/*	$OpenBSD: iked.h,v 1.214 2023/05/30 08:41:15 claudio Exp $	*/

/*
 * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <sys/types.h>
#include <sys/tree.h>
#include <sys/queue.h>
#include <arpa/inet.h>
#include <limits.h>
#include <imsg.h>

#include <openssl/evp.h>

#include "types.h"
#include "dh.h"

/*
 * Helper macros.  NOTE(review): these and the #includes above sit outside
 * the IKED_H guard, so they are re-evaluated on every inclusion; that is
 * harmless only as long as each redefinition stays token-identical.
 * All three evaluate their arguments more than once -- never pass an
 * expression with side effects.  roundup() performs (x)+((y)-1) with no
 * overflow check, so callers must bound x before rounding sizes.
 */
#define MAXIMUM(a,b) (((a)>(b))?(a):(b))
#define MINIMUM(a,b) (((a)<(b))?(a):(b))
#define roundup(x, y) ((((x)+((y)-1))/(y))*(y))

#ifndef IKED_H
#define IKED_H

/*
 * Common IKEv1/IKEv2 header
 *
 * On-the-wire IKE message header (RFC 7296, section 3.1).  __packed keeps
 * the struct at the 28-byte wire size with no padding, so it can be
 * overlaid directly on a received buffer.  Fields hold the bytes as
 * received: SPI_IH() below applies betoh64() to ike_ispi, so the SPIs are
 * kept in network byte order; presumably ike_msgid and ike_length are too
 * -- confirm against ikev2_msg.c before comparing them in host order.
 */
struct ike_header {
	uint64_t	 ike_ispi;		/* Initiator cookie */
	uint64_t	 ike_rspi;		/* Responder cookie */
	uint8_t		 ike_nextpayload;	/* Next payload type */
	uint8_t		 ike_version;		/* Major/Minor version number */
	uint8_t		 ike_exchange;		/* Exchange type */
	uint8_t		 ike_flags;		/* Message options */
	uint32_t	 ike_msgid;		/* Message identifier */
	uint32_t	 ike_length;		/* Total message length */
} __packed;

/*
 * Common daemon infrastructure, local imsg etc.
 */

/* One imsg channel plus the libevent state that services it. */
struct imsgev {
	struct imsgbuf		 ibuf;
	void			(*handler)(int, short, void *);
	struct event		 ev;
	struct privsep_proc	*proc;
	void			*data;
	short			 events;
	const char		*name;
};

/*
 * Reject an imsg whose payload is shorter than the struct it is about to
 * be cast to.  A *longer* payload is accepted silently.  The size
 * arithmetic in IMSG_DATA_SIZE() is only meaningful because the imsg layer
 * rejects hdr.len < IMSG_HEADER_SIZE before delivery (presumably -- the
 * subtraction is not guarded here).
 */
#define IMSG_SIZE_CHECK(imsg, p) do {				\
	if (IMSG_DATA_SIZE(imsg) < sizeof(*p))			\
		fatalx("bad length imsg received");		\
} while (0)
#define IMSG_DATA_SIZE(imsg)	((imsg)->hdr.len - IMSG_HEADER_SIZE)

/*
 * Address equality: two iked_addr are equal only when their prefix lengths
 * match and sockaddr_cmp() (declared elsewhere) reports no difference
 * within that prefix.  Both macros evaluate _a more than once.
 */
#define IKED_ADDR_EQ(_a, _b)						\
	((_a)->addr_mask == (_b)->addr_mask &&				\
	sockaddr_cmp((struct sockaddr *)&(_a)->addr,			\
	(struct sockaddr *)&(_b)->addr, (_a)->addr_mask) == 0)

#define IKED_ADDR_NEQ(_a, _b)						\
	((_a)->addr_mask != (_b)->addr_mask ||				\
	sockaddr_cmp((struct sockaddr *)&(_a)->addr,			\
	(struct sockaddr *)&(_b)->addr, (_a)->addr_mask) != 0)

/* initially control.h */
/* A listening control socket; cs_restricted presumably marks the
 * reduced-privilege socket -- confirm in control.c. */
struct control_sock {
	const char	*cs_name;
	struct event	 cs_ev;
	struct event	 cs_evt;
	int		 cs_fd;
	int		 cs_restricted;
	void		*cs_env;

	TAILQ_ENTRY(control_sock) cs_entry;
};
TAILQ_HEAD(control_socks, control_sock);

/* An accepted control-socket client connection. */
struct ctl_conn {
	TAILQ_ENTRY(ctl_conn)	 entry;
	uint8_t			 flags;
#define CTL_CONN_NOTIFY		 0x01
	struct imsgev		 iev;
};
TAILQ_HEAD(ctl_connlist, ctl_conn);

extern enum privsep_procid privsep_process;

/*
 * Runtime structures
 */

/* Timer bound to an iked context; tmr_cb receives tmr_cbarg. */
struct iked_timer {
	struct event	 tmr_ev;
	struct iked	*tmr_env;
	void		(*tmr_cb)(struct iked *, void *);
	void		*tmr_cbarg;
};

/* Security Parameter Index; spi_size is presumably the number of valid
 * bytes in spi (4 for ESP/AH, 8 for IKE) -- verify against the parser. */
struct iked_spi {
	uint64_t	 spi;
	uint8_t		 spi_size;
	uint8_t		 spi_protoid;
};

/* One SA proposal: protocol, local/peer SPIs and its transform list. */
struct iked_proposal {
	uint8_t				 prop_id;
	uint8_t				 prop_protoid;

	struct iked_spi			 prop_localspi;
	struct iked_spi			 prop_peerspi;

	struct iked_transform		*prop_xforms;
	unsigned int			 prop_nxforms;

	TAILQ_ENTRY(iked_proposal)	 prop_entry;
};
TAILQ_HEAD(iked_proposals, iked_proposal);

/* Address with prefix length; addr_mask is the prefix length used by
 * IKED_ADDR_EQ(), addr_net presumably flags a network rather than a host. */
struct iked_addr {
	int				 addr_af;
	struct sockaddr_storage		 addr;
	uint8_t				 addr_mask;
	int				 addr_net;
	in_port_t			 addr_port;
};

/* Traffic selector: an address/prefix plus an IP protocol. */
struct iked_ts {
	struct iked_addr		 ts_addr;
	uint8_t				 ts_ipproto;
	TAILQ_ENTRY(iked_ts)		 ts_entry;
};
TAILQ_HEAD(iked_tss, iked_ts);

/* An IPsec flow (kernel SPD entry) belonging to an IKE SA. */
struct iked_flow {
	struct iked_addr		 flow_src;
	struct iked_addr		 flow_dst;
	unsigned int			 flow_dir;	/* in/out */
	int				 flow_rdomain;
	struct iked_addr		 flow_prenat;
	int				 flow_fixed;

	unsigned int			 flow_loaded;	/* pfkey done */

	uint8_t				 flow_saproto;
	uint8_t				 flow_ipproto;

	struct iked_addr		*flow_local;	/* outer source */
	struct iked_addr		*flow_peer;	/* outer dest */
	struct iked_sa			*flow_ikesa;	/* parent SA */

	RB_ENTRY(iked_flow)		 flow_node;
	TAILQ_ENTRY(iked_flow)		 flow_entry;
};
RB_HEAD(iked_flows, iked_flow);
TAILQ_HEAD(iked_saflows, iked_flow);

/*
 * A Child SA (one direction).  csa_encrkey/csa_integrkey hold live key
 * material; how they are wiped on childsa_free() is not visible here.
 */
struct iked_childsa {
	uint8_t				 csa_saproto;	/* IPsec protocol */
	unsigned int			 csa_dir;	/* in/out */

	uint64_t			 csa_peerspi;	/* peer relation */
	uint8_t				 csa_loaded;	/* pfkey done */
	uint8_t				 csa_rekey;	/* will be deleted */
	uint8_t				 csa_allocated;	/* from the kernel */
	uint8_t				 csa_persistent;/* do not rekey */
	uint8_t				 csa_esn;	/* use ESN */
	uint8_t				 csa_transport;	/* transport mode */

	struct iked_spi			 csa_spi;

	struct ibuf			*csa_encrkey;	/* encryption key */
	uint16_t			 csa_encrid;	/* encryption xform id */

	struct ibuf			*csa_integrkey;	/* auth key */
	uint16_t			 csa_integrid;	/* auth xform id */

	struct iked_addr		*csa_local;	/* outer source */
	struct iked_addr		*csa_peer;	/* outer dest */
	struct iked_sa			*csa_ikesa;	/* parent SA */

	struct iked_childsa		*csa_peersa;	/* peer */

	struct iked_childsa		*csa_bundled;	/* IPCOMP */

	uint16_t			 csa_pfsgrpid;	/* pfs group id */

	RB_ENTRY(iked_childsa)		 csa_node;
	TAILQ_ENTRY(iked_childsa)	 csa_entry;
};
RB_HEAD(iked_activesas, iked_childsa);
TAILQ_HEAD(iked_childsas, iked_childsa);


