/* $OpenBSD: iked.h,v 1.230 2024/03/02 16:16:07 tobhe Exp $ */

/*
 * Copyright (c) 2019 Tobias Heider <tobias.heider@stusta.de>
 * Copyright (c) 2010-2013 Reyk Floeter <reyk@openbsd.org>
 *
 * Permission to use, copy, modify, and distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * Shared types, macros and function prototypes of iked(8).  The structures
 * below are visible to every privilege-separated process of the daemon;
 * the config_set*()/config_get*() prototypes further down suggest several
 * of them travel between processes over imsg, so field layout changes
 * should be checked against config.c before they are made.
 */

#include <sys/types.h>
#include <sys/tree.h>
#include <sys/queue.h>
#include <arpa/inet.h>
#include <limits.h>
#include <imsg.h>		/* struct imsgbuf, struct imsg, IMSG_HEADER_SIZE */

#include <openssl/evp.h>

#include "types.h"		/* IKED_ID_SIZE, IKED_PSK_SIZE, PROC_MAX, ... */
#include "dh.h"

/*
 * Argument-evaluating helper macros: a, b, x and y are each expanded more
 * than once, so never pass expressions with side effects.  They sit
 * outside the IKED_H guard; an identical redefinition is permitted by the
 * C standard, so including this header twice is harmless.
 */
#define MAXIMUM(a,b) (((a)>(b))?(a):(b))
#define MINIMUM(a,b) (((a)<(b))?(a):(b))
#define roundup(x, y) ((((x)+((y)-1))/(y))*(y))

#ifndef IKED_H
#define IKED_H

/*
 * Common IKEv1/IKEv2 header
 *
 * Fixed IKE header in on-the-wire field order; __packed makes it exactly
 * 8+8+1+1+1+1+4+4 = 28 bytes with no padding.  No byte-order conversion
 * happens in this header: the multi-byte fields are presumably kept in
 * network order and converted by the parsing/emitting code (ikev2.c).
 */

struct ike_header {
	uint64_t	 ike_ispi;		/* Initiator cookie */
	uint64_t	 ike_rspi;		/* Responder cookie */
	uint8_t		 ike_nextpayload;	/* Next payload type */
	uint8_t		 ike_version;		/* Major/Minor version number */
	uint8_t		 ike_exchange;		/* Exchange type */
	uint8_t		 ike_flags;		/* Message options */
	uint32_t	 ike_msgid;		/* Message identifier */
	uint32_t	 ike_length;		/* Total message length */
} __packed;

/*
 * Common daemon infrastructure, local imsg etc.
 */

/* An imsg channel together with the libevent state that drives it. */
struct imsgev {
	struct imsgbuf		 ibuf;		/* imsg read/write buffers */
	void			(*handler)(int, short, void *);	/* event callback */
	struct event		 ev;		/* registered with `events' */
	struct privsep_proc	*proc;		/* owning process descriptor */
	void			*data;		/* opaque argument for handler */
	short			 events;	/* EV_READ/EV_WRITE mask in use */
	const char		*name;		/* peer name (log messages, inferred) */
};

/*
 * Abort unless the payload of `imsg' is at least sizeof(*p): this is the
 * length check every handler must do before casting imsg->data to a
 * struct.  Only the lower bound is checked, a larger payload passes.
 * `imsg' is evaluated more than once, so pass a plain lvalue.
 */
#define IMSG_SIZE_CHECK(imsg, p) do {				\
	if (IMSG_DATA_SIZE(imsg) < sizeof(*p))			\
		fatalx("bad length imsg received");		\
} while (0)
/*
 * Payload length of an imsg.  The subtraction is unsigned, so it relies
 * on hdr.len >= IMSG_HEADER_SIZE; the imsg library is expected to reject
 * shorter headers before delivery -- NOTE(review): confirm in imsg.c.
 */
#define IMSG_DATA_SIZE(imsg)	((imsg)->hdr.len - IMSG_HEADER_SIZE)

/*
 * Two iked_addr are equal when their prefix lengths match and
 * sockaddr_cmp() sees no difference within that prefix.  Both macro
 * arguments are expanded more than once.
 */
#define IKED_ADDR_EQ(_a, _b)						\
	((_a)->addr_mask == (_b)->addr_mask &&				\
	sockaddr_cmp((struct sockaddr *)&(_a)->addr,			\
	(struct sockaddr *)&(_b)->addr, (_a)->addr_mask) == 0)

#define IKED_ADDR_NEQ(_a, _b)						\
	((_a)->addr_mask != (_b)->addr_mask ||				\
	sockaddr_cmp((struct sockaddr *)&(_a)->addr,			\
	(struct sockaddr *)&(_b)->addr, (_a)->addr_mask) != 0)

/* initially control.h */
/* A listening control socket (see control_init()/control_listen()). */
struct control_sock {
	const char	*cs_name;	/* socket path */
	struct event	 cs_ev;		/* accept event */
	struct event	 cs_evt;	/* retry timer (inferred from name) */
	int		 cs_fd;		/* listening descriptor */
	int		 cs_restricted;	/* non-zero for the restricted socket (inferred) */
	void		*cs_env;	/* opaque back-pointer for callbacks */
};

/* One accepted control client connection. */
struct ctl_conn {
	TAILQ_ENTRY(ctl_conn)	 entry;
	uint8_t			 flags;
#define CTL_CONN_NOTIFY		 0x01	/* client subscribed to notifications (inferred) */
	struct imsgev		 iev;	/* imsg channel to the client */
	uint32_t		 peerid;
};
TAILQ_HEAD(ctl_connlist, ctl_conn);

extern enum privsep_procid privsep_process;	/* id of the running process */

/*
 * Runtime structures
 */

/* Timer wrapper: tmr_cb is invoked with tmr_env and tmr_cbarg. */
struct iked_timer {
	struct event	 tmr_ev;
	struct iked	*tmr_env;
	void		(*tmr_cb)(struct iked *, void *);
	void		*tmr_cbarg;
};

/* An SPI value, the number of bytes it is encoded in, and its protocol. */
struct iked_spi {
	uint64_t	 spi;
	uint8_t		 spi_size;	/* encoded length in bytes */
	uint8_t		 spi_protoid;	/* IKE/ESP/AH/IPCOMP protocol id */
};

/* One SA proposal: protocol, local/peer SPIs and prop_nxforms transforms. */
struct iked_proposal {
	uint8_t				 prop_id;
	uint8_t				 prop_protoid;

	struct iked_spi			 prop_localspi;
	struct iked_spi			 prop_peerspi;

	struct iked_transform		*prop_xforms;	/* array of prop_nxforms */
	unsigned int			 prop_nxforms;

	TAILQ_ENTRY(iked_proposal)	 prop_entry;
};
TAILQ_HEAD(iked_proposals, iked_proposal);

/*
 * Address with prefix length and port.  addr_mask is the prefix length
 * that IKED_ADDR_EQ() hands to sockaddr_cmp().
 */
struct iked_addr {
	int				 addr_af;	/* address family */
	struct sockaddr_storage		 addr;
	uint8_t				 addr_mask;	/* prefix length */
	int				 addr_net;	/* network rather than host (inferred) */
	in_port_t			 addr_port;
};

/* Traffic selector: address/prefix/port plus IP protocol. */
struct iked_ts {
	struct iked_addr		 ts_addr;
	uint8_t				 ts_ipproto;
	TAILQ_ENTRY(iked_ts)		 ts_entry;
};
TAILQ_HEAD(iked_tss, iked_ts);

/* An IPsec flow (SPD entry) belonging to a policy or an IKE SA. */
struct iked_flow {
	struct iked_addr		 flow_src;
	struct iked_addr		 flow_dst;
	unsigned int			 flow_dir;	/* in/out */
	int				 flow_rdomain;	/* routing domain */
	struct iked_addr		 flow_prenat;
	int				 flow_fixed;

	unsigned int			 flow_loaded;	/* pfkey done */

	uint8_t				 flow_saproto;	/* IPsec protocol */
	uint8_t				 flow_ipproto;

	struct iked_addr		*flow_local;	/* outer source */
	struct iked_addr		*flow_peer;	/* outer dest */
	struct iked_sa			*flow_ikesa;	/* parent SA */

