/* $OpenBSD: sa.h,v 1.33 2004/02/27 09:01:19 ho Exp $ */
/* $EOM: sa.h,v 1.58 2000/10/10 12:39:01 provos Exp $ */

/*
 * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved.
 * Copyright (c) 1999, 2001 Angelos D. Keromytis. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * This code was written under funding by Ericsson Radio Systems.
 */

/*
 * sa.h - in-memory representation of ISAKMP security associations (SAs).
 *
 * A struct sa holds the negotiated protection suite (a list of struct proto,
 * each with its transform attributes in struct proto_attr), the crypto and
 * lifetime state of the association, and the identity/certificate material
 * carried over from the Phase 1 exchange.  The SA_FLAG_* bits below are
 * stored in sa->flags.  The sa_* prototypes at the end are the API other
 * modules use; their definitions are not in this header.
 *
 * NOTE(review): the guard name _SA_H_ (leading underscore + uppercase) is in
 * the namespace reserved for the implementation; kept as-is to match the
 * surrounding tree.
 */

#ifndef _SA_H_
#define _SA_H_

#include <sys/param.h>
#include <sys/types.h>
#include <sys/queue.h>
#include <sys/socket.h>

#include "isakmp.h"

/*
 * Remove a SA if it has not been fully negotiated in this time.
 * Bounds how long a half-open negotiation may hold state.  The unit is not
 * stated here (presumably seconds -- confirm against the code that arms the
 * expiration timer).
 */
#define SA_NEGOTIATION_MAX_TIME 120

/* Types referenced below by pointer only; their definitions live elsewhere. */
struct crypto_xf;
struct doi;
struct event;
struct exchange;
struct keystate;
struct message;
struct payload;
struct proto_attr;
struct sa;
struct transport;

/* A protection suite consists of a set of protocol descriptions like this. */
struct proto {
	/* Link to the next protocol in the suite (the list headed by sa->protos). */
	TAILQ_ENTRY (proto) link;

	/* The SA we belong to. */
	struct sa *sa;

	/* The protocol number as found in the proposal payload. */
	u_int8_t no;

	/* The protocol this SA is for. */
	u_int8_t proto;

	/*
	 * Security parameter index info.  Element 0 - outgoing, 1 - incoming.
	 * spi[i] is expected to point at spi_sz[i] bytes; who owns and frees
	 * that memory is not stated here (presumably proto_free() -- confirm).
	 */
	u_int8_t spi_sz[2];
	u_int8_t *spi[2];

	/*
	 * The chosen transform, only valid while the incoming SA payload that held
	 * it is available for duplicate testing.  Treat it as dangling once that
	 * payload is gone; do not dereference it outside that window.
	 */
	struct payload *chosen;

	/* The chosen transform's ID. */
	u_int8_t id;

	/* DOI-specific data. */
	void *data;

	/*
	 * Proposal transforms data, for validating the responders selection.
	 * xf_cnt is the number of entries on the xfs list.
	 */
	TAILQ_HEAD (proto_attr_head, proto_attr) xfs;
	size_t xf_cnt;
};

/* One transform's raw attribute data, kept for checking the responder's choice. */
struct proto_attr {
	/* Link to next transform. */
	TAILQ_ENTRY (proto_attr) next;

	/* Transform attribute data and size, suitable for attribute_map(). */
	u_int8_t *attrs;
	size_t len;
};

/* One ISAKMP (phase 1) or application (phase 2) security association. */
struct sa {
	/* Link to SAs with the same hash value. */
	LIST_ENTRY (sa) link;

	/*
	 * When several SA's are being negotiated in one message we connect them
	 * through this link.
	 */
	TAILQ_ENTRY (sa) next;

	/* A name of the major policy deciding offers and acceptable proposals. */
	char *name;

	/* The transport this SA got negotiated over. */
	struct transport *transport;

	/* Both initiator and responder cookies (length constant from isakmp.h). */
	u_int8_t cookies[ISAKMP_HDR_COOKIES_LEN];

	/* The message ID signifying non-ISAKMP SAs. */
	u_int8_t message_id[ISAKMP_HDR_MESSAGE_ID_LEN];

	/* The protection suite chosen: a list of struct proto. */
	TAILQ_HEAD (proto_head, proto) protos;

	/* The exchange type we should use when rekeying. */
	u_int8_t exch_type;

	/* Phase is 1 for ISAKMP SAs, and 2 for application ones. */
	u_int8_t phase;

	/*
	 * A reference counter for this structure.
	 * NOTE(review): only 16 bits wide, so it wraps silently if more than
	 * 65535 references are ever outstanding, which could let the SA be
	 * released while still in use.  Whether callers bound the number of
	 * references is not visible here -- confirm in sa_reference()/sa_release().
	 */
	u_int16_t refcnt;

	/* Various flags, look below for descriptions (SA_FLAG_*). */
	u_int32_t flags;

	/* The DOI that is to handle DOI-specific issues for this SA. */
	struct doi *doi;

	/* Crypto info needed to encrypt/decrypt packets protected by this SA. */
	struct crypto_xf *crypto;
	int key_length;
	struct keystate *keystate;

	/* IDs from Phase 1: initiator (id_i) and responder (id_r), with byte lengths. */
	u_int8_t *id_i;
	size_t id_i_len;
	u_int8_t *id_r;
	size_t id_r_len;

	/* Set if we were the initiator of the SA/exchange in Phase 1 */
	int initiator;

	/* Policy session ID, where applicable, copied over from the exchange */
	int policy_id;