/* Fixed-size identity as written in the configuration (IKED_ID_SIZE from
 * types.h); id_length/id_offset delimit the valid part of id_data. */
struct iked_static_id {
	uint8_t		id_type;
	uint8_t		id_length;
	uint8_t		id_offset;
	uint8_t		id_data[IKED_ID_SIZE];
};

/*
 * Authentication settings of a policy.  auth_data carries the configured
 * pre-shared key in the clear for the lifetime of the policy; nothing
 * here shows it being zeroised on release -- review config_free_policy().
 */
struct iked_auth {
	uint8_t		auth_method;
	uint8_t		auth_eap;			/* optional EAP */
	uint8_t		auth_length;			/* zero if EAP */
	uint8_t		auth_data[IKED_PSK_SIZE];
};

/* A configuration-payload (CP) attribute of a policy. */
struct iked_cfg {
	uint8_t				 cfg_action;
	uint16_t			 cfg_type;
	union {
		struct iked_addr	 address;
	} cfg;
};

TAILQ_HEAD(iked_sapeers, iked_sa);

/* Child SA lifetime limits (either exhausted triggers a rekey). */
struct iked_lifetime {
	uint64_t			 lt_bytes;
	uint64_t			 lt_seconds;
};

/*
 * A configured IKE policy.  pol_skip[] holds the pf-style skip-step
 * pointers computed by policy_calc_skip_steps() (see policy.c prototypes).
 */
struct iked_policy {
	unsigned int			 pol_id;
	char				 pol_name[IKED_ID_SIZE];
	unsigned int			 pol_iface;

#define IKED_SKIP_FLAGS			 0
#define IKED_SKIP_AF			 1
#define IKED_SKIP_SRC_ADDR		 2
#define IKED_SKIP_DST_ADDR		 3
#define IKED_SKIP_COUNT			 4
	struct iked_policy		*pol_skip[IKED_SKIP_COUNT];

	uint8_t				 pol_flags;
#define IKED_POLICY_PASSIVE		 0x00
#define IKED_POLICY_DEFAULT		 0x01
#define IKED_POLICY_ACTIVE		 0x02
#define IKED_POLICY_REFCNT		 0x04
#define IKED_POLICY_QUICK		 0x08
#define IKED_POLICY_SKIP		 0x10
#define IKED_POLICY_IPCOMP		 0x20
#define IKED_POLICY_TRANSPORT		 0x40

	int				 pol_refcnt;

	uint8_t				 pol_certreqtype;

	int				 pol_af;
	int				 pol_rdomain;
	uint8_t				 pol_saproto;
	unsigned int			 pol_ipproto[IKED_IPPROTO_MAX];
	unsigned int			 pol_nipproto;

	struct iked_addr		 pol_peer;
	struct iked_static_id		 pol_peerid;
	uint32_t			 pol_peerdh;

	struct iked_addr		 pol_local;
	struct iked_static_id		 pol_localid;

	struct iked_auth		 pol_auth;

	char				 pol_tag[IKED_TAG_SIZE];
	unsigned int			 pol_tap;

	struct iked_proposals		 pol_proposals;
	size_t				 pol_nproposals;

	struct iked_flows		 pol_flows;
	size_t				 pol_nflows;
	struct iked_tss			 pol_tssrc;	/* Traffic Selectors Initiator */
	size_t				 pol_tssrc_count;
	struct iked_tss			 pol_tsdst;	/* Traffic Selectors Responder */
	size_t				 pol_tsdst_count;

	struct iked_cfg			 pol_cfg[IKED_CFG_MAX];
	unsigned int			 pol_ncfg;

	uint32_t			 pol_rekey;	/* ike SA lifetime */
	struct iked_lifetime		 pol_lifetime;	/* child SA lifetime */

	struct iked_sapeers		 pol_sapeers;

	TAILQ_ENTRY(iked_policy)	 pol_entry;
};
TAILQ_HEAD(iked_policies, iked_policy);

/* PRF / integrity algorithm instance; hash_key is live key material. */
struct iked_hash {
	uint8_t		 hash_type;	/* PRF or INTEGR */
	uint16_t	 hash_id;	/* IKE PRF/INTEGR hash id */
	const void	*hash_priv;	/* Identifying the hash alg */
	void		*hash_ctx;	/* Context of the current invocation */
	int		 hash_fixedkey;	/* Requires fixed key length */
	struct ibuf	*hash_key;	/* MAC key derived from key seed */
	size_t		 hash_length;	/* Output length */
	size_t		 hash_trunc;	/* Truncate the output length */
	struct iked_hash *hash_prf;	/* PRF pointer */
	int		 hash_isaead;
};

/*
 * Encryption algorithm instance.  encr_civ is the counter part of the
 * GCM IV: a counter/IV value must never repeat under the same encr_key,
 * so it has to advance strictly for every message encrypted with it.
 */
struct iked_cipher {
	uint8_t		 encr_type;	/* ENCR */
	uint16_t	 encr_id;	/* IKE ENCR hash id */
	const void	*encr_priv;	/* Identifying the hash alg */
	void		*encr_ctx;	/* Context of the current invocation */
	int		 encr_fixedkey;	/* Requires fixed key length */
	struct ibuf	*encr_key;	/* MAC key derived from key seed */
	struct ibuf	*encr_iv;	/* Initialization Vector */
	uint64_t	 encr_civ;	/* Counter IV for GCM */
	size_t		 encr_ivlength;	/* IV length */
	size_t		 encr_length;	/* Block length */
	size_t		 encr_saltlength;	/* IV salt length */
	uint16_t	 encr_authid;	/* ID of associated authentication */
};

/* Signature/HMAC authentication context for the AUTH payload. */
struct iked_dsa {
	uint8_t		 dsa_method;	/* AUTH method */
	const void	*dsa_priv;	/* PRF or signature hash function */
	void		*dsa_ctx;	/* PRF or signature hash ctx */
	struct ibuf	*dsa_keydata;	/* public, private or shared key */
	void		*dsa_key;	/* parsed public or private key */
	int		 dsa_hmac;	/* HMAC or public/private key */
	int		 dsa_sign;	/* Sign or verify operation */
	uint32_t	 dsa_flags;	/* State flags */
};

/* Variable-length identity or certificate payload (id_buf owns the bytes). */
struct iked_id {
	uint8_t		 id_type;
	uint8_t		 id_offset;
	struct ibuf	*id_buf;
};

/* Per-SA progress flags for the IKE_AUTH exchange (sa_stateflags). */
#define IKED_REQ_CERT		0x0001	/* get local certificate (if required) */
#define IKED_REQ_CERTVALID	0x0002	/* validated the peer cert */
#define IKED_REQ_CERTREQ	0x0004	/* CERTREQ has been received */
#define IKED_REQ_AUTH		0x0008	/* AUTH payload */
#define IKED_REQ_AUTHVALID	0x0010	/* AUTH payload has been verified */
#define IKED_REQ_SA		0x0020	/* SA available */
#define IKED_REQ_EAPVALID	0x0040	/* EAP payload has been verified */
#define IKED_REQ_CHILDSA	0x0080	/* Child SA initiated */
#define IKED_REQ_INF		0x0100	/* Informational exchange initiated */

/* Bit-name table for the flags above in the classic "\20" format (leading
 * byte = output base 16, then 1-based bit number followed by its name);
 * presumably consumed by a print_bits()-style helper.  Must be kept in
 * sync with the IKED_REQ_* list. */
#define IKED_REQ_BITS	\
    "\20\01CERT\02CERTVALID\03CERTREQ\04AUTH\05AUTHVALID\06SA\07EAPVALID" \
    "\10CHILDSA\11INF"