	RB_ENTRY(iked_flow)		 flow_node;	/* iked_flows tree */
	TAILQ_ENTRY(iked_flow)		 flow_entry;	/* iked_saflows list */
};
RB_HEAD(iked_flows, iked_flow);
TAILQ_HEAD(iked_saflows, iked_flow);

/*
 * An IPsec Child SA.  The key ibufs are key material; how they are
 * released is not visible here (see childsa_free()).
 */
struct iked_childsa {
	uint8_t				 csa_saproto;	/* IPsec protocol */
	unsigned int			 csa_dir;	/* in/out */

	uint64_t			 csa_peerspi;	/* peer relation */
	uint8_t				 csa_loaded;	/* pfkey done */
	uint8_t				 csa_rekey;	/* will be deleted */
	uint8_t				 csa_allocated;	/* from the kernel */
	uint8_t				 csa_persistent;/* do not rekey */
	uint8_t				 csa_esn;	/* use ESN */
	uint8_t				 csa_transport;	/* transport mode */

	struct iked_spi			 csa_spi;

	struct ibuf			*csa_encrkey;	/* encryption key */
	uint16_t			 csa_encrid;	/* encryption xform id */

	struct ibuf			*csa_integrkey;	/* auth key */
	uint16_t			 csa_integrid;	/* auth xform id */

	struct iked_addr		*csa_local;	/* outer source */
	struct iked_addr		*csa_peer;	/* outer dest */
	struct iked_sa			*csa_ikesa;	/* parent SA */

	struct iked_childsa		*csa_peersa;	/* peer */

	struct iked_childsa		*csa_bundled;	/* IPCOMP */

	uint16_t			 csa_pfsgrpid;	/* pfs group id */

	RB_ENTRY(iked_childsa)		 csa_node;	/* iked_activesas tree */
	TAILQ_ENTRY(iked_childsa)	 csa_entry;	/* iked_childsas list */
};
RB_HEAD(iked_activesas, iked_childsa);
TAILQ_HEAD(iked_childsas, iked_childsa);


/*
 * Fixed-size identity as configured in a policy.  id_length counts the
 * valid bytes of id_data and can be at most IKED_ID_SIZE (types.h).
 */
struct iked_static_id {
	uint8_t		id_type;
	uint8_t		id_length;
	uint8_t		id_offset;
	uint8_t		id_data[IKED_ID_SIZE];
};

/*
 * Authentication settings of a policy.  auth_data is secret material (the
 * pre-shared key); auth_length counts its valid bytes, at most
 * IKED_PSK_SIZE (types.h).
 */
struct iked_auth {
	uint8_t		auth_method;
	uint8_t		auth_eap;			/* optional EAP */
	uint8_t		auth_length;			/* zero if EAP */
	uint8_t		auth_data[IKED_PSK_SIZE];
};

/* One configuration-payload attribute. */
struct iked_cfg {
	uint8_t				 cfg_action;
	uint16_t			 cfg_type;
	union {
		struct iked_addr	 address;
	} cfg;
};

TAILQ_HEAD(iked_sapeers, iked_sa);

/* Child SA lifetime limits. */
struct iked_lifetime {
	uint64_t			 lt_bytes;
	uint64_t			 lt_seconds;
};

/*
 * A configured policy (one `ikev2' rule).  pol_skip holds the skip-step
 * pointers computed by policy_calc_skip_steps() that let policy_lookup()
 * jump over runs of policies that cannot match on the given criterion.
 */
struct iked_policy {
	unsigned int			 pol_id;
	char				 pol_name[IKED_ID_SIZE];
	unsigned int			 pol_iface;

#define IKED_SKIP_FLAGS			 0
#define IKED_SKIP_AF			 1
#define IKED_SKIP_SRC_ADDR		 2
#define IKED_SKIP_DST_ADDR		 3
#define IKED_SKIP_COUNT			 4
	struct iked_policy		*pol_skip[IKED_SKIP_COUNT];

	uint8_t				 pol_flags;	/* IKED_POLICY_* bits */
#define IKED_POLICY_PASSIVE		 0x00
#define IKED_POLICY_DEFAULT		 0x01
#define IKED_POLICY_ACTIVE		 0x02
#define IKED_POLICY_REFCNT		 0x04
#define IKED_POLICY_QUICK		 0x08
#define IKED_POLICY_SKIP		 0x10
#define IKED_POLICY_IPCOMP		 0x20
#define IKED_POLICY_TRANSPORT		 0x40
#define IKED_POLICY_ROUTING		 0x80

	int				 pol_refcnt;	/* see policy_ref()/policy_unref() */

	uint8_t				 pol_certreqtype;

	int				 pol_af;
	int				 pol_rdomain;
	uint8_t				 pol_saproto;
	unsigned int			 pol_ipproto[IKED_IPPROTO_MAX];
	unsigned int			 pol_nipproto;	/* valid entries of pol_ipproto */

	struct iked_addr		 pol_peer;
	struct iked_static_id		 pol_peerid;
	uint32_t			 pol_peerdh;

	struct iked_addr		 pol_local;
	struct iked_static_id		 pol_localid;

	struct iked_auth		 pol_auth;

	char				 pol_tag[IKED_TAG_SIZE];
	unsigned int			 pol_tap;

	struct iked_proposals		 pol_proposals;
	size_t				 pol_nproposals;

	struct iked_flows		 pol_flows;
	size_t				 pol_nflows;
	struct iked_tss			 pol_tssrc;	/* Traffic Selectors Initiator */
	size_t				 pol_tssrc_count;
	struct iked_tss			 pol_tsdst;	/* Traffic Selectors Responder */
	size_t				 pol_tsdst_count;

	struct iked_cfg			 pol_cfg[IKED_CFG_MAX];
	unsigned int			 pol_ncfg;	/* valid entries of pol_cfg */

	uint32_t			 pol_rekey;	/* ike SA lifetime */
	struct iked_lifetime		 pol_lifetime;	/* child SA lifetime */

	struct iked_sapeers		 pol_sapeers;	/* IKE SAs using this policy */

	TAILQ_ENTRY(iked_policy)	 pol_entry;
};
TAILQ_HEAD(iked_policies, iked_policy);

/* Negotiated PRF or integrity algorithm and its keyed context. */
struct iked_hash {
	uint8_t		 hash_type;	/* PRF or INTEGR */
	uint16_t	 hash_id;	/* IKE PRF/INTEGR hash id */
	const void	*hash_priv;	/* Identifying the hash alg */
	void		*hash_ctx;	/* Context of the current invocation */
	int		 hash_fixedkey;	/* Requires fixed key length */
	struct ibuf	*hash_key;	/* MAC key derived from key seed */
	size_t		 hash_length;	/* Output length */
	size_t		 hash_trunc;	/* Truncate the output length */
	struct iked_hash *hash_prf;	/* PRF pointer */
	int		 hash_isaead;	/* integrity provided by an AEAD cipher (inferred from name) */
};

/* Negotiated encryption algorithm, key and IV state. */
struct iked_cipher {
	uint8_t		 encr_type;	/* ENCR */
	uint16_t	 encr_id;	/* IKE ENCR hash id */
	const void	*encr_priv;	/* Identifying the hash alg */
	void		*encr_ctx;	/* Context of the current invocation */
	int		 encr_fixedkey;	/* Requires fixed key length */
	struct ibuf	*encr_key;	/* MAC key derived from key seed */
	struct ibuf	*encr_iv;	/* Initialization Vector */
	uint64_t	 encr_civ;	/* Counter IV for GCM */
	size_t		 encr_ivlength;	/* IV length */
	size_t		 encr_length;	/* Block length */
	size_t		 encr_saltlength;	/* IV salt length */
	uint16_t	 encr_authid;	/* ID of associated authentication */
};

/* Signature/MAC state used to build or verify the AUTH payload. */
struct iked_dsa {
	uint8_t		 dsa_method;	/* AUTH method */
	const void	*dsa_priv;	/* PRF or signature hash function */
	void		*dsa_ctx;	/* PRF or signature hash ctx */
	struct ibuf	*dsa_keydata;	/* public, private or shared key */
	void		*dsa_key;	/* parsed public or private key */
	int		 dsa_hmac;	/* HMAC or public/private key */
	int		 dsa_sign;	/* Sign or verify operation */
	uint32_t	 dsa_flags;	/* State flags */
};

