1 /* $OpenBSD: sa.h,v 1.41 2004/08/10 15:59:10 ho Exp $ */ 2 /* $EOM: sa.h,v 1.58 2000/10/10 12:39:01 provos Exp $ */ 3 4 /* 5 * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved. 6 * Copyright (c) 1999, 2001 Angelos D. Keromytis. All rights reserved. 7 * Copyright (c) 2004 H�kan Olsson. All rights reserved. 8 * 9 * Redistribution and use in source and binary forms, with or without 10 * modification, are permitted provided that the following conditions 11 * are met: 12 * 1. Redistributions of source code must retain the above copyright 13 * notice, this list of conditions and the following disclaimer. 14 * 2. Redistributions in binary form must reproduce the above copyright 15 * notice, this list of conditions and the following disclaimer in the 16 * documentation and/or other materials provided with the distribution. 17 * 18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR 19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES 20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. 21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, 22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, 24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY 25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT 26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF 27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. 28 */ 29 30 /* 31 * This code was written under funding by Ericsson Radio Systems. 32 */ 33 34 #ifndef _SA_H_ 35 #define _SA_H_ 36 37 #include <sys/param.h> 38 #include <sys/types.h> 39 #include <sys/queue.h> 40 #include <sys/socket.h> 41 42 #include "isakmp.h" 43 44 /* Remove a SA if it has not been fully negotiated in this time. */ 45 #define SA_NEGOTIATION_MAX_TIME 120 46 47 struct crypto_xf; 48 struct doi; 49 struct event; 50 struct exchange; 51 struct keystate; 52 struct message; 53 struct payload; 54 struct proto_attr; 55 struct sa; 56 struct transport; 57 58 /* A protection suite consists of a set of protocol descriptions like this. */ 59 struct proto { 60 /* Link to the next protocol in the suite. */ 61 TAILQ_ENTRY(proto) link; 62 63 /* The SA we belong to. */ 64 struct sa *sa; 65 66 /* The protocol number as found in the proposal payload. */ 67 u_int8_t no; 68 69 /* The protocol this SA is for. */ 70 u_int8_t proto; 71 72 /* 73 * Security parameter index info. Element 0 - outgoing, 1 - 74 * incoming. 75 */ 76 u_int8_t spi_sz[2]; 77 u_int8_t *spi[2]; 78 79 /* 80 * The chosen transform, only valid while the incoming SA payload that 81 * held it is available for duplicate testing. 82 */ 83 struct payload *chosen; 84 85 /* The chosen transform's ID. */ 86 u_int8_t id; 87 88 /* DOI-specific data. */ 89 void *data; 90 91 /* Proposal transforms data, for validating the responders selection. */ 92 TAILQ_HEAD(proto_attr_head, proto_attr) xfs; 93 size_t xf_cnt; 94 }; 95 96 struct proto_attr { 97 /* Link to next transform. */ 98 TAILQ_ENTRY(proto_attr) next; 99 100 /* Transform attribute data and size, suitable for attribute_map(). */ 101 u_int8_t *attrs; 102 size_t len; 103 }; 104 105 struct sa { 106 /* Link to SAs with the same hash value. */ 107 LIST_ENTRY(sa) link; 108 109 /* 110 * When several SA's are being negotiated in one message we connect 111 * them through this link. 112 */ 113 TAILQ_ENTRY(sa) next; 114 115 /* 116 * A name of the major policy deciding offers and acceptable 117 * proposals. 118 */ 119 char *name; 120 121 /* The transport this SA got negotiated over. */ 122 struct transport *transport; 123 124 /* Both initiator and responder cookies. */ 125 u_int8_t cookies[ISAKMP_HDR_COOKIES_LEN]; 126 127 /* The message ID signifying non-ISAKMP SAs. */ 128 u_int8_t message_id[ISAKMP_HDR_MESSAGE_ID_LEN]; 129 130 /* The protection suite chosen. */ 131 TAILQ_HEAD(proto_head, proto) protos; 132 133 /* The exchange type we should use when rekeying. */ 134 u_int8_t exch_type; 135 136 /* Phase is 1 for ISAKMP SAs, and 2 for application ones. */ 137 u_int8_t phase; 138 139 /* A reference counter for this structure. */ 140 u_int16_t refcnt; 141 142 /* Various flags, look below for descriptions. */ 143 u_int32_t flags; 144 145 /* The DOI that is to handle DOI-specific issues for this SA. */ 146 struct doi *doi; 147 148 /* 149 * Crypto info needed to encrypt/decrypt packets protected by this 150 * SA. 151 */ 152 struct crypto_xf *crypto; 153 int key_length; 154 struct keystate *keystate; 155 156 /* IDs from Phase 1 */ 157 u_int8_t *id_i; 158 size_t id_i_len; 159 u_int8_t *id_r; 160 size_t id_r_len; 161 162 /* Set if we were the initiator of the SA/exchange in Phase 1 */ 163 int initiator; 164 165 /* Policy session ID, where applicable, copied over from the exchange */ 166 int policy_id; 167 168 /* 169 * The key used to authenticate phase 1, in printable format, used 170 * only by KeyNote. 