/*	$OpenBSD: iked.h,v 1.207 2022/09/19 20:54:02 tobhe Exp $	*/

/*
 * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * Note: the system and project includes sit outside the IKED_H guard
 * below (upstream layout); each of them carries its own guard.
 */
#include <sys/types.h>
#include <sys/tree.h>
#include <sys/queue.h>
#include <arpa/inet.h>
#include <limits.h>
#include <imsg.h>

#include <openssl/evp.h>

#include "types.h"
#include "dh.h"

/*
 * Generic helpers.  All three are plain function-like macros and evaluate
 * their arguments more than once, so do not pass expressions with side
 * effects (i++, function calls).  roundup() divides by y, so y must be
 * non-zero; it does no overflow check on x + (y - 1).
 */
#define MAXIMUM(a,b)	(((a)>(b))?(a):(b))
#define MINIMUM(a,b)	(((a)<(b))?(a):(b))
#define roundup(x, y)	((((x)+((y)-1))/(y))*(y))

#ifndef IKED_H
#define IKED_H

/*
 * Common IKEv1/IKEv2 header
 *
 * On-the-wire layout of the fixed IKE header (RFC 7296, section 3.1):
 * 28 bytes, declared __packed so it can be overlaid directly on a received
 * datagram and serialised without padding.  Multi-byte fields hold the
 * bytes exactly as received, i.e. in network byte order; callers convert
 * when they need host order (SPI_IH() below applies betoh64 to ike_ispi).
 * Every field is peer-controlled; in particular ike_length must be
 * validated against the real datagram length by the parser before it is
 * used for any offset or copy.
 */
struct ike_header {
	uint64_t	 ike_ispi;		/* Initiator cookie */
	uint64_t	 ike_rspi;		/* Responder cookie */
	uint8_t		 ike_nextpayload;	/* Next payload type */
	uint8_t		 ike_version;		/* Major/Minor version number */
	uint8_t		 ike_exchange;		/* Exchange type */
	uint8_t		 ike_flags;		/* Message options */
	uint32_t	 ike_msgid;		/* Message identifier */
	uint32_t	 ike_length;		/* Total message length */
} __packed;

/*
 * Common daemon infrastructure, local imsg etc.
 */

/*
 * An imsgbuf wrapped for libevent: handler is the event callback, ev the
 * registered event, proc/data are passed through to the handler, name is
 * used for logging.
 */
struct imsgev {
	struct imsgbuf		 ibuf;
	void			(*handler)(int, short, void *);
	struct event		 ev;
	struct privsep_proc	*proc;
	void			*data;
	short			 events;
	const char		*name;
};

/*
 * Validate the payload length of a received imsg before its data is cast
 * to the type pointed to by p.  Only a lower bound is enforced (payload
 * >= sizeof(*p)); a longer payload is accepted, so callers that care about
 * trailing data must check IMSG_DATA_SIZE() themselves.  Failure is fatal
 * to the receiving process.  IMSG_DATA_SIZE() subtracts the fixed header
 * size from hdr.len; it does not guard against hdr.len < IMSG_HEADER_SIZE
 * (presumably rejected by the imsg receive path - confirm before relying
 * on it with a new transport).
 */
#define IMSG_SIZE_CHECK(imsg, p) do {				\
	if (IMSG_DATA_SIZE(imsg) < sizeof(*p))			\
		fatalx("bad length imsg received");		\
} while (0)
#define IMSG_DATA_SIZE(imsg)	((imsg)->hdr.len - IMSG_HEADER_SIZE)

/*
 * Prefix comparison of two struct iked_addr: equal when the mask lengths
 * match and sockaddr_cmp() sees no difference within addr_mask bits.
 * Both macros evaluate _a more than once.
 */
#define IKED_ADDR_EQ(_a, _b)						\
	((_a)->addr_mask == (_b)->addr_mask &&				\
	sockaddr_cmp((struct sockaddr *)&(_a)->addr,			\
	(struct sockaddr *)&(_b)->addr, (_a)->addr_mask) == 0)

#define IKED_ADDR_NEQ(_a, _b)						\
	((_a)->addr_mask != (_b)->addr_mask ||				\
	sockaddr_cmp((struct sockaddr *)&(_a)->addr,			\
	(struct sockaddr *)&(_b)->addr, (_a)->addr_mask) != 0)

/* initially control.h */
/*
 * A listening control socket (the ikectl interface).  cs_restricted marks
 * a socket with reduced privileges; the exact request filtering it
 * implies lives in control.c.
 */
struct control_sock {
	const char	*cs_name;
	struct event	 cs_ev;
	struct event	 cs_evt;
	int		 cs_fd;
	int		 cs_restricted;
	void		*cs_env;

	TAILQ_ENTRY(control_sock) cs_entry;
};
TAILQ_HEAD(control_socks, control_sock);

/* One accepted control client connection. */
struct ctl_conn {
	TAILQ_ENTRY(ctl_conn)	 entry;
	uint8_t			 flags;
#define CTL_CONN_NOTIFY		 0x01	/* client asked for notifications */
	struct imsgev		 iev;
};
TAILQ_HEAD(ctl_connlist, ctl_conn);

/* Identity of the currently running privsep process (defined in the daemon). */
extern enum privsep_procid privsep_process;

/*
 * Runtime structures
 */

/* A libevent timer that calls tmr_cb(tmr_env, tmr_cbarg) on expiry. */
struct iked_timer {
	struct event	 tmr_ev;
	struct iked	*tmr_env;
	void		(*tmr_cb)(struct iked *, void *);
	void		*tmr_cbarg;
};

/*
 * A Security Parameter Index together with its encoded size (bytes) and
 * the protocol it belongs to; IKE SPIs are 8 bytes, IPsec SPIs 4.
 */
struct iked_spi {
	uint64_t	 spi;
	uint8_t		 spi_size;
	uint8_t		 spi_protoid;
};

/*
 * One SA proposal: a protocol plus an array of prop_nxforms transforms.
 * prop_xforms is a separate allocation owned by the proposal.
 */
struct iked_proposal {
	uint8_t				 prop_id;
	uint8_t				 prop_protoid;

	struct iked_spi			 prop_localspi;
	struct iked_spi			 prop_peerspi;

	struct iked_transform		*prop_xforms;
	unsigned int			 prop_nxforms;

	TAILQ_ENTRY(iked_proposal)	 prop_entry;
};
TAILQ_HEAD(iked_proposals, iked_proposal);

/*
 * An address or prefix: family, socket address, prefix length
 * (addr_mask, compared by IKED_ADDR_EQ) and port.
 */
struct iked_addr {
	int				 addr_af;
	struct sockaddr_storage		 addr;

