/* $OpenBSD: iked.h,v 1.229 2024/02/15 20:10:45 tobhe Exp $ */

/*
 * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

#include <sys/types.h>
#include <sys/tree.h>
#include <sys/queue.h>
#include <arpa/inet.h>
#include <limits.h>
#include <imsg.h>

#include <openssl/evp.h>

#include "types.h"
#include "dh.h"

/*
 * These helpers (and the includes above) sit outside the IKED_H guard.
 * Re-inclusion is harmless only because each redefinition is
 * token-identical, which C allows.  Every argument is evaluated more
 * than once, so never pass an expression with side effects.
 */
#define MAXIMUM(a,b) (((a)>(b))?(a):(b))
#define MINIMUM(a,b) (((a)<(b))?(a):(b))
/* Round x up to the next multiple of y; y must be non-zero. */
#define roundup(x, y) ((((x)+((y)-1))/(y))*(y))

#ifndef IKED_H
#define IKED_H

/*
 * Common IKEv1/IKEv2 header
 *
 * Fixed IKE header as it appears on the wire.  The struct is __packed so
 * it can be overlaid on a received datagram; the multi-byte fields are
 * therefore presumably still in network byte order when read through it
 * (confirm that the parser converts them before use).
 */

struct ike_header {
	uint64_t	 ike_ispi;		/* Initiator cookie */
	uint64_t	 ike_rspi;		/* Responder cookie */
	uint8_t		 ike_nextpayload;	/* Next payload type */
	uint8_t		 ike_version;		/* Major/Minor version number */
	uint8_t		 ike_exchange;		/* Exchange type */
	uint8_t		 ike_flags;		/* Message options */
	uint32_t	 ike_msgid;		/* Message identifier */
	uint32_t	 ike_length;		/* Total message length */
} __packed;

/*
 * Common daemon infrastructure, local imsg etc.
 */

/* One imsg channel to a peer process together with its event registration. */
struct imsgev {
	struct imsgbuf		 ibuf;
	void			(*handler)(int, short, void *);
	struct event		 ev;
	struct privsep_proc	*proc;
	void			*data;
	short			 events;
	const char		*name;
};

/*
 * Abort unless the imsg payload holds at least sizeof(*p) bytes.  This
 * is the length check an imsg handler must make before casting the
 * payload to a struct: an undersized message from a sibling process is
 * treated as a fatal internal protocol error instead of being read past
 * its end.  Only a lower bound is enforced; extra trailing bytes pass.
 */
#define IMSG_SIZE_CHECK(imsg, p) do {				\
	if (IMSG_DATA_SIZE(imsg) < sizeof(*p))			\
		fatalx("bad length imsg received");		\
} while (0)
/*
 * Payload length of an imsg.  hdr.len is unsigned, so this assumes the
 * imsg layer has already rejected headers with len < IMSG_HEADER_SIZE;
 * otherwise the subtraction would wrap to a very large value and
 * IMSG_SIZE_CHECK would pass (verify if hdr.len can come from elsewhere).
 */
#define IMSG_DATA_SIZE(imsg) ((imsg)->hdr.len - IMSG_HEADER_SIZE)

/*
 * Two iked_addr values are equal when they carry the same prefix length
 * and sockaddr_cmp() finds no difference within that prefix.  Each
 * argument is evaluated twice, so pass plain lvalues only.
 */
#define IKED_ADDR_EQ(_a, _b)						\
	((_a)->addr_mask == (_b)->addr_mask &&				\
	sockaddr_cmp((struct sockaddr *)&(_a)->addr,			\
	(struct sockaddr *)&(_b)->addr, (_a)->addr_mask) == 0)

/* Negation of IKED_ADDR_EQ; same multiple-evaluation caveat. */
#define IKED_ADDR_NEQ(_a, _b)						\
	((_a)->addr_mask != (_b)->addr_mask ||				\
	sockaddr_cmp((struct sockaddr *)&(_a)->addr,			\
	(struct sockaddr *)&(_b)->addr, (_a)->addr_mask) != 0)

/* initially control.h */
/*
 * Listening control socket.  cs_restricted presumably marks the
 * reduced-privilege socket variant; what it restricts is decided in
 * control.c, not here.
 */
struct control_sock {
	const char	*cs_name;
	struct event	 cs_ev;
	struct event	 cs_evt;
	int		 cs_fd;
	int		 cs_restricted;
	void		*cs_env;
};

/* One accepted control-socket client and its imsg channel. */
struct ctl_conn {
	TAILQ_ENTRY(ctl_conn)	 entry;
	uint8_t			 flags;
#define CTL_CONN_NOTIFY		 0x01	/* client subscribed to notifications (presumably) */
	struct imsgev		 iev;
	uint32_t		 peerid;
};
TAILQ_HEAD(ctl_connlist, ctl_conn);

/* Identity of the current privsep process; set once at startup. */
extern enum privsep_procid privsep_process;

/*
 * Runtime structures
 */

/*
 * Timer bound to the daemon context.  The callback signature matches
 * (tmr_env, tmr_cbarg), so that is presumably how it is invoked.
 */
struct iked_timer {
	struct event	 tmr_ev;
	struct iked	*tmr_env;
	void		(*tmr_cb)(struct iked *, void *);
	void		*tmr_cbarg;
};

/* An SPI with its wire size and the protocol it belongs to. */
struct iked_spi {
	uint64_t	 spi;
	uint8_t		 spi_size;
	uint8_t		 spi_protoid;
};

/* One proposal of an SA payload: its transform list plus local/peer SPIs. */
struct iked_proposal {
	uint8_t				 prop_id;
	uint8_t				 prop_protoid;

	struct iked_spi			 prop_localspi;
	struct iked_spi			 prop_peerspi;

	struct iked_transform		*prop_xforms;
	unsigned int			 prop_nxforms;

	TAILQ_ENTRY(iked_proposal)	 prop_entry;
};
TAILQ_HEAD(iked_proposals, iked_proposal);

/* Address or prefix (addr_mask bits; addr_net set for networks) with a port. */
struct iked_addr {
	int				 addr_af;
	struct sockaddr_storage		 addr;
	uint8_t				 addr_mask;
	int				 addr_net;
	in_port_t			 addr_port;
};

/* Traffic selector: one address/prefix and an IP protocol. */
struct iked_ts {
	struct iked_addr		 ts_addr;
	uint8_t				 ts_ipproto;
	TAILQ_ENTRY(iked_ts)		 ts_entry;
};
TAILQ_HEAD(iked_tss, iked_ts);

/* IPsec flow to be installed through pfkey; flow_loaded records that it was. */
struct iked_flow {
	struct iked_addr		 flow_src;
	struct iked_addr		 flow_dst;
	unsigned int			 flow_dir;	/* in/out */
	int				 flow_rdomain;
	struct iked_addr		 flow_prenat;
	int				 flow_fixed;

	unsigned int			 flow_loaded;	/* pfkey done */

	uint8_t				 flow_saproto;
	uint8_t				 flow_ipproto;

	struct iked_addr		*flow_local;	/* outer source */
	struct iked_addr		*flow_peer;	/* outer dest */
	struct iked_sa			*flow_ikesa;	/* parent SA */

	RB_ENTRY(iked_flow)		 flow_node;
	TAILQ_ENTRY(iked_flow)		 flow_entry;
};
RB_HEAD(iked_flows, iked_flow);
TAILQ_HEAD(iked_saflows, iked_flow);