/* Identity or certificate payload: type, data offset and raw buffer. */
struct iked_id {
	uint8_t		 id_type;
	uint8_t		 id_offset;
	struct ibuf	*id_buf;
};

/*
 * Per-IKE-SA requirement/progress bits; presumably the bits kept in
 * sa_stateflags, sa_stateinit and sa_statevalid of struct iked_sa and
 * tested by sa_stateok() -- confirm in policy.c.
 */
#define IKED_REQ_CERT		0x0001	/* get local certificate (if required) */
#define IKED_REQ_CERTVALID	0x0002	/* validated the peer cert */
#define IKED_REQ_CERTREQ	0x0004	/* CERTREQ has been received */
#define IKED_REQ_AUTH		0x0008	/* AUTH payload */
#define IKED_REQ_AUTHVALID	0x0010	/* AUTH payload has been verified */
#define IKED_REQ_SA		0x0020	/* SA available */
#define IKED_REQ_EAPVALID	0x0040	/* EAP payload has been verified */
#define IKED_REQ_CHILDSA	0x0080	/* Child SA initiated */
#define IKED_REQ_INF		0x0100	/* Informational exchange initiated */

/*
 * %b-style bit description of the IKED_REQ_* flags: leading \20 selects
 * base 16, then one bit number (1-based, octal) followed by its name.
 */
#define IKED_REQ_BITS	\
	"\20\01CERT\02CERTVALID\03CERTREQ\04AUTH\05AUTHVALID\06SA\07EAPVALID" \
	"\10CHILDSA\11INF"

TAILQ_HEAD(iked_msgqueue, iked_msg_retransmit);
TAILQ_HEAD(iked_msg_fragqueue, iked_message);

/*
 * IKE SA identification.  __packed (no padding between the two SPIs and
 * the role flag); presumably because it is copied between processes
 * unchanged -- NOTE(review): confirm where it is serialised.
 */
struct iked_sahdr {
	uint64_t			 sh_ispi;	/* Initiator SPI */
	uint64_t			 sh_rspi;	/* Responder SPI */
	unsigned int			 sh_initiator;	/* Is initiator? */
} __packed;

/* Nonces and Diffie-Hellman values of one key exchange. */
struct iked_kex {
	struct ibuf			*kex_inonce;	/* Ni */
	struct ibuf			*kex_rnonce;	/* Nr */

	struct dh_group			*kex_dhgroup;	/* DH group */
	struct ibuf			*kex_dhiexchange;	/* initiator KE */
	struct ibuf			*kex_dhrexchange;	/* responder KE */
	struct ibuf			*kex_dhpeer;	/* pointer to i or r */
};

/* One received IKE fragment. */
struct iked_frag_entry {
	uint8_t	*frag_data;
	size_t	 frag_size;
};

/*
 * Reassembly state for a fragmented IKE message.  frag_arr is sized by
 * the peer-announced frag_total; IKED_FRAG_TOTAL_MAX is the bound that
 * total must be checked against before anything is allocated (expected
 * in ikev2.c -- confirm).
 */
struct iked_frag {
	struct iked_frag_entry	**frag_arr;	/* list of fragment buffers */
	size_t			 frag_count;	/* number of fragments received */
#define IKED_FRAG_TOTAL_MAX	111		/* upper limit (64kB / 576B) */
	size_t			 frag_total;	/* total number of fragments */
	size_t			 frag_total_size;	/* bytes received so far (inferred) */
	uint8_t			 frag_nextpayload;	/* next payload of the reassembled msg */

};

/* IPComp parameters negotiated for one direction pair. */
struct iked_ipcomp {
	uint16_t			 ic_cpi_out;	/* outgoing CPI */
	uint16_t			 ic_cpi_in;	/* incoming CPI */
	uint8_t				 ic_transform;	/* transform */
};

/*
 * An IKE SA: identity, negotiated algorithms and keys, message-id state,
 * Child SAs, flows and the timers that drive it.  All *_TIMEOUT values
 * below are in seconds.
 */
struct iked_sa {
	struct iked_sahdr		 sa_hdr;
	uint32_t			 sa_msgid;	/* Last request rcvd */
	int				 sa_msgid_set;	/* msgid initialized */
	uint32_t			 sa_msgid_current;	/* Current requested rcvd */
	uint32_t			 sa_reqid;	/* Next request sent */

	int				 sa_type;
#define IKED_SATYPE_LOOKUP		 0		/* Used for lookup */
#define IKED_SATYPE_LOCAL		 1		/* Local SA */

	struct iked_addr		 sa_peer;
	struct iked_addr		 sa_peer_loaded;/* MOBIKE */
	struct iked_addr		 sa_local;
	int				 sa_fd;		/* socket the SA talks on */

	struct iked_frag		 sa_fragments;	/* reassembly in progress */

	int				 sa_natt;	/* for IKE messages */
	int				 sa_udpencap;	/* for pfkey */
	int				 sa_usekeepalive;	/* NAT-T keepalive */

	int				 sa_state;
	unsigned int			 sa_stateflags;
	unsigned int			 sa_stateinit;	/* SA_INIT */
	unsigned int			 sa_statevalid;	/* IKE_AUTH */

	int				 sa_cp;		/* XXX */
	struct iked_addr		*sa_cp_addr;	/* requested address */
	struct iked_addr		*sa_cp_addr6;	/* requested address */
	struct iked_addr		*sa_cp_dns;	/* requested dns */

	struct iked_policy		*sa_policy;
	struct timeval			 sa_timecreated;
	struct timeval			 sa_timeused;

	char				*sa_tag;
	const char			*sa_reason;	/* reason for close */

	struct iked_kex			 sa_kex;
/* XXX compat defines until everything is converted */
#define sa_inonce		sa_kex.kex_inonce
#define sa_rnonce		sa_kex.kex_rnonce
#define sa_dhgroup		sa_kex.kex_dhgroup
#define sa_dhiexchange		sa_kex.kex_dhiexchange
#define sa_dhrexchange		sa_kex.kex_dhrexchange
#define sa_dhpeer		sa_kex.kex_dhpeer

	struct iked_hash		*sa_prf;	/* PRF alg */
	struct iked_hash		*sa_integr;	/* integrity alg */
	struct iked_cipher		*sa_encr;	/* encryption alg */

	/* IKE SA keying material, named as in RFC 7296 section 2.14 */
	struct ibuf			*sa_key_d;	/* SK_d */
	struct ibuf			*sa_key_iauth;	/* SK_ai */
	struct ibuf			*sa_key_rauth;	/* SK_ar */
	struct ibuf			*sa_key_iencr;	/* SK_ei */
	struct ibuf			*sa_key_rencr;	/* SK_er */
	struct ibuf			*sa_key_iprf;	/* SK_pi */
	struct ibuf			*sa_key_rprf;	/* SK_pr */

	struct ibuf			*sa_1stmsg;	/* for initiator AUTH */
	struct ibuf			*sa_2ndmsg;	/* for responder AUTH */
	struct iked_id			 sa_localauth;	/* local AUTH message */
	struct iked_id			 sa_peerauth;	/* peer AUTH message */
	int				 sa_sigsha2;	/* use SHA2 for signatures */
#define IKED_SCERT_MAX	3	/* max # of supplemental cert payloads */

	struct iked_id			 sa_iid;	/* initiator id */
	struct iked_id			 sa_rid;	/* responder id */
	struct iked_id			 sa_icert;	/* initiator cert */
	struct iked_id			 sa_rcert;	/* responder cert */
	struct iked_id			 sa_scert[IKED_SCERT_MAX]; /* supplemental certs */
/* Our own / the peer's identity depending on role; x is evaluated twice. */
#define IKESA_SRCID(x) ((x)->sa_hdr.sh_initiator ? &(x)->sa_iid : &(x)->sa_rid)
#define IKESA_DSTID(x) ((x)->sa_hdr.sh_initiator ? &(x)->sa_rid : &(x)->sa_iid)

	char				*sa_eapid;	/* EAP identity */
	struct iked_id			 sa_eap;	/* EAP challenge */
	struct ibuf			*sa_eapmsk;	/* EAP MSK (session key) */

	struct iked_proposals		 sa_proposals;	/* SA proposals */
	struct iked_childsas		 sa_childsas;	/* IPsec Child SAs */
	struct iked_saflows		 sa_flows;	/* IPsec flows */

