HDR_MESSAGE_ID_LEN];

	/* The protection suite chosen. */
	TAILQ_HEAD(proto_head, proto) protos;

	/* The exchange type we should use when rekeying. */
	u_int8_t exch_type;

	/* Phase is 1 for ISAKMP SAs, and 2 for application ones. */
	u_int8_t phase;

	/*
	 * A reference counter for this structure, presumably adjusted by
	 * sa_reference()/sa_release() below.  NOTE(review): it is only 16
	 * bits wide, so a wrap-around would release a still-referenced SA;
	 * confirm that callers cannot drive it anywhere near 65535.
	 */
	u_int16_t refcnt;

	/* Various flags, a bit set of the SA_FLAG_* values below. */
	u_int32_t flags;

	/* The DOI that is to handle DOI-specific issues for this SA. */
	struct doi *doi;

	/*
	 * Crypto info needed to encrypt/decrypt packets protected by this
	 * SA.
	 */
	struct keystate *keystate;

	/* IDs from Phase 1, each with its byte length. */
	u_int8_t *id_i;
	size_t id_i_len;
	u_int8_t *id_r;
	size_t id_r_len;

	/* Set if we were the initiator of the SA/exchange in Phase 1 */
	int initiator;

	/* Policy session ID, where applicable, copied over from the exchange */
	int policy_id;

	/*
	 * The key used to authenticate phase 1, in printable format, used
	 * only by KeyNote.  This is authentication material; whether it is
	 * zeroed before being released in sa_free() is not visible here.
	 */
	char *keynote_key;

	/*
	 * Certificates or other information from Phase 1; these are copied
	 * from the exchange, so look at exchange.h for an explanation of
	 * their use.
	 */
	int recv_certtype, recv_keytype;
	/* Certificate received from peer, native format. */
	void *recv_cert;
	/* Key peer used to authenticate, native format. */
	void *recv_key;

	/*
	 * Certificates or other information we used to authenticate to the
	 * peer, Phase 1.
	 */
	int sent_certtype;
	/* Certificate (to be) sent to peer, native format. */
	void *sent_cert;

	/* DOI-specific opaque data. */
	void *data;

	/*
	 * Lifetime data: the negotiated time and traffic limits.  The death
	 * events below presumably enforce them -- confirm in sa.c.
	 */
	u_int64_t seconds;
	u_int64_t kilobytes;

	/* ACQUIRE sequence number */
	u_int32_t seq;

	/*
	 * The events that will occur when an SA has timed out: soft_death
	 * fires first (see SA_FLAG_FADING), death removes the SA.
	 */
	struct event *soft_death;
	struct event *death;

	/* Periodic NAT-T keepalive event, see SA_FLAG_NAT_T_KEEPALIVE. */
	struct event *nat_t_keepalive;

	/* IKE DPD (RFC3706) message sequence number. */
	u_int32_t dpd_seq;	/* sent */
	u_int32_t dpd_rseq;	/* received */
	u_int32_t dpd_failcount;	/* # of subsequent failures */
	u_int32_t dpd_rdupcount;	/* # of subsequent duplicates */
	struct event *dpd_event;	/* time of next event */

	/* The pf tag to add to packets matching the established SA. */
	char *tag;
};

/*
 * Values for sa.flags.  They are a bit set, so several may be on at once.
 */

/* This SA is alive. */
#define SA_FLAG_READY 0x01

/* Renegotiate the SA at each expiry. */
#define SA_FLAG_STAYALIVE 0x02

/* Establish the SA when it is needed. */
#define SA_FLAG_ONDEMAND 0x04

/*
 * This SA has been replaced by another newer one or the SA for another
 * client behind same NAT.
 */
#define SA_FLAG_REPLACED 0x08

/* This SA has seen a soft timeout and wants to be renegotiated on use. */
#define SA_FLAG_FADING 0x10

/* This SA should always be actively renegotiated (with us as initiator). */
#define SA_FLAG_ACTIVE_ONLY 0x20