/*
 * Child (IPsec) SA.  csa_encrkey and csa_integrkey are the live keys for
 * this SA, so a childsa should be wiped, not merely freed, when it goes
 * away (NOTE(review): confirm childsa_free() does this).
 */
struct iked_childsa {
	uint8_t				 csa_saproto;	/* IPsec protocol */
	unsigned int			 csa_dir;	/* in/out */

	uint64_t			 csa_peerspi;	/* peer relation */
	uint8_t				 csa_loaded;	/* pfkey done */
	uint8_t				 csa_rekey;	/* will be deleted */
	uint8_t				 csa_allocated;	/* from the kernel */
	uint8_t				 csa_persistent;/* do not rekey */
	uint8_t				 csa_esn;	/* use ESN */
	uint8_t				 csa_transport;	/* transport mode */

	struct iked_spi			 csa_spi;

	struct ibuf			*csa_encrkey;	/* encryption key */
	uint16_t			 csa_encrid;	/* encryption xform id */

	struct ibuf			*csa_integrkey;	/* auth key */
	uint16_t			 csa_integrid;	/* auth xform id */

	struct iked_addr		*csa_local;	/* outer source */
	struct iked_addr		*csa_peer;	/* outer dest */
	struct iked_sa			*csa_ikesa;	/* parent SA */

	struct iked_childsa		*csa_peersa;	/* peer */

	struct iked_childsa		*csa_bundled;	/* IPCOMP */

	uint16_t			 csa_pfsgrpid;	/* pfs group id */

	RB_ENTRY(iked_childsa)		 csa_node;
	TAILQ_ENTRY(iked_childsa)	 csa_entry;
};
RB_HEAD(iked_activesas, iked_childsa);
TAILQ_HEAD(iked_childsas, iked_childsa);


/* Fixed-size identity from the configuration; id_length bytes of id_data are used. */
struct iked_static_id {
	uint8_t		id_type;
	uint8_t		id_length;
	uint8_t		id_offset;
	uint8_t		id_data[IKED_ID_SIZE];
};

/*
 * Configured authentication method.  auth_data holds the pre-shared key
 * (auth_length is zero when EAP is used instead).  It is secret material
 * embedded by value in every iked_policy, so any copy of a policy -- in
 * particular one sent over imsg -- carries the PSK with it.
 */
struct iked_auth {
	uint8_t		auth_method;
	uint8_t		auth_eap;			/* optional EAP */
	uint8_t		auth_length;			/* zero if EAP */
	uint8_t		auth_data[IKED_PSK_SIZE];
};

/* One configuration-payload attribute from the policy. */
struct iked_cfg {
	uint8_t				 cfg_action;
	uint16_t			 cfg_type;
	union {
		struct iked_addr	 address;
	} cfg;
};

TAILQ_HEAD(iked_sapeers, iked_sa);

/* Child SA lifetime limits in bytes and seconds. */
struct iked_lifetime {
	uint64_t			 lt_bytes;
	uint64_t			 lt_seconds;
};

/*
 * One "ikev2" policy line from the configuration, with its negotiated
 * proposals, flows and traffic selectors.
 */
struct iked_policy {
	unsigned int			 pol_id;
	char				 pol_name[IKED_ID_SIZE];
	unsigned int			 pol_iface;

#define IKED_SKIP_FLAGS			 0
#define IKED_SKIP_AF			 1
#define IKED_SKIP_SRC_ADDR		 2
#define IKED_SKIP_DST_ADDR		 3
#define IKED_SKIP_COUNT			 4
	struct iked_policy		*pol_skip[IKED_SKIP_COUNT];

	/*
	 * pol_flags is 8 bits wide and every bit below is assigned; a new
	 * flag needs a wider field.  IKED_POLICY_PASSIVE is 0 and therefore
	 * means "ACTIVE not set" -- it cannot be tested with '&'.
	 */
	uint8_t				 pol_flags;
#define IKED_POLICY_PASSIVE		 0x00
#define IKED_POLICY_DEFAULT		 0x01
#define IKED_POLICY_ACTIVE		 0x02
#define IKED_POLICY_REFCNT		 0x04
#define IKED_POLICY_QUICK		 0x08
#define IKED_POLICY_SKIP		 0x10
#define IKED_POLICY_IPCOMP		 0x20
#define IKED_POLICY_TRANSPORT		 0x40
#define IKED_POLICY_ROUTING		 0x80

	int				 pol_refcnt;

	uint8_t				 pol_certreqtype;

	int				 pol_af;
	int				 pol_rdomain;
	uint8_t				 pol_saproto;
	unsigned int			 pol_ipproto[IKED_IPPROTO_MAX];
	unsigned int			 pol_nipproto;

	struct iked_addr		 pol_peer;
	struct iked_static_id		 pol_peerid;
	uint32_t			 pol_peerdh;

	struct iked_addr		 pol_local;
	struct iked_static_id		 pol_localid;

	struct iked_auth		 pol_auth;	/* includes the PSK, see above */

	char				 pol_tag[IKED_TAG_SIZE];
	unsigned int			 pol_tap;

	struct iked_proposals		 pol_proposals;
	size_t				 pol_nproposals;

	struct iked_flows		 pol_flows;
	size_t				 pol_nflows;
	struct iked_tss			 pol_tssrc;	/* Traffic Selectors Initiator */
	size_t				 pol_tssrc_count;
	struct iked_tss			 pol_tsdst;	/* Traffic Selectors Responder */
	size_t				 pol_tsdst_count;

	struct iked_cfg			 pol_cfg[IKED_CFG_MAX];
	unsigned int			 pol_ncfg;

	uint32_t			 pol_rekey;	/* ike SA lifetime */
	struct iked_lifetime		 pol_lifetime;	/* child SA lifetime */

	struct iked_sapeers		 pol_sapeers;

	TAILQ_ENTRY(iked_policy)	 pol_entry;
};
TAILQ_HEAD(iked_policies, iked_policy);

/* PRF / integrity algorithm instance; hash_key is derived keying material. */
struct iked_hash {
	uint8_t		 hash_type;	/* PRF or INTEGR */
	uint16_t	 hash_id;	/* IKE PRF/INTEGR hash id */
	const void	*hash_priv;	/* Identifying the hash alg */
	void		*hash_ctx;	/* Context of the current invocation */
	int		 hash_fixedkey;	/* Requires fixed key length */
	struct ibuf	*hash_key;	/* MAC key derived from key seed */
	size_t		 hash_length;	/* Output length */
	size_t		 hash_trunc;	/* Truncate the output length */
	struct iked_hash *hash_prf;	/* PRF pointer */
	int		 hash_isaead;
};

/*
 * Encryption algorithm instance.  For GCM-style AEAD modes encr_civ is
 * the per-message counter part of the nonce; a repeated (key, nonce)
 * pair breaks these modes, so it must never be reset or wrap under the
 * same encr_key (NOTE(review): confirm how crypto.c advances it).
 */
struct iked_cipher {
	uint8_t		 encr_type;	/* ENCR */
	uint16_t	 encr_id;	/* IKE ENCR hash id */
	const void	*encr_priv;	/* Identifying the hash alg */
	void		*encr_ctx;	/* Context of the current invocation */
	int		 encr_fixedkey;	/* Requires fixed key length */
	struct ibuf	*encr_key;	/* MAC key derived from key seed */
	struct ibuf	*encr_iv;	/* Initialization Vector */
	uint64_t	 encr_civ;	/* Counter IV for GCM */
	size_t		 encr_ivlength;	/* IV length */
	size_t		 encr_length;	/* Block length */
	size_t		 encr_saltlength;	/* IV salt length */
	uint16_t	 encr_authid;	/* ID of associated authentication */
};

/* AUTH payload signer/verifier: either an HMAC (PSK) or a public-key signature. */
struct iked_dsa {
	uint8_t		 dsa_method;	/* AUTH method */
	const void	*dsa_priv;	/* PRF or signature hash function */
	void		*dsa_ctx;	/* PRF or signature hash ctx */
	struct ibuf	*dsa_keydata;	/* public, private or shared key */
	void		*dsa_key;	/* parsed public or private key */
	int		 dsa_hmac;	/* HMAC or public/private key */
	int		 dsa_sign;	/* Sign or verify operation */
	uint32_t	 dsa_flags;	/* State flags */
};

/* Variable-length identity or certificate payload. */
struct iked_id {
	uint8_t		 id_type;
	uint8_t		 id_offset;
	struct ibuf	*id_buf;
};

/* sa_stateflags bits: which steps of the exchange have completed. */
#define IKED_REQ_CERT		0x0001	/* get local certificate (if required) */
#define IKED_REQ_CERTVALID	0x0002	/* validated the peer cert */
#define IKED_REQ_CERTREQ	0x0004	/* CERTREQ has been received */
#define IKED_REQ_AUTH		0x0008	/* AUTH payload */
#define IKED_REQ_AUTHVALID	0x0010	/* AUTH payload has been verified */
#define IKED_REQ_SA		0x0020	/* SA available */
#define IKED_REQ_EAPVALID	0x0040	/* EAP payload has been verified */
#define IKED_REQ_CHILDSA	0x0080	/* Child SA initiated */
#define IKED_REQ_INF		0x0100	/* Informational exchange initiated */