TAILQ_HEAD(iked_msgqueue, iked_msg_retransmit);
TAILQ_HEAD(iked_msg_fragqueue, iked_message);

/* IKE SA identity: the SPI pair plus our role; used as the lookup key
 * (sa_cmp) -- __packed so the key has no padding bytes. */
struct iked_sahdr {
	uint64_t			 sh_ispi;	/* Initiator SPI */
	uint64_t			 sh_rspi;	/* Responder SPI */
	unsigned int			 sh_initiator;	/* Is initiator? */
} __packed;

/* Key exchange inputs: nonces and DH values; kex_dhpeer aliases one of
 * kex_dhiexchange/kex_dhrexchange and must not be freed separately. */
struct iked_kex {
	struct ibuf			*kex_inonce;	/* Ni */
	struct ibuf			*kex_rnonce;	/* Nr */

	struct dh_group			*kex_dhgroup;	/* DH group */
	struct ibuf			*kex_dhiexchange;
	struct ibuf			*kex_dhrexchange;
	struct ibuf			*kex_dhpeer;	/* pointer to i or r */
};

struct iked_frag_entry {
	uint8_t	*frag_data;
	size_t	 frag_size;
};

/*
 * Reassembly state for IKEv2 fragmentation (one per IKE SA).
 * IKED_FRAG_TOTAL_MAX bounds both frag_arr and the memory an unauthenticated
 * peer can make us hold for a single message; any change to it must keep
 * the total well under the maximum IKE message size.
 */
struct iked_frag {
	struct iked_frag_entry	**frag_arr;	/* list of fragment buffers */
	size_t			  frag_count;	/* number of fragments received */
#define IKED_FRAG_TOTAL_MAX	111		/* upper limit (64kB / 576B) */
	size_t			  frag_total;	/* total number of fragments */
	size_t			  frag_total_size;
	uint8_t			  frag_nextpayload;

};

/* IPComp parameters negotiated for one direction pair. */
struct iked_ipcomp {
	uint16_t			 ic_cpi_out;	/* outgoing CPI */
	uint16_t			 ic_cpi_in;	/* incoming CPI */
	uint8_t				 ic_transform;	/* transform */
};

/*
 * An IKE SA.  The sa_key_* members are the derived SK_* keys (RFC 7296,
 * section 2.14) and sa_eapmsk the EAP MSK; they are secrets and should
 * only leave this struct through the crypto helpers.  Freeing is done by
 * sa_free()/config_free_sa(); whether keys are wiped there is not visible
 * in this header.
 */
struct iked_sa {
	struct iked_sahdr		 sa_hdr;
	uint32_t			 sa_msgid;	/* Last request rcvd */
	int				 sa_msgid_set;	/* msgid initialized */
	uint32_t			 sa_msgid_current;	/* Current requested rcvd */
	uint32_t			 sa_reqid;	/* Next request sent */

	int				 sa_type;
#define IKED_SATYPE_LOOKUP		 0		/* Used for lookup */
#define IKED_SATYPE_LOCAL		 1		/* Local SA */

	struct iked_addr		 sa_peer;
	struct iked_addr		 sa_peer_loaded;/* MOBIKE */
	struct iked_addr		 sa_local;
	int				 sa_fd;

	struct iked_frag		 sa_fragments;

	int				 sa_natt;	/* for IKE messages */
	int				 sa_udpencap;	/* for pfkey */
	int				 sa_usekeepalive;/* NAT-T keepalive */

	int				 sa_state;
	unsigned int			 sa_stateflags;
	unsigned int			 sa_stateinit;	/* SA_INIT */
	unsigned int			 sa_statevalid;	/* IKE_AUTH */

	int				 sa_cp;		/* XXX */
	struct iked_addr		*sa_cp_addr;	/* requested address */
	struct iked_addr		*sa_cp_addr6;	/* requested address */
	struct iked_addr		*sa_cp_dns;	/* requested dns */

	struct iked_policy		*sa_policy;
	struct timeval			 sa_timecreated;
	struct timeval			 sa_timeused;

	char				*sa_tag;
	const char			*sa_reason;	/* reason for close */

	struct iked_kex			 sa_kex;
	/* XXX compat defines until everything is converted */
#define sa_inonce		sa_kex.kex_inonce
#define sa_rnonce		sa_kex.kex_rnonce
#define sa_dhgroup		sa_kex.kex_dhgroup
#define sa_dhiexchange		sa_kex.kex_dhiexchange
#define sa_dhrexchange		sa_kex.kex_dhrexchange
#define sa_dhpeer		sa_kex.kex_dhpeer

	struct iked_hash		*sa_prf;	/* PRF alg */
	struct iked_hash		*sa_integr;	/* integrity alg */
	struct iked_cipher		*sa_encr;	/* encryption alg */

	struct ibuf			*sa_key_d;	/* SK_d */
	struct ibuf			*sa_key_iauth;	/* SK_ai */
	struct ibuf			*sa_key_rauth;	/* SK_ar */
	struct ibuf			*sa_key_iencr;	/* SK_ei */
	struct ibuf			*sa_key_rencr;	/* SK_er */
	struct ibuf			*sa_key_iprf;	/* SK_pi */
	struct ibuf			*sa_key_rprf;	/* SK_pr */

	struct ibuf			*sa_1stmsg;	/* for initiator AUTH */
	struct ibuf			*sa_2ndmsg;	/* for responder AUTH */
	struct iked_id			 sa_localauth;	/* local AUTH message */
	struct iked_id			 sa_peerauth;	/* peer AUTH message */
	int				 sa_sigsha2;	/* use SHA2 for signatures */
#define IKED_SCERT_MAX	3	/* max # of supplemental cert payloads */

	struct iked_id			 sa_iid;	/* initiator id */
	struct iked_id			 sa_rid;	/* responder id */
	struct iked_id			 sa_icert;	/* initiator cert */
	struct iked_id			 sa_rcert;	/* responder cert */
	struct iked_id			 sa_scert[IKED_SCERT_MAX]; /* supplemental certs */
/* Our own / the peer's identity, selected by role. */
#define IKESA_SRCID(x) ((x)->sa_hdr.sh_initiator ? &(x)->sa_iid : &(x)->sa_rid)
#define IKESA_DSTID(x) ((x)->sa_hdr.sh_initiator ? &(x)->sa_rid : &(x)->sa_iid)

	char				*sa_eapid;	/* EAP identity */
	struct iked_id			 sa_eap;	/* EAP challenge */
	struct ibuf			*sa_eapmsk;	/* EAP session key */

	struct iked_proposals		 sa_proposals;	/* SA proposals */
	struct iked_childsas		 sa_childsas;	/* IPsec Child SAs */
	struct iked_saflows		 sa_flows;	/* IPsec flows */

	struct iked_sa			*sa_nexti;	/* initiated IKE SA */
	struct iked_sa			*sa_previ;	/* matching back pointer */
	struct iked_sa			*sa_nextr;	/* simultaneous rekey */
	struct iked_sa			*sa_prevr;	/* matching back pointer */
	uint64_t			 sa_rekeyspi;	/* peerspi CSA rekey */
	struct ibuf			*sa_simult;	/* simultaneous rekey */

	struct iked_ipcomp		 sa_ipcompi;	/* IPcomp initiator */
	struct iked_ipcomp		 sa_ipcompr;	/* IPcomp responder */

	int				 sa_mobike;	/* MOBIKE */
	int				 sa_frag;	/* fragmentation */

	int				 sa_use_transport_mode;	/* peer requested */
	int				 sa_used_transport_mode; /* we enabled */

	/* Timeouts are in seconds.  The EXCHANGE timeout bounds how long a
	 * half-open (unauthenticated) SA is kept around. */
	struct iked_timer		 sa_timer;	/* SA timeouts */
#define IKED_IKE_SA_EXCHANGE_TIMEOUT	 300		/* 5 minutes */
#define IKED_IKE_SA_REKEY_TIMEOUT	 120		/* 2 minutes */
#define IKED_IKE_SA_DELETE_TIMEOUT	 120		/* 2 minutes */
#define IKED_IKE_SA_ALIVE_TIMEOUT	 60		/* 1 minute */

	struct iked_timer		 sa_keepalive;	/* keepalive timer */
#define IKED_IKE_SA_KEEPALIVE_TIMEOUT	 20

	struct iked_timer		 sa_rekey;	/* rekey timeout */
	int				 sa_tmpfail;

	struct iked_msgqueue		 sa_requests;	/* request queue */
#define IKED_RETRANSMIT_TIMEOUT		 2		/* 2 seconds */

	struct iked_msgqueue		 sa_responses;	/* response queue */
#define IKED_RESPONSE_TIMEOUT		 120		/* 2 minutes */