uint8_t addr_mask; 142 int addr_net; 143 in_port_t addr_port; 144 }; 145 146 struct iked_ts { 147 struct iked_addr ts_addr; 148 uint8_t ts_ipproto; 149 TAILQ_ENTRY(iked_ts) ts_entry; 150 }; 151 TAILQ_HEAD(iked_tss, iked_ts); 152 153 struct iked_flow { 154 struct iked_addr flow_src; 155 struct iked_addr flow_dst; 156 unsigned int flow_dir; /* in/out */ 157 int flow_rdomain; 158 struct iked_addr flow_prenat; 159 int flow_fixed; 160 161 unsigned int flow_loaded; /* pfkey done */ 162 163 uint8_t flow_saproto; 164 uint8_t flow_ipproto; 165 166 struct iked_addr *flow_local; /* outer source */ 167 struct iked_addr *flow_peer; /* outer dest */ 168 struct iked_sa *flow_ikesa; /* parent SA */ 169 170 RB_ENTRY(iked_flow) flow_node; 171 TAILQ_ENTRY(iked_flow) flow_entry; 172 }; 173 RB_HEAD(iked_flows, iked_flow); 174 TAILQ_HEAD(iked_saflows, iked_flow); 175 176 struct iked_childsa { 177 uint8_t csa_saproto; /* IPsec protocol */ 178 unsigned int csa_dir; /* in/out */ 179 180 uint64_t csa_peerspi; /* peer relation */ 181 uint8_t csa_loaded; /* pfkey done */ 182 uint8_t csa_rekey; /* will be deleted */ 183 uint8_t csa_allocated; /* from the kernel */ 184 uint8_t csa_persistent;/* do not rekey */ 185 uint8_t csa_esn; /* use ESN */ 186 uint8_t csa_transport; /* transport mode */ 187 188 struct iked_spi csa_spi; 189 190 struct ibuf *csa_encrkey; /* encryption key */ 191 uint16_t csa_encrid; /* encryption xform id */ 192 193 struct ibuf *csa_integrkey; /* auth key */ 194 uint16_t csa_integrid; /* auth xform id */ 195 196 struct iked_addr *csa_local; /* outer source */ 197 struct iked_addr *csa_peer; /* outer dest */ 198 struct iked_sa *csa_ikesa; /* parent SA */ 199 200 struct iked_childsa *csa_peersa; /* peer */ 201 202 struct iked_childsa *csa_bundled; /* IPCOMP */ 203 204 uint16_t csa_pfsgrpid; /* pfs group id */ 205 206 RB_ENTRY(iked_childsa) csa_node; 207 TAILQ_ENTRY(iked_childsa) csa_entry; 208 }; 209 RB_HEAD(iked_activesas, iked_childsa); 210 TAILQ_HEAD(iked_childsas, 
iked_childsa); 211 212 213 struct iked_static_id { 214 uint8_t id_type; 215 uint8_t id_length; 216 uint8_t id_offset; 217 uint8_t id_data[IKED_ID_SIZE]; 218 }; 219 220 struct iked_auth { 221 uint8_t auth_method; 222 uint8_t auth_eap; /* optional EAP */ 223 uint8_t auth_length; /* zero if EAP */ 224 uint8_t auth_data[IKED_PSK_SIZE]; 225 }; 226 227 struct iked_cfg { 228 uint8_t cfg_action; 229 uint16_t cfg_type; 230 union { 231 struct iked_addr address; 232 } cfg; 233 }; 234 235 TAILQ_HEAD(iked_sapeers, iked_sa); 236 237 struct iked_lifetime { 238 uint64_t lt_bytes; 239 uint64_t lt_seconds; 240 }; 241 242 struct iked_policy { 243 unsigned int pol_id; 244 char pol_name[IKED_ID_SIZE]; 245 unsigned int pol_iface; 246 247 #define IKED_SKIP_FLAGS 0 248 #define IKED_SKIP_AF 1 249 #define IKED_SKIP_SRC_ADDR 2 250 #define IKED_SKIP_DST_ADDR 3 251 #define IKED_SKIP_COUNT 4 252 struct iked_policy *pol_skip[IKED_SKIP_COUNT]; 253 254 uint8_t pol_flags; 255 #define IKED_POLICY_PASSIVE 0x00 256 #define IKED_POLICY_DEFAULT 0x01 257 #define IKED_POLICY_ACTIVE 0x02 258 #define IKED_POLICY_REFCNT 0x04 259 #define IKED_POLICY_QUICK 0x08 260 #define IKED_POLICY_SKIP 0x10 261 #define IKED_POLICY_IPCOMP 0x20 262 #define IKED_POLICY_TRANSPORT 0x40 263 264 int pol_refcnt; 265 266 uint8_t pol_certreqtype; 267 268 int pol_af; 269 int pol_rdomain; 270 uint8_t pol_saproto; 271 unsigned int pol_ipproto[IKED_IPPROTO_MAX]; 272 unsigned int pol_nipproto; 273 274 struct iked_addr pol_peer; 275 struct iked_static_id pol_peerid; 276 uint32_t pol_peerdh; 277 278 struct iked_addr pol_local; 279 struct iked_static_id pol_localid; 280 281 struct iked_auth pol_auth; 282 283 char pol_tag[IKED_TAG_SIZE]; 284 unsigned int pol_tap; 285 286 struct iked_proposals pol_proposals; 287 size_t pol_nproposals; 288 289 struct iked_flows pol_flows; 290 size_t pol_nflows; 291 struct iked_tss pol_tssrc; /* Traffic Selectors Initiator*/ 292 size_t pol_tssrc_count; 293 struct iked_tss pol_tsdst; /* Traffic Selectors 
Responder*/ 294 size_t pol_tsdst_count; 295 296 struct iked_cfg pol_cfg[IKED_CFG_MAX]; 297 unsigned int pol_ncfg; 298 299 uint32_t pol_rekey; /* ike SA lifetime */ 300 struct iked_lifetime pol_lifetime; /* child SA lifetime */ 301 302 struct iked_sapeers pol_sapeers; 303 304 TAILQ_ENTRY(iked_policy) pol_entry; 305 }; 306 TAILQ_HEAD(iked_policies, iked_policy); 307 308 struct iked_hash { 309 uint8_t hash_type; /* PRF or INTEGR */ 310 uint16_t hash_id; /* IKE PRF/INTEGR hash id */ 311 const void *hash_priv; /* Identifying the hash alg */ 312 void *hash_ctx; /* Context of the current invocation */ 313 int hash_fixedkey; /* Requires fixed key length */ 314 struct ibuf *hash_key; /* MAC key derived from key seed */ 315 size_t hash_length; /* Output length */ 316 size_t hash_trunc; /* Truncate the output length */ 317 struct iked_hash *hash_prf; /* PRF pointer */ 318 int hash_isaead; 319 }; 320 321 struct iked_cipher { 322 uint8_t encr_type; /* ENCR */ 323 uint16_t encr_id; /* IKE ENCR hash id */ 324 const void *encr_priv; /* Identifying the hash alg */ 325 void *encr_ctx; /* Context of the current invocation */ 326 int encr_fixedkey; /* Requires fixed key length */ 327 struct ibuf *encr_key; /* MAC key derived from key seed */ 328 struct ibuf *encr_iv; /* Initialization Vector */ 329 uint64_t encr_civ; /* Counter IV for GCM */ 330 size_t encr_ivlength; /* IV length */ 331 size_t encr_length; /* Block length */ 332 size_t encr_saltlength; /* IV salt length */ 333 uint16_t encr_authid; /* ID of associated authentication */ 334 }; 335 336 struct iked_dsa { 337 uint8_t dsa_method; /* AUTH method */ 338 const void *dsa_priv; /* PRF or signature hash function */ 339 void *dsa_ctx; /* PRF or signature hash ctx */ 340 struct ibuf *dsa_keydata; /* public, private or shared key */ 341 void *dsa_key; /* parsed public or private key */ 342 int dsa_hmac; /* HMAC or public/private key */ 343 int dsa_sign; /* Sign or verify operation */ 344 uint32_t dsa_flags; /* State flags */ 345 }; 

/*
 * An identification or authentication payload: IKEv2 ID type, offset of
 * the variable part inside id_buf, and the raw data (owned).
 */
struct iked_id {
	uint8_t		 id_type;
	uint8_t		 id_offset;
	struct ibuf	*id_buf;
};

/*
 * Per-SA negotiation progress bits kept in sa_stateflags of struct iked_sa
 * (below).  sa_stateinit / sa_statevalid hold the bit sets expected for
 * the SA_INIT and IKE_AUTH exchanges; the exact test is sa_stateok() in
 * policy.c.  CERTVALID, AUTHVALID and EAPVALID record that the peer's
 * credentials were actually verified - they must only ever be set after
 * a successful check.
 */
#define IKED_REQ_CERT		0x0001	/* get local certificate (if required) */
#define IKED_REQ_CERTVALID	0x0002	/* validated the peer cert */
#define IKED_REQ_CERTREQ	0x0004	/* CERTREQ has been received */
#define IKED_REQ_AUTH		0x0008	/* AUTH payload */
#define IKED_REQ_AUTHVALID	0x0010	/* AUTH payload has been verified */
#define IKED_REQ_SA		0x0020	/* SA available */
#define IKED_REQ_EAPVALID	0x0040	/* EAP payload has been verified */
#define IKED_REQ_CHILDSA	0x0080	/* Child SA initiated */
#define IKED_REQ_INF		0x0100	/* Informational exchange initiated */

/*
 * Bit-decode string for logging the flags above (\20 base prefix, then
 * octal bit number followed by name).  The bit numbers must track the
 * IKED_REQ_* values: \01 is 0x0001 ... \11 is 0x0100.
 */
#define IKED_REQ_BITS	\
	"\20\01CERT\02CERTVALID\03CERTREQ\04AUTH\05AUTHVALID\06SA\07EAPVALID" \
	"\10CHILDSA\11INF"

TAILQ_HEAD(iked_msgqueue, iked_msg_retransmit);
TAILQ_HEAD(iked_msg_fragqueue, iked_message);