	struct iked_sa			*sa_nexti;	/* initiated IKE SA */
	struct iked_sa			*sa_previ;	/* matching back pointer */
	struct iked_sa			*sa_nextr;	/* simultaneous rekey */
	struct iked_sa			*sa_prevr;	/* matching back pointer */
	uint64_t			 sa_rekeyspi;	/* peerspi CSA rekey */
	struct ibuf			*sa_simult;	/* simultaneous rekey */

	struct iked_ipcomp		 sa_ipcompi;	/* IPcomp initiator */
	struct iked_ipcomp		 sa_ipcompr;	/* IPcomp responder */

	int				 sa_mobike;	/* MOBIKE */
	int				 sa_frag;	/* fragmentation */

	int				 sa_use_transport_mode;	/* peer requested */
	int				 sa_used_transport_mode; /* we enabled */

	struct iked_timer		 sa_timer;	/* SA timeouts */
#define IKED_IKE_SA_EXCHANGE_TIMEOUT	 300		/* 5 minutes */
#define IKED_IKE_SA_REKEY_TIMEOUT	 120		/* 2 minutes */
#define IKED_IKE_SA_DELETE_TIMEOUT	 120		/* 2 minutes */
#define IKED_IKE_SA_ALIVE_TIMEOUT	 60		/* 1 minute */

	struct iked_timer		 sa_keepalive;	/* keepalive timer */
#define IKED_IKE_SA_KEEPALIVE_TIMEOUT	 20		/* 20 seconds */

	struct iked_timer		 sa_rekey;	/* rekey timeout */
	int				 sa_tmpfail;	/* TEMPORARY_FAILURE seen (inferred) */

	struct iked_msgqueue		 sa_requests;	/* request queue */
#define IKED_RETRANSMIT_TIMEOUT		 2		/* 2 seconds */

	struct iked_msgqueue		 sa_responses;	/* response queue */
#define IKED_RESPONSE_TIMEOUT		 120		/* 2 minutes */

	TAILQ_ENTRY(iked_sa)		 sa_peer_entry;	/* iked_sapeers of the policy */
	RB_ENTRY(iked_sa)		 sa_entry;	/* all SAs */

	RB_ENTRY(iked_sa)		 sa_dstid_entry;	/* SAs by DSTID */
	int				 sa_dstid_entry_valid;	/* sa_dstid_entry valid */

	struct iked_addr		*sa_addrpool;	/* address from pool */
	RB_ENTRY(iked_sa)		 sa_addrpool_entry;	/* pool entries */

	struct iked_addr		*sa_addrpool6;	/* address from pool */
	RB_ENTRY(iked_sa)		 sa_addrpool6_entry;	/* pool entries */
	time_t				 sa_last_recvd;	/* time of last message from peer */
#define IKED_IKE_SA_LAST_RECVD_TIMEOUT	 300		/* 5 minutes */
};
RB_HEAD(iked_sas, iked_sa);
RB_HEAD(iked_dstid_sas, iked_sa);
RB_HEAD(iked_addrpool, iked_sa);
RB_HEAD(iked_addrpool6, iked_sa);

/* stats */

/* Daemon counters; all cumulative except the one marked as a gauge. */
struct iked_stats {
	uint64_t	ikes_sa_created;
	uint64_t	ikes_sa_established_total;
	uint64_t	ikes_sa_established_current; /* gauge */
	uint64_t	ikes_sa_established_failures;
	uint64_t	ikes_sa_proposals_negotiate_failures;
	uint64_t	ikes_sa_rekeyed;
	uint64_t	ikes_sa_removed;
	uint64_t	ikes_csa_created;
	uint64_t	ikes_csa_removed;
	uint64_t	ikes_msg_sent;
	uint64_t	ikes_msg_send_failures;
	uint64_t	ikes_msg_rcvd;
	uint64_t	ikes_msg_rcvd_busy;
	uint64_t	ikes_msg_rcvd_dropped;
	uint64_t	ikes_retransmit_request;
	uint64_t	ikes_retransmit_response;
	uint64_t	ikes_retransmit_limit;
	uint64_t	ikes_frag_sent;
	uint64_t	ikes_frag_send_failures;
	uint64_t	ikes_frag_rcvd;
	uint64_t	ikes_frag_rcvd_drop;
	uint64_t	ikes_frag_reass_ok;
	uint64_t	ikes_frag_reass_drop;
	uint64_t	ikes_update_addresses_sent;
	uint64_t	ikes_dpd_sent;
	uint64_t	ikes_keepalive_sent;
};

/*
 * Counter helpers.  `c' is pasted as a member name of sc_stats, so it
 * must be a bare identifier; `env' is not parenthesised, so pass a plain
 * pointer.  ikestat_dec() adds -1 to a uint64_t, i.e. decrements with
 * wrap-around.
 */
#define ikestat_add(env, c, n)	do { env->sc_stats.c += (n); } while(0)
#define ikestat_inc(env, c)	ikestat_add(env, c, 1)
#define ikestat_dec(env, c)	ikestat_add(env, c, -1)

/* One CERTREQ payload received from the peer. */
struct iked_certreq {
	struct ibuf			*cr_data;
	uint8_t				 cr_type;
	SIMPLEQ_ENTRY(iked_certreq)	 cr_entry;
};
SIMPLEQ_HEAD(iked_certreqs, iked_certreq);

/* Values of eap_msg.eam_state. */
#define EAP_STATE_IDENTITY		(1)
#define EAP_STATE_MSCHAPV2_CHALLENGE	(2)
#define EAP_STATE_MSCHAPV2_SUCCESS	(3)
#define EAP_STATE_SUCCESS		(4)

/* Parsed EAP payload and the state of the EAP conversation. */
struct eap_msg {
	char		*eam_identity;
	char		*eam_user;
	int		 eam_type;
	uint8_t		 eam_id;
	uint8_t		 eam_msrid;
	int		 eam_success;
	int		 eam_found;
	int		 eam_response;
	uint8_t		 eam_challenge[16];	/* MS-CHAPv2 challenge */
	uint8_t		 eam_ntresponse[24];	/* MS-CHAPv2 NT-Response */
	uint32_t	 eam_state;		/* EAP_STATE_* */
};

/*
 * An IKE message being parsed or built, with the addresses it was
 * received on / is sent from and everything extracted from its payloads.
 */
struct iked_message {
	struct ibuf		*msg_data;	/* raw message */
	size_t			 msg_offset;	/* parse position in msg_data (inferred) */

	struct sockaddr_storage	 msg_local;
	socklen_t		 msg_locallen;

	struct sockaddr_storage	 msg_peer;
	socklen_t		 msg_peerlen;

	struct iked_socket	*msg_sock;

	int			 msg_fd;
	int			 msg_response;	/* response rather than request */
	int			 msg_responded;
	int			 msg_valid;
	int			 msg_natt;
	int			 msg_natt_rcvd;
	int			 msg_nat_detected;	/* IKED_MSG_NAT_* bits (inferred) */
	int			 msg_error;
	int			 msg_e;
	struct iked_message	*msg_parent;

	/* Associated policy and SA */
	struct iked_policy	*msg_policy;
	struct iked_sa		*msg_sa;

	uint32_t		 msg_msgid;
	uint8_t			 msg_exchange;

	/* Parsed information */
	struct iked_proposals	 msg_proposals;
	struct iked_certreqs	 msg_certreqs;
	struct iked_spi		 msg_rekey;
	struct ibuf		*msg_nonce;	/* dh NONCE */
	uint16_t		 msg_dhgroup;	/* dh group */
	struct ibuf		*msg_ke;	/* dh key exchange */
	struct iked_id		 msg_auth;	/* AUTH payload */
	struct iked_id		 msg_peerid;
	struct iked_id		 msg_localid;
	struct iked_id		 msg_cert;
	struct iked_id		 msg_scert[IKED_SCERT_MAX]; /* supplemental certs */
	struct ibuf		*msg_cookie;
	uint16_t		 msg_group;
	uint16_t		 msg_cpi;
	uint8_t			 msg_transform;
	uint16_t		 msg_flags;	/* IKED_MSG_FLAGS_* bits */
	struct eap_msg		 msg_eap;
	size_t			 msg_del_spisize;	/* DELETE payload: SPI size */
	size_t			 msg_del_cnt;		/* DELETE payload: SPI count */
	struct ibuf		*msg_del_buf;		/* DELETE payload: SPIs */
	int			 msg_del_protoid;	/* DELETE payload: protocol */
	int			 msg_cp;
	struct iked_addr	*msg_cp_addr;	/* requested address */
	struct iked_addr	*msg_cp_addr6;	/* requested address */
	struct iked_addr	*msg_cp_dns;	/* requested dns */
	uint16_t		 msg_frag_num;

