diff options
Diffstat (limited to 'keyexchange/isakmpd-20041012/sa.h')
-rw-r--r-- | keyexchange/isakmpd-20041012/sa.h | 318 |
1 files changed, 318 insertions, 0 deletions
diff --git a/keyexchange/isakmpd-20041012/sa.h b/keyexchange/isakmpd-20041012/sa.h new file mode 100644 index 0000000..4f6100f --- /dev/null +++ b/keyexchange/isakmpd-20041012/sa.h @@ -0,0 +1,318 @@ +/* $OpenBSD: sa.h,v 1.41 2004/08/10 15:59:10 ho Exp $ */ +/* $EOM: sa.h,v 1.58 2000/10/10 12:39:01 provos Exp $ */ + +/* + * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved. + * Copyright (c) 1999, 2001 Angelos D. Keromytis. All rights reserved. + * Copyright (c) 2004 Håkan Olsson. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +/* + * This code was written under funding by Ericsson Radio Systems. + */ + +#ifndef _SA_H_ +#define _SA_H_ + +#include <sys/param.h> +#include <sys/types.h> +#include <sys/queue.h> +#include <sys/socket.h> + +#include "isakmp.h" + +/* Remove a SA if it has not been fully negotiated in this time. */ +#define SA_NEGOTIATION_MAX_TIME 120 + +struct crypto_xf; +struct doi; +struct event; +struct exchange; +struct keystate; +struct message; +struct payload; +struct proto_attr; +struct sa; +struct transport; + +/* A protection suite consists of a set of protocol descriptions like this. */ +struct proto { + /* Link to the next protocol in the suite. */ + TAILQ_ENTRY(proto) link; + + /* The SA we belong to. */ + struct sa *sa; + + /* The protocol number as found in the proposal payload. */ + u_int8_t no; + + /* The protocol this SA is for. */ + u_int8_t proto; + + /* + * Security parameter index info. Element 0 - outgoing, 1 - + * incoming. + */ + u_int8_t spi_sz[2]; + u_int8_t *spi[2]; + + /* + * The chosen transform, only valid while the incoming SA payload that + * held it is available for duplicate testing. + */ + struct payload *chosen; + + /* The chosen transform's ID. */ + u_int8_t id; + + /* DOI-specific data. */ + void *data; + + /* Proposal transforms data, for validating the responders selection. */ + TAILQ_HEAD(proto_attr_head, proto_attr) xfs; + size_t xf_cnt; +}; + +struct proto_attr { + /* Link to next transform. */ + TAILQ_ENTRY(proto_attr) next; + + /* Transform attribute data and size, suitable for attribute_map(). */ + u_int8_t *attrs; + size_t len; +}; + +struct sa { + /* Link to SAs with the same hash value. */ + LIST_ENTRY(sa) link; + + /* + * When several SA's are being negotiated in one message we connect + * them through this link. + */ + TAILQ_ENTRY(sa) next; + + /* + * A name of the major policy deciding offers and acceptable + * proposals. + */ + char *name; + + /* The transport this SA got negotiated over. */ + struct transport *transport; + + /* Both initiator and responder cookies. */ + u_int8_t cookies[ISAKMP_HDR_COOKIES_LEN]; + + /* The message ID signifying non-ISAKMP SAs. */ + u_int8_t message_id[ISAKMP_HDR_MESSAGE_ID_LEN]; + + /* The protection suite chosen. */ + TAILQ_HEAD(proto_head, proto) protos; + + /* The exchange type we should use when rekeying. */ + u_int8_t exch_type; + + /* Phase is 1 for ISAKMP SAs, and 2 for application ones. */ + u_int8_t phase; + + /* A reference counter for this structure. */ + u_int16_t refcnt; + + /* Various flags, look below for descriptions. */ + u_int32_t flags; + + /* The DOI that is to handle DOI-specific issues for this SA. */ + struct doi *doi; + + /* + * Crypto info needed to encrypt/decrypt packets protected by this + * SA. + */ + struct crypto_xf *crypto; + int key_length; + struct keystate *keystate; + + /* IDs from Phase 1 */ + u_int8_t *id_i; + size_t id_i_len; + u_int8_t *id_r; + size_t id_r_len; + + /* Set if we were the initiator of the SA/exchange in Phase 1 */ + int initiator; + + /* Policy session ID, where applicable, copied over from the exchange */ + int policy_id; + + /* + * The key used to authenticate phase 1, in printable format, used + * only by KeyNote. + */ + char *keynote_key; + + /* + * Certificates or other information from Phase 1; these are copied + * from the exchange, so look at exchange.h for an explanation of + * their