/*
 * Identity of an IKE SA: both SPIs plus our role.  Declared __packed like
 * struct ike_header, presumably so it can be copied verbatim between
 * processes - confirm against the imsg senders before adding fields.
 */
struct iked_sahdr {
	uint64_t			 sh_ispi;	/* Initiator SPI */
	uint64_t			 sh_rspi;	/* Responder SPI */
	unsigned int			 sh_initiator;	/* Is initiator? */
} __packed;

/*
 * Key exchange state of an IKE SA: the two nonces and the Diffie-Hellman
 * group with both public values.  kex_dhpeer aliases kex_dhiexchange or
 * kex_dhrexchange (whichever is the peer's) and is not a separate
 * allocation - see config_free_kex() for the ownership rules.
 */
struct iked_kex {
	struct ibuf			*kex_inonce;	/* Ni */
	struct ibuf			*kex_rnonce;	/* Nr */

	struct dh_group			*kex_dhgroup;	/* DH group */
	struct ibuf			*kex_dhiexchange;
	struct ibuf			*kex_dhrexchange;
	struct ibuf			*kex_dhpeer;	/* pointer to i or r */
};

/* One received IKEv2 fragment (RFC 7383): owned buffer and its length. */
struct iked_frag_entry {
	uint8_t	*frag_data;
	size_t	 frag_size;
};

/*
 * Reassembly state for a fragmented IKE message.  frag_total and the
 * per-fragment numbers come from the peer; IKED_FRAG_TOTAL_MAX bounds
 * how many fragments (and so how much memory) a single peer message may
 * claim.  The reassembly code must cap frag_total with it before frag_arr
 * is sized and must index frag_arr only within frag_total.
 */
struct iked_frag {
	struct iked_frag_entry	**frag_arr;	/* list of fragment buffers */
	size_t			  frag_count;	/* number of fragments received */
#define IKED_FRAG_TOTAL_MAX	111		/* upper limit (64kB / 576B) */
	size_t			  frag_total;	/* total number of fragments */
	size_t			  frag_total_size;
	uint8_t			  frag_nextpayload;

};

/* IPComp negotiation result: CPIs for both directions and the transform. */
struct iked_ipcomp {
	uint16_t			 ic_cpi_out;	/* outgoing CPI */
	uint16_t			 ic_cpi_in;	/* incoming CPI */
	uint8_t				 ic_transform;	/* transform */
};

/*
 * An IKE SA.  The struct is also used as a stack-allocated search key
 * (sa_type == IKED_SATYPE_LOOKUP) for the RB trees declared after it.
 * The message-id fields implement the IKEv2 request/response window
 * (RFC 7296, section 2.2): sa_msgid tracks the peer's requests, sa_reqid
 * our own; a request outside the window is presumably dropped by the
 * receive path in ikev2_msg.c - confirm there.
 */
struct iked_sa {
	struct iked_sahdr		 sa_hdr;
	uint32_t			 sa_msgid;	/* Last request rcvd */
	int				 sa_msgid_set;	/* msgid initialized */
	uint32_t			 sa_msgid_current;	/* Current requested rcvd */
	uint32_t			 sa_reqid;	/* Next request sent */

	int				 sa_type;
#define IKED_SATYPE_LOOKUP		 0		/* Used for lookup */
#define IKED_SATYPE_LOCAL		 1		/* Local SA */

	struct iked_addr		 sa_peer;
	struct iked_addr		 sa_peer_loaded;/* MOBIKE */
	struct iked_addr		 sa_local;
	int				 sa_fd;

	struct iked_frag		 sa_fragments;	/* in-progress reassembly */

	int				 sa_natt;	/* for IKE messages */
	int				 sa_udpencap;	/* for pfkey */
	int				 sa_usekeepalive;/* NAT-T keepalive */

	int				 sa_state;	/* IKEV2_STATE_* (see sa_state()) */
	unsigned int			 sa_stateflags;	/* IKED_REQ_* progress bits */
	unsigned int			 sa_stateinit;	/* SA_INIT */
	unsigned int			 sa_statevalid;	/* IKE_AUTH */

	int				 sa_cp;		/* XXX */
	struct iked_addr		*sa_cp_addr;	/* requested address */
	struct iked_addr		*sa_cp_addr6;	/* requested address */
	struct iked_addr		*sa_cp_dns;	/* requested dns */

	struct iked_policy		*sa_policy;
	struct timeval			 sa_timecreated;