/* This SA flag is a placeholder for a TRANSACTION exchange "SA flag". */
#define SA_FLAG_IKECFG 0x40

/* This SA flag indicates if we should do DPD with the phase 1 SA peer. */
#define SA_FLAG_DPD 0x80

/* NAT-T encapsulation state.  Kept in isakmp_sa for the new p2 exchange. */
#define SA_FLAG_NAT_T_ENABLE 0x100
#define SA_FLAG_NAT_T_KEEPALIVE 0x200

/*
 * Public interface, implemented in sa.c.  Ownership follows the refcnt
 * convention above: sa_reference() and sa_release() pair up, and sa_free()
 * / sa_delete() dispose of the structure.  The sa_lookup* functions return
 * NULL when nothing matches (presumably; confirm in sa.c).
 *
 * NOTE(review): sa_report_all() takes a FILE *, but none of the includes
 * above declare it; includers are presumably expected to include <stdio.h>
 * first -- confirm.
 */
extern void proto_free(struct proto * proto);
extern int sa_add_transform(struct sa *, struct payload *, int,
    struct proto **);
extern int sa_create(struct exchange *, struct transport *);
extern int sa_enter(struct sa *);
extern void sa_delete(struct sa *, int);
extern void sa_teardown_all(void);
/* Walk all SAs and return the first for which the predicate is nonzero. */
extern struct sa *sa_find(int (*) (struct sa *, void *), void *);
/* Translate a flag name to its SA_FLAG_* value. */
extern int sa_flag(char *);
extern void sa_free(struct sa *);
extern void sa_init(void);
extern void sa_reinit(void);
extern struct sa *sa_isakmp_lookup_by_peer(struct sockaddr *, socklen_t);
extern void sa_isakmp_upgrade(struct message *);
/* Lookups keyed by cookies, peer address, ISAKMP header or policy name. */
extern struct sa *sa_lookup(u_int8_t *, u_int8_t *);
extern struct sa *sa_lookup_by_peer(struct sockaddr *, socklen_t, int);
extern struct sa *sa_lookup_by_header(u_int8_t *, int);
extern struct sa *sa_lookup_by_name(char *, int);
extern struct sa *sa_lookup_from_icookie(u_int8_t *);
extern struct sa *sa_lookup_isakmp_sa(struct sockaddr *, u_int8_t *);
extern void sa_mark_replaced(struct sa *);
extern void sa_replace(struct sa *, struct sa *);
extern void sa_reference(struct sa *);
extern void sa_release(struct sa *);
extern void sa_remove(struct sa *);
extern void sa_report(void);
extern void sa_dump(int, int, char *, struct sa *);
extern void sa_report_all(FILE *);
extern int sa_setup_expirations(struct sa *);

/*
 * This structure contains most of the data of the in-kernel SA.
 * Currently only used to collect the tdb_last_used time for DPD.
 */
struct sa_kinfo {
	u_int32_t flags;	/* /usr/include/netinet/ip_ipsp.h */

	/* Allocation (use count) limits: hard, soft, current. */
	u_int32_t exp_allocations;
	u_int32_t soft_allocations;
	u_int32_t cur_allocations;

	/* Byte limits: hard, soft, current. */
	u_int64_t exp_bytes;
	u_int64_t soft_bytes;
	u_int64_t cur_bytes;

	/* Time limits: hard and soft. */
	u_int64_t exp_timeout;
	u_int64_t soft_timeout;

	u_int64_t first_use;
	u_int64_t established;
	u_int64_t soft_first_use;
	u_int64_t exp_first_use;

	/* The field DPD actually consumes, see comment above. */
	u_int64_t last_used;

	struct sockaddr_storage dst;
	struct sockaddr_storage src;
	struct sockaddr_storage proxy;

	u_int32_t spi;
	u_int16_t udpencap_port;
	u_int8_t wnd;
};

#endif /* _SA_H_ */