	TAILQ_ENTRY(iked_sa)		 sa_peer_entry;
	RB_ENTRY(iked_sa)		 sa_entry;	/* all SAs */

	RB_ENTRY(iked_sa)		 sa_dstid_entry;	/* SAs by DSTID */
	int				 sa_dstid_entry_valid;	/* sa_dstid_entry valid */

	struct iked_addr		*sa_addrpool;	/* address from pool */
	RB_ENTRY(iked_sa)		 sa_addrpool_entry;	/* pool entries */

	struct iked_addr		*sa_addrpool6;	/* address from pool */
	RB_ENTRY(iked_sa)		 sa_addrpool6_entry;	/* pool entries */
	time_t				 sa_last_recvd;
#define IKED_IKE_SA_LAST_RECVD_TIMEOUT	 300		/* 5 minutes */
};
RB_HEAD(iked_sas, iked_sa);
RB_HEAD(iked_dstid_sas, iked_sa);
RB_HEAD(iked_addrpool, iked_sa);
RB_HEAD(iked_addrpool6, iked_sa);

/* stats */

/* Monotonic counters except where marked gauge. */
struct iked_stats {
	uint64_t	ikes_sa_created;
	uint64_t	ikes_sa_established_total;
	uint64_t	ikes_sa_established_current; /* gauge */
	uint64_t	ikes_sa_established_failures;
	uint64_t	ikes_sa_proposals_negotiate_failures;
	uint64_t	ikes_sa_rekeyed;
	uint64_t	ikes_sa_removed;
	uint64_t	ikes_csa_created;
	uint64_t	ikes_csa_removed;
	uint64_t	ikes_msg_sent;
	uint64_t	ikes_msg_send_failures;
	uint64_t	ikes_msg_rcvd;
	uint64_t	ikes_msg_rcvd_busy;
	uint64_t	ikes_msg_rcvd_dropped;
	uint64_t	ikes_retransmit_request;
	uint64_t	ikes_retransmit_response;
	uint64_t	ikes_retransmit_limit;
	uint64_t	ikes_frag_sent;
	uint64_t	ikes_frag_send_failures;
	uint64_t	ikes_frag_rcvd;
	uint64_t	ikes_frag_rcvd_drop;
	uint64_t	ikes_frag_reass_ok;
	uint64_t	ikes_frag_reass_drop;
	uint64_t	ikes_update_addresses_sent;
	uint64_t	ikes_dpd_sent;
	uint64_t	ikes_keepalive_sent;
};

/* `c' is a member name of struct iked_stats, not an expression, and `env'
 * is not parenthesised: pass a plain pointer.  ikestat_dec() adds -1 to a
 * uint64_t, i.e. wraps modulo 2^64 if a gauge is ever decremented at 0. */
#define ikestat_add(env, c, n)	do { env->sc_stats.c += (n); } while(0)
#define ikestat_inc(env, c)	ikestat_add(env, c, 1)
#define ikestat_dec(env, c)	ikestat_add(env, c, -1)

/* A received CERTREQ payload (cr_data owns the hash list). */
struct iked_certreq {
	struct ibuf			*cr_data;
	uint8_t				 cr_type;
	SIMPLEQ_ENTRY(iked_certreq)	 cr_entry;
};
SIMPLEQ_HEAD(iked_certreqs, iked_certreq);

#define EAP_STATE_IDENTITY		(1)
#define EAP_STATE_MSCHAPV2_CHALLENGE	(2)
#define EAP_STATE_MSCHAPV2_SUCCESS	(3)
#define EAP_STATE_SUCCESS		(4)

/* Parsed EAP state; the 16-byte challenge and 24-byte NT-Response sizes
 * are those fixed by MS-CHAPv2. */
struct eap_msg {
	char		*eam_identity;
	char		*eam_user;
	int		 eam_type;
	uint8_t		 eam_id;
	uint8_t		 eam_msrid;
	int		 eam_success;
	int		 eam_found;
	int		 eam_response;
	uint8_t		 eam_challenge[16];
	uint8_t		 eam_ntresponse[24];
	uint32_t	 eam_state;
};

/*
 * One IKE message, received or to be sent, plus everything parsed out of
 * it.  msg_data is the raw buffer; the "Parsed information" members are
 * filled by the payload parser and are untrusted until msg_valid is set
 * (presumably after decryption/integrity check -- confirm in ikev2_msg.c).
 */
struct iked_message {
	struct ibuf		*msg_data;
	size_t			 msg_offset;

	struct sockaddr_storage	 msg_local;
	socklen_t		 msg_locallen;

	struct sockaddr_storage	 msg_peer;
	socklen_t		 msg_peerlen;

	struct iked_socket	*msg_sock;

	int			 msg_fd;
	int			 msg_response;
	int			 msg_responded;
	int			 msg_valid;
	int			 msg_natt;
	int			 msg_natt_rcvd;
	int			 msg_nat_detected;
	int			 msg_error;
	int			 msg_e;
	struct iked_message	*msg_parent;

	/* Associated policy and SA */
	struct iked_policy	*msg_policy;
	struct iked_sa		*msg_sa;

	uint32_t		 msg_msgid;
	uint8_t			 msg_exchange;

	/* Parsed information */
	struct iked_proposals	 msg_proposals;
	struct iked_certreqs	 msg_certreqs;
	struct iked_spi		 msg_rekey;
	struct ibuf		*msg_nonce;	/* dh NONCE */
	uint16_t		 msg_dhgroup;	/* dh group */
	struct ibuf		*msg_ke;	/* dh key exchange */
	struct iked_id		 msg_auth;	/* AUTH payload */
	struct iked_id		 msg_peerid;
	struct iked_id		 msg_localid;
	struct iked_id		 msg_cert;
	struct ibuf		*msg_cookie;
	uint16_t		 msg_group;
	uint16_t		 msg_cpi;
	uint8_t			 msg_transform;
	uint16_t		 msg_flags;
	struct eap_msg		 msg_eap;
	size_t			 msg_del_spisize;
	size_t			 msg_del_cnt;
	struct ibuf		*msg_del_buf;
	int			 msg_del_protoid;
	int			 msg_cp;
	struct iked_addr	*msg_cp_addr;	/* requested address */
	struct iked_addr	*msg_cp_addr6;	/* requested address */
	struct iked_addr	*msg_cp_dns;	/* requested dns */

	/* MOBIKE */
	int			 msg_update_sa_addresses;
	struct ibuf		*msg_cookie2;

	/* Parse stack */
	struct iked_proposal	*msg_prop;
	uint16_t		 msg_attrlength;

	/* Retransmit queue */
	TAILQ_ENTRY(iked_message)
				 msg_entry;
};

/* A sent request (possibly fragmented) awaiting its response; given up
 * after IKED_RETRANSMIT_TRIES attempts spaced by IKED_RETRANSMIT_TIMEOUT. */
struct iked_msg_retransmit {
	struct iked_msg_fragqueue	  mrt_frags;
	TAILQ_ENTRY(iked_msg_retransmit)  mrt_entry;
	struct iked_timer		  mrt_timer;
	int				  mrt_tries;
#define IKED_RETRANSMIT_TRIES	 5		/* try 5 times */
};

#define IKED_MSG_NAT_SRC_IP				0x01
#define IKED_MSG_NAT_DST_IP				0x02

/* msg_flags: notifications seen in the message. */
#define IKED_MSG_FLAGS_FRAGMENTATION			0x0001
#define IKED_MSG_FLAGS_MOBIKE				0x0002
#define IKED_MSG_FLAGS_SIGSHA2				0x0004
#define IKED_MSG_FLAGS_CHILD_SA_NOT_FOUND		0x0008
#define IKED_MSG_FLAGS_NO_ADDITIONAL_SAS		0x0010
#define IKED_MSG_FLAGS_AUTHENTICATION_FAILED		0x0020
#define IKED_MSG_FLAGS_INVALID_KE			0x0040
#define IKED_MSG_FLAGS_IPCOMP_SUPPORTED			0x0080
#define IKED_MSG_FLAGS_USE_TRANSPORT			0x0100
#define IKED_MSG_FLAGS_TEMPORARY_FAILURE		0x0200
#define IKED_MSG_FLAGS_NO_PROPOSAL_CHOSEN		0x0400