struct timeval sa_timeused; 442 443 char *sa_tag; 444 const char *sa_reason; /* reason for close */ 445 446 struct iked_kex sa_kex; 447 /* XXX compat defines until everything is converted */ 448 #define sa_inonce sa_kex.kex_inonce 449 #define sa_rnonce sa_kex.kex_rnonce 450 #define sa_dhgroup sa_kex.kex_dhgroup 451 #define sa_dhiexchange sa_kex.kex_dhiexchange 452 #define sa_dhrexchange sa_kex.kex_dhrexchange 453 #define sa_dhpeer sa_kex.kex_dhpeer 454 455 struct iked_hash *sa_prf; /* PRF alg */ 456 struct iked_hash *sa_integr; /* integrity alg */ 457 struct iked_cipher *sa_encr; /* encryption alg */ 458 459 struct ibuf *sa_key_d; /* SK_d */ 460 struct ibuf *sa_key_iauth; /* SK_ai */ 461 struct ibuf *sa_key_rauth; /* SK_ar */ 462 struct ibuf *sa_key_iencr; /* SK_ei */ 463 struct ibuf *sa_key_rencr; /* SK_er */ 464 struct ibuf *sa_key_iprf; /* SK_pi */ 465 struct ibuf *sa_key_rprf; /* SK_pr */ 466 467 struct ibuf *sa_1stmsg; /* for initiator AUTH */ 468 struct ibuf *sa_2ndmsg; /* for responder AUTH */ 469 struct iked_id sa_localauth; /* local AUTH message */ 470 struct iked_id sa_peerauth; /* peer AUTH message */ 471 int sa_sigsha2; /* use SHA2 for signatures */ 472 #define IKED_SCERT_MAX 3 /* max # of supplemental cert payloads */ 473 474 struct iked_id sa_iid; /* initiator id */ 475 struct iked_id sa_rid; /* responder id */ 476 struct iked_id sa_icert; /* initiator cert */ 477 struct iked_id sa_rcert; /* responder cert */ 478 struct iked_id sa_scert[IKED_SCERT_MAX]; /* supplemental certs */ 479 #define IKESA_SRCID(x) ((x)->sa_hdr.sh_initiator ? &(x)->sa_iid : &(x)->sa_rid) 480 #define IKESA_DSTID(x) ((x)->sa_hdr.sh_initiator ? 
&(x)->sa_rid : &(x)->sa_iid) 481 482 char *sa_eapid; /* EAP identity */ 483 struct iked_id sa_eap; /* EAP challenge */ 484 struct ibuf *sa_eapmsk; /* EAK session key */ 485 486 struct iked_proposals sa_proposals; /* SA proposals */ 487 struct iked_childsas sa_childsas; /* IPsec Child SAs */ 488 struct iked_saflows sa_flows; /* IPsec flows */ 489 490 struct iked_sa *sa_nexti; /* initiated IKE SA */ 491 struct iked_sa *sa_previ; /* matching back pointer */ 492 struct iked_sa *sa_nextr; /* simultaneous rekey */ 493 struct iked_sa *sa_prevr; /* matching back pointer */ 494 uint64_t sa_rekeyspi; /* peerspi CSA rekey */ 495 struct ibuf *sa_simult; /* simultaneous rekey */ 496 497 struct iked_ipcomp sa_ipcompi; /* IPcomp initator */ 498 struct iked_ipcomp sa_ipcompr; /* IPcomp responder */ 499 500 int sa_mobike; /* MOBIKE */ 501 int sa_frag; /* fragmentation */ 502 503 int sa_use_transport_mode; /* peer requested */ 504 int sa_used_transport_mode; /* we enabled */ 505 506 struct iked_timer sa_timer; /* SA timeouts */ 507 #define IKED_IKE_SA_EXCHANGE_TIMEOUT 300 /* 5 minutes */ 508 #define IKED_IKE_SA_REKEY_TIMEOUT 120 /* 2 minutes */ 509 #define IKED_IKE_SA_DELETE_TIMEOUT 120 /* 2 minutes */ 510 #define IKED_IKE_SA_ALIVE_TIMEOUT 60 /* 1 minute */ 511 512 struct iked_timer sa_keepalive; /* keepalive timer */ 513 #define IKED_IKE_SA_KEEPALIVE_TIMEOUT 20 514 515 struct iked_timer sa_rekey; /* rekey timeout */ 516 int sa_tmpfail; 517 518 struct iked_msgqueue sa_requests; /* request queue */ 519 #define IKED_RETRANSMIT_TIMEOUT 2 /* 2 seconds */ 520 521 struct iked_msgqueue sa_responses; /* response queue */ 522 #define IKED_RESPONSE_TIMEOUT 120 /* 2 minutes */ 523 524 TAILQ_ENTRY(iked_sa) sa_peer_entry; 525 RB_ENTRY(iked_sa) sa_entry; /* all SAs */ 526 527 RB_ENTRY(iked_sa) sa_dstid_entry; /* SAs by DSTID */ 528 int sa_dstid_entry_valid; /* sa_dstid_entry valid */ 529 530 struct iked_addr *sa_addrpool; /* address from pool */ 531 RB_ENTRY(iked_sa) sa_addrpool_entry; /* pool 
entries */ 532 533 struct iked_addr *sa_addrpool6; /* address from pool */ 534 RB_ENTRY(iked_sa) sa_addrpool6_entry; /* pool entries */ 535 time_t sa_last_recvd; 536 #define IKED_IKE_SA_LAST_RECVD_TIMEOUT 300 /* 5 minutes */ 537 }; 538 RB_HEAD(iked_sas, iked_sa); 539 RB_HEAD(iked_dstid_sas, iked_sa); 540 RB_HEAD(iked_addrpool, iked_sa); 541 RB_HEAD(iked_addrpool6, iked_sa); 542 543 /* stats */ 544 545 struct iked_stats { 546 uint64_t ikes_sa_created; 547 uint64_t ikes_sa_established_total; 548 uint64_t ikes_sa_established_current; /* gauge */ 549 uint64_t ikes_sa_established_failures; 550 uint64_t ikes_sa_proposals_negotiate_failures; 551 uint64_t ikes_sa_rekeyed; 552 uint64_t ikes_sa_removed; 553 uint64_t ikes_csa_created; 554 uint64_t ikes_csa_removed; 555 uint64_t ikes_msg_sent; 556 uint64_t ikes_msg_send_failures; 557 uint64_t ikes_msg_rcvd; 558 uint64_t ikes_msg_rcvd_busy; 559 uint64_t ikes_msg_rcvd_dropped; 560 uint64_t ikes_retransmit_request; 561 uint64_t ikes_retransmit_response; 562 uint64_t ikes_retransmit_limit; 563 uint64_t ikes_frag_sent; 564 uint64_t ikes_frag_send_failures; 565 uint64_t ikes_frag_rcvd; 566 uint64_t ikes_frag_rcvd_drop; 567 uint64_t ikes_frag_reass_ok; 568 uint64_t ikes_frag_reass_drop; 569 uint64_t ikes_update_addresses_sent; 570 uint64_t ikes_dpd_sent; 571 uint64_t ikes_keepalive_sent; 572 }; 573 574 #define ikestat_add(env, c, n) do { env->sc_stats.c += (n); } while(0) 575 #define ikestat_inc(env, c) ikestat_add(env, c, 1) 576 #define ikestat_dec(env, c) ikestat_add(env, c, -1) 577 578 struct iked_certreq { 579 struct ibuf *cr_data; 580 uint8_t cr_type; 581 SIMPLEQ_ENTRY(iked_certreq) cr_entry; 582 }; 583 SIMPLEQ_HEAD(iked_certreqs, iked_certreq); 584 585 #define EAP_STATE_IDENTITY (1) 586 #define EAP_STATE_MSCHAPV2_CHALLENGE (2) 587 #define EAP_STATE_MSCHAPV2_SUCCESS (3) 588 #define EAP_STATE_SUCCESS (4) 589 590 struct eap_msg { 591 char *eam_identity; 592 char *eam_user; 593 int eam_type; 594 uint8_t eam_id; 595 uint8_t 
eam_msrid; 596 int eam_success; 597 int eam_found; 598 int eam_response; 599 uint8_t eam_challenge[16]; 600 uint8_t eam_ntresponse[24]; 601 uint32_t eam_state; 602 }; 603 604 struct iked_message { 605 struct ibuf *msg_data; 606 size_t msg_offset; 607 608 struct sockaddr_storage msg_local; 609 socklen_t msg_locallen; 610 611 struct sockaddr_storage msg_peer; 612 socklen_t msg_peerlen; 613 614 struct iked_socket *msg_sock; 615 616 int msg_fd; 617 int msg_response; 618 int msg_responded; 619 int msg_valid; 620 int msg_natt; 621 int msg_natt_rcvd; 622 int msg_nat_detected; 623 int msg_error; 624 int msg_e; 625 struct iked_message *msg_parent; 626 627 /* Associated policy and SA */ 628 struct iked_policy *msg_policy; 629 struct iked_sa *msg_sa; 630 631 uint32_t msg_msgid; 632 uint8_t msg_exchange; 633 634 /* Parsed information */ 635 struct iked_proposals msg_proposals; 636 struct iked_certreqs msg_certreqs; 637 struct iked_spi msg_rekey; 638 struct ibuf *msg_nonce; /* dh NONCE */ 639 uint16_t msg_dhgroup; /* dh group */ 640 struct ibuf *msg_ke; /* dh key exchange */ 641 struct iked_id msg_auth; /* AUTH payload */ 642 struct iked_id msg_peerid; 643 struct iked_id msg_localid; 644 struct iked_id msg_cert; 645 struct ibuf *msg_cookie; 646 uint16_t msg_group; 647 uint16_t msg_cpi; 648 uint8_t msg_transform; 649 uint16_t msg_flags; 650 struct eap_msg msg_eap; 651 size_t msg_del_spisize; 652 size_t msg_del_cnt; 653 struct ibuf *msg_del_buf; 654 int msg_del_protoid; 655 int msg_cp; 656 struct iked_addr *msg_cp_addr; /* requested address */ 657 struct iked_addr *msg_cp_addr6; /* requested address */ 658 struct iked_addr *msg_cp_dns; /* requested dns */ 659 660 /* MOBIKE */ 661 int msg_update_sa_addresses; 662 struct ibuf *msg_cookie2; 663 664 /* Parse stack */ 665 struct iked_proposal *msg_prop; 666 uint16_t msg_attrlength; 667 668 /* Retransmit queue */ 669 TAILQ_ENTRY(iked_message) 670 msg_entry; 671 }; 672 673 struct iked_msg_retransmit { 674 struct iked_msg_fragqueue 
mrt_frags; 675 TAILQ_ENTRY(iked_msg_retransmit) mrt_entry; 676 struct iked_timer mrt_timer; 677 int mrt_tries; 678 #define IKED_RETRANSMIT_TRIES 5 /* try 5 times */ 679 }; 680 681 #define IKED_MSG_NAT_SRC_IP 0x01 682 #define IKED_MSG_NAT_DST_IP 0x02 683 684 #define IKED_MSG_FLAGS_FRAGMENTATION 0x0001 685 #define IKED_MSG_FLAGS_MOBIKE 0x0002 686 #define IKED_MSG_FLAGS_SIGSHA2 0x0004 687 #define IKED_MSG_FLAGS_CHILD_SA_NOT_FOUND 0x0008 688 #define IKED_MSG_FLAGS_NO_ADDITIONAL_SAS 0x0010 689 #define IKED_MSG_FLAGS_AUTHENTICATION_FAILED 0x0020 690 #define IKED_MSG_FLAGS_INVALID_KE 0x0040 691 #define IKED_MSG_FLAGS_IPCOMP_SUPPORTED 0x0080 692 #define IKED_MSG_FLAGS_USE_TRANSPORT 0x0100 693 #define IKED_MSG_FLAGS_TEMPORARY_FAILURE 0x0200 694 #define IKED_MSG_FLAGS_NO_PROPOSAL_CHOSEN 0x0400 695 696 697 struct iked_user { 698 char usr_name[LOGIN_NAME_MAX]; 699 char usr_pass[IKED_PASSWORD_SIZE]; 700 RB_ENTRY(iked_user) usr_entry; 701 }; 702 RB_HEAD(iked_users, iked_user); 703 704 struct privsep_pipes { 705 int *pp_pipes[PROC_MAX]; 706 }; 707 708 struct privsep { 709 struct privsep_pipes *ps_pipes[PROC_MAX]; 710 struct privsep_pipes *ps_pp; 711 712 struct imsgev *ps_ievs[PROC_MAX]; 713 const char *ps_title[PROC_MAX]; 714 pid_t ps_pid[PROC_MAX]; 715 struct passwd *ps_pw; 716 int ps_noaction; 717 718 struct control_sock ps_csock; 719 struct control_socks ps_rcsocks; 720 721 unsigned int ps_instances[PROC_MAX]; 722 unsigned int ps_ninstances; 723 unsigned int ps_instance; 724 725 /* Event and signal handlers */ 726 struct event ps_evsigint; 727 struct event ps_evsigterm; 728 struct event ps_evsigchld; 729 struct event ps_evsighup; 730 struct event ps_evsigpipe; 731 struct event ps_evsigusr1; 732 733 struct iked *ps_env; 734 }; 735 736 struct privsep_proc { 737 const char *p_title; 738 enum privsep_procid p_id; 739 int (*p_cb)(int, struct privsep_proc *, 740 struct imsg *); 741 pid_t (*p_init)(struct privsep *, 742 struct privsep_proc *); 743 const char *p_chroot; 744 struct 
privsep *p_ps; 745 struct iked *p_env; 746 void (*p_shutdown)(struct privsep_proc *); 747 unsigned int p_instance; 748 }; 749 750 struct iked_ocsp_entry { 751 TAILQ_ENTRY(iked_ocsp_entry) ioe_entry; /* next request */ 752 void *ioe_ocsp; /* private ocsp request data */ 753 }; 754 TAILQ_HEAD(iked_ocsp_requests, iked_ocsp_entry); 755 756 /* 757 * Daemon configuration 758 */ 759 760 enum natt_mode { 761 NATT_DEFAULT, /* send/recv with both :500 and NAT-T port */ 762 NATT_DISABLE, /* send/recv with only :500 */ 763 NATT_FORCE, /* send/recv with only NAT-T port */ 764 }; 765 766 struct iked_static { 767 uint64_t st_alive_timeout; 768 int st_enforcesingleikesa; 769 uint8_t st_frag; /* fragmentation */ 770 uint8_t st_mobike; /* MOBIKE */ 771 in_port_t st_nattport; 772 int st_stickyaddress; /* addr per DSTID */ 773 int st_vendorid; 774 }; 775 776 struct iked { 777 char sc_conffile[PATH_MAX]; 778 779 uint32_t sc_opts; 780 enum natt_mode sc_nattmode; 781 uint8_t sc_passive; 782 uint8_t sc_decoupled; 783 784 struct iked_static sc_static; 785 786 #define sc_alive_timeout sc_static.st_alive_timeout 787 #define sc_enforcesingleikesa sc_static.st_enforcesingleikesa 788 #define sc_frag sc_static.st_frag 789 #define sc_mobike sc_static.st_mobike 790 #define sc_nattport sc_static.st_nattport 791 #define sc_stickyaddress sc_static.st_stickyaddress 792 #define sc_vendorid sc_static.st_vendorid 793 794 struct iked_policies sc_policies; 795 struct iked_policy *sc_defaultcon; 796 797 struct iked_sas sc_sas; 798 struct iked_dstid_sas sc_dstid_sas; 799 struct iked_activesas sc_activesas; 800 struct iked_flows sc_activeflows; 801 struct iked_users sc_users; 802 803 struct iked_stats sc_stats; 804 805 void *sc_priv; /* per-process */ 806 807 int sc_pfkey; /* ike process */ 808 struct event sc_pfkeyev; 809 struct event sc_routeev; 810 uint8_t sc_certreqtype; 811 struct ibuf *sc_certreq; 812 void *sc_vroute; 813 814 struct iked_socket *sc_sock4[2]; 815 struct iked_socket *sc_sock6[2]; 816 817 
struct iked_timer sc_inittmr; 818 #define IKED_INITIATOR_INITIAL 2 819 #define IKED_INITIATOR_INTERVAL 60 820 821 struct privsep sc_ps; 822 823 struct iked_ocsp_requests sc_ocsp; 824 char *sc_ocsp_url; 825 long sc_ocsp_tolerate; 826 long sc_ocsp_maxage; 827 828 struct iked_addrpool sc_addrpool; 829 struct iked_addrpool6 sc_addrpool6; 830 831 int sc_cert_partial_chain; 832 }; 833 834 struct iked_socket { 835 int sock_fd; 836 struct event sock_ev; 837 struct iked *sock_env; 838 struct sockaddr_storage sock_addr; 839 }; 840 841 struct ipsec_xf { 842 const char *name; 843 unsigned int id; 844 unsigned int length; 845 unsigned int keylength; 846 unsigned int nonce; 847 unsigned int noauth; 848 }; 849 850 struct ipsec_transforms { 851 const struct ipsec_xf **authxf; 852 unsigned int nauthxf; 853 const struct ipsec_xf **prfxf; 854 unsigned int nprfxf; 855 const struct ipsec_xf **encxf; 856 unsigned int nencxf; 857 const struct ipsec_xf **groupxf; 858 unsigned int ngroupxf; 859 const struct ipsec_xf **esnxf; 860 unsigned int nesnxf; 861 }; 862 863 struct ipsec_mode { 864 struct ipsec_transforms **xfs; 865 unsigned int nxfs; 866 }; 867 868 /* iked.c */ 869 void parent_reload(struct iked *, int, const char *); 870 871 /* control.c */ 872 pid_t control(struct privsep *, struct privsep_proc *); 873 int control_init(struct privsep *, struct control_sock *); 874 int control_listen(struct control_sock *); 875 876 /* config.c */ 877 struct iked_policy * 878 config_new_policy(struct iked *); 879 void config_free_kex(struct iked_kex *); 880 void config_free_fragments(struct iked_frag *); 881 void config_free_sa(struct iked *, struct iked_sa *); 882 struct iked_sa * 883 config_new_sa(struct iked *, int); 884 struct iked_user * 885 config_new_user(struct iked *, struct iked_user *); 886 uint64_t 887 config_getspi(void); 888 struct iked_transform * 889 config_findtransform(struct iked_proposals *, uint8_t, unsigned int); 890 struct iked_transform * 891 config_findtransform_ext(struct 
iked_proposals *, uint8_t,int, unsigned int); 892 void config_free_policy(struct iked *, struct iked_policy *); 893 struct iked_proposal * 894 config_add_proposal(struct iked_proposals *, unsigned int, 895 unsigned int); 896 void config_free_proposal(struct iked_proposals *, struct iked_proposal *); 897 void config_free_proposals(struct iked_proposals *, unsigned int); 898 void config_free_flows(struct iked *, struct iked_flows *); 899 void config_free_childsas(struct iked *, struct iked_childsas *, 900 struct iked_spi *, struct iked_spi *); 901 int config_add_transform(struct iked_proposal *, 902 unsigned int, unsigned int, unsigned int, unsigned int); 903 int config_setcoupled(struct iked *, unsigned int); 904 int config_getcoupled(struct iked *, unsigned int); 905 int config_setmode(struct iked *, unsigned int); 906 int config_getmode(struct iked *, unsigned int); 907 int config_setreset(struct iked *, unsigned int, enum privsep_procid); 908 int config_getreset(struct iked *, struct imsg *); 909 int config_doreset(struct iked *, unsigned int); 910 int config_setpolicy(struct iked *, struct iked_policy *, 911 enum privsep_procid); 912 int config_getpolicy(struct iked *, struct imsg *); 913 int config_setflow(struct iked *, struct iked_policy *, 914 enum privsep_procid); 915 int config_getflow(struct iked *, struct imsg *); 916 int config_setsocket(struct iked *, struct sockaddr_storage *, in_port_t, 917 enum privsep_procid); 918 int config_getsocket(struct iked *env, struct imsg *, 919 void (*cb)(int, short, void *)); 920 int config_setpfkey(struct iked *); 921 int config_getpfkey(struct iked *, struct imsg *); 922 int config_setuser(struct iked *, struct iked_user *, enum privsep_procid); 923 int config_getuser(struct iked *, struct imsg *); 924 int config_setcompile(struct iked *, enum privsep_procid); 925 int config_getcompile(struct iked *); 926 int config_setocsp(struct iked *); 927 int config_getocsp(struct iked *, struct imsg *); 928 int 
config_setkeys(struct iked *);
/*
 * NOTE(review): the config_get*() handlers below take a struct imsg that
 * arrived from a peer privsep process. Each one should compare the imsg
 * payload length against the structure it expects before dereferencing
 * the data -- confirm every handler in config.c does so.
 */
int	 config_getkey(struct iked *, struct imsg *);
int	 config_setstatic(struct iked *);
int	 config_getstatic(struct iked *, struct imsg *);
int	 config_setcertpartialchain(struct iked *);
int	 config_getcertpartialchain(struct iked *, struct imsg *);