	/* MOBIKE */
	int			 msg_update_sa_addresses;
	struct ibuf		*msg_cookie2;

	/* Parse stack */
	struct iked_proposal	*msg_prop;
	uint16_t		 msg_attrlength;

	/* Retransmit queue */
	TAILQ_ENTRY(iked_message)
				 msg_entry;
};

/* A queued outgoing message (its fragments) plus retransmission state. */
struct iked_msg_retransmit {
	struct iked_msg_fragqueue	mrt_frags;
	TAILQ_ENTRY(iked_msg_retransmit) mrt_entry;
	struct iked_timer		mrt_timer;
	int				mrt_tries;	/* attempts so far */
#define IKED_RETRANSMIT_TRIES	 5		/* try 5 times */
};

/* NAT detection results (inferred to be bits of msg_nat_detected). */
#define IKED_MSG_NAT_SRC_IP				0x01
#define IKED_MSG_NAT_DST_IP				0x02

/* Bits of iked_message.msg_flags: notifications seen in the message. */
#define IKED_MSG_FLAGS_FRAGMENTATION			0x0001
#define IKED_MSG_FLAGS_MOBIKE				0x0002
#define IKED_MSG_FLAGS_SIGSHA2				0x0004
#define IKED_MSG_FLAGS_CHILD_SA_NOT_FOUND		0x0008
#define IKED_MSG_FLAGS_NO_ADDITIONAL_SAS		0x0010
#define IKED_MSG_FLAGS_AUTHENTICATION_FAILED		0x0020
#define IKED_MSG_FLAGS_INVALID_KE			0x0040
#define IKED_MSG_FLAGS_IPCOMP_SUPPORTED			0x0080
#define IKED_MSG_FLAGS_USE_TRANSPORT			0x0100
#define IKED_MSG_FLAGS_TEMPORARY_FAILURE		0x0200
#define IKED_MSG_FLAGS_NO_PROPOSAL_CHOSEN		0x0400


/*
 * A configured user (see user_lookup()).  usr_pass is a plaintext
 * credential held in memory for the daemon's lifetime; whether it is
 * cleared on release is not visible in this header.
 */
struct iked_user {
	char				 usr_name[LOGIN_NAME_MAX];
	char				 usr_pass[IKED_PASSWORD_SIZE];
	RB_ENTRY(iked_user)		 usr_entry;
};
RB_HEAD(iked_users, iked_user);

/* Socketpairs from one process to every other process. */
struct privsep_pipes {
	int				*pp_pipes[PROC_MAX];
};

/*
 * Privilege-separation state shared by the daemon's processes: pipes,
 * imsg channels, pids, the control socket and signal handlers.
 */
struct privsep {
	struct privsep_pipes		*ps_pipes[PROC_MAX];
	struct privsep_pipes		*ps_pp;		/* pipes of this process */

	struct imsgev			*ps_ievs[PROC_MAX];
	const char			*ps_title[PROC_MAX];
	pid_t				 ps_pid[PROC_MAX];
	struct passwd			*ps_pw;		/* unprivileged user */
	int				 ps_noaction;	/* parse-only mode (inferred) */

	struct control_sock		 ps_csock;

	unsigned int			 ps_instances[PROC_MAX];
	unsigned int			 ps_ninstances;
	unsigned int			 ps_instance;

	/* Event and signal handlers */
	struct event			 ps_evsigint;
	struct event			 ps_evsigterm;
	struct event			 ps_evsigchld;
	struct event			 ps_evsighup;
	struct event			 ps_evsigpipe;
	struct event			 ps_evsigusr1;

	struct iked			*ps_env;
	unsigned int			 ps_connecting;
	void				(*ps_connected)(struct privsep *);
};

/* Description of one privilege-separated process. */
struct privsep_proc {
	const char		*p_title;
	enum privsep_procid	 p_id;
	int			(*p_cb)(int, struct privsep_proc *,
				    struct imsg *);	/* imsg dispatcher */
	void			(*p_init)(struct privsep *,
				    struct privsep_proc *);	/* process setup */
	const char		*p_chroot;	/* chroot directory, if any */
	struct passwd		*p_pw;		/* user to drop privileges to */
	struct privsep		*p_ps;
	void			(*p_shutdown)(void);
};

/* Identifies a process instance when passing file descriptors. */
struct privsep_fd {
	enum privsep_procid		 pf_procid;
	unsigned int			 pf_instance;
};

#define PROC_PARENT_SOCK_FILENO	3	/* fd of the parent socket in a child (inferred) */
#define PROC_MAX_INSTANCES	32

/* One outstanding OCSP request. */
struct iked_ocsp_entry {
	TAILQ_ENTRY(iked_ocsp_entry) ioe_entry;	/* next request */
	void			*ioe_ocsp;	/* private ocsp request data */
};
TAILQ_HEAD(iked_ocsp_requests, iked_ocsp_entry);

/*
 * Daemon configuration
 */

enum natt_mode {
	NATT_DEFAULT,	/* send/recv with both :500 and NAT-T port */
	NATT_DISABLE,	/* send/recv with only :500 */
	NATT_FORCE,	/* send/recv with only NAT-T port */
};

/*
 * Global settings grouped so they can be handed to the other processes
 * as one unit (see config_setstatic()/config_getstatic()); struct iked
 * embeds it as sc_static and aliases the members below.
 */
struct iked_static {
	uint64_t		 st_alive_timeout;
	int			 st_cert_partial_chain;
	int			 st_enforcesingleikesa;
	uint8_t			 st_frag;		/* fragmentation */
	uint8_t			 st_mobike;		/* MOBIKE */
	in_port_t		 st_nattport;
	int			 st_stickyaddress;	/* addr per DSTID */
	int			 st_vendorid;
};

/* The daemon environment: configuration, runtime tables and sockets. */
struct iked {
	char				 sc_conffile[PATH_MAX];

	uint32_t			 sc_opts;
	enum natt_mode			 sc_nattmode;
	uint8_t				 sc_passive;
	uint8_t				 sc_decoupled;

	struct iked_static		 sc_static;

/* compat aliases so callers keep using env->sc_<name> */
#define sc_alive_timeout	sc_static.st_alive_timeout
#define sc_cert_partial_chain	sc_static.st_cert_partial_chain
#define sc_enforcesingleikesa	sc_static.st_enforcesingleikesa
#define sc_frag			sc_static.st_frag
#define sc_mobike		sc_static.st_mobike
#define sc_nattport		sc_static.st_nattport
#define sc_stickyaddress	sc_static.st_stickyaddress
#define sc_vendorid		sc_static.st_vendorid

	struct iked_policies		 sc_policies;
	struct iked_policy		*sc_defaultcon;

	struct iked_sas			 sc_sas;	/* all IKE SAs */
	struct iked_dstid_sas		 sc_dstid_sas;	/* IKE SAs by DSTID */
	struct iked_activesas		 sc_activesas;	/* loaded Child SAs */
	struct iked_flows		 sc_activeflows;
	struct iked_users		 sc_users;

	struct iked_stats		 sc_stats;

	void				*sc_priv;	/* per-process */

	int				 sc_pfkey;	/* ike process */
	struct event			 sc_pfkeyev;
	struct event			 sc_routeev;
	uint8_t				 sc_certreqtype;
	struct ibuf			*sc_certreq;
	void				*sc_vroute;

	/* two sockets per family, presumably :500 and the NAT-T port (cf. enum natt_mode) */
	struct iked_socket		*sc_sock4[2];
	struct iked_socket		*sc_sock6[2];

	struct iked_timer		 sc_inittmr;	/* initiator timer, seconds below */
#define IKED_INITIATOR_INITIAL		 2
#define IKED_INITIATOR_INTERVAL		 60

	struct privsep			 sc_ps;

	struct iked_ocsp_requests	 sc_ocsp;
	char				*sc_ocsp_url;
	long				 sc_ocsp_tolerate;
	long				 sc_ocsp_maxage;

	struct iked_addrpool		 sc_addrpool;
	struct iked_addrpool6		 sc_addrpool6;
};