/* A configured user.  usr_pass holds the credential in the clear in
 * process memory (presumably needed as-is for EAP-MSCHAPv2); keep this
 * tree out of any process that does not need it. */
struct iked_user {
	char			 usr_name[LOGIN_NAME_MAX];
	char			 usr_pass[IKED_PASSWORD_SIZE];
	RB_ENTRY(iked_user)	 usr_entry;
};
RB_HEAD(iked_users, iked_user);

struct privsep_pipes {
	int				*pp_pipes[PROC_MAX];
};

/* Privilege-separation state shared by the parent and child processes. */
struct privsep {
	struct privsep_pipes		*ps_pipes[PROC_MAX];
	struct privsep_pipes		*ps_pp;

	struct imsgev			*ps_ievs[PROC_MAX];
	const char			*ps_title[PROC_MAX];
	pid_t				 ps_pid[PROC_MAX];
	struct passwd			*ps_pw;
	int				 ps_noaction;

	struct control_sock		 ps_csock;
	struct control_socks		 ps_rcsocks;

	unsigned int			 ps_instances[PROC_MAX];
	unsigned int			 ps_ninstances;
	unsigned int			 ps_instance;

	/* Event and signal handlers */
	struct event			 ps_evsigint;
	struct event			 ps_evsigterm;
	struct event			 ps_evsigchld;
	struct event			 ps_evsighup;
	struct event			 ps_evsigpipe;
	struct event			 ps_evsigusr1;

	struct iked			*ps_env;
};

/* Description of one privsep child: its imsg callback, init hook, and
 * the chroot directory / unprivileged user it is confined to. */
struct privsep_proc {
	const char		*p_title;
	enum privsep_procid	 p_id;
	int			(*p_cb)(int, struct privsep_proc *,
				    struct imsg *);
	void			(*p_init)(struct privsep *,
				    struct privsep_proc *);
	const char		*p_chroot;
	struct passwd		*p_pw;
	struct privsep		*p_ps;
	void			(*p_shutdown)(void);
};

struct privsep_fd {
	enum privsep_procid		 pf_procid;
	unsigned int			 pf_instance;
};

#define PROC_PARENT_SOCK_FILENO	3
#define PROC_MAX_INSTANCES	32

struct iked_ocsp_entry {
	TAILQ_ENTRY(iked_ocsp_entry) ioe_entry;	/* next request */
	void			*ioe_ocsp;	/* private ocsp request data */
};
TAILQ_HEAD(iked_ocsp_requests, iked_ocsp_entry);

/*
 * Daemon configuration
 */

enum natt_mode {
	NATT_DEFAULT,	/* send/recv with both :500 and NAT-T port */
	NATT_DISABLE,	/* send/recv with only :500 */
	NATT_FORCE,	/* send/recv with only NAT-T port */
};

/* Settings shipped to the child processes as one block (config_setstatic). */
struct iked_static {
	uint64_t		 st_alive_timeout;
	int			 st_enforcesingleikesa;
	uint8_t			 st_frag;		/* fragmentation */
	uint8_t			 st_mobike;		/* MOBIKE */
	in_port_t		 st_nattport;
	int			 st_stickyaddress;	/* addr per DSTID */
	int			 st_vendorid;
};

/* Global daemon context (one per process). */
struct iked {
	char				 sc_conffile[PATH_MAX];

	uint32_t			 sc_opts;
	enum natt_mode			 sc_nattmode;
	uint8_t				 sc_passive;
	uint8_t				 sc_decoupled;

	struct iked_static		 sc_static;

#define sc_alive_timeout	sc_static.st_alive_timeout
#define sc_enforcesingleikesa	sc_static.st_enforcesingleikesa
#define sc_frag			sc_static.st_frag
#define sc_mobike		sc_static.st_mobike
#define sc_nattport		sc_static.st_nattport
#define sc_stickyaddress	sc_static.st_stickyaddress
#define sc_vendorid		sc_static.st_vendorid

	struct iked_policies		 sc_policies;
	struct iked_policy		*sc_defaultcon;

	struct iked_sas			 sc_sas;
	struct iked_dstid_sas		 sc_dstid_sas;
	struct iked_activesas		 sc_activesas;
	struct iked_flows		 sc_activeflows;
	struct iked_users		 sc_users;

	struct iked_stats		 sc_stats;

	void				*sc_priv;	/* per-process */

	int				 sc_pfkey;	/* ike process */
	struct event			 sc_pfkeyev;
	struct event			 sc_routeev;
	uint8_t				 sc_certreqtype;
	struct ibuf			*sc_certreq;
	void				*sc_vroute;

	struct iked_socket		*sc_sock4[2];
	struct iked_socket		*sc_sock6[2];

	struct iked_timer		 sc_inittmr;
#define IKED_INITIATOR_INITIAL		 2
#define IKED_INITIATOR_INTERVAL		 60

	struct privsep			 sc_ps;

	struct iked_ocsp_requests	 sc_ocsp;
	char				*sc_ocsp_url;
	long				 sc_ocsp_tolerate;
	long				 sc_ocsp_maxage;

	struct iked_addrpool		 sc_addrpool;
	struct iked_addrpool6		 sc_addrpool6;

	int				 sc_cert_partial_chain;
};

/* A bound UDP socket (one per address family and port). */
struct iked_socket {
	int			 sock_fd;
	struct event		 sock_ev;
	struct iked		*sock_env;
	struct sockaddr_storage	 sock_addr;
};

/* Transform table entry used by the parser (ipsec_transforms below). */
struct ipsec_xf {
	const char	*name;
	unsigned int	 id;
	unsigned int	 length;
	unsigned int	 keylength;
	unsigned int	 nonce;
	unsigned int	 noauth;
};

struct ipsec_transforms {
	const struct ipsec_xf	**authxf;
	unsigned int		  nauthxf;
	const struct ipsec_xf	**prfxf;
	unsigned int		  nprfxf;
	const struct ipsec_xf	**encxf;
	unsigned int		  nencxf;
	const struct ipsec_xf	**groupxf;
	unsigned int		  ngroupxf;
	const struct ipsec_xf	**esnxf;
	unsigned int		  nesnxf;
};

struct ipsec_mode {
	struct ipsec_transforms	**xfs;
	unsigned int		  nxfs;
};

/* iked.c */
void	 parent_reload(struct iked *, int, const char *);

extern struct iked	*iked_env;

/* control.c */
void	 control(struct privsep *, struct privsep_proc *);
int	 control_init(struct privsep *, struct control_sock *);
int	 control_listen(struct control_sock *);