/* policy.c -- policy matching, IKE SA / child SA / flow bookkeeping */
void	 policy_init(struct iked *);
int	 policy_lookup(struct iked *, struct iked_message *,
	    struct iked_proposals *, struct iked_flows *, int);
int	 policy_lookup_sa(struct iked *, struct iked_sa *);
struct iked_policy *
	 policy_test(struct iked *, struct iked_policy *);
int	 policy_generate_ts(struct iked_policy *);
void	 policy_calc_skip_steps(struct iked_policies *);
void	 policy_ref(struct iked *, struct iked_policy *);
void	 policy_unref(struct iked *, struct iked_policy *);
void	 sa_state(struct iked *, struct iked_sa *, int);
void	 sa_stateflags(struct iked_sa *, unsigned int);
int	 sa_stateok(const struct iked_sa *, int);
struct iked_sa *
	 sa_new(struct iked *, uint64_t, uint64_t, unsigned int,
	    struct iked_policy *);
void	 sa_free(struct iked *, struct iked_sa *);
void	 sa_free_flows(struct iked *, struct iked_saflows *);
int	 sa_configure_iface(struct iked *, struct iked_sa *, int);
int	 sa_address(struct iked_sa *, struct iked_addr *, struct sockaddr *);
void	 childsa_free(struct iked_childsa *);
struct iked_childsa *
	 childsa_lookup(struct iked_sa *, uint64_t, uint8_t);
void	 flow_free(struct iked_flow *);
int	 flow_equal(struct iked_flow *, struct iked_flow *);
struct iked_sa *
	 sa_lookup(struct iked *, uint64_t, uint64_t, unsigned int);
struct iked_user *
	 user_lookup(struct iked *, const char *);
struct iked_sa *
	 sa_dstid_lookup(struct iked *, struct iked_sa *);
struct iked_sa *
	 sa_dstid_insert(struct iked *, struct iked_sa *);
void	 sa_dstid_remove(struct iked *, struct iked_sa *);
/*
 * Negotiates between local and peer proposal lists. NOTE(review): the
 * peer list is attacker-controlled; the int return is the only failure
 * signal visible here, so callers must not continue on a non-success
 * result -- confirm in policy.c which values mean "no match".
 */
int	 proposals_negotiate(struct iked_proposals *, struct iked_proposals *,
	    struct iked_proposals *, int, int);
RB_PROTOTYPE(iked_sas, iked_sa, sa_entry, sa_cmp);
RB_PROTOTYPE(iked_dstid_sas, iked_sa, sa_dstid_entry, sa_dstid_cmp);
RB_PROTOTYPE(iked_addrpool, iked_sa, sa_addrpool_entry, sa_addrpool_cmp);
RB_PROTOTYPE(iked_addrpool6, iked_sa, sa_addrpool6_entry, sa_addrpool6_cmp);
RB_PROTOTYPE(iked_users, iked_user, user_entry, user_cmp);
RB_PROTOTYPE(iked_activesas, iked_childsa, csa_node, childsa_cmp);
RB_PROTOTYPE(iked_flows, iked_flow, flow_node, flow_cmp);