/* %b-style bit description of the IKED_REQ_* flags for logging. */
#define IKED_REQ_BITS	\
	"\20\01CERT\02CERTVALID\03CERTREQ\04AUTH\05AUTHVALID\06SA\07EAPVALID" \
	"\10CHILDSA\11INF"

TAILQ_HEAD(iked_msgqueue, iked_msg_retransmit);
TAILQ_HEAD(iked_msg_fragqueue, iked_message);

/* IKE SA identity (SPI pair plus our role); __packed as it travels inside imsgs. */
struct iked_sahdr {
	uint64_t			 sh_ispi;	/* Initiator SPI */
	uint64_t			 sh_rspi;	/* Responder SPI */
	unsigned int			 sh_initiator;	/* Is initiator? */
} __packed;

/* Key-exchange inputs: both nonces and both DH public values. */
struct iked_kex {
	struct ibuf			*kex_inonce;	/* Ni */
	struct ibuf			*kex_rnonce;	/* Nr */

	struct dh_group			*kex_dhgroup;	/* DH group */
	struct ibuf			*kex_dhiexchange;
	struct ibuf			*kex_dhrexchange;
	struct ibuf			*kex_dhpeer;	/* pointer to i or r */
};

struct iked_frag_entry {
	uint8_t	*frag_data;
	size_t	 frag_size;
};

/*
 * IKEv2 fragment reassembly state.  frag_total comes from the peer's
 * fragment header, so it must be checked against IKED_FRAG_TOTAL_MAX
 * before frag_arr is sized from it (NOTE(review): that check lives in
 * the receive path, not here).
 */
struct iked_frag {
	struct iked_frag_entry	**frag_arr;	/* list of fragment buffers */
	size_t			  frag_count;	/* number of fragments received */
#define IKED_FRAG_TOTAL_MAX	  111		/* upper limit (64kB / 576B) */
	size_t			  frag_total;	/* total number of fragments */
	size_t			  frag_total_size;
	uint8_t			  frag_nextpayload;

};

struct iked_ipcomp {
	uint16_t			 ic_cpi_out;	/* outgoing CPI */
	uint16_t			 ic_cpi_in;	/* incoming CPI */
	uint8_t				 ic_transform;	/* transform */
};

/*
 * IKE SA.  Holds all derived session keys (SK_*), so the whole object is
 * sensitive; sa_msgid/sa_reqid are the IKEv2 message-ID counters that
 * pair requests with responses and reject out-of-window messages.
 */
struct iked_sa {
	struct iked_sahdr		 sa_hdr;
	uint32_t			 sa_msgid;	/* Last request rcvd */
	int				 sa_msgid_set;	/* msgid initialized */
	uint32_t			 sa_msgid_current;	/* Current requested rcvd */
	uint32_t			 sa_reqid;	/* Next request sent */

	int				 sa_type;
#define IKED_SATYPE_LOOKUP		 0		/* Used for lookup */
#define IKED_SATYPE_LOCAL		 1		/* Local SA */

	struct iked_addr		 sa_peer;
	struct iked_addr		 sa_peer_loaded;/* MOBIKE */
	struct iked_addr		 sa_local;
	int				 sa_fd;

	struct iked_frag		 sa_fragments;

	int				 sa_natt;	/* for IKE messages */
	int				 sa_udpencap;	/* for pfkey */
	int				 sa_usekeepalive;/* NAT-T keepalive */

	int				 sa_state;
	unsigned int			 sa_stateflags;
	unsigned int			 sa_stateinit;	/* SA_INIT */
	unsigned int			 sa_statevalid;	/* IKE_AUTH */

	int				 sa_cp;		/* XXX */
	struct iked_addr		*sa_cp_addr;	/* requested address */
	struct iked_addr		*sa_cp_addr6;	/* requested address */
	struct iked_addr		*sa_cp_dns;	/* requested dns */

	struct iked_policy		*sa_policy;
	struct timeval			 sa_timecreated;
	struct timeval			 sa_timeused;

	char				*sa_tag;
	const char			*sa_reason;	/* reason for close */

	struct iked_kex			 sa_kex;
	/* XXX compat defines until everything is converted */
#define sa_inonce		sa_kex.kex_inonce
#define sa_rnonce		sa_kex.kex_rnonce
#define sa_dhgroup		sa_kex.kex_dhgroup
#define sa_dhiexchange		sa_kex.kex_dhiexchange
#define sa_dhrexchange		sa_kex.kex_dhrexchange
#define sa_dhpeer		sa_kex.kex_dhpeer

	struct iked_hash		*sa_prf;	/* PRF alg */
	struct iked_hash		*sa_integr;	/* integrity alg */
	struct iked_cipher		*sa_encr;	/* encryption alg */

	/* Session keys derived from SKEYSEED; secret. */
	struct ibuf			*sa_key_d;	/* SK_d */
	struct ibuf			*sa_key_iauth;	/* SK_ai */
	struct ibuf			*sa_key_rauth;	/* SK_ar */
	struct ibuf			*sa_key_iencr;	/* SK_ei */
	struct ibuf			*sa_key_rencr;	/* SK_er */
	struct ibuf			*sa_key_iprf;	/* SK_pi */
	struct ibuf			*sa_key_rprf;	/* SK_pr */

	struct ibuf			*sa_1stmsg;	/* for initiator AUTH */
	struct ibuf			*sa_2ndmsg;	/* for responder AUTH */
	struct iked_id			 sa_localauth;	/* local AUTH message */
	struct iked_id			 sa_peerauth;	/* peer AUTH message */
	int				 sa_sigsha2;	/* use SHA2 for signatures */
#define IKED_SCERT_MAX	3	/* max # of supplemental cert payloads */

	struct iked_id			 sa_iid;	/* initiator id */
	struct iked_id			 sa_rid;	/* responder id */
	struct iked_id			 sa_icert;	/* initiator cert */
	struct iked_id			 sa_rcert;	/* responder cert */
	struct iked_id			 sa_scert[IKED_SCERT_MAX]; /* supplemental certs */
/* Our own / the peer's identity, selected by the role recorded in sa_hdr. */
#define IKESA_SRCID(x) ((x)->sa_hdr.sh_initiator ? &(x)->sa_iid : &(x)->sa_rid)
#define IKESA_DSTID(x) ((x)->sa_hdr.sh_initiator ? &(x)->sa_rid : &(x)->sa_iid)

	char				*sa_eapid;	/* EAP identity */
	struct iked_id			 sa_eap;	/* EAP challenge */
	struct ibuf			*sa_eapmsk;	/* EAP session key */

	struct iked_proposals		 sa_proposals;	/* SA proposals */
	struct iked_childsas		 sa_childsas;	/* IPsec Child SAs */
	struct iked_saflows		 sa_flows;	/* IPsec flows */

	struct iked_sa			*sa_nexti;	/* initiated IKE SA */
	struct iked_sa			*sa_previ;	/* matching back pointer */
	struct iked_sa			*sa_nextr;	/* simultaneous rekey */
	struct iked_sa			*sa_prevr;	/* matching back pointer */
	uint64_t			 sa_rekeyspi;	/* peerspi CSA rekey */
	struct ibuf			*sa_simult;	/* simultaneous rekey */

	struct iked_ipcomp		 sa_ipcompi;	/* IPcomp initiator */
	struct iked_ipcomp		 sa_ipcompr;	/* IPcomp responder */

	int				 sa_mobike;	/* MOBIKE */
	int				 sa_frag;	/* fragmentation */

	int				 sa_use_transport_mode;	/* peer requested */
	int				 sa_used_transport_mode;	/* we enabled */

	struct iked_timer		 sa_timer;	/* SA timeouts */
#define IKED_IKE_SA_EXCHANGE_TIMEOUT	 300		/* 5 minutes */
#define IKED_IKE_SA_REKEY_TIMEOUT	 120		/* 2 minutes */
#define IKED_IKE_SA_DELETE_TIMEOUT	 120		/* 2 minutes */
#define IKED_IKE_SA_ALIVE_TIMEOUT	 60		/* 1 minute */

	struct iked_timer		 sa_keepalive;	/* keepalive timer */
#define IKED_IKE_SA_KEEPALIVE_TIMEOUT	 20

	struct iked_timer		 sa_rekey;	/* rekey timeout */
	int				 sa_tmpfail;

	struct iked_msgqueue		 sa_requests;	/* request queue */
#define IKED_RETRANSMIT_TIMEOUT		 2		/* 2 seconds */

	struct iked_msgqueue		 sa_responses;	/* response queue */
#define IKED_RESPONSE_TIMEOUT		 120		/* 2 minutes */