/* config.c */
struct iked_policy *
	 config_new_policy(struct iked *);
void	 config_free_kex(struct iked_kex *);
void	 config_free_fragments(struct iked_frag *);
void	 config_free_sa(struct iked *, struct iked_sa *);
struct iked_sa *
	 config_new_sa(struct iked *, int);
struct iked_user *
	 config_new_user(struct iked *, struct iked_user *);
/* Returns a fresh local SPI; it must be unpredictable, which is the
 * responsibility of the implementation in config.c, not checked here. */
uint64_t
	 config_getspi(void);
struct iked_transform *
	 config_findtransform(struct iked_proposals *, uint8_t, unsigned int);
struct iked_transform *
	 config_findtransform_ext(struct iked_proposals *, uint8_t,int, unsigned int);
void	 config_free_policy(struct iked *, struct iked_policy *);
struct iked_proposal *
	 config_add_proposal(struct iked_proposals *, unsigned int,
	    unsigned int);
void	 config_free_proposal(struct iked_proposals *, struct iked_proposal *);
void	 config_free_proposals(struct iked_proposals *, unsigned int);
void	 config_free_flows(struct iked *, struct iked_flows *);
void	 config_free_childsas(struct iked *, struct iked_childsas *,
	    struct iked_spi *, struct iked_spi *);
int	 config_add_transform(struct iked_proposal *,
	    unsigned int, unsigned int, unsigned int, unsigned int);
/* config_set*() send configuration over imsg to a privsep process;
 * the matching config_get*() receive and apply it there. */
int	 config_setcoupled(struct iked *, unsigned int);
int	 config_getcoupled(struct iked *, unsigned int);
int	 config_setmode(struct iked *, unsigned int);
int	 config_getmode(struct iked *, unsigned int);
int	 config_setreset(struct iked *, unsigned int, enum privsep_procid);
int	 config_getreset(struct iked *, struct imsg *);
int	 config_doreset(struct iked *, unsigned int);
int	 config_setpolicy(struct iked *, struct iked_policy *,
	    enum privsep_procid);
int	 config_getpolicy(struct iked *, struct imsg *);
int	 config_setflow(struct iked *, struct iked_policy *,
	    enum privsep_procid);
int	 config_getflow(struct iked *, struct imsg *);
int	 config_setsocket(struct iked *, struct sockaddr_storage *, in_port_t,
	    enum privsep_procid);
int	 config_getsocket(struct iked *env, struct imsg *,
	    void (*cb)(int, short, void *));
int	 config_setpfkey(struct iked *);
int	 config_getpfkey(struct iked *, struct imsg *);
int	 config_setuser(struct iked *, struct iked_user *, enum privsep_procid);
int	 config_getuser(struct iked *, struct imsg *);
int	 config_setcompile(struct iked *, enum privsep_procid);
int	 config_getcompile(struct iked *);
int	 config_setocsp(struct iked *);
int	 config_getocsp(struct iked *, struct imsg *);
int	 config_setkeys(struct iked *);
int	 config_getkey(struct iked *, struct imsg *);
int	 config_setstatic(struct iked *);
int	 config_getstatic(struct iked *, struct imsg *);
int	 config_setcertpartialchain(struct iked *);
int	 config_getcertpartialchain(struct iked *, struct imsg *);

/* policy.c */
void	 policy_init(struct iked *);
int	 policy_lookup(struct iked *, struct iked_message *,
	    struct iked_proposals *, struct iked_flows *, int);
int	 policy_lookup_sa(struct iked *, struct iked_sa *);
struct iked_policy *
	 policy_test(struct iked *, struct iked_policy *);
int	 policy_generate_ts(struct iked_policy *);
void	 policy_calc_skip_steps(struct iked_policies *);
void	 policy_ref(struct iked *, struct iked_policy *);
void	 policy_unref(struct iked *, struct iked_policy *);
void	 sa_state(struct iked *, struct iked_sa *, int);
void	 sa_stateflags(struct iked_sa *, unsigned int);
int	 sa_stateok(const struct iked_sa *, int);
struct iked_sa *
	 sa_new(struct iked *, uint64_t, uint64_t, unsigned int,
	    struct iked_policy *);
void	 sa_free(struct iked *, struct iked_sa *);
void	 sa_free_flows(struct iked *, struct iked_saflows *);
int	 sa_configure_iface(struct iked *, struct iked_sa *, int);
int	 sa_address(struct iked_sa *, struct iked_addr *, struct sockaddr *);
void	 childsa_free(struct iked_childsa *);
struct iked_childsa *
	 childsa_lookup(struct iked_sa *, uint64_t, uint8_t);
void	 flow_free(struct iked_flow *);
int	 flow_equal(struct iked_flow *, struct iked_flow *);
struct iked_sa *
	 sa_lookup(struct iked *, uint64_t, uint64_t, unsigned int);
struct iked_user *
	 user_lookup(struct iked *, const char *);
struct iked_sa *
	 sa_dstid_lookup(struct iked *, struct iked_sa *);
struct iked_sa *
	 sa_dstid_insert(struct iked *, struct iked_sa *);
void	 sa_dstid_remove(struct iked *, struct iked_sa *);
int	 proposals_negotiate(struct iked_proposals *, struct iked_proposals *,
	    struct iked_proposals *, int, int);
RB_PROTOTYPE(iked_sas, iked_sa, sa_entry, sa_cmp);
RB_PROTOTYPE(iked_dstid_sas, iked_sa, sa_dstid_entry, sa_dstid_cmp);
RB_PROTOTYPE(iked_addrpool, iked_sa, sa_addrpool_entry, sa_addrpool_cmp);
RB_PROTOTYPE(iked_addrpool6, iked_sa, sa_addrpool6_entry, sa_addrpool6_cmp);
/* NOTE(review): the field argument names user_entry but the struct member
 * is usr_entry.  RB_PROTOTYPE() does not expand its field argument, so this
 * is harmless, but it is misleading next to the RB_GENERATE in policy.c. */
RB_PROTOTYPE(iked_users, iked_user, user_entry, user_cmp);
RB_PROTOTYPE(iked_activesas, iked_childsa, csa_node, childsa_cmp);
RB_PROTOTYPE(iked_flows, iked_flow, flow_node, flow_cmp);

/* crypto.c */
struct iked_hash *
	 hash_new(uint8_t, uint16_t);
struct ibuf *
	 hash_setkey(struct iked_hash *, void *, size_t);
void	 hash_free(struct iked_hash *);
void	 hash_init(struct iked_hash *);
void	 hash_update(struct iked_hash *, void *, size_t);
void	 hash_final(struct iked_hash *, void *, size_t *);
size_t	 hash_keylength(struct iked_hash *);
size_t	 hash_length(struct iked_hash *);

struct iked_cipher *
	 cipher_new(uint8_t, uint16_t, uint16_t);
struct ibuf *
	 cipher_setkey(struct iked_cipher *, const void *, size_t);
struct ibuf *
	 cipher_setiv(struct iked_cipher *, const void *, size_t);
int	 cipher_settag(struct iked_cipher *, uint8_t *, size_t);
int	 cipher_gettag(struct iked_cipher *, uint8_t *, size_t);
void	 cipher_free(struct iked_cipher *);
int	 cipher_init(struct iked_cipher *, int);
int	 cipher_init_encrypt(struct iked_cipher *);
int	 cipher_init_decrypt(struct iked_cipher *);
void	 cipher_aad(struct iked_cipher *, const void *, size_t, size_t *);
int	 cipher_update(struct iked_cipher *, const void *, size_t, void *, size_t *);
int	 cipher_final(struct iked_cipher *);
size_t	 cipher_length(struct iked_cipher *);
size_t	 cipher_keylength(struct iked_cipher *);
size_t	 cipher_ivlength(struct iked_cipher *);
size_t	 cipher_outlength(struct iked_cipher *, size_t);

struct iked_dsa *
	 dsa_new(uint8_t, struct iked_hash *, int);
struct iked_dsa *
	 dsa_sign_new(uint8_t, struct iked_hash *);
struct iked_dsa *
	 dsa_verify_new(uint8_t, struct iked_hash *);
struct ibuf *
	 dsa_setkey(struct iked_dsa *, void *, size_t, uint8_t);
void	 dsa_free(struct iked_dsa *);
int	 dsa_init(struct iked_dsa *, const void *, size_t);
size_t	 dsa_prefix(struct iked_dsa *);
size_t	 dsa_length(struct iked_dsa *);
int	 dsa_update(struct iked_dsa *, const void *, size_t);
/* Both return ssize_t: a negative value signals failure and must be
 * checked by every caller; never treat it as a length. */
ssize_t	 dsa_sign_final(struct iked_dsa *, void *, size_t);
ssize_t	 dsa_verify_final(struct iked_dsa *, void *, size_t);

/* vroute.c */
void	 vroute_init(struct iked *);
int	 vroute_setaddr(struct iked *, int, struct sockaddr *, int, unsigned int);
void	 vroute_cleanup(struct iked *);
int	 vroute_getaddr(struct iked *, struct imsg *);
int	 vroute_setdns(struct iked *, int, struct sockaddr *, unsigned int);
int	 vroute_getdns(struct iked *, struct imsg *);
int	 vroute_setaddroute(struct iked *, uint8_t, struct sockaddr *,
	    uint8_t, struct sockaddr *);
int	 vroute_setcloneroute(struct iked *, uint8_t, struct sockaddr *,
	    uint8_t, struct sockaddr *);
int	 vroute_setdelroute(struct iked *, uint8_t, struct sockaddr *,
	    uint8_t, struct sockaddr *);
int	 vroute_getroute(struct iked *, struct imsg *);
int	 vroute_getcloneroute(struct iked *, struct imsg *);