/*
 * crypto.c -- hash, cipher and signature wrappers.
 * NOTE(review): cipher_settag()/cipher_gettag()/cipher_update()/
 * cipher_final() all return int. Whatever the exact convention is
 * (confirm in crypto.c), a failed AEAD tag check must abort processing
 * of the message; callers ignoring these return values would turn the
 * tag into decoration.
 */
struct iked_hash *
	 hash_new(uint8_t, uint16_t);
struct ibuf *
	 hash_setkey(struct iked_hash *, void *, size_t);
void	 hash_free(struct iked_hash *);
void	 hash_init(struct iked_hash *);
void	 hash_update(struct iked_hash *, void *, size_t);
void	 hash_final(struct iked_hash *, void *, size_t *);
size_t	 hash_keylength(struct iked_hash *);
size_t	 hash_length(struct iked_hash *);

struct iked_cipher *
	 cipher_new(uint8_t, uint16_t, uint16_t);
struct ibuf *
	 cipher_setkey(struct iked_cipher *, const void *, size_t);
struct ibuf *
	 cipher_setiv(struct iked_cipher *, const void *, size_t);
int	 cipher_settag(struct iked_cipher *, uint8_t *, size_t);
int	 cipher_gettag(struct iked_cipher *, uint8_t *, size_t);
void	 cipher_free(struct iked_cipher *);
int	 cipher_init(struct iked_cipher *, int);
int	 cipher_init_encrypt(struct iked_cipher *);
int	 cipher_init_decrypt(struct iked_cipher *);
void	 cipher_aad(struct iked_cipher *, const void *, size_t, size_t *);
int	 cipher_update(struct iked_cipher *, const void *, size_t, void *, size_t *);
int	 cipher_final(struct iked_cipher *);
size_t	 cipher_length(struct iked_cipher *);
size_t	 cipher_keylength(struct iked_cipher *);
size_t	 cipher_ivlength(struct iked_cipher *);
size_t	 cipher_outlength(struct iked_cipher *, size_t);

/*
 * Signature (and keyed-MAC) contexts. dsa_verify_final() returns ssize_t;
 * NOTE(review): callers should treat every value other than the
 * documented success value as a failed verification -- confirm the
 * contract in crypto.c rather than testing for a single error value.
 */
struct iked_dsa *
	 dsa_new(uint8_t, struct iked_hash *, int);
struct iked_dsa *
	 dsa_sign_new(uint8_t, struct iked_hash *);
struct iked_dsa *
	 dsa_verify_new(uint8_t, struct iked_hash *);
struct ibuf *
	 dsa_setkey(struct iked_dsa *, void *, size_t, uint8_t);
void	 dsa_free(struct iked_dsa *);
int	 dsa_init(struct iked_dsa *, const void *, size_t);
size_t	 dsa_prefix(struct iked_dsa *);
size_t	 dsa_length(struct iked_dsa *);
int	 dsa_update(struct iked_dsa *, const void *, size_t);
ssize_t	 dsa_sign_final(struct iked_dsa *, void *, size_t);
ssize_t	 dsa_verify_final(struct iked_dsa *, void *, size_t);

/* vroute.c -- address, DNS and route configuration via the routing socket */
void	 vroute_init(struct iked *);
int	 vroute_setaddr(struct iked *, int, struct sockaddr *, int, unsigned int);
void	 vroute_cleanup(struct iked *);
int	 vroute_getaddr(struct iked *, struct imsg *);
int	 vroute_setdns(struct iked *, int, struct sockaddr *, unsigned int);
int	 vroute_getdns(struct iked *, struct imsg *);
int	 vroute_setaddroute(struct iked *, uint8_t, struct sockaddr *,
	    uint8_t, struct sockaddr *);
int	 vroute_setcloneroute(struct iked *, uint8_t, struct sockaddr *,
	    uint8_t, struct sockaddr *);
int	 vroute_setdelroute(struct iked *, uint8_t, struct sockaddr *,
	    uint8_t, struct sockaddr *);
int	 vroute_getroute(struct iked *, struct imsg *);
int	 vroute_getcloneroute(struct iked *, struct imsg *);

/* ikev2.c -- IKEv2 exchange state machine */
pid_t	 ikev2(struct privsep *, struct privsep_proc *);
void	 ikev2_recv(struct iked *, struct iked_message *);
void	 ikev2_init_ike_sa(struct iked *, void *);
int	 ikev2_policy2id(struct iked_static_id *, struct iked_id *, int);
int	 ikev2_childsa_enable(struct iked *, struct iked_sa *);
int	 ikev2_childsa_delete(struct iked *, struct iked_sa *,
	    uint8_t, uint64_t, uint64_t *, int);
void	 ikev2_ikesa_recv_delete(struct iked *, struct iked_sa *);
void	 ikev2_ike_sa_timeout(struct iked *env, void *);
void	 ikev2_ike_sa_setreason(struct iked_sa *, char *);
void	 ikev2_reset_alive_timer(struct iked *);
int	 ikev2_ike_sa_delete(struct iked *, struct iked_sa *);