171 */ 172 char *keynote_key; 173 174 /* 175 * Certificates or other information from Phase 1; these are copied 176 * from the exchange, so look at exchange.h for an explanation of 177 * their use. 178 */ 179 int recv_certtype, recv_keytype; 180 /* Certificate received from peer, native format. */ 181 void *recv_cert; 182 /* Key peer used to authenticate, native format. */ 183 void *recv_key; 184 185 /* 186 * Certificates or other information we used to authenticate to the 187 * peer, Phase 1. 188 */ 189 int sent_certtype; 190 /* Certificate (to be) sent to peer, native format. */ 191 void *sent_cert; 192 193 /* DOI-specific opaque data. */ 194 void *data; 195 196 /* Lifetime data. */ 197 u_int64_t seconds; 198 u_int64_t kilobytes; 199 200 /* ACQUIRE sequence number */ 201 u_int32_t seq; 202 203 /* The events that will occur when an SA has timed out. */ 204 struct event *soft_death; 205 struct event *death; 206 207 #if defined (USE_NAT_TRAVERSAL) 208 struct event *nat_t_keepalive; 209 #endif 210 211 #if defined (USE_DPD) 212 /* IKE DPD (RFC3706) message sequence number. */ 213 u_int32_t dpd_seq; /* sent */ 214 u_int32_t dpd_rseq; /* recieved */ 215 u_int32_t dpd_failcount; /* # of subsequent failures */ 216 struct event *dpd_event; /* time of next event */ 217 #endif 218 }; 219 220 /* This SA is alive. */ 221 #define SA_FLAG_READY 0x01 222 223 /* Renegotiate the SA at each expiry. */ 224 #define SA_FLAG_STAYALIVE 0x02 225 226 /* Establish the SA when it is needed. */ 227 #define SA_FLAG_ONDEMAND 0x04 228 229 /* This SA has been replaced by another newer one. */ 230 #define SA_FLAG_REPLACED 0x08 231 232 /* This SA has seen a soft timeout and wants to be renegotiated on use. */ 233 #define SA_FLAG_FADING 0x10 234 235 /* This SA should always be actively renegotiated (with us as initiator). */ 236 #define SA_FLAG_ACTIVE_ONLY 0x20 237 238 /* This SA flag is a placeholder for a TRANSACTION exchange "SA flag". */ 239 #define SA_FLAG_IKECFG 0x40 240 241 /* This SA flag indicates if we should do DPD with the phase 1 SA peer. */ 242 #define SA_FLAG_DPD 0x80 243 244 /* NAT-T encapsulation state. Kept in isakmp_sa for the new p2 exchange. */ 245 #define SA_FLAG_NAT_T_ENABLE 0x100 246 #define SA_FLAG_NAT_T_KEEPALIVE 0x200 247 248 extern void proto_free(struct proto * proto); 249 extern int sa_add_transform(struct sa *, struct payload *, int, 250 struct proto **); 251 extern int sa_create(struct exchange *, struct transport *); 252 extern int sa_enter(struct sa *); 253 extern void sa_delete(struct sa *, int); 254 extern void sa_teardown_all(void); 255 extern struct sa *sa_find(int (*) (struct sa *, void *), void *); 256 extern int sa_flag(char *); 257 extern void sa_free(struct sa *); 258 extern void sa_init(void); 259 extern void sa_reinit(void); 260 extern struct sa *sa_isakmp_lookup_by_peer(struct sockaddr *, socklen_t); 261 extern void sa_isakmp_upgrade(struct message *); 262 extern struct sa *sa_lookup(u_int8_t *, u_int8_t *); 263 extern struct sa *sa_lookup_by_peer(struct sockaddr *, socklen_t); 264 extern struct sa *sa_lookup_by_header(u_int8_t *, int); 265 extern struct sa *sa_lookup_by_name(char *, int); 266 extern struct sa *sa_lookup_from_icookie(u_int8_t *); 267 extern struct sa *sa_lookup_isakmp_sa(struct sockaddr *, u_int8_t *); 268 extern void sa_mark_replaced(struct sa *); 269 extern void sa_reference(struct sa *); 270 extern void sa_release(struct sa *); 271 extern void sa_remove(struct sa *); 272 extern void sa_report(void); 273 extern void sa_dump(int, int, char *, struct sa *); 274 extern void sa_report_all(FILE *); 275 extern int sa_setup_expirations(struct sa *); 276 277 /* 278 * This structure contains most of the data of the in-kernel SA. 279 * Currently only used to collect the tdb_last_used time for DPD. 280 */ 281 struct sa_kinfo { 282 u_int32_t flags; /* /usr/include/netinet/ip_ipsp.h */ 283 284 u_int32_t exp_allocations; 285 u_int32_t soft_allocations; 286 u_int32_t cur_allocations; 287 288 u_int64_t exp_bytes; 289 u_int64_t soft_bytes; 290 u_int64_t cur_bytes; 291 292 u_int64_t exp_timeout; 293 u_int64_t soft_timeout; 294 295 u_int64_t first_use; 296 u_int64_t established; 297 u_int64_t soft_first_use; 298 u_int64_t exp_first_use; 299 300 u_int64_t last_used; 301 u_int64_t last_marked; 302 303 struct sockaddr_storage dst; 304 struct sockaddr_storage src; 305 struct sockaddr_storage proxy; 306 307 u_int32_t spi; 308 u_int32_t rpl; 309 u_int16_t udpencap_port; 310 u_int16_t amxkeylen; 311 u_int16_t emxkeylen; 312 u_int16_t ivlen; 313 u_int8_t sproto; 314 u_int8_t wnd; 315 u_int8_t satype; 316 }; 317 318 #endif /* _SA_H_ */ 319