/* A bound UDP socket and its read event. */
struct iked_socket {
	int			 sock_fd;
	struct event		 sock_ev;
	struct iked		*sock_env;
	struct sockaddr_storage	 sock_addr;
};

/* Transform table entry (name/id plus length parameters). */
struct ipsec_xf {
	const char	*name;
	unsigned int	 id;
	unsigned int	 length;
	unsigned int	 keylength;
	unsigned int	 nonce;
	unsigned int	 noauth;
};

/* A set of selected transforms, one array per transform type. */
struct ipsec_transforms {
	const struct ipsec_xf	**authxf;
	unsigned int		  nauthxf;
	const struct ipsec_xf	**prfxf;
	unsigned int		  nprfxf;
	const struct ipsec_xf	**encxf;
	unsigned int		  nencxf;
	const struct ipsec_xf	**groupxf;
	unsigned int		  ngroupxf;
	const struct ipsec_xf	**esnxf;
	unsigned int		  nesnxf;
};

struct ipsec_mode {
	struct ipsec_transforms	**xfs;		/* array of nxfs transform sets */
unsigned int nxfs; 875}; 876 877/* iked.c */ 878void parent_reload(struct iked *, int, const char *); 879 880extern struct iked *iked_env; 881 882/* control.c */ 883void control(struct privsep *, struct privsep_proc *); 884int control_init(struct privsep *, struct control_sock *); 885int control_listen(struct control_sock *); 886 887/* config.c */ 888struct iked_policy * 889 config_new_policy(struct iked *); 890void config_free_kex(struct iked_kex *); 891void config_free_fragments(struct iked_frag *); 892void config_free_sa(struct iked *, struct iked_sa *); 893struct iked_sa * 894 config_new_sa(struct iked *, int); 895struct iked_user * 896 config_new_user(struct iked *, struct iked_user *); 897uint64_t 898 config_getspi(void); 899struct iked_transform * 900 config_findtransform(struct iked_proposals *, uint8_t, unsigned int); 901struct iked_transform * 902 config_findtransform_ext(struct iked_proposals *, uint8_t,int, unsigned int); 903void config_free_policy(struct iked *, struct iked_policy *); 904struct iked_proposal * 905 config_add_proposal(struct iked_proposals *, unsigned int, 906 unsigned int); 907void config_free_proposal(struct iked_proposals *, struct iked_proposal *); 908void config_free_proposals(struct iked_proposals *, unsigned int); 909void config_free_flows(struct iked *, struct iked_flows *); 910void config_free_childsas(struct iked *, struct iked_childsas *, 911 struct iked_spi *, struct iked_spi *); 912int config_add_transform(struct iked_proposal *, 913 unsigned int, unsigned int, unsigned int, unsigned int); 914int config_setcoupled(struct iked *, unsigned int); 915int config_getcoupled(struct iked *, unsigned int); 916int config_setmode(struct iked *, unsigned int); 917int config_getmode(struct iked *, unsigned int); 918int config_setreset(struct iked *, unsigned int, enum privsep_procid); 919int config_getreset(struct iked *, struct imsg *); 920int config_doreset(struct iked *, unsigned int); 921int config_setpolicy(struct iked *, struct 
iked_policy *, 922 enum privsep_procid); 923int config_getpolicy(struct iked *, struct imsg *); 924int config_setflow(struct iked *, struct iked_policy *, 925 enum privsep_procid); 926int config_getflow(struct iked *, struct imsg *); 927int config_setsocket(struct iked *, struct sockaddr_storage *, in_port_t, 928 enum privsep_procid); 929int config_getsocket(struct iked *env, struct imsg *, 930 void (*cb)(int, short, void *)); 931void config_enablesocket(struct iked *env); 932int config_setpfkey(struct iked *); 933int config_getpfkey(struct iked *, struct imsg *); 934int config_setuser(struct iked *, struct iked_user *, enum privsep_procid); 935int config_getuser(struct iked *, struct imsg *); 936int config_setcompile(struct iked *, enum privsep_procid); 937int config_getcompile(struct iked *); 938int config_setocsp(struct iked *); 939int config_getocsp(struct iked *, struct imsg *); 940int config_setkeys(struct iked *); 941int config_getkey(struct iked *, struct imsg *); 942int config_setstatic(struct iked *); 943int config_getstatic(struct iked *, struct imsg *); 944 945/* policy.c */ 946void policy_init(struct iked *); 947int policy_lookup(struct iked *, struct iked_message *, 948 struct iked_proposals *, struct iked_flows *, int); 949int policy_lookup_sa(struct iked *, struct iked_sa *); 950struct iked_policy * 951 policy_test(struct iked *, struct iked_policy *); 952int policy_generate_ts(struct iked_policy *); 953void policy_calc_skip_steps(struct iked_policies *); 954void policy_ref(struct iked *, struct iked_policy *); 955void policy_unref(struct iked *, struct iked_policy *); 956void sa_state(struct iked *, struct iked_sa *, int); 957void sa_stateflags(struct iked_sa *, unsigned int); 958int sa_stateok(const struct iked_sa *, int); 959struct iked_sa * 960 sa_new(struct iked *, uint64_t, uint64_t, unsigned int, 961 struct iked_policy *); 962void sa_free(struct iked *, struct iked_sa *); 963void sa_free_flows(struct iked *, struct iked_saflows *); 964int 
sa_configure_iface(struct iked *, struct iked_sa *, int);
int	 sa_address(struct iked_sa *, struct iked_addr *, struct sockaddr *);
void	 childsa_free(struct iked_childsa *);
struct iked_childsa *
	 childsa_lookup(struct iked_sa *, uint64_t, uint8_t);
void	 flow_free(struct iked_flow *);
int	 flow_equal(struct iked_flow *, struct iked_flow *);
struct iked_sa *
	 sa_lookup(struct iked *, uint64_t, uint64_t, unsigned int);
struct iked_user *
	 user_lookup(struct iked *, const char *);
struct iked_sa *
	 sa_dstid_lookup(struct iked *, struct iked_sa *);
struct iked_sa *
	 sa_dstid_insert(struct iked *, struct iked_sa *);
void	 sa_dstid_remove(struct iked *, struct iked_sa *);
int	 proposals_negotiate(struct iked_proposals *, struct iked_proposals *,
	    struct iked_proposals *, int, int);
/* Red-black tree prototypes; the *_cmp comparators are defined in sa.c. */
RB_PROTOTYPE(iked_sas, iked_sa, sa_entry, sa_cmp);
RB_PROTOTYPE(iked_dstid_sas, iked_sa, sa_dstid_entry, sa_dstid_cmp);
RB_PROTOTYPE(iked_addrpool, iked_sa, sa_addrpool_entry, sa_addrpool_cmp);
RB_PROTOTYPE(iked_addrpool6, iked_sa, sa_addrpool6_entry, sa_addrpool6_cmp);
RB_PROTOTYPE(iked_users, iked_user, user_entry, user_cmp);
RB_PROTOTYPE(iked_activesas, iked_childsa, csa_node, childsa_cmp);
RB_PROTOTYPE(iked_flows, iked_flow, flow_node, flow_cmp);

/* crypto.c */
/*
 * Hash (PRF / integrity) wrappers.  Keys and data are passed as
 * (pointer, length) pairs; hash_final() writes the result length through
 * its size_t out-parameter.
 */
struct iked_hash *
	 hash_new(uint8_t, uint16_t);
struct ibuf *
	 hash_setkey(struct iked_hash *, void *, size_t);
void	 hash_free(struct iked_hash *);
void	 hash_init(struct iked_hash *);
void	 hash_update(struct iked_hash *, void *, size_t);
void	 hash_final(struct iked_hash *, void *, size_t *);
size_t	 hash_keylength(struct iked_hash *);
size_t	 hash_length(struct iked_hash *);