/*
 * ikev2_prfplus(): presumably the RFC 7296 prf+ key expansion, with the
 * size_t argument selecting how much keying material is produced -- TODO
 * confirm against ikev2.c.
 * ikev2_psk(): fills a uint8_t ** out pointer with derived key material.
 * NOTE(review): ownership is not visible here; whoever frees the buffer
 * should explicit_bzero() it first -- verify in ikev2.c.
 */
struct ibuf *
	 ikev2_prfplus(struct iked_hash *, struct ibuf *, struct ibuf *,
	    size_t);
ssize_t	 ikev2_psk(struct iked_sa *, uint8_t *, size_t, uint8_t **);
ssize_t	 ikev2_nat_detection(struct iked *, struct iked_message *,
	    void *, size_t, unsigned int, int);
void	 ikev2_enable_natt(struct iked *, struct iked_sa *,
	    struct iked_message *, int);
int	 ikev2_send_informational(struct iked *, struct iked_message *);
int	 ikev2_send_ike_e(struct iked *, struct iked_sa *, struct ibuf *,
	    uint8_t, uint8_t, int);
struct ike_header *
	 ikev2_add_header(struct ibuf *, struct iked_sa *,
	    uint32_t, uint8_t, uint8_t, uint8_t);
int	 ikev2_set_header(struct ike_header *, size_t);
struct ikev2_payload *
	 ikev2_add_payload(struct ibuf *);
int	 ikev2_next_payload(struct ikev2_payload *, size_t,
	    uint8_t);
int	 ikev2_child_sa_acquire(struct iked *, struct iked_flow *);
int	 ikev2_child_sa_drop(struct iked *, struct iked_spi *);
int	 ikev2_child_sa_rekey(struct iked *, struct iked_spi *);
void	 ikev2_disable_rekeying(struct iked *, struct iked_sa *);
int	 ikev2_print_id(struct iked_id *, char *, size_t);
int	 ikev2_print_static_id(struct iked_static_id *, char *, size_t);

/* SPI_IH() byte-swaps the on-wire initiator SPI; SPI_SH()/SPI_SA() use host order. */
const char *ikev2_ikesa_info(uint64_t, const char *msg);
#define SPI_IH(hdr) ikev2_ikesa_info(betoh64((hdr)->ike_ispi), NULL)
#define SPI_SH(sh, f) ikev2_ikesa_info((sh)->sh_ispi, (f))
#define SPI_SA(sa, f) SPI_SH(&(sa)->sa_hdr, (f))

/* ikev2_msg.c -- message construction, encryption, authentication, queues */
void	 ikev2_msg_cb(int, short, void *);
struct ibuf *
	 ikev2_msg_init(struct iked *, struct iked_message *,
	    struct sockaddr_storage *, socklen_t,
	    struct sockaddr_storage *, socklen_t,
	    int);
struct iked_message *
	 ikev2_msg_copy(struct iked *, struct iked_message *);
void	 ikev2_msg_cleanup(struct iked *, struct iked_message *);
uint32_t
	 ikev2_msg_id(struct iked *, struct iked_sa *);
struct ibuf
	*ikev2_msg_auth(struct iked *, struct iked_sa *, int);
int	 ikev2_msg_authsign(struct iked *, struct iked_sa *,
	    struct iked_auth *, struct ibuf *);
/*
 * ikev2_msg_authverify(): the uint8_t * / size_t pair is the peer's AUTH
 * data. NOTE(review): confirm in ikev2_msg.c that the length is checked
 * against the expected signature/MAC size before use and that any MAC
 * comparison is constant-time (timingsafe_memcmp()).
 */
int	 ikev2_msg_authverify(struct iked *, struct iked_sa *,
	    struct iked_auth *, uint8_t *, size_t, struct ibuf *);
int	 ikev2_msg_valid_ike_sa(struct iked *, struct ike_header *,
	    struct iked_message *);
int	 ikev2_msg_send(struct iked *, struct iked_message *);
int	 ikev2_msg_send_encrypt(struct iked *, struct iked_sa *,
	    struct ibuf **, uint8_t, uint8_t, int);
struct ibuf
	*ikev2_msg_encrypt(struct iked *, struct iked_sa *, struct ibuf *,
	    struct ibuf *);
/*
 * Integrity verification (ikev2_msg_integr) is a separate entry point
 * from decryption. NOTE(review): for non-AEAD transforms the integrity
 * check must run on the ciphertext before ikev2_msg_decrypt() is called
 * and its result must be honoured -- confirm the call order in
 * ikev2_msg.c.
 */
struct ibuf *
	 ikev2_msg_decrypt(struct iked *, struct iked_sa *,
	    struct ibuf *, struct ibuf *);
int	 ikev2_msg_integr(struct iked *, struct iked_sa *, struct ibuf *);
int	 ikev2_msg_frompeer(struct iked_message *);
struct iked_socket *
	 ikev2_msg_getsocket(struct iked *, int, int);
int	 ikev2_msg_enqueue(struct iked *, struct iked_msgqueue *,
	    struct iked_message *, int);
int	 ikev2_msg_retransmit_response(struct iked *, struct iked_sa *,
	    struct iked_message *, uint8_t);
void	 ikev2_msg_prevail(struct iked *, struct iked_msgqueue *,
	    struct iked_message *);
void	 ikev2_msg_dispose(struct iked *, struct iked_msgqueue *,
	    struct iked_msg_retransmit *);
void	 ikev2_msg_flushqueue(struct iked *, struct iked_msgqueue *);
struct iked_msg_retransmit *
	 ikev2_msg_lookup(struct iked *, struct iked_msgqueue *,
	    struct iked_message *, uint8_t);

/*
 * ikev2_pld.c -- payload parser. The size_t is the number of bytes
 * available after the header; it bounds every payload-length field
 * read from the wire. NOTE(review): this is the main attack surface
 * for untrusted input; keep all length checks here, not in callers.
 */
int	 ikev2_pld_parse(struct iked *, struct ike_header *,
	    struct iked_message *, size_t);

/* eap.c -- EAP / MSCHAPv2 over IKEv2; input is peer-supplied */
int	 eap_parse(struct iked *, const struct iked_sa *, struct iked_message*,
	    void *, int);
int	 eap_success(struct iked *, struct iked_sa *, int);
int	 eap_identity_request(struct iked *, struct iked_sa *);
int	 eap_mschap_challenge(struct iked *, struct iked_sa *, int, int,
	    uint8_t *, size_t);
int	 eap_mschap_success(struct iked *, struct iked_sa *, int);
int	 eap_challenge_request(struct iked *, struct iked_sa *, int);

/* pfkey.c -- kernel SA and flow (SPD) management over PF_KEY */
int	 pfkey_couple(struct iked *, struct iked_sas *, int);
int	 pfkey_flow_add(struct iked *, struct iked_flow *);
int	 pfkey_flow_delete(struct iked *, struct iked_flow *);
int	 pfkey_sa_init(struct iked *, struct iked_childsa *, uint32_t *);
int	 pfkey_sa_add(struct iked *, struct iked_childsa *, struct iked_childsa *);
int	 pfkey_sa_update_addresses(struct iked *, struct iked_childsa *);
int	 pfkey_sa_delete(struct iked *, struct iked_childsa *);
int	 pfkey_sa_last_used(struct iked *, struct iked_childsa *, uint64_t *);
int	 pfkey_flush(struct iked *);
int	 pfkey_socket(struct iked *);
void	 pfkey_init(struct iked *, int fd);