	/*
	 * The key used to authenticate phase 1, in printable format, used only by
	 * KeyNote.  Whether this is public identity material or something secret
	 * is not stated here; if it can be secret, the code freeing it should
	 * zeroize the buffer first -- confirm in sa_free().
	 */
	char *keynote_key;

	/*
	 * Certificates or other information from Phase 1; these are copied from the
	 * exchange, so look at exchange.h for an explanation of their use.
	 */
	int recv_certtype, recv_keytype;
	/* Certificate received from peer, native format. */
	void *recv_cert;
	/* Key peer used to authenticate, native format. */
	void *recv_key;

	/*
	 * Certificates or other information we used to authenticate to the peer,
	 * Phase 1.
	 */
	int sent_certtype;
	/* Certificate (to be) sent to peer, native format. */
	void *sent_cert;

	/* DOI-specific opaque data. */
	void *data;

	/*
	 * Lifetime data: a time limit and a traffic-volume limit (per the field
	 * names).  Whether zero means "unlimited" is not stated here.
	 */
	u_int64_t seconds;
	u_int64_t kilobytes;

	/* ACQUIRE sequence number */
	u_int32_t seq;

	/*
	 * The events that will occur when an SA has timed out.  Presumably
	 * soft_death fires first (cf. SA_FLAG_FADING) and death removes the SA;
	 * the ordering is not visible in this header -- confirm.
	 */
	struct event *soft_death;
	struct event *death;
};

/* Bits of sa->flags. */

/* This SA is alive. */
#define SA_FLAG_READY 0x01

/* Renegotiate the SA at each expiry. */
#define SA_FLAG_STAYALIVE 0x02

/* Establish the SA when it is needed. */
#define SA_FLAG_ONDEMAND 0x04

/* This SA has been replaced by another newer one. */
#define SA_FLAG_REPLACED 0x08

/* This SA has seen a soft timeout and wants to be renegotiated on use. */
#define SA_FLAG_FADING 0x10

/* This SA should always be actively renegotiated (with us as initiator). */
#define SA_FLAG_ACTIVE_ONLY 0x20

/* This SA flag is a placeholder for a TRANSACTION exchange "SA flag". */
#define SA_FLAG_IKECFG 0x40

/*
 * Outfile for detailed SA information.
 * NOTE(review): a fixed, predictable path.  The code that opens it is not in
 * this header; it should create the file with restrictive permissions and not
 * follow a pre-existing symlink at this name.
 */
#define SA_FILE "/var/run/isakmpd_sa"

/*
 * SA API.  Return conventions for the int-returning functions are not stated
 * here (presumably 0 on success, -1 on failure -- confirm in the definitions).
 * Lookup functions return a pointer into the SA table; whether that pointer
 * carries a reference or the caller must sa_reference() it before holding on
 * to it is not stated here -- confirm before caching a result.
 */

/* Release a struct proto (and, presumably, the SPI/transform data it owns). */
extern void proto_free (struct proto *proto);
/*
 * Record a transform taken from a payload on the given SA.  The int argument's
 * meaning and the struct proto ** out-parameter are not documented here.
 */
extern int sa_add_transform (struct sa *, struct payload *, int,
    struct proto **);
/* Create an SA for an exchange being run over the given transport. */
extern int sa_create (struct exchange *, struct transport *);
/* Insert an SA into the lookup table (presumably the hash list via sa->link). */
extern int sa_enter (struct sa *);
/* Delete an SA; the int argument's meaning is not stated here. */
extern void sa_delete (struct sa *, int);
extern void sa_teardown_all (void);
/* Find an SA by predicate; the void * is passed through to the predicate. */
extern struct sa *sa_find (int (*) (struct sa *, void *), void *);
/*
 * Map a flag name to its SA_FLAG_* bit (name-based inference -- confirm).
 * Takes a non-const char *, as does sa_lookup_by_name() below.
 */
extern int sa_flag (char *);
extern void sa_free (struct sa *);
extern void sa_init (void);
extern void sa_reinit (void);
/* Lookups keyed on the peer address; the socklen_t gives the address length. */
extern struct sa *sa_isakmp_lookup_by_peer (struct sockaddr *, socklen_t);
extern void sa_isakmp_upgrade (struct message *);
/* Lookup by two byte strings, presumably (cookies, message_id) -- confirm. */
extern struct sa *sa_lookup (u_int8_t *, u_int8_t *);
extern struct sa *sa_lookup_by_peer (struct sockaddr *, socklen_t);
extern struct sa *sa_lookup_by_header (u_int8_t *, int);
extern struct sa *sa_lookup_by_name (char *, int);
extern struct sa *sa_lookup_from_icookie (u_int8_t *);
extern struct sa *sa_lookup_isakmp_sa (struct sockaddr *, u_int8_t *);
/* Flag an SA as superseded (presumably sets SA_FLAG_REPLACED). */
extern void sa_mark_replaced (struct sa *);
/* Reference counting; presumably adjust sa->refcnt (see the width note above). */
extern void sa_reference (struct sa *);
extern void sa_release (struct sa *);
extern void sa_remove (struct sa *);
/* Reporting/debugging output; sa_dump's int and char * arguments are undocumented here. */
extern void sa_report (void);
extern void sa_dump (int, int, char *, struct sa *);
extern void sa_report_all (void);
/* Arm the soft_death/death expiration events for an SA. */
extern int sa_setup_expirations (struct sa *);

#endif /* _SA_H_ */