/* ikev2.c */
void	 ikev2(struct privsep *, struct privsep_proc *);
void	 ikev2_recv(struct iked *, struct iked_message *);
void	 ikev2_init_ike_sa(struct iked *, void *);
int	 ikev2_policy2id(struct iked_static_id *, struct iked_id *, int);
int	 ikev2_childsa_enable(struct iked *, struct iked_sa *);
int	 ikev2_childsa_delete(struct iked *, struct iked_sa *,
	    uint8_t, uint64_t, uint64_t *, int);
void	 ikev2_ikesa_recv_delete(struct iked *, struct iked_sa *);
void	 ikev2_ike_sa_timeout(struct iked *env, void *);
/* Stores the pointer in sa_reason (a const char *); the parameter could
 * be const char * as well -- callers presumably pass string literals. */
void	 ikev2_ike_sa_setreason(struct iked_sa *, char *);
void	 ikev2_reset_alive_timer(struct iked *);
int	 ikev2_ike_sa_delete(struct iked *, struct iked_sa *);

struct ibuf *
	 ikev2_prfplus(struct iked_hash *, struct ibuf *, struct ibuf *,
	    size_t);
ssize_t	 ikev2_psk(struct iked_sa *, uint8_t *, size_t, uint8_t **);
ssize_t	 ikev2_nat_detection(struct iked *, struct iked_message *,
	    void *, size_t, unsigned int, int);
void	 ikev2_enable_natt(struct iked *, struct iked_sa *,
	    struct iked_message *, int);
int	 ikev2_send_informational(struct iked *, struct iked_message *);
int	 ikev2_send_ike_e(struct iked *, struct iked_sa *, struct ibuf *,
	    uint8_t, uint8_t, int);
struct ike_header *
	 ikev2_add_header(struct ibuf *, struct iked_sa *,
	    uint32_t, uint8_t, uint8_t, uint8_t);
int	 ikev2_set_header(struct ike_header *, size_t);
struct ikev2_payload *
	 ikev2_add_payload(struct ibuf *);
int	 ikev2_next_payload(struct ikev2_payload *, size_t,
	    uint8_t);
int	 ikev2_child_sa_acquire(struct iked *, struct iked_flow *);
int	 ikev2_child_sa_drop(struct iked *, struct iked_spi *);
int	 ikev2_child_sa_rekey(struct iked *, struct iked_spi *);
void	 ikev2_disable_rekeying(struct iked *, struct iked_sa *);
int	 ikev2_print_id(struct iked_id *, char *, size_t);
int	 ikev2_print_static_id(struct iked_static_id *, char *, size_t);

/* Formats an SPI for logging.  SPI_IH() converts the wire-order SPI of an
 * ike_header with betoh64(); SPI_SH()/SPI_SA() pass sh_ispi through
 * unchanged, so iked_sahdr is expected to already be in host order. */
const char *ikev2_ikesa_info(uint64_t, const char *msg);
#define SPI_IH(hdr)      ikev2_ikesa_info(betoh64((hdr)->ike_ispi), NULL)
#define SPI_SH(sh, f)    ikev2_ikesa_info((sh)->sh_ispi, (f))
#define SPI_SA(sa, f)    SPI_SH(&(sa)->sa_hdr, (f))

/* ikev2_msg.c */
void	 ikev2_msg_cb(int, short,
void *); 1100 struct ibuf * 1101 ikev2_msg_init(struct iked *, struct iked_message *, 1102 struct sockaddr_storage *, socklen_t, 1103 struct sockaddr_storage *, socklen_t, int); 1104 struct iked_message * 1105 ikev2_msg_copy(struct iked *, struct iked_message *); 1106 void ikev2_msg_cleanup(struct iked *, struct iked_message *); 1107 uint32_t 1108 ikev2_msg_id(struct iked *, struct iked_sa *); 1109 struct ibuf 1110 *ikev2_msg_auth(struct iked *, struct iked_sa *, int); 1111 int ikev2_msg_authsign(struct iked *, struct iked_sa *, 1112 struct iked_auth *, struct ibuf *); 1113 int ikev2_msg_authverify(struct iked *, struct iked_sa *, 1114 struct iked_auth *, uint8_t *, size_t, struct ibuf *); 1115 int ikev2_msg_valid_ike_sa(struct iked *, struct ike_header *, 1116 struct iked_message *); 1117 int ikev2_msg_send(struct iked *, struct iked_message *); 1118 int ikev2_msg_send_encrypt(struct iked *, struct iked_sa *, 1119 struct ibuf **, uint8_t, uint8_t, int); 1120 struct ibuf 1121 *ikev2_msg_encrypt(struct iked *, struct iked_sa *, struct ibuf *, 1122 struct ibuf *); 1123 struct ibuf * 1124 ikev2_msg_decrypt(struct iked *, struct iked_sa *, 1125 struct ibuf *, struct ibuf *); 1126 int ikev2_msg_integr(struct iked *, struct iked_sa *, struct ibuf *); 1127 int ikev2_msg_frompeer(struct iked_message *); 1128 struct iked_socket * 1129 ikev2_msg_getsocket(struct iked *, int, int); 1130 int ikev2_msg_enqueue(struct iked *, struct iked_msgqueue *, 1131 struct iked_message *, int); 1132 int ikev2_msg_retransmit_response(struct iked *, struct iked_sa *, 1133 struct iked_message *, uint8_t); 1134 void ikev2_msg_prevail(struct iked *, struct iked_msgqueue *, 1135 struct iked_message *); 1136 void ikev2_msg_dispose(struct iked *, struct iked_msgqueue *, 1137 struct iked_msg_retransmit *); 1138 void ikev2_msg_flushqueue(struct iked *, struct iked_msgqueue *); 1139 struct iked_msg_retransmit * 1140 ikev2_msg_lookup(struct iked *, struct iked_msgqueue *, 1141 struct iked_message *, 
uint8_t); 1142 1143 /* ikev2_pld.c */ 1144 int ikev2_pld_parse(struct iked *, struct ike_header *, 1145 struct iked_message *, size_t); 1146 1147 /* eap.c */ 1148 int eap_parse(struct iked *, const struct iked_sa *, struct iked_message*, 1149 void *, int); 1150 int eap_success(struct iked *, struct iked_sa *, int); 1151 int eap_identity_request(struct iked *, struct iked_sa *); 1152 int eap_mschap_challenge(struct iked *, struct iked_sa *, int, int, 1153 uint8_t *, size_t); 1154 int eap_mschap_success(struct iked *, struct iked_sa *, int); 1155 int eap_challenge_request(struct iked *, struct iked_sa *, int); 1156 1157 /* pfkey.c */ 1158 int pfkey_couple(struct iked *, struct iked_sas *, int); 1159 int pfkey_flow_add(struct iked *, struct iked_flow *); 1160 int pfkey_flow_delete(struct iked *, struct iked_flow *); 1161 int pfkey_sa_init(struct iked *, struct iked_childsa *, uint32_t *); 1162 int pfkey_sa_add(struct iked *, struct iked_childsa *, struct iked_childsa *); 1163 int pfkey_sa_update_addresses(struct iked *, struct iked_childsa *); 1164 int pfkey_sa_delete(struct iked *, struct iked_childsa *); 1165 int pfkey_sa_last_used(struct iked *, struct iked_childsa *, uint64_t *); 1166 int pfkey_flush(struct iked *); 1167 int pfkey_socket(struct iked *); 1168 void pfkey_init(struct iked *, int fd); 1169 1170 /* ca.c */ 1171 void caproc(struct privsep *, struct privsep_proc *); 1172 int ca_setreq(struct iked *, struct iked_sa *, struct iked_static_id *, 1173 uint8_t, uint8_t, uint8_t *, size_t, enum privsep_procid); 1174 int ca_setcert(struct iked *, struct iked_sahdr *, struct iked_id *, 1175 uint8_t, uint8_t *, size_t, enum privsep_procid); 1176 int ca_setauth(struct iked *, struct iked_sa *, 1177 struct ibuf *, enum privsep_procid); 1178 void ca_getkey(struct privsep *, struct iked_id *, enum imsg_type); 1179 int ca_privkey_serialize(EVP_PKEY *, struct iked_id *); 1180 int ca_pubkey_serialize(EVP_PKEY *, struct iked_id *); 1181 void ca_sslinit(void); 1182 void 
ca_sslerror(const char *); 1183 char *ca_asn1_name(uint8_t *, size_t); 1184 void *ca_x509_name_parse(char *); 1185 void ca_cert_info(const char *, X509 *); 1186 1187 /* timer.c */ 1188 void timer_set(struct iked *, struct iked_timer *, 1189 void (*)(struct iked *, void *), void *); 1190 void timer_add(struct iked *, struct iked_timer *, int); 1191 void timer_del(struct iked *, struct iked_timer *); 1192 1193 /* proc.c */ 1194 void proc_init(struct privsep *, struct privsep_proc *, unsigned int, int, 1195 int, char **, enum privsep_procid); 1196 void proc_kill(struct privsep *); 1197 void proc_connect(struct privsep *); 1198 void proc_dispatch(int, short event, void *); 1199 void proc_run(struct privsep *, struct privsep_proc *, 1200 struct privsep_proc *, unsigned int, 1201 void (*)(struct privsep *, struct privsep_proc *, void *), void *); 1202 void imsg_event_add(struct imsgev *); 1203 int imsg_compose_event(struct imsgev *, uint16_t, uint32_t, 1204 pid_t, int, void *, uint16_t); 1205 int imsg_composev_event(struct imsgev *, uint16_t, uint32_t, 1206 pid_t, int, const struct iovec *, int); 1207 int proc_compose_imsg(struct privsep *, enum privsep_procid, int, 1208 uint16_t, uint32_t, int, void *, uint16_t); 1209 int proc_compose(struct privsep *, enum privsep_procid, 1210 uint16_t, void *, uint16_t); 1211 int proc_composev_imsg(struct privsep *, enum privsep_procid, int, 1212 uint16_t, uint32_t, int, const struct iovec *, int); 1213 int proc_composev(struct privsep *, enum privsep_procid, 1214 uint16_t, const struct iovec *, int); 1215 int proc_forward_imsg(struct privsep *, struct imsg *, 1216 enum privsep_procid, int); 1217 struct imsgbuf * 1218 proc_ibuf(struct privsep *, enum privsep_procid, int); 1219 struct imsgev * 1220 proc_iev(struct privsep *, enum privsep_procid, int); 1221 enum privsep_procid 1222 proc_getid(struct privsep_proc *, unsigned int, const char *); 1223 int proc_flush_imsg(struct privsep *, enum privsep_procid, int); 1224 1225 /* util.c */ 
/* Socket/address helpers. */
int	 socket_af(struct sockaddr *, in_port_t);
in_port_t
	 socket_getport(struct sockaddr *);
int	 socket_setport(struct sockaddr *, in_port_t);
int	 socket_getaddr(int, struct sockaddr_storage *);
int	 socket_bypass(int, struct sockaddr *);
int	 udp_bind(struct sockaddr *, in_port_t);
/* sendto/recvfrom variants that also carry the local (from/to) address. */
ssize_t	 sendtofrom(int, void *, size_t, int, struct sockaddr *,
	    socklen_t, struct sockaddr *, socklen_t);
ssize_t	 recvfromto(int, void *, size_t, int, struct sockaddr *,
	    socklen_t *, struct sockaddr *, socklen_t *);
/*
 * Formatting helpers.  The const char * returns are presumably static
 * buffers (no matching free function is declared) -- treat them as
 * short-lived and not reentrant; confirm in util.c.
 */
const char *
	 print_spi(uint64_t, int);
const char *
	 print_map(unsigned int, struct iked_constmap *);
void	 lc_idtype(char *);
void	 print_hex(const uint8_t *, off_t, size_t);
void	 print_hexval(const uint8_t *, off_t, size_t);
const char *
	 print_bits(unsigned short, unsigned char *);
/* Compare two addresses up to a prefix length (the int); 0 means equal. */
int	 sockaddr_cmp(struct sockaddr *, struct sockaddr *, int);
uint8_t	 mask2prefixlen(struct sockaddr *);
uint8_t	 mask2prefixlen6(struct sockaddr *);
struct in6_addr *
	 prefixlen2mask6(uint8_t, uint32_t *);
uint32_t
	 prefixlen2mask(uint8_t);
/* Bounded: the size_t is the capacity of the caller's char buffer. */
const char *
	 print_host(struct sockaddr *, char *, size_t);
/*
 * Builds a C string from a length-delimited byte buffer.  Returns char *,
 * so presumably heap-allocated and owned by the caller -- confirm in util.c.
 */
char	*get_string(uint8_t *, size_t);
const char *
	 print_proto(uint8_t);
int	 expand_string(char *, size_t, const char *, const char *);
/* Converts to a UTF-16 byte string; the size_t * receives the output length. Presumably allocated -- confirm. */
uint8_t	*string2unicode(const char *, size_t *);
/*
 * printf-style debug output.  The format attribute lets the compiler check
 * the format string against its arguments; always pass untrusted text as a
 * "%s" argument, never as the format itself.
 */
void	 print_debug(const char *, ...)
	    __attribute__((format(printf, 1, 2)));
void	 print_verbose(const char *, ...)
	    __attribute__((format(printf, 1, 2)));