/*
 * Cipher wrappers.  cipher_settag()/cipher_gettag() take a
 * (buffer, length) pair for the authentication tag.
 * NOTE(review): the tag presumably belongs to an AEAD mode; confirm in
 * crypto.c that the received tag is checked in constant time.
 */
struct iked_cipher *
	 cipher_new(uint8_t, uint16_t, uint16_t);
struct ibuf *
	 cipher_setkey(struct iked_cipher *, const void *, size_t);
struct ibuf *
	 cipher_setiv(struct iked_cipher *, const void *, size_t);
int	 cipher_settag(struct iked_cipher *, uint8_t *, size_t);
int	 cipher_gettag(struct iked_cipher *, uint8_t *, size_t);
void	 cipher_free(struct iked_cipher *);
int	 cipher_init(struct iked_cipher *, int);
int	 cipher_init_encrypt(struct iked_cipher *);
int	 cipher_init_decrypt(struct iked_cipher *);
void	 cipher_aad(struct iked_cipher *, const void *, size_t, size_t *);
int	 cipher_update(struct iked_cipher *, const void *, size_t, void *, size_t *);
int	 cipher_final(struct iked_cipher *);
size_t	 cipher_length(struct iked_cipher *);
size_t	 cipher_keylength(struct iked_cipher *);
size_t	 cipher_ivlength(struct iked_cipher *);
size_t	 cipher_outlength(struct iked_cipher *, size_t);

/*
 * Signature wrappers.  dsa_sign_final()/dsa_verify_final() return ssize_t;
 * NOTE(review): a negative value presumably signals failure and callers
 * must not treat it as a length — confirm in crypto.c.
 */
struct iked_dsa *
	 dsa_new(uint8_t, struct iked_hash *, int);
struct iked_dsa *
	 dsa_sign_new(uint8_t, struct iked_hash *);
struct iked_dsa *
	 dsa_verify_new(uint8_t, struct iked_hash *);
struct ibuf *
	 dsa_setkey(struct iked_dsa *, void *, size_t, uint8_t);
void	 dsa_free(struct iked_dsa *);
int	 dsa_init(struct iked_dsa *, const void *, size_t);
size_t	 dsa_prefix(struct iked_dsa *);
size_t	 dsa_length(struct iked_dsa *);
int	 dsa_update(struct iked_dsa *, const void *, size_t);
ssize_t	 dsa_sign_final(struct iked_dsa *, void *, size_t);
ssize_t	 dsa_verify_final(struct iked_dsa *, void *, size_t);

/* vroute.c */
/* Address / DNS / route manipulation; the vroute_get*() variants take an imsg. */
void	 vroute_init(struct iked *);
int	 vroute_setaddr(struct iked *, int, struct sockaddr *, int, unsigned int);
void	 vroute_cleanup(struct iked *);
int	 vroute_getaddr(struct iked *, struct imsg *);
int	 vroute_setdns(struct iked *, int, struct sockaddr *, unsigned int);
int	 vroute_getdns(struct iked *, struct imsg *);
int	 vroute_setaddroute(struct iked *, uint8_t, struct sockaddr *,
	    uint8_t, struct sockaddr *);
int	 vroute_setcloneroute(struct iked *, uint8_t, struct sockaddr *,
	    uint8_t, struct sockaddr *);
int	 vroute_setdelroute(struct iked *, uint8_t, struct sockaddr *,
	    uint8_t, struct sockaddr *);
int	 vroute_getroute(struct iked *, struct imsg *);
int	 vroute_getcloneroute(struct iked *, struct imsg *);

/* ikev2.c */
void	 ikev2(struct privsep *, struct privsep_proc *);
void	 ikev2_recv(struct iked *, struct iked_message *);
void	 ikev2_init_ike_sa(struct iked *, void *);
int	 ikev2_policy2id(struct iked_static_id *, struct iked_id *, int);
int	 ikev2_childsa_enable(struct iked *, struct iked_sa *);
int	 ikev2_childsa_delete(struct iked *, struct iked_sa *,
	    uint8_t, uint64_t, uint64_t *, int);
void	 ikev2_ikesa_recv_delete(struct iked *, struct iked_sa *);
void	 ikev2_ike_sa_timeout(struct iked *env, void *);
void	 ikev2_ike_sa_setreason(struct iked_sa *, char *);
void	 ikev2_reset_alive_timer(struct iked *);
int	 ikev2_ike_sa_delete(struct iked *, struct iked_sa *);

/* Key derivation and message construction helpers. */
struct ibuf *
	 ikev2_prfplus(struct iked_hash *, struct ibuf *, struct ibuf *,
	    size_t);
ssize_t	 ikev2_psk(struct iked_sa *, uint8_t *, size_t, uint8_t **);
ssize_t	 ikev2_nat_detection(struct iked *, struct iked_message *,
	    void *, size_t, unsigned int, int);
void	 ikev2_enable_natt(struct iked *, struct iked_sa *,
	    struct iked_message *, int);
int	 ikev2_send_informational(struct iked *, struct iked_message *);
int	 ikev2_send_ike_e(struct iked *, struct iked_sa *, struct ibuf *,
	    uint8_t, uint8_t, int);
struct ike_header *
	 ikev2_add_header(struct ibuf *, struct iked_sa *,
	    uint32_t, uint8_t, uint8_t, uint8_t);
int	 ikev2_set_header(struct ike_header *, size_t);
struct ikev2_payload *
	 ikev2_add_payload(struct ibuf *);
int	 ikev2_next_payload(struct ikev2_payload *, size_t,
	    uint8_t);
int	 ikev2_child_sa_acquire(struct iked *, struct iked_flow *);
int	 ikev2_child_sa_drop(struct iked *, struct iked_spi *);
int	 ikev2_child_sa_rekey(struct iked *, struct iked_spi *);
void	 ikev2_disable_rekeying(struct iked *, struct iked_sa *);
int	 ikev2_print_id(struct iked_id *, char *, size_t);
int	 ikev2_print_static_id(struct iked_static_id *, char *, size_t);

/*
 * Format an SA description for log output.  The caller supplies no buffer
 * and the result is const, so it presumably points at static storage;
 * NOTE(review): do not hold the pointer across another call — confirm in
 * ikev2.c.  SPI_IH() converts the on-the-wire header SPI with betoh64(),
 * whereas SPI_SH() passes sh_ispi unchanged.
 */
const char *ikev2_ikesa_info(uint64_t, const char *msg);
#define SPI_IH(hdr) ikev2_ikesa_info(betoh64((hdr)->ike_ispi), NULL)
#define SPI_SH(sh, f) ikev2_ikesa_info((sh)->sh_ispi, (f))
#define SPI_SA(sa, f) SPI_SH(&(sa)->sa_hdr, (f))

/* ikev2_msg.c */
void	 ikev2_msg_cb(int, short, void *);
struct ibuf *
	 ikev2_msg_init(struct iked *, struct iked_message *,
	    struct sockaddr_storage *, socklen_t,
	    struct sockaddr_storage *, socklen_t, int);
struct iked_message *
	 ikev2_msg_copy(struct iked *, struct iked_message *);
void	 ikev2_msg_cleanup(struct iked *, struct iked_message *);
uint32_t
	 ikev2_msg_id(struct iked *, struct iked_sa *);
/* AUTH payload computation and verification of the peer's AUTH data. */
struct ibuf
	*ikev2_msg_auth(struct iked *, struct iked_sa *, int);
int	 ikev2_msg_authsign(struct iked *, struct iked_sa *,
	    struct iked_auth *, struct ibuf *);
int	 ikev2_msg_authverify(struct iked *, struct iked_sa *,
	    struct iked_auth *, uint8_t *, size_t, struct ibuf *);
int	 ikev2_msg_valid_ike_sa(struct iked *, struct ike_header *,
	    struct iked_message *);
int	 ikev2_msg_send(struct iked *, struct iked_message *);
int	 ikev2_msg_send_encrypt(struct iked *, struct iked_sa *,
	    struct ibuf **, uint8_t, uint8_t, int);
struct ibuf
	*ikev2_msg_encrypt(struct iked *, struct iked_sa *, struct ibuf *,
	    struct ibuf *);
struct ibuf *
	 ikev2_msg_decrypt(struct iked *, struct iked_sa *,
	    struct ibuf *, struct ibuf *);
int	 ikev2_msg_integr(struct iked *, struct iked_sa *, struct ibuf *);
int	 ikev2_msg_frompeer(struct iked_message *);
struct iked_socket *
	 ikev2_msg_getsocket(struct iked *, int, int);
/* Retransmit queue handling. */
int	 ikev2_msg_enqueue(struct iked *, struct iked_msgqueue *,
	    struct iked_message *, int);
int	 ikev2_msg_retransmit_response(struct iked *, struct iked_sa *,
	    struct iked_message *, struct ike_header *);
void	 ikev2_msg_prevail(struct iked *, struct iked_msgqueue *,
	    struct iked_message *);
void	 ikev2_msg_dispose(struct iked *, struct iked_msgqueue *,
	    struct iked_msg_retransmit *);
void	 ikev2_msg_flushqueue(struct iked *, struct iked_msgqueue *);
struct iked_msg_retransmit *
	 ikev2_msg_lookup(struct iked *, struct iked_msgqueue *,
	    struct iked_message *, uint8_t);