/*
 * ca.c -- the certificate-authority / private-key process.
 * ca_asn1_name() and ca_x509_name_parse() operate on names taken from
 * peer certificates. ca_asn1_name() returns a char * that is presumably
 * heap-allocated and owned by the caller; check for NULL -- TODO confirm.
 */
pid_t	 caproc(struct privsep *, struct privsep_proc *);
int	 ca_setreq(struct iked *, struct iked_sa *, struct iked_static_id *,
	    uint8_t, uint8_t, uint8_t *, size_t, enum privsep_procid);
int	 ca_setcert(struct iked *, struct iked_sahdr *, struct iked_id *,
	    uint8_t, uint8_t *, size_t, enum privsep_procid);
int	 ca_setauth(struct iked *, struct iked_sa *,
	    struct ibuf *, enum privsep_procid);
void	 ca_getkey(struct privsep *, struct iked_id *, enum imsg_type);
int	 ca_privkey_serialize(EVP_PKEY *, struct iked_id *);
int	 ca_pubkey_serialize(EVP_PKEY *, struct iked_id *);
void	 ca_sslinit(void);
void	 ca_sslerror(const char *);
char	*ca_asn1_name(uint8_t *, size_t);
void	*ca_x509_name_parse(char *);
void	 ca_cert_info(const char *, X509 *);

/* timer.c -- libevent timer wrappers */
void	 timer_set(struct iked *, struct iked_timer *,
	    void (*)(struct iked *, void *), void *);
void	 timer_add(struct iked *, struct iked_timer *, int);
void	 timer_del(struct iked *, struct iked_timer *);

/*
 * proc.c -- privilege-separated process plumbing.
 * The payload length parameters are 16-bit (uint16_t / u_int16_t), so a
 * single imsg cannot carry more than that; larger objects have to be
 * sent in pieces or via a passed descriptor.
 */
void	 proc_init(struct privsep *, struct privsep_proc *, unsigned int);
void	 proc_kill(struct privsep *);
void	 proc_listen(struct privsep *, struct privsep_proc *, size_t);
void	 proc_dispatch(int, short event, void *);
pid_t	 proc_run(struct privsep *, struct privsep_proc *,
	    struct privsep_proc *, unsigned int,
	    void (*)(struct privsep *, struct privsep_proc *, void *), void *);
void	 imsg_event_add(struct imsgev *);
int	 imsg_compose_event(struct imsgev *, uint16_t, uint32_t,
	    pid_t, int, void *, uint16_t);
int	 imsg_composev_event(struct imsgev *, uint16_t, uint32_t,
	    pid_t, int, const struct iovec *, int);
int	 proc_compose_imsg(struct privsep *, enum privsep_procid, int,
	    u_int16_t, u_int32_t, int, void *, u_int16_t);
int	 proc_compose(struct privsep *, enum privsep_procid,
	    uint16_t, void *, uint16_t);
int	 proc_composev_imsg(struct privsep *, enum privsep_procid, int,
	    u_int16_t, u_int32_t, int, const struct iovec *, int);
int	 proc_composev(struct privsep *, enum privsep_procid,
	    uint16_t, const struct iovec *, int);
int	 proc_forward_imsg(struct privsep *, struct imsg *,
	    enum privsep_procid, int);
struct imsgbuf *
	 proc_ibuf(struct privsep *, enum privsep_procid, int);
struct imsgev *
	 proc_iev(struct privsep *, enum privsep_procid, int);

/* util.c -- sockets, address helpers, printing */
int	 socket_af(struct sockaddr *, in_port_t);
in_port_t
	 socket_getport(struct sockaddr *);
int	 socket_setport(struct sockaddr *, in_port_t);
int	 socket_getaddr(int, struct sockaddr_storage *);
int	 socket_bypass(int, struct sockaddr *);
int	 udp_bind(struct sockaddr *, in_port_t);
ssize_t	 sendtofrom(int, void *, size_t, int, struct sockaddr *,
	    socklen_t, struct sockaddr *, socklen_t);
ssize_t	 recvfromto(int, void *, size_t, int, struct sockaddr *,
	    socklen_t *, struct sockaddr *, socklen_t *);
const char *
	 print_spi(uint64_t, int);
const char *
	 print_map(unsigned int, struct iked_constmap *);
void	 lc_idtype(char *);
void	 print_hex(const uint8_t *, off_t, size_t);
void	 print_hexval(const uint8_t *, off_t, size_t);
const char *
	 print_bits(unsigned short, unsigned char *);
int	 sockaddr_cmp(struct sockaddr *, struct sockaddr *, int);
uint8_t	 mask2prefixlen(struct sockaddr *);
uint8_t	 mask2prefixlen6(struct sockaddr *);
struct in6_addr *
	 prefixlen2mask6(uint8_t, uint32_t *);
uint32_t
	 prefixlen2mask(uint8_t);
const char *
	 print_host(struct sockaddr *, char *, size_t);
/*
 * get_string(): takes a length-delimited byte buffer (wire data is not
 * NUL-terminated) and returns a char *; presumably heap-allocated, so
 * callers should check for NULL and free it -- TODO confirm in util.c.
 */
char	*get_string(uint8_t *, size_t);
const char *
	 print_proto(uint8_t);
int	 expand_string(char *, size_t, const char *, const char *);
uint8_t *string2unicode(const char *, size_t *);
/*
 * The format attributes let the compiler check format/argument
 * agreement; always pass a literal format string, never text that a
 * peer could influence.
 */
void	 print_debug(const char *, ...)
	    __attribute__((format(printf, 1, 2)));
void	 print_verbose(const char *, ...)
	    __attribute__((format(printf, 1, 2)));

/*
 * imsg_util.c -- growable buffer helpers.
 * ibuf_random(): presumably filled from arc4random -- confirm; it is
 * used for nonces/SPIs so a weak source here would be fatal.
 * ibuf_zero(): NOTE(review): if this is the routine used to scrub key
 * material, confirm it uses explicit_bzero() so the optimizer cannot
 * elide the clear.
 */
struct ibuf *
	 ibuf_new(const void *, size_t);
struct ibuf *
	 ibuf_static(void);
int	 ibuf_cat(struct ibuf *, struct ibuf *);
void	 ibuf_release(struct ibuf *);
size_t	 ibuf_length(struct ibuf *);
int	 ibuf_setsize(struct ibuf *, size_t);
uint8_t *
	 ibuf_data(struct ibuf *);
void	*ibuf_getdata(struct ibuf *, size_t);
struct ibuf *
	 ibuf_get(struct ibuf *, size_t);
struct ibuf *
	 ibuf_dup(struct ibuf *);
struct ibuf *
	 ibuf_random(size_t);
int	 ibuf_prepend(struct ibuf *, void *, size_t);
void	*ibuf_advance(struct ibuf *, size_t);
void	 ibuf_zero(struct ibuf *);
int	 ibuf_strcat(struct ibuf **, const char *);
int	 ibuf_strlen(struct ibuf *);

/*
 * log.c -- logging. All variadic entry points carry printf format
 * attributes; fatal()/fatalx() are __dead and never return.
 */
void	log_init(int, int);
void	log_procinit(const char *);
void	log_setverbose(int);
int	log_getverbose(void);
void	log_warn(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
void	log_warnx(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
void	log_info(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
void	log_debug(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
void	logit(int, const char *, ...)
	    __attribute__((__format__ (printf, 2, 3)));
void	vlog(int, const char *, va_list)
	    __attribute__((__format__ (printf, 2, 0)));
__dead void fatal(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
__dead void fatalx(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));

/* ocsp.c -- OCSP revocation checking; the void */size_t is the raw certificate */
int	 ocsp_connect(struct iked *, struct imsg *);
int	 ocsp_receive_fd(struct iked *, struct imsg *);
int	 ocsp_validate_cert(struct iked *, void *, size_t, struct iked_sahdr,
	    uint8_t, X509 *);

/* parse.y -- configuration parser and transform tables */
int	 parse_config(const char *, struct iked *);
int	 cmdline_symset(char *);
extern const struct ipsec_xf authxfs[];
extern const struct ipsec_xf prfxfs[];
extern const struct ipsec_xf *encxfs;
extern const struct ipsec_xf ikeencxfs[];
extern const struct ipsec_xf ipsecencxfs[];
extern const struct ipsec_xf groupxfs[];
extern const struct ipsec_xf esnxfs[];
extern const struct ipsec_xf methodxfs[];
extern const struct ipsec_xf saxfs[];
extern const struct ipsec_xf cpxfs[];
size_t	 keylength_xf(unsigned int, unsigned int, unsigned int);
size_t	 noncelength_xf(unsigned int, unsigned int);
int	 encxf_noauth(unsigned int);

/* print.c -- human-readable dumps of users, policies and transforms */
void	 print_user(struct iked_user *);
void	 print_policy(struct iked_policy *);
const char *print_xf(unsigned int, unsigned int, const struct ipsec_xf *);

#endif /* IKED_H */