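/* $OpenBSD: sa.h,v 1.36 2004/05/13 06:56:34 ho Exp $ */
/* $EOM: sa.h,v 1.58 2000/10/10 12:39:01 provos Exp $ */

/*
 * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved.
 * Copyright (c) 1999, 2001 Angelos D. Keromytis. All rights reserved.
 * Copyright (c) 2004 Håkan Olsson. All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 * 1. Redistributions of source code must retain the above copyright
 *    notice, this list of conditions and the following disclaimer.
 * 2. Redistributions in binary form must reproduce the above copyright
 *    notice, this list of conditions and the following disclaimer in the
 *    documentation and/or other materials provided with the distribution.
 *
 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 */

/*
 * This code was written under funding by Ericsson Radio Systems.
 */

/*
 * sa.h - security association (SA) bookkeeping for the IKE/ISAKMP daemon.
 *
 * Declares the in-core representation of a negotiated SA (struct sa), the
 * per-protocol pieces of its protection suite (struct proto, struct
 * proto_attr), the SA_FLAG_* bits kept in sa->flags, and the sa_*()
 * management API.  Only declarations live here; no storage is defined.
 */

#ifndef _SA_H_
#define _SA_H_

#include <sys/param.h>
#include <sys/types.h>
#include <sys/queue.h>
#include <sys/socket.h>

#include <stdio.h>	/* FILE, used by the sa_report_all() prototype below */

#include "isakmp.h"

/*
 * Remove a SA if it has not been fully negotiated in this time.
 * Presumably seconds -- confirm against the timer that consumes it.
 */
#define SA_NEGOTIATION_MAX_TIME 120

/* Opaque types referenced by pointer only; their definitions live elsewhere. */
struct crypto_xf;
struct doi;
struct event;
struct exchange;
struct keystate;
struct message;
struct payload;
struct proto_attr;
struct sa;
struct transport;

/*
 * A protection suite consists of a set of protocol descriptions like this,
 * one per protocol (linked through `link' into sa->protos).
 */
struct proto {
	/* Link to the next protocol in the suite. */
	TAILQ_ENTRY(proto) link;

	/* The SA we belong to. */
	struct sa *sa;

	/* The protocol number as found in the proposal payload. */
	u_int8_t no;

	/* The protocol this SA is for. */
	u_int8_t proto;

	/*
	 * Security parameter index info.  Element 0 - outgoing, 1 -
	 * incoming.  spi_sz[i] is the length of the bytes spi[i] points at
	 * (presumably heap-allocated; see proto_free()).
	 */
	u_int8_t spi_sz[2];
	u_int8_t *spi[2];

	/*
	 * The chosen transform.  This is a borrowed pointer into the incoming
	 * SA payload and is only valid while that payload is still available
	 * for duplicate testing -- do not dereference it after that.
	 */
	struct payload *chosen;

	/* The chosen transform's ID. */
	u_int8_t id;

	/* DOI-specific data. */
	void *data;

	/*
	 * Proposal transforms data, kept so the responder's selection can be
	 * validated against what we actually offered.  xf_cnt is presumably
	 * the number of entries in xfs.
	 */
	TAILQ_HEAD(proto_attr_head, proto_attr) xfs;
	size_t xf_cnt;
};

/* One proposed transform's attribute bytes, as kept in proto->xfs. */
struct proto_attr {
	/* Link to next transform. */
	TAILQ_ENTRY(proto_attr) next;

	/* Transform attribute data and size, suitable for attribute_map(). */
	u_int8_t *attrs;
	size_t len;
};

/* A security association: either an ISAKMP (phase 1) or application (phase 2) SA. */
struct sa {
	/* Link to SAs with the same hash value. */
	LIST_ENTRY(sa) link;

	/*
	 * When several SAs are being negotiated in one message we connect
	 * them through this link.
	 */
	TAILQ_ENTRY(sa) next;

	/*
	 * A name of the major policy deciding offers and acceptable
	 * proposals.
	 */
	char *name;

	/* The transport this SA got negotiated over. */
	struct transport *transport;

	/* Both initiator and responder cookies, ISAKMP_HDR_COOKIES_LEN bytes in all. */
	u_int8_t cookies[ISAKMP_HDR_COOKIES_LEN];

	/* The message ID signifying non-ISAKMP SAs. */
	u_int8_t message_id[ISAKMP_HDR_MESSAGE_ID_LEN];

	/* The protection suite chosen (a list of struct proto). */
	TAILQ_HEAD(proto_head, proto) protos;

	/* The exchange type we should use when rekeying. */
	u_int8_t exch_type;

	/* Phase is 1 for ISAKMP SAs, and 2 for application ones. */
	u_int8_t phase;

	/*
	 * A reference counter for this structure, manipulated through
	 * sa_reference()/sa_release().  NOTE(review): this is only 16 bits;
	 * if it ever wrapped to zero a still-referenced SA could be freed,
	 * so keep reference/release calls strictly paired (verify the
	 * implementation does not let it overflow).
	 */
	u_int16_t refcnt;

	/* Various flags, see the SA_FLAG_* definitions below. */
	u_int32_t flags;

	/* The DOI that is to handle DOI-specific issues for this SA. */
	struct doi *doi;

	/*
	 * Crypto info needed to encrypt/decrypt packets protected by this
	 * SA.
	 */
	struct crypto_xf *crypto;
	int key_length;
	struct keystate *keystate;

	/* IDs from Phase 1 (initiator and responder), with their lengths. */
	u_int8_t *id_i;
	size_t id_i_len;
	u_int8_t *id_r;
	size_t id_r_len;

	/* Set if we were the initiator of the SA/exchange in Phase 1. */
	int initiator;

	/* Policy session ID, where applicable, copied over from the exchange. */
	int policy_id;

	/*
	 * The key used to authenticate phase 1, in printable format, used
	 * only by KeyNote.
	 */
	char *keynote_key;

	/*
	 * Certificates or other information from Phase 1; these are copied
	 * from the exchange, so look at exchange.h for an explanation of
	 * their use.  NOTE(review): ownership of recv_cert/recv_key is not
	 * stated here -- confirm who frees them before adding new users.
	 */
	int recv_certtype, recv_keytype;
	/* Certificate received from peer, native format. */
	void *recv_cert;
	/* Key peer used to authenticate, native format. */
	void *recv_key;

	/*
	 * Certificates or other information we used to authenticate to the
	 * peer, Phase 1.
	 */
	int sent_certtype;
	/* Certificate (to be) sent to peer, native format. */
	void *sent_cert;

	/* DOI-specific opaque data. */
	void *data;

	/* Lifetime data (presumably the negotiated time and traffic limits). */
	u_int64_t seconds;
	u_int64_t kilobytes;

	/* ACQUIRE sequence number. */
	u_int32_t seq;

	/* The events that will occur when an SA has timed out. */
	struct event *soft_death;
	struct event *death;
};

/* Bits of sa->flags. */

/* This SA is alive. */
#define SA_FLAG_READY		0x01

/* Renegotiate the SA at each expiry. */
#define SA_FLAG_STAYALIVE	0x02

/* Establish the SA when it is needed. */
#define SA_FLAG_ONDEMAND	0x04

/* This SA has been replaced by another newer one. */
#define SA_FLAG_REPLACED	0x08

/* This SA has seen a soft timeout and wants to be renegotiated on use. */
#define SA_FLAG_FADING		0x10

/* This SA should always be actively renegotiated (with us as initiator). */
#define SA_FLAG_ACTIVE_ONLY	0x20

/* This SA flag is a placeholder for a TRANSACTION exchange "SA flag". */
#define SA_FLAG_IKECFG		0x40

/* Release one protocol description of a protection suite. */
extern void	proto_free(struct proto *);

/*
 * Add a transform from an incoming SA payload to an SA's protection suite;
 * the struct proto it ended up in is returned through the last argument.
 */
extern int	sa_add_transform(struct sa *, struct payload *, int,
		    struct proto **);

/* Create a new SA for an exchange, negotiated over the given transport. */
extern int	sa_create(struct exchange *, struct transport *);

/* Put an SA into the SA table. */
extern int	sa_enter(struct sa *);

/* Delete an SA; the meaning of the int argument is not stated here. */
extern void	sa_delete(struct sa *, int);

/* Tear down every SA we know of. */
extern void	sa_teardown_all(void);

/* Find the first SA for which the predicate returns true (the void * is passed through). */
extern struct sa *sa_find(int (*) (struct sa *, void *), void *);

/* Map a flag name to its SA_FLAG_* value (presumably used by the configuration code). */
extern int	sa_flag(char *);

/* Free an SA and what it owns. */
extern void	sa_free(struct sa *);

/* Module initialization and re-initialization. */
extern void	sa_init(void);
extern void	sa_reinit(void);

/* Lookup routines.  Key meanings follow the struct sa fields of the same type. */
extern struct sa *sa_isakmp_lookup_by_peer(struct sockaddr *, socklen_t);
extern void	sa_isakmp_upgrade(struct message *);
extern struct sa *sa_lookup(u_int8_t *, u_int8_t *);	/* presumably cookies, message ID */
extern struct sa *sa_lookup_by_peer(struct sockaddr *, socklen_t);
extern struct sa *sa_lookup_by_header(u_int8_t *, int);
extern struct sa *sa_lookup_by_name(char *, int);
extern struct sa *sa_lookup_from_icookie(u_int8_t *);
extern struct sa *sa_lookup_isakmp_sa(struct sockaddr *, u_int8_t *);

/* Flag an SA as superseded by a newer one (SA_FLAG_REPLACED). */
extern void	sa_mark_replaced(struct sa *);

/* Reference counting; every sa_reference() must be matched by an sa_release(). */
extern void	sa_reference(struct sa *);
extern void	sa_release(struct sa *);

/* Take an SA out of the SA table. */
extern void	sa_remove(struct sa *);

/* Diagnostics. */
extern void	sa_report(void);
extern void	sa_dump(int, int, char *, struct sa *);
extern void	sa_report_all(FILE *);

/* Arm the soft/hard expiration events of an SA. */
extern int	sa_setup_expirations(struct sa *);

#endif /* _SA_H_ */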