/* imsg_util.c -- length-tracked buffers used for all key and wire material. */
struct ibuf *
	 ibuf_new(const void *, size_t);
struct ibuf *
	 ibuf_static(void);
int	 ibuf_cat(struct ibuf *, struct ibuf *);
size_t	 ibuf_length(struct ibuf *);
int	 ibuf_setsize(struct ibuf *, size_t);
uint8_t *
	 ibuf_data(struct ibuf *);
/* Bounded read of a sub-range; the size_t is the requested length. */
void	*ibuf_getdata(struct ibuf *, size_t);
struct ibuf *
	 ibuf_get(struct ibuf *, size_t);
struct ibuf *
	 ibuf_dup(struct ibuf *);
/*
 * New buffer of the given length filled with random bytes.  NOTE(review):
 * presumably sourced from the system CSPRNG -- confirm in imsg_util.c, as
 * this is used for nonces/SPIs.
 */
struct ibuf *
	 ibuf_random(size_t);
int	 ibuf_strcat(struct ibuf **, const char *);
int	 ibuf_strlen(struct ibuf *);

/*
 * log.c
 *
 * All logging entry points carry a printf format attribute, so mismatched
 * arguments are a compile-time diagnostic.  The format string must be a
 * literal; peer- or config-supplied text goes through "%s".
 */
void	 log_init(int, int);
void	 log_procinit(const char *);
void	 log_setverbose(int);
int	 log_getverbose(void);
void	 log_warn(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
void	 log_warnx(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
void	 log_info(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
void	 log_debug(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
void	 logit(int, const char *, ...)
	    __attribute__((__format__ (printf, 2, 3)));
/* The trailing 0 in the attribute means "va_list, no variadic args to check". */
void	 vlog(int, const char *, va_list)
	    __attribute__((__format__ (printf, 2, 0)));
/* __dead: these do not return (fatal() appends strerror(errno); fatalx() does not, per the usual OpenBSD convention). */
__dead void fatal(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
__dead void fatalx(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));

/* ocsp.c -- online certificate status checks; validation result for a cert blob + X509. */
int	 ocsp_connect(struct iked *, struct imsg *);
int	 ocsp_receive_fd(struct iked *, struct imsg *);
int	 ocsp_validate_cert(struct iked *, void *, size_t, struct iked_sahdr,
	    uint8_t, X509 *);

/* parse.y -- configuration parser and the transform tables it selects from. */
int	 parse_config(const char *, struct iked *);
int	 cmdline_symset(char *);
extern const struct ipsec_xf authxfs[];
extern const struct ipsec_xf prfxfs[];
extern const struct ipsec_xf *encxfs;
extern const struct ipsec_xf ikeencxfs[];
extern const struct ipsec_xf ipsecencxfs[];
extern const struct ipsec_xf groupxfs[];
extern const struct ipsec_xf esnxfs[];
extern const struct ipsec_xf methodxfs[];
extern const struct ipsec_xf saxfs[];
extern const struct ipsec_xf cpxfs[];
size_t	 keylength_xf(unsigned int, unsigned int, unsigned int);
size_t	 noncelength_xf(unsigned int, unsigned int);
/* Per the name: whether an encryption transform needs no separate integrity transform (AEAD) -- confirm in parse.y. */
int	 encxf_noauth(unsigned int);

/* print.c */
void	 print_user(struct iked_user *);
void	 print_policy(struct iked_policy *);
const char *print_xf(unsigned int, unsigned int, const struct ipsec_xf *);

#endif /* IKED_H */