	TAILQ_ENTRY(iked_sa)		 sa_peer_entry;
	RB_ENTRY(iked_sa)		 sa_entry;	/* all SAs */

	RB_ENTRY(iked_sa)		 sa_dstid_entry;	/* SAs by DSTID */
	int				 sa_dstid_entry_valid;	/* sa_dstid_entry valid */

	struct iked_addr		*sa_addrpool;	/* address from pool */
	RB_ENTRY(iked_sa)		 sa_addrpool_entry;	/* pool entries */

	struct iked_addr		*sa_addrpool6;	/* address from pool */
	RB_ENTRY(iked_sa)		 sa_addrpool6_entry;	/* pool entries */
	time_t				 sa_last_recvd;
#define IKED_IKE_SA_LAST_RECVD_TIMEOUT	 300		/* 5 minutes */
};
RB_HEAD(iked_sas, iked_sa);
RB_HEAD(iked_dstid_sas, iked_sa);
RB_HEAD(iked_addrpool, iked_sa);
RB_HEAD(iked_addrpool6, iked_sa);

/* stats */

/* Monotonic counters (plus one gauge) exported to ikectl. */
struct iked_stats {
	uint64_t	ikes_sa_created;
	uint64_t	ikes_sa_established_total;
	uint64_t	ikes_sa_established_current; /* gauge */
	uint64_t	ikes_sa_established_failures;
	uint64_t	ikes_sa_proposals_negotiate_failures;
	uint64_t	ikes_sa_rekeyed;
	uint64_t	ikes_sa_removed;
	uint64_t	ikes_csa_created;
	uint64_t	ikes_csa_removed;
	uint64_t	ikes_msg_sent;
	uint64_t	ikes_msg_send_failures;
	uint64_t	ikes_msg_rcvd;
	uint64_t	ikes_msg_rcvd_busy;
	uint64_t	ikes_msg_rcvd_dropped;
	uint64_t	ikes_retransmit_request;
	uint64_t	ikes_retransmit_response;
	uint64_t	ikes_retransmit_limit;
	uint64_t	ikes_frag_sent;
	uint64_t	ikes_frag_send_failures;
	uint64_t	ikes_frag_rcvd;
	uint64_t	ikes_frag_rcvd_drop;
	uint64_t	ikes_frag_reass_ok;
	uint64_t	ikes_frag_reass_drop;
	uint64_t	ikes_update_addresses_sent;
	uint64_t	ikes_dpd_sent;
	uint64_t	ikes_keepalive_sent;
};

/*
 * Counter helpers.  'env' is not parenthesized, so pass a plain pointer
 * expression.  ikestat_dec adds -1 to a uint64_t, which is well-defined
 * modular arithmetic; only use it on the gauge, never on a counter.
 */
#define ikestat_add(env, c, n)	do { env->sc_stats.c += (n); } while(0)
#define ikestat_inc(env, c)	ikestat_add(env, c, 1)
#define ikestat_dec(env, c)	ikestat_add(env, c, -1)

/* One CERTREQ payload received from the peer. */
struct iked_certreq {
	struct ibuf			*cr_data;
	uint8_t				 cr_type;
	SIMPLEQ_ENTRY(iked_certreq)	 cr_entry;
};
SIMPLEQ_HEAD(iked_certreqs, iked_certreq);

/* EAP server-side state machine positions (eam_state). */
#define EAP_STATE_IDENTITY		(1)
#define EAP_STATE_MSCHAPV2_CHALLENGE	(2)
#define EAP_STATE_MSCHAPV2_SUCCESS	(3)
#define EAP_STATE_SUCCESS		(4)

/*
 * Parsed EAP payload.  The 16-byte challenge and 24-byte NT-Response
 * field sizes match EAP-MSCHAPv2; the parser must bound-check the
 * received lengths before copying into them.
 */
struct eap_msg {
	char		*eam_identity;
	char		*eam_user;
	int		 eam_type;
	uint8_t		 eam_id;
	uint8_t		 eam_msrid;
	int		 eam_success;
	int		 eam_found;
	int		 eam_response;
	uint8_t		 eam_challenge[16];
	uint8_t		 eam_ntresponse[24];
	uint32_t	 eam_state;
};

/*
 * One IKE message in flight, either received (msg_data + parsed payloads
 * below) or queued for (re)transmission.  Everything under "Parsed
 * information" originates from the peer and is untrusted until the
 * message has been decrypted and, for AUTH-related fields, verified.
 */
struct iked_message {
	struct ibuf		*msg_data;
	size_t			 msg_offset;

	struct sockaddr_storage	 msg_local;
	socklen_t		 msg_locallen;

	struct sockaddr_storage	 msg_peer;
	socklen_t		 msg_peerlen;

	struct iked_socket	*msg_sock;

	int			 msg_fd;
	int			 msg_response;
	int			 msg_responded;
	int			 msg_valid;
	int			 msg_natt;
	int			 msg_natt_rcvd;
	int			 msg_nat_detected;
	int			 msg_error;
	int			 msg_e;
	struct iked_message	*msg_parent;

	/* Associated policy and SA */
	struct iked_policy	*msg_policy;
	struct iked_sa		*msg_sa;

	uint32_t		 msg_msgid;
	uint8_t			 msg_exchange;

	/* Parsed information */
	struct iked_proposals	 msg_proposals;
	struct iked_certreqs	 msg_certreqs;
	struct iked_spi		 msg_rekey;
	struct ibuf		*msg_nonce;	/* dh NONCE */
	uint16_t		 msg_dhgroup;	/* dh group */
	struct ibuf		*msg_ke;	/* dh key exchange */
	struct iked_id		 msg_auth;	/* AUTH payload */
	struct iked_id		 msg_peerid;
	struct iked_id		 msg_localid;
	struct iked_id		 msg_cert;
	struct iked_id		 msg_scert[IKED_SCERT_MAX]; /* supplemental certs */
	struct ibuf		*msg_cookie;
	uint16_t		 msg_group;
	uint16_t		 msg_cpi;
	uint8_t			 msg_transform;
	uint16_t		 msg_flags;
	struct eap_msg		 msg_eap;
	size_t			 msg_del_spisize;
	size_t			 msg_del_cnt;
	struct ibuf		*msg_del_buf;
	int			 msg_del_protoid;
	int			 msg_cp;
	struct iked_addr	*msg_cp_addr;	/* requested address */
	struct iked_addr	*msg_cp_addr6;	/* requested address */
	struct iked_addr	*msg_cp_dns;	/* requested dns */

	/* MOBIKE */
	int			 msg_update_sa_addresses;
	struct ibuf		*msg_cookie2;

	/* Parse stack */
	struct iked_proposal	*msg_prop;
	uint16_t		 msg_attrlength;

	/* Retransmit queue */
	TAILQ_ENTRY(iked_message)
				 msg_entry;
};

/* A queued request/response (possibly fragmented) with its retransmit timer. */
struct iked_msg_retransmit {
	struct iked_msg_fragqueue	  mrt_frags;
	TAILQ_ENTRY(iked_msg_retransmit)  mrt_entry;
	struct iked_timer		  mrt_timer;
	int				  mrt_tries;
#define IKED_RETRANSMIT_TRIES	 5		/* try 5 times */
};

/* NAT detection results for a message (which side is behind NAT). */
#define IKED_MSG_NAT_SRC_IP		0x01
#define IKED_MSG_NAT_DST_IP		0x02

