xref: /openbsd/sbin/isakmpd/sa.h (revision adfd2491) 
1 /* $OpenBSD: sa.h,v 1.40 2004/06/21 23:27:10 ho Exp $	 */
2 /* $EOM: sa.h,v 1.58 2000/10/10 12:39:01 provos Exp $	 */
3 
4 /*
5  * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist.  All rights reserved.
6  * Copyright (c) 1999, 2001 Angelos D. Keromytis.  All rights reserved.
7  * Copyright (c) 2004 H�kan Olsson.  All rights reserved.
8  *
9  * Redistribution and use in source and binary forms, with or without
10  * modification, are permitted provided that the following conditions
11  * are met:
12  * 1. Redistributions of source code must retain the above copyright
13  *    notice, this list of conditions and the following disclaimer.
14  * 2. Redistributions in binary form must reproduce the above copyright
15  *    notice, this list of conditions and the following disclaimer in the
16  *    documentation and/or other materials provided with the distribution.
17  *
18  * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19  * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20  * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21  * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22  * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24  * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25  * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26  * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27  * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28  */
29 
30 /*
31  * This code was written under funding by Ericsson Radio Systems.
32  */
33 
34 #ifndef _SA_H_
35 #define _SA_H_
36 
37 #include <sys/param.h>
38 #include <sys/types.h>
39 #include <sys/queue.h>
40 #include <sys/socket.h>
41 
42 #include "isakmp.h"
43 
44 /* Remove a SA if it has not been fully negotiated in this time.  */
45 #define SA_NEGOTIATION_MAX_TIME 120
46 
47 struct crypto_xf;
48 struct doi;
49 struct event;
50 struct exchange;
51 struct keystate;
52 struct message;
53 struct payload;
54 struct proto_attr;
55 struct sa;
56 struct transport;
57 
58 /* A protection suite consists of a set of protocol descriptions like this.  */
59 struct proto {
60 	/* Link to the next protocol in the suite.  */
61 	TAILQ_ENTRY(proto) link;
62 
63 	/* The SA we belong to.  */
64 	struct sa      *sa;
65 
66 	/* The protocol number as found in the proposal payload.  */
67 	u_int8_t        no;
68 
69 	/* The protocol this SA is for.  */
70 	u_int8_t        proto;
71 
72 	/*
73 	 * Security parameter index info.  Element 0 - outgoing, 1 -
74 	 * incoming.
75 	 */
76 	u_int8_t        spi_sz[2];
77 	u_int8_t       *spi[2];
78 
79 	/*
80 	 * The chosen transform, only valid while the incoming SA payload that
81 	 * held it is available for duplicate testing.
82          */
83 	struct payload *chosen;
84 
85 	/* The chosen transform's ID.  */
86 	u_int8_t        id;
87 
88 	/* DOI-specific data.  */
89 	void           *data;
90 
91 	/* Proposal transforms data, for validating the responders selection. */
92 	                TAILQ_HEAD(proto_attr_head, proto_attr) xfs;
93 	size_t          xf_cnt;
94 };
95 
96 struct proto_attr {
97 	/* Link to next transform.  */
98 	TAILQ_ENTRY(proto_attr) next;
99 
100 	/* Transform attribute data and size, suitable for attribute_map().  */
101 	u_int8_t       *attrs;
102 	size_t          len;
103 };
104 
105 struct sa {
106 	/* Link to SAs with the same hash value.  */
107 	LIST_ENTRY(sa) link;
108 
109 	/*
110 	 * When several SA's are being negotiated in one message we connect
111 	 * them through this link.
112          */
113 	TAILQ_ENTRY(sa) next;
114 
115 	/*
116 	 * A name of the major policy deciding offers and acceptable
117 	 * proposals.
118 	 */
119 	char           *name;
120 
121 	/* The transport this SA got negotiated over.  */
122 	struct transport *transport;
123 
124 	/* Both initiator and responder cookies.  */
125 	u_int8_t        cookies[ISAKMP_HDR_COOKIES_LEN];
126 
127 	/* The message ID signifying non-ISAKMP SAs.  */
128 	u_int8_t        message_id[ISAKMP_HDR_MESSAGE_ID_LEN];
129 
130 	/* The protection suite chosen.  */
131 	TAILQ_HEAD(proto_head, proto) protos;
132 
133 	/* The exchange type we should use when rekeying.  */
134 	u_int8_t        exch_type;
135 
136 	/* Phase is 1 for ISAKMP SAs, and 2 for application ones.  */
137 	u_int8_t        phase;
138 
139 	/* A reference counter for this structure.  */
140 	u_int16_t       refcnt;
141 
142 	/* Various flags, look below for descriptions.  */
143 	u_int32_t       flags;
144 
145 	/* The DOI that is to handle DOI-specific issues for this SA.  */
146 	struct doi     *doi;
147 
148 	/*
149 	 * Crypto info needed to encrypt/decrypt packets protected by this
150 	 * SA.