use. + */ + int recv_certtype, recv_keytype; + /* Certificate received from peer, native format. */ + void *recv_cert; + /* Key peer used to authenticate, native format. */ + void *recv_key; + + /* + * Certificates or other information we used to authenticate to the + * peer, Phase 1. + */ + int sent_certtype; + /* Certificate (to be) sent to peer, native format. */ + void *sent_cert; + + /* DOI-specific opaque data. */ + void *data; + + /* Lifetime data. */ + u_int64_t seconds; + u_int64_t kilobytes; + + /* ACQUIRE sequence number */ + u_int32_t seq; + + /* The events that will occur when an SA has timed out. */ + struct event *soft_death; + struct event *death; + +#if defined (USE_NAT_TRAVERSAL) + struct event *nat_t_keepalive; +#endif + +#if defined (USE_DPD) + /* IKE DPD (RFC3706) message sequence number. */ + u_int32_t dpd_seq; /* sent */ + u_int32_t dpd_rseq; /* recieved */ + u_int32_t dpd_failcount; /* # of subsequent failures */ + struct event *dpd_event; /* time of next event */ +#endif +}; + +/* This SA is alive. */ +#define SA_FLAG_READY 0x01 + +/* Renegotiate the SA at each expiry. */ +#define SA_FLAG_STAYALIVE 0x02 + +/* Establish the SA when it is needed. */ +#define SA_FLAG_ONDEMAND 0x04 + +/* This SA has been replaced by another newer one. */ +#define SA_FLAG_REPLACED 0x08 + +/* This SA has seen a soft timeout and wants to be renegotiated on use. */ +#define SA_FLAG_FADING 0x10 + +/* This SA should always be actively renegotiated (with us as initiator). */ +#define SA_FLAG_ACTIVE_ONLY 0x20 + +/* This SA flag is a placeholder for a TRANSACTION exchange "SA flag". */ +#define SA_FLAG_IKECFG 0x40 + +/* This SA flag indicates if we should do DPD with the phase 1 SA peer. */ +#define SA_FLAG_DPD 0x80 + +/* NAT-T encapsulation state. Kept in isakmp_sa for the new p2 exchange. */ +#define SA_FLAG_NAT_T_ENABLE 0x100 +#define SA_FLAG_NAT_T_KEEPALIVE 0x200 + +extern void proto_free(struct proto * proto); +extern int sa_add_transform(struct sa *, struct payload *, int, + struct proto **); +extern int sa_create(struct exchange *, struct transport *); +extern int sa_enter(struct sa *); +extern void sa_delete(struct sa *, int); +extern void sa_teardown_all(void); +extern struct sa *sa_find(int (*) (struct sa *, void *), void *); +extern int sa_flag(char *); +extern void sa_free(struct sa *); +extern void sa_init(void); +extern void sa_reinit(void); +extern struct sa *sa_isakmp_lookup_by_peer(struct sockaddr *, socklen_t); +extern void sa_isakmp_upgrade(struct message *); +extern struct sa *sa_lookup(u_int8_t *, u_int8_t *); +extern struct sa *sa_lookup_by_peer(struct sockaddr *, socklen_t); +extern struct sa *sa_lookup_by_header(u_int8_t *, int); +extern struct sa *sa_lookup_by_name(char *, int); +extern struct sa *sa_lookup_from_icookie(u_int8_t *); +extern struct sa *sa_lookup_isakmp_sa(struct sockaddr *, u_int8_t *); +extern void sa_mark_replaced(struct sa *); +extern void sa_reference(struct sa *); +extern void sa_release(struct sa *); +extern void sa_remove(struct sa *); +extern void sa_report(void); +extern void sa_dump(int, int, char *, struct sa *); +extern void sa_report_all(FILE *); +extern int sa_setup_expirations(struct sa *); + +/* + * This structure contains most of the data of the in-kernel SA. + * Currently only used to collect the tdb_last_used time for DPD. + */ +struct sa_kinfo { + u_int32_t flags; /* /usr/include/netinet/ip_ipsp.h */ + + u_int32_t exp_allocations; + u_int32_t soft_allocations; + u_int32_t cur_allocations; + + u_int64_t exp_bytes; + u_int64_t soft_bytes; + u_int64_t cur_bytes; + + u_int64_t exp_timeout; + u_int64_t soft_timeout; + + u_int64_t first_use; + u_int64_t established; + u_int64_t soft_first_use; + u_int64_t exp_first_use; + + u_int64_t last_used; + u_int64_t last_marked; + + struct sockaddr_storage dst; + struct sockaddr_storage src; + struct sockaddr_storage proxy; + + u_int32_t spi; + u_int32_t rpl; + u_int16_t udpencap_port; + u_int16_t amxkeylen; + u_int16_t emxkeylen; + u_int16_t ivlen; + u_int8_t sproto; + u_int8_t wnd; + u_int8_t satype; +}; + +#endif /* _SA_H_ */ |