/*
 * msg_flags: notifications seen in a message.  Several of these arrive
 * in unauthenticated IKE_SA_INIT or are error notifies; the handlers
 * decide how much to trust them, this header only records presence.
 */
#define IKED_MSG_FLAGS_FRAGMENTATION		0x0001
#define IKED_MSG_FLAGS_MOBIKE			0x0002
#define IKED_MSG_FLAGS_SIGSHA2			0x0004
#define IKED_MSG_FLAGS_CHILD_SA_NOT_FOUND	0x0008
#define IKED_MSG_FLAGS_NO_ADDITIONAL_SAS	0x0010
#define IKED_MSG_FLAGS_AUTHENTICATION_FAILED	0x0020
#define IKED_MSG_FLAGS_INVALID_KE		0x0040
#define IKED_MSG_FLAGS_IPCOMP_SUPPORTED		0x0080
#define IKED_MSG_FLAGS_USE_TRANSPORT		0x0100
#define IKED_MSG_FLAGS_TEMPORARY_FAILURE	0x0200
#define IKED_MSG_FLAGS_NO_PROPOSAL_CHOSEN	0x0400


/*
 * EAP user record.  usr_pass is the cleartext password kept in memory
 * (MSCHAPv2 needs it for the NT hash), so the users tree is sensitive
 * wherever it is copied; NOTE(review): confirm it is wiped on reload.
 */
struct iked_user {
	char			 usr_name[LOGIN_NAME_MAX];
	char			 usr_pass[IKED_PASSWORD_SIZE];
	RB_ENTRY(iked_user)	 usr_entry;
};
RB_HEAD(iked_users, iked_user);

/* Socketpair matrix between process types. */
struct privsep_pipes {
	int				*pp_pipes[PROC_MAX];
};

/* Privilege-separation bookkeeping shared by the parent and its children. */
struct privsep {
	struct privsep_pipes		*ps_pipes[PROC_MAX];
	struct privsep_pipes		*ps_pp;

	struct imsgev			*ps_ievs[PROC_MAX];
	const char			*ps_title[PROC_MAX];
	pid_t				 ps_pid[PROC_MAX];
	struct passwd			*ps_pw;		/* unprivileged user to drop to */
	int				 ps_noaction;

	struct control_sock		 ps_csock;

	unsigned int			 ps_instances[PROC_MAX];
	unsigned int			 ps_ninstances;
	unsigned int			 ps_instance;

	/* Event and signal handlers */
	struct event			 ps_evsigint;
	struct event			 ps_evsigterm;
	struct event			 ps_evsigchld;
	struct event			 ps_evsighup;
	struct event			 ps_evsigpipe;
	struct event			 ps_evsigusr1;

	struct iked			*ps_env;
	unsigned int			 ps_connecting;
	void				(*ps_connected)(struct privsep *);
};

/* Per-process description: imsg dispatcher, init hook, chroot and user. */
struct privsep_proc {
	const char		*p_title;
	enum privsep_procid	 p_id;
	int			(*p_cb)(int, struct privsep_proc *,
				    struct imsg *);
	void			(*p_init)(struct privsep *,
				    struct privsep_proc *);
	const char		*p_chroot;
	struct passwd		*p_pw;
	struct privsep		*p_ps;
	void			(*p_shutdown)(void);
};

struct privsep_fd {
	enum privsep_procid	 pf_procid;
	unsigned int		 pf_instance;
};

/* Descriptor number a child inherits for its channel to the parent. */
#define PROC_PARENT_SOCK_FILENO	3
#define PROC_MAX_INSTANCES	32

struct iked_ocsp_entry {
	TAILQ_ENTRY(iked_ocsp_entry) ioe_entry;	/* next request */
	void			*ioe_ocsp;	/* private ocsp request data */
};
TAILQ_HEAD(iked_ocsp_requests, iked_ocsp_entry);

/*
 * Daemon configuration
 */

enum natt_mode {
	NATT_DEFAULT,	/* send/recv with both :500 and NAT-T port */
	NATT_DISABLE,	/* send/recv with only :500 */
	NATT_FORCE,	/* send/recv with only NAT-T port */
};

/*
 * Fixed-size global settings, pushed to child processes as one unit.
 * st_cert_partial_chain and st_enforcesingleikesa change what the
 * daemon accepts (partial chains / duplicate SAs) and so are
 * security-relevant knobs, not just tuning.
 */
struct iked_static {
	uint64_t		 st_alive_timeout;
	int			 st_cert_partial_chain;
	int			 st_enforcesingleikesa;
	uint8_t			 st_frag;		/* fragmentation */
	uint8_t			 st_mobike;		/* MOBIKE */
	in_port_t		 st_nattport;
	int			 st_stickyaddress;	/* addr per DSTID */
	int			 st_vendorid;
};

/* Global daemon context; one per process, with sc_priv for process-local data. */
struct iked {
	char				 sc_conffile[PATH_MAX];

	uint32_t			 sc_opts;
	enum natt_mode			 sc_nattmode;
	uint8_t				 sc_passive;
	uint8_t				 sc_decoupled;

	struct iked_static		 sc_static;

#define sc_alive_timeout	sc_static.st_alive_timeout
#define sc_cert_partial_chain	sc_static.st_cert_partial_chain
#define sc_enforcesingleikesa	sc_static.st_enforcesingleikesa
#define sc_frag			sc_static.st_frag
#define sc_mobike		sc_static.st_mobike
#define sc_nattport		sc_static.st_nattport
#define sc_stickyaddress	sc_static.st_stickyaddress
#define sc_vendorid		sc_static.st_vendorid

	struct iked_policies		 sc_policies;
	struct iked_policy		*sc_defaultcon;

	struct iked_sas			 sc_sas;
	struct iked_dstid_sas		 sc_dstid_sas;
	struct iked_activesas		 sc_activesas;
	struct iked_flows		 sc_activeflows;
	struct iked_users		 sc_users;

	struct iked_stats		 sc_stats;

	void				*sc_priv;	/* per-process */

	int				 sc_pfkey;	/* ike process */
	struct event			 sc_pfkeyev;
	struct event			 sc_routeev;
	uint8_t				 sc_certreqtype;
	struct ibuf			*sc_certreq;
	void				*sc_vroute;

	struct iked_socket		*sc_sock4[2];
	struct iked_socket		*sc_sock6[2];

	struct iked_timer		 sc_inittmr;
#define IKED_INITIATOR_INITIAL		 2
#define IKED_INITIATOR_INTERVAL		 60

	struct privsep			 sc_ps;

	/* OCSP: tolerate/maxage are time bounds (seconds) on responder clocks */
	struct iked_ocsp_requests	 sc_ocsp;
	char				*sc_ocsp_url;
	long				 sc_ocsp_tolerate;
	long				 sc_ocsp_maxage;

	struct iked_addrpool		 sc_addrpool;
	struct iked_addrpool6		 sc_addrpool6;
};

/* A bound UDP socket (one per address family and port). */
struct iked_socket {
	int			 sock_fd;
	struct event		 sock_ev;
	struct iked		*sock_env;
	struct sockaddr_storage	 sock_addr;
};

/* Table entry describing one transform the parser knows by name. */
struct ipsec_xf {
	const char	*name;
	unsigned int	 id;
	unsigned int	 length;
	unsigned int	 keylength;
	unsigned int	 nonce;
	unsigned int	 noauth;
};

struct ipsec_transforms {
	const struct ipsec_xf	**authxf;
	unsigned int		  nauthxf;
	const struct ipsec_xf	**prfxf;
	unsigned int		  nprfxf;
	const struct ipsec_xf	**encxf;
	unsigned int		  nencxf;
	const struct ipsec_xf	**groupxf;
	unsigned int		  ngroupxf;
	const struct ipsec_xf	**esnxf;
	unsigned int		  nesnxf;
};

struct ipsec_mode {
	struct ipsec_transforms	**xfs;
	unsigned int		  nxfs;
};

/* iked.c */
void	 parent_reload(struct iked *, int, const char *);

extern struct iked	*iked_env;

/* control.c */
void	 control(struct privsep *, struct privsep_proc *);
int	 control_init(struct privsep *, struct control_sock *);
int	 control_listen(struct control_sock *);