151 	 */
152 	struct crypto_xf *crypto;
153 	int             key_length;
154 	struct keystate *keystate;
155 
156 	/* IDs from Phase 1 */
157 	u_int8_t       *id_i;
158 	size_t          id_i_len;
159 	u_int8_t       *id_r;
160 	size_t          id_r_len;
161 
162 	/* Set if we were the initiator of the SA/exchange in Phase 1 */
163 	int             initiator;
164 
165 	/* Policy session ID, where applicable, copied over from the exchange */
166 	int             policy_id;
167 
168 	/*
169 	 * The key used to authenticate phase 1, in printable format, used
170 	 * only by KeyNote.
171          */
172 	char           *keynote_key;
173 
174 	/*
175 	 * Certificates or other information from Phase 1; these are copied
176 	 * from the exchange, so look at exchange.h for an explanation of
177 	 * their use.
178          */
179 	int             recv_certtype, recv_keytype;
180 	/* Certificate received from peer, native format.  */
181 	void           *recv_cert;
182 	/* Key peer used to authenticate, native format.  */
183 	void           *recv_key;
184 
185 	/*
186 	 * Certificates or other information we used to authenticate to the
187 	 * peer, Phase 1.
188          */
189 	int             sent_certtype;
190 	/* Certificate (to be) sent to peer, native format.  */
191 	void           *sent_cert;
192 
193 	/* DOI-specific opaque data.  */
194 	void           *data;
195 
196 	/* Lifetime data.  */
197 	u_int64_t       seconds;
198 	u_int64_t       kilobytes;
199 
200 	/* ACQUIRE sequence number */
201 	u_int32_t       seq;
202 
203 	/* The events that will occur when an SA has timed out.  */
204 	struct event   *soft_death;
205 	struct event   *death;
206 
207 #if defined (USE_NAT_TRAVERSAL)
208 	struct event   *nat_t_keepalive;
209 #endif
210 
211 #if defined (USE_DPD)
212 	/* IKE DPD (RFC3706) message sequence number.  */
213 	u_int32_t	dpd_seq;	/* sent */
214 	u_int32_t	dpd_rseq;	/* recieved */
215 	struct event   *dpd_nextev;	/* time of next event */
216 #endif
217 };
218 
219 /* This SA is alive.  */
220 #define SA_FLAG_READY		0x01
221 
222 /* Renegotiate the SA at each expiry.  */
223 #define SA_FLAG_STAYALIVE	0x02
224 
225 /* Establish the SA when it is needed.  */
226 #define SA_FLAG_ONDEMAND	0x04
227 
228 /* This SA has been replaced by another newer one.  */
229 #define SA_FLAG_REPLACED	0x08
230 
231 /* This SA has seen a soft timeout and wants to be renegotiated on use.  */
232 #define SA_FLAG_FADING		0x10
233 
234 /* This SA should always be actively renegotiated (with us as initiator).  */
235 #define SA_FLAG_ACTIVE_ONLY	0x20
236 
237 /* This SA flag is a placeholder for a TRANSACTION exchange "SA flag".  */
238 #define SA_FLAG_IKECFG		0x40
239 
240 /* This SA flag indicates if we should do DPD with the phase 1 SA peer.  */
241 #define SA_FLAG_DPD		0x80
242 
243 /* NAT-T encapsulation state. Kept in isakmp_sa for the new p2 exchange.  */
244 #define SA_FLAG_NAT_T_ENABLE	0x100
245 #define SA_FLAG_NAT_T_KEEPALIVE	0x200
246 
247 extern void     proto_free(struct proto * proto);
248 extern int	sa_add_transform(struct sa *, struct payload *, int,
249 		    struct proto **);
250 extern int      sa_create(struct exchange *, struct transport *);
251 extern int      sa_enter(struct sa *);
252 extern void     sa_delete(struct sa *, int);
253 extern void     sa_teardown_all(void);
254 extern struct sa *sa_find(int (*) (struct sa *, void *), void *);
255 extern int      sa_flag(char *);
256 extern void     sa_free(struct sa *);
257 extern void     sa_init(void);
258 extern void     sa_reinit(void);
259 extern struct sa *sa_isakmp_lookup_by_peer(struct sockaddr *, socklen_t);
260 extern void     sa_isakmp_upgrade(struct message *);
261 extern struct sa *sa_lookup(u_int8_t *, u_int8_t *);
262 extern struct sa *sa_lookup_by_peer(struct sockaddr *, socklen_t);
263 extern struct sa *sa_lookup_by_header(u_int8_t *, int);
264 extern struct sa *sa_lookup_by_name(char *, int);
265 extern struct sa *sa_lookup_from_icookie(u_int8_t *);
266 extern struct sa *sa_lookup_isakmp_sa(struct sockaddr *, u_int8_t *);
267 extern void     sa_mark_replaced(struct sa *);
268 extern void     sa_reference(struct sa *);
269 extern void     sa_release(struct sa *);
270 extern void     sa_remove(struct sa *);
271 extern void     sa_report(void);
272 extern void     sa_dump(int, int, char *, struct sa *);
273 extern void     sa_report_all(FILE *);
274 extern int      sa_setup_expirations(struct sa *);
275 #endif				/* _SA_H_ */
276