/*
 * config.c
 *
 * The config_set*/config_get* pairs serialize configuration into imsgs
 * (parent side) and decode them again (child side).  The decoders take
 * a struct imsg and are the place where IMSG_SIZE_CHECK must be applied
 * before any payload is interpreted.
 */
struct iked_policy *
	 config_new_policy(struct iked *);
void	 config_free_kex(struct iked_kex *);
void	 config_free_fragments(struct iked_frag *);
void	 config_free_sa(struct iked *, struct iked_sa *);
struct iked_sa *
	 config_new_sa(struct iked *, int);
struct iked_user *
	 config_new_user(struct iked *, struct iked_user *);
uint64_t
	 config_getspi(void);	/* fresh SPI; must be unpredictable, see implementation */
struct iked_transform *
	 config_findtransform(struct iked_proposals *, uint8_t, unsigned int);
struct iked_transform *
	 config_findtransform_ext(struct iked_proposals *, uint8_t, int, unsigned int);
void	 config_free_policy(struct iked *, struct iked_policy *);
struct iked_proposal *
	 config_add_proposal(struct iked_proposals *, unsigned int,
	    unsigned int);
void	 config_free_proposal(struct iked_proposals *, struct iked_proposal *);
void	 config_free_proposals(struct iked_proposals *, unsigned int);
void	 config_free_flows(struct iked *, struct iked_flows *);
void	 config_free_childsas(struct iked *, struct iked_childsas *,
	    struct iked_spi *, struct iked_spi *);
int	 config_add_transform(struct iked_proposal *,
	    unsigned int, unsigned int, unsigned int, unsigned int);
int	 config_setcoupled(struct iked *, unsigned int);
int	 config_getcoupled(struct iked *, unsigned int);
int	 config_setmode(struct iked *, unsigned int);
int	 config_getmode(struct iked *, unsigned int);
int	 config_setreset(struct iked *, unsigned int, enum privsep_procid);
int	 config_getreset(struct iked *, struct imsg *);
int	 config_doreset(struct iked *, unsigned int);
int	 config_setpolicy(struct iked *, struct iked_policy *,
	    enum privsep_procid);
int	 config_getpolicy(struct iked *, struct imsg *);
int	 config_setflow(struct iked *, struct iked_policy *,
	    enum privsep_procid);
int	 config_getflow(struct iked *, struct imsg *);
int	 config_setsocket(struct iked *, struct sockaddr_storage *, in_port_t,
	    enum privsep_procid);
int	 config_getsocket(struct iked *env, struct imsg *,
	    void (*cb)(int, short, void *));
void	 config_enablesocket(struct iked *env);
int	 config_setpfkey(struct iked *);
int	 config_getpfkey(struct iked *, struct imsg *);
int	 config_setuser(struct iked *, struct iked_user *, enum privsep_procid);
int	 config_getuser(struct iked *, struct imsg *);
int	 config_setcompile(struct iked *, enum privsep_procid);
int	 config_getcompile(struct iked *);
int	 config_setocsp(struct iked *);
int	 config_getocsp(struct iked *, struct imsg *);
int	 config_setkeys(struct iked *);
int	 config_getkey(struct iked *, struct imsg *);
int	 config_setstatic(struct iked *);
int	 config_getstatic(struct iked *, struct imsg *);

/* policy.c */
void	 policy_init(struct iked *);
int	 policy_lookup(struct iked *, struct iked_message *,
	    struct iked_proposals *, struct iked_flows *, int);
int	 policy_lookup_sa(struct iked *, struct iked_sa *);
struct iked_policy *
	 policy_test(struct iked *, struct iked_policy *);
int	 policy_generate_ts(struct iked_policy *);
void	 policy_calc_skip_steps(struct iked_policies *);
void	 policy_ref(struct iked *, struct iked_policy *);
void	 policy_unref(struct iked *, struct iked_policy *);
void	 sa_state(struct iked *, struct iked_sa *, int);
void	 sa_stateflags(struct iked_sa *, unsigned int);
int	 sa_stateok(const struct iked_sa *, int);
struct iked_sa *
	 sa_new(struct iked *, uint64_t, uint64_t, unsigned int,
	    struct iked_policy *);
void	 sa_free(struct iked *, struct iked_sa *);
void	 sa_free_flows(struct iked *, struct iked_saflows *);
int	 sa_configure_iface(struct iked *, struct iked_sa *, int);
int	 sa_address(struct iked_sa *, struct iked_addr *, struct sockaddr *);
void	 childsa_free(struct iked_childsa *);
struct iked_childsa *
	 childsa_lookup(struct iked_sa *, uint64_t, uint8_t);
void	 flow_free(struct iked_flow *);
int	 flow_equal(struct iked_flow *, struct iked_flow *);
struct iked_sa *
	 sa_lookup(struct iked *, uint64_t, uint64_t, unsigned int);
struct iked_user *
	 user_lookup(struct iked *, const char *);
struct iked_sa * 975 sa_dstid_lookup(struct iked *, struct iked_sa *); 976 struct iked_sa * 977 sa_dstid_insert(struct iked *, struct iked_sa *); 978 void sa_dstid_remove(struct iked *, struct iked_sa *); 979 int proposals_negotiate(struct iked_proposals *, struct iked_proposals *, 980 struct iked_proposals *, int, int); 981 RB_PROTOTYPE(iked_sas, iked_sa, sa_entry, sa_cmp); 982 RB_PROTOTYPE(iked_dstid_sas, iked_sa, sa_dstid_entry, sa_dstid_cmp); 983 RB_PROTOTYPE(iked_addrpool, iked_sa, sa_addrpool_entry, sa_addrpool_cmp); 984 RB_PROTOTYPE(iked_addrpool6, iked_sa, sa_addrpool6_entry, sa_addrpool6_cmp); 985 RB_PROTOTYPE(iked_users, iked_user, user_entry, user_cmp); 986 RB_PROTOTYPE(iked_activesas, iked_childsa, csa_node, childsa_cmp); 987 RB_PROTOTYPE(iked_flows, iked_flow, flow_node, flow_cmp); 988 989 /* crypto.c */ 990 struct iked_hash * 991 hash_new(uint8_t, uint16_t); 992 struct ibuf * 993 hash_setkey(struct iked_hash *, void *, size_t); 994 void hash_free(struct iked_hash *); 995 void hash_init(struct iked_hash *); 996 void hash_update(struct iked_hash *, void *, size_t); 997 void hash_final(struct iked_hash *, void *, size_t *); 998 size_t hash_keylength(struct iked_hash *); 999 size_t hash_length(struct iked_hash *); 1000 1001 struct iked_cipher * 1002 cipher_new(uint8_t, uint16_t, uint16_t); 1003 struct ibuf * 1004 cipher_setkey(struct iked_cipher *, const void *, size_t); 1005 struct ibuf * 1006 cipher_setiv(struct iked_cipher *, const void *, size_t); 1007 int cipher_settag(struct iked_cipher *, uint8_t *, size_t); 1008 int cipher_gettag(struct iked_cipher *, uint8_t *, size_t); 1009 void cipher_free(struct iked_cipher *); 1010 int cipher_init(struct iked_cipher *, int); 1011 int cipher_init_encrypt(struct iked_cipher *); 1012 int cipher_init_decrypt(struct iked_cipher *); 1013 void cipher_aad(struct iked_cipher *, const void *, size_t, size_t *); 1014 int cipher_update(struct iked_cipher *, const void *, size_t, void *, size_t *); 1015 int 
cipher_final(struct iked_cipher *); 1016 size_t cipher_length(struct iked_cipher *); 1017 size_t cipher_keylength(struct iked_cipher *); 1018 size_t cipher_ivlength(struct iked_cipher *); 1019 size_t cipher_outlength(struct iked_cipher *, size_t); 1020 1021 struct iked_dsa * 1022 dsa_new(uint8_t, struct iked_hash *, int); 1023 struct iked_dsa * 1024 dsa_sign_new(uint8_t, struct iked_hash *); 1025 struct iked_dsa * 1026 dsa_verify_new(uint8_t, struct iked_hash *); 1027 struct ibuf * 1028 dsa_setkey(struct iked_dsa *, void *, size_t, uint8_t); 1029 void dsa_free(struct iked_dsa *); 1030 int dsa_init(struct iked_dsa *, const void *, size_t); 1031 size_t dsa_prefix(struct iked_dsa *); 1032 size_t dsa_length(struct iked_dsa *); 1033 int dsa_update(struct iked_dsa *, const void *, size_t); 1034 ssize_t dsa_sign_final(struct iked_dsa *, void *, size_t); 1035 ssize_t dsa_verify_final(struct iked_dsa *, void *, size_t); 1036 1037 /* vroute.c */ 1038 void vroute_init(struct iked *); 1039 int vroute_setaddr(struct iked *, int, struct sockaddr *, int, unsigned int); 1040 void vroute_cleanup(struct iked *); 1041 int vroute_getaddr(struct iked *, struct imsg *); 1042 int vroute_setdns(struct iked *, int, struct sockaddr *, unsigned int); 1043 int vroute_getdns(struct iked *, struct imsg *); 1044 int vroute_setaddroute(struct iked *, uint8_t, struct sockaddr *, 1045 uint8_t, struct sockaddr *); 1046 int vroute_setcloneroute(struct iked *, uint8_t, struct sockaddr *, 1047 uint8_t, struct sockaddr *); 1048 int vroute_setdelroute(struct iked *, uint8_t, struct sockaddr *, 1049 uint8_t, struct sockaddr *); 1050 int vroute_getroute(struct iked *, struct imsg *); 1051 int vroute_getcloneroute(struct iked *, struct imsg *); 1052 1053 /* ikev2.c */ 1054 void ikev2(struct privsep *, struct privsep_proc *); 1055 void ikev2_recv(struct iked *, struct iked_message *); 1056 void ikev2_init_ike_sa(struct iked *, void *); 1057 int ikev2_policy2id(struct iked_static_id *, struct iked_id *, int); 
1058 int ikev2_childsa_enable(struct iked *, struct iked_sa *); 1059 int ikev2_childsa_delete(struct iked *, struct iked_sa *, 1060 uint8_t, uint64_t, uint64_t *, int); 1061 void ikev2_ikesa_recv_delete(struct iked *, struct iked_sa *); 1062 void ikev2_ike_sa_timeout(struct iked *env, void *); 1063 void ikev2_ike_sa_setreason(struct iked_sa *, char *); 1064 void ikev2_reset_alive_timer(struct iked *); 1065 int ikev2_ike_sa_delete(struct iked *, struct iked_sa *); 1066 1067 struct ibuf * 1068 ikev2_prfplus(struct iked_hash *, struct ibuf *, struct ibuf *, 1069 size_t); 1070 ssize_t ikev2_psk(struct iked_sa *, uint8_t *, size_t, uint8_t **); 1071 ssize_t ikev2_nat_detection(struct iked *, struct iked_message *, 1072 void *, size_t, unsigned int, int); 1073 void ikev2_enable_natt(struct iked *, struct iked_sa *, 1074 struct iked_message *, int); 1075 int ikev2_send_informational(struct iked *, struct iked_message *); 1076 int ikev2_send_ike_e(struct iked *, struct iked_sa *, struct ibuf *, 1077 uint8_t, uint8_t, int); 1078 struct ike_header * 1079 ikev2_add_header(struct ibuf *, struct iked_sa *, 1080 uint32_t, uint8_t, uint8_t, uint8_t); 1081 int ikev2_set_header(struct ike_header *, size_t); 1082 struct ikev2_payload * 1083 ikev2_add_payload(struct ibuf *); 1084 int ikev2_next_payload(struct ikev2_payload *, size_t, 1085 uint8_t); 1086 int ikev2_child_sa_acquire(struct iked *, struct iked_flow *); 1087 int ikev2_child_sa_drop(struct iked *, struct iked_spi *); 1088 int ikev2_child_sa_rekey(struct iked *, struct iked_spi *); 1089 void ikev2_disable_rekeying(struct iked *, struct iked_sa *); 1090 int ikev2_print_id(struct iked_id *, char *, size_t); 1091 int ikev2_print_static_id(struct iked_static_id *, char *, size_t); 1092 1093 const char *ikev2_ikesa_info(uint64_t, const char *msg); 1094 #define SPI_IH(hdr) ikev2_ikesa_info(betoh64((hdr)->ike_ispi), NULL) 1095 #define SPI_SH(sh, f) ikev2_ikesa_info((sh)->sh_ispi, (f)) 1096 #define SPI_SA(sa, f) 
SPI_SH(&(sa)->sa_hdr, (f)) 1097 1098 /* ikev2_msg.c */ 1099 void ikev2_msg_cb(int, short, void *); 1100 struct ibuf * 1101 ikev2_msg_init(struct iked *, struct iked_message *, 1102 struct sockaddr_storage *, socklen_t, 1103 struct sockaddr_storage *, socklen_t, int); 1104 struct iked_message * 1105 ikev2_msg_copy(struct iked *, struct iked_message *); 1106 void ikev2_msg_cleanup(struct iked *, struct iked_message *); 1107 uint32_t 1108 ikev2_msg_id(struct iked *, struct iked_sa *); 1109 struct ibuf 1110 *ikev2_msg_auth(struct iked *, struct iked_sa *, int); 1111 int ikev2_msg_authsign(struct iked *, struct iked_sa *, 1112 struct iked_auth *, struct ibuf *); 1113 int ikev2_msg_authverify(struct iked *, struct iked_sa *, 1114 struct iked_auth *, uint8_t *, size_t, struct ibuf *); 1115 int ikev2_msg_valid_ike_sa(struct iked *, struct ike_header *, 1116 struct iked_message *); 1117 int ikev2_msg_send(struct iked *, struct iked_message *); 1118 int ikev2_msg_send_encrypt(struct iked *, struct iked_sa *, 1119 struct ibuf **, uint8_t, uint8_t, int); 1120 struct ibuf 1121 *ikev2_msg_encrypt(struct iked *, struct iked_sa *, struct ibuf *, 1122 struct ibuf *); 1123 struct ibuf * 1124 ikev2_msg_decrypt(struct iked *, struct iked_sa *, 1125 struct ibuf *, struct ibuf *); 1126 int ikev2_msg_integr(struct iked *, struct iked_sa *, struct ibuf *); 1127 int ikev2_msg_frompeer(struct iked_message *); 1128 struct iked_socket * 1129 ikev2_msg_getsocket(struct iked *, int, int); 1130 int ikev2_msg_enqueue(struct iked *, struct iked_msgqueue *, 1131 struct iked_message *, int); 1132 int ikev2_msg_retransmit_response(struct iked *, struct iked_sa *, 1133 struct iked_message *, uint8_t); 1134 void ikev2_msg_prevail(struct iked *, struct iked_msgqueue *, 1135 struct iked_message *); 1136 void ikev2_msg_dispose(struct iked *, struct iked_msgqueue *, 1137 struct iked_msg_retransmit *); 1138 void ikev2_msg_flushqueue(struct iked *, struct iked_msgqueue *); 1139 struct iked_msg_retransmit * 
1140 ikev2_msg_lookup(struct iked *, struct iked_msgqueue *, 1141 struct iked_message *, uint8_t); 1142 1143 /* ikev2_pld.c */ 1144 int ikev2_pld_parse(struct iked *, struct ike_header *, 1145 struct iked_message *, size_t); 1146 1147 /* eap.c */ 1148 int eap_parse(struct iked *, const struct iked_sa *, struct iked_message*, 1149 void *, int); 1150 int eap_success(struct iked *, struct iked_sa *, int); 1151 int eap_identity_request(struct iked *, struct iked_sa *); 1152 int eap_mschap_challenge(struct iked *, struct iked_sa *, int, int, 1153 uint8_t *, size_t); 1154 int eap_mschap_success(struct iked *, struct iked_sa *, int); 1155 int eap_challenge_request(struct iked *, struct iked_sa *, int); 1156 1157 /* pfkey.c */ 1158 int pfkey_couple(struct iked *, struct iked_sas *, int); 1159 int pfkey_flow_add(struct iked *, struct iked_flow *); 1160 int pfkey_flow_delete(struct iked *, struct iked_flow *); 1161 int pfkey_sa_init(struct iked *, struct iked_childsa *, uint32_t *); 1162 int pfkey_sa_add(struct iked *, struct iked_childsa *, struct iked_childsa *); 1163 int pfkey_sa_update_addresses(struct iked *, struct iked_childsa *); 1164 int pfkey_sa_delete(struct iked *, struct iked_childsa *); 1165 int pfkey_sa_last_used(struct iked *, struct iked_childsa *, uint64_t *); 1166 int pfkey_flush(struct iked *); 1167 int pfkey_socket(struct iked *); 1168 void pfkey_init(struct iked *, int fd); 1169 1170 /* ca.c */ 1171 void caproc(struct privsep *, struct privsep_proc *); 1172 int ca_setreq(struct iked *, struct iked_sa *, struct iked_static_id *, 1173 uint8_t, uint8_t, uint8_t *, size_t, enum privsep_procid); 1174 int ca_setcert(struct iked *, struct iked_sahdr *, struct iked_id *, 1175 uint8_t, uint8_t *, size_t, enum privsep_procid); 1176 int ca_setauth(struct iked *, struct iked_sa *, 1177 struct ibuf *, enum privsep_procid); 1178 void ca_getkey(struct privsep *, struct iked_id *, enum imsg_type); 1179 int ca_certbundle_add(struct ibuf *, struct iked_id *); 1180 int 
ca_privkey_serialize(EVP_PKEY *, struct iked_id *); 1181 int ca_pubkey_serialize(EVP_PKEY *, struct iked_id *); 1182 void ca_sslerror(const char *); 1183 char *ca_asn1_name(uint8_t *, size_t); 1184 void *ca_x509_name_parse(char *); 1185 void ca_cert_info(const char *, X509 *); 1186 1187 /* timer.c */ 1188 void timer_set(struct iked *, struct iked_timer *, 1189 void (*)(struct iked *, void *), void *); 1190 void timer_add(struct iked *, struct iked_timer *, int); 1191 void timer_del(struct iked *, struct iked_timer *); 1192 1193 /* proc.c */ 1194 void proc_init(struct privsep *, struct privsep_proc *, unsigned int, int, 1195 int, char **, enum privsep_procid); 1196 void proc_kill(struct privsep *); 1197 void proc_connect(struct privsep *, void (*)(struct privsep *)); 1198 void proc_dispatch(int, short event, void *); 1199 void proc_run(struct privsep *, struct privsep_proc *, 1200 struct privsep_proc *, unsigned int, 1201 void (*)(struct privsep *, struct privsep_proc *, void *), void *); 1202 void imsg_event_add(struct imsgev *); 1203 int imsg_compose_event(struct imsgev *, uint16_t, uint32_t, 1204 pid_t, int, void *, uint16_t); 1205 int imsg_composev_event(struct imsgev *, uint16_t, uint32_t, 1206 pid_t, int, const struct iovec *, int); 1207 int proc_compose_imsg(struct privsep *, enum privsep_procid, int, 1208 uint16_t, uint32_t, int, void *, uint16_t); 1209 int proc_compose(struct privsep *, enum privsep_procid, 1210 uint16_t, void *, uint16_t); 1211 int proc_composev_imsg(struct privsep *, enum privsep_procid, int, 1212 uint16_t, uint32_t, int, const struct iovec *, int); 1213 int proc_composev(struct privsep *, enum privsep_procid, 1214 uint16_t, const struct iovec *, int); 1215 int proc_forward_imsg(struct privsep *, struct imsg *, 1216 enum privsep_procid, int); 1217 struct imsgbuf * 1218 proc_ibuf(struct privsep *, enum privsep_procid, int); 1219 struct imsgev * 1220 proc_iev(struct privsep *, enum privsep_procid, int); 1221 enum privsep_procid 1222 
proc_getid(struct privsep_proc *, unsigned int, const char *); 1223 int proc_flush_imsg(struct privsep *, enum privsep_procid, int); 1224 1225 /* util.c */ 1226 int socket_af(struct sockaddr *, in_port_t); 1227 in_port_t 1228 socket_getport(struct sockaddr *); 1229 int socket_setport(struct sockaddr *, in_port_t); 1230 int socket_getaddr(int, struct sockaddr_storage *); 1231 int socket_bypass(int, struct sockaddr *); 1232 int udp_bind(struct sockaddr *, in_port_t); 1233 ssize_t sendtofrom(int, void *, size_t, int, struct sockaddr *, 1234 socklen_t, struct sockaddr *, socklen_t); 1235 ssize_t recvfromto(int, void *, size_t, int, struct sockaddr *, 1236 socklen_t *, struct sockaddr *, socklen_t *); 1237 const char * 1238 print_spi(uint64_t, int); 1239 const char * 1240 print_map(unsigned int, struct iked_constmap *); 1241 void lc_idtype(char *); 1242 void print_hex(const uint8_t *, off_t, size_t); 1243 void print_hexval(const uint8_t *, off_t, size_t); 1244 void print_hexbuf(struct ibuf *); 1245 const char * 1246 print_bits(unsigned short, unsigned char *); 1247 int sockaddr_cmp(struct sockaddr *, struct sockaddr *, int); 1248 uint8_t mask2prefixlen(struct sockaddr *); 1249 uint8_t mask2prefixlen6(struct sockaddr *); 1250 struct in6_addr * 1251 prefixlen2mask6(uint8_t, uint32_t *); 1252 uint32_t 1253 prefixlen2mask(uint8_t); 1254 const char * 1255 print_addr(void *); 1256 char *get_string(uint8_t *, size_t); 1257 const char * 1258 print_proto(uint8_t); 1259 int expand_string(char *, size_t, const char *, const char *); 1260 uint8_t *string2unicode(const char *, size_t *); 1261 void print_debug(const char *, ...) 1262 __attribute__((format(printf, 1, 2))); 1263 void print_verbose(const char *, ...) 
1264 __attribute__((format(printf, 1, 2))); 1265 1266 /* imsg_util.c */ 1267 struct ibuf * 1268 ibuf_new(const void *, size_t); 1269 struct ibuf * 1270 ibuf_static(void); 1271 size_t ibuf_length(struct ibuf *); 1272 int ibuf_setsize(struct ibuf *, size_t); 1273 struct ibuf * 1274 ibuf_getdata(struct ibuf *, size_t); 1275 struct ibuf * 1276 ibuf_dup(struct ibuf *); 1277 struct ibuf * 1278 ibuf_random(size_t); 1279 1280 /* log.c */ 1281 void log_init(int, int); 1282 void log_procinit(const char *); 1283 void log_setverbose(int); 1284 int log_getverbose(void); 1285 void log_warn(const char *, ...) 1286 __attribute__((__format__ (printf, 1, 2))); 1287 void log_warnx(const char *, ...) 1288 __attribute__((__format__ (printf, 1, 2))); 1289 void log_info(const char *, ...) 1290 __attribute__((__format__ (printf, 1, 2))); 1291 void log_debug(const char *, ...) 1292 __attribute__((__format__ (printf, 1, 2))); 1293 void logit(int, const char *, ...) 1294 __attribute__((__format__ (printf, 2, 3))); 1295 void vlog(int, const char *, va_list) 1296 __attribute__((__format__ (printf, 2, 0))); 1297 __dead void fatal(const char *, ...) 1298 __attribute__((__format__ (printf, 1, 2))); 1299 __dead void fatalx(const char *, ...) 
1300 __attribute__((__format__ (printf, 1, 2))); 1301 1302 /* ocsp.c */ 1303 int ocsp_connect(struct iked *, struct imsg *); 1304 int ocsp_receive_fd(struct iked *, struct imsg *); 1305 int ocsp_validate_cert(struct iked *, void *, size_t, struct iked_sahdr, 1306 uint8_t, X509 *); 1307 1308 /* parse.y */ 1309 int parse_config(const char *, struct iked *); 1310 int cmdline_symset(char *); 1311 extern const struct ipsec_xf authxfs[]; 1312 extern const struct ipsec_xf prfxfs[]; 1313 extern const struct ipsec_xf *encxfs; 1314 extern const struct ipsec_xf ikeencxfs[]; 1315 extern const struct ipsec_xf ipsecencxfs[]; 1316 extern const struct ipsec_xf groupxfs[]; 1317 extern const struct ipsec_xf esnxfs[]; 1318 extern const struct ipsec_xf methodxfs[]; 1319 extern const struct ipsec_xf saxfs[]; 1320 extern const struct ipsec_xf cpxfs[]; 1321 size_t keylength_xf(unsigned int, unsigned int, unsigned int); 1322 size_t noncelength_xf(unsigned int, unsigned int); 1323 int encxf_noauth(unsigned int); 1324 1325 /* print.c */ 1326 void print_user(struct iked_user *); 1327 void print_policy(struct iked_policy *); 1328 const char *print_xf(unsigned int, unsigned int, const struct ipsec_xf *); 1329 1330 #endif /* IKED_H */ 1331