/* ikev2_pld.c */
/* Payload parsers for received messages; the size_t is an offset/length
 * into the message (confirm against the definitions in ikev2_pld.c). */
int	 ikev2_pld_parse(struct iked *, struct ike_header *,
	    struct iked_message *, size_t);
int	 ikev2_pld_parse_quick(struct iked *, struct ike_header *,
	    struct iked_message *, size_t);

/* eap.c */
int	 eap_parse(struct iked *, const struct iked_sa *, struct iked_message*,
	    void *, int);
int	 eap_success(struct iked *, struct iked_sa *, int);
int	 eap_identity_request(struct iked *, struct iked_sa *);
int	 eap_mschap_challenge(struct iked *, struct iked_sa *, int, int,
	    uint8_t *, size_t);
int	 eap_mschap_success(struct iked *, struct iked_sa *, int);
int	 eap_challenge_request(struct iked *, struct iked_sa *, int);

/* pfkey.c */
/* Kernel SA and flow (SPD) management over the PF_KEY socket. */
int	 pfkey_couple(struct iked *, struct iked_sas *, int);
int	 pfkey_flow_add(struct iked *, struct iked_flow *);
int	 pfkey_flow_delete(struct iked *, struct iked_flow *);
int	 pfkey_sa_init(struct iked *, struct iked_childsa *, uint32_t *);
int	 pfkey_sa_add(struct iked *, struct iked_childsa *, struct iked_childsa *);
int	 pfkey_sa_update_addresses(struct iked *, struct iked_childsa *);
int	 pfkey_sa_delete(struct iked *, struct iked_childsa *);
int	 pfkey_sa_last_used(struct iked *, struct iked_childsa *, uint64_t *);
int	 pfkey_flush(struct iked *);
int	 pfkey_socket(struct iked *);
void	 pfkey_init(struct iked *, int fd);

/* ca.c */
/*
 * Certificate / key handling in the CA process.  The ca_set*() calls take
 * the destination privsep process as their last argument.
 */
void	 caproc(struct privsep *, struct privsep_proc *);
int	 ca_setreq(struct iked *, struct iked_sa *, struct iked_static_id *,
	    uint8_t, uint8_t, uint8_t *, size_t, enum privsep_procid);
int	 ca_setcert(struct iked *, struct iked_sahdr *, struct iked_id *,
	    uint8_t, uint8_t *, size_t, enum privsep_procid);
int	 ca_setauth(struct iked *, struct iked_sa *,
	    struct ibuf *, enum privsep_procid);
void	 ca_getkey(struct privsep *, struct iked_id *, enum imsg_type);
int	 ca_certbundle_add(struct ibuf *, struct iked_id *);
int	 ca_privkey_serialize(EVP_PKEY *, struct iked_id *);
int	 ca_pubkey_serialize(EVP_PKEY *, struct iked_id *);
void	 ca_sslerror(const char *);
/* Non-const return: ownership (who frees) is not visible here — see ca.c. */
char	*ca_asn1_name(uint8_t *, size_t);
void	*ca_x509_name_parse(char *);
void	 ca_cert_info(const char *, X509 *);

/* timer.c */
void	 timer_set(struct iked *, struct iked_timer *,
	    void (*)(struct iked *, void *), void *);
void	 timer_add(struct iked *, struct iked_timer *, int);
void	 timer_del(struct iked *, struct iked_timer *);

/* proc.c */
/* Privilege-separation process management and imsg transport. */
void	 proc_init(struct privsep *, struct privsep_proc *, unsigned int, int,
	    int, char **, enum privsep_procid);
void	 proc_kill(struct privsep *);
void	 proc_connect(struct privsep *, void (*)(struct privsep *));
void	 proc_dispatch(int, short event, void *);
void	 proc_run(struct privsep *, struct privsep_proc *,
	    struct privsep_proc *, unsigned int,
	    void (*)(struct privsep *, struct privsep_proc *, void *), void *);
void	 imsg_event_add(struct imsgev *);
int	 imsg_compose_event(struct imsgev *, uint16_t, uint32_t,
	    pid_t, int, void *, uint16_t);
int	 imsg_composev_event(struct imsgev *, uint16_t, uint32_t,
	    pid_t, int, const struct iovec *, int);
int	 proc_compose_imsg(struct privsep *, enum privsep_procid, int,
	    uint16_t, uint32_t, int, void *, uint16_t);
int	 proc_compose(struct privsep *, enum privsep_procid,
	    uint16_t, void *, uint16_t);
int	 proc_composev_imsg(struct privsep *, enum privsep_procid, int,
	    uint16_t, uint32_t, int, const struct iovec *, int);
int	 proc_composev(struct privsep *, enum privsep_procid,
	    uint16_t, const struct iovec *, int);
int	 proc_forward_imsg(struct privsep *, struct imsg *,
	    enum privsep_procid, int);
struct imsgbuf *
	 proc_ibuf(struct privsep *, enum privsep_procid, int);
struct imsgev *
	 proc_iev(struct privsep *, enum privsep_procid, int);
enum privsep_procid
	 proc_getid(struct privsep_proc *, unsigned int, const char *);
int	 proc_flush_imsg(struct privsep *, enum privsep_procid, int);

/* util.c */
int	 socket_af(struct sockaddr *, in_port_t);
in_port_t
	 socket_getport(struct sockaddr *);
int	 socket_setport(struct sockaddr *, in_port_t);
int	 socket_getaddr(int, struct sockaddr_storage *);
int	 socket_bypass(int, struct sockaddr *);
int	 udp_bind(struct sockaddr *, in_port_t);
ssize_t	 sendtofrom(int, void *, size_t, int, struct sockaddr *,
	    socklen_t, struct sockaddr *, socklen_t);
ssize_t	 recvfromto(int, void *, size_t, int, struct sockaddr *,
	    socklen_t *, struct sockaddr *, socklen_t *);
/* Printing helpers; the const char * results are presumably static buffers. */
const char *
	 print_spi(uint64_t, int);
const char *
	 print_map(unsigned int, struct iked_constmap *);
void	 lc_idtype(char *);
void	 print_hex(const uint8_t *, off_t, size_t);
void	 print_hexval(const uint8_t *, off_t, size_t);
void	 print_hexbuf(struct ibuf *);
const char *
	 print_bits(unsigned short, unsigned char *);
/* Used by the IKED_ADDR_EQ/IKED_ADDR_NEQ macros; the int is the prefix length. */
int	 sockaddr_cmp(struct sockaddr *, struct sockaddr *, int);
uint8_t	 mask2prefixlen(struct sockaddr *);
uint8_t	 mask2prefixlen6(struct sockaddr *);
struct in6_addr *
	 prefixlen2mask6(uint8_t, uint32_t *);
uint32_t
	 prefixlen2mask(uint8_t);
const char *
	 print_addr(void *);
/* Non-const returns: ownership (who frees) is not visible here — see util.c. */
char	*get_string(uint8_t *, size_t);
const char *
	 print_proto(uint8_t);
int	 expand_string(char *, size_t, const char *, const char *);
uint8_t	*string2unicode(const char *, size_t *);
/* Format strings are compiler-checked against the variadic arguments. */
void	 print_debug(const char *, ...)
	    __attribute__((format(printf, 1, 2)));
void	 print_verbose(const char *, ...)
	    __attribute__((format(printf, 1, 2)));

/* imsg_util.c */
struct ibuf *
	 ibuf_new(const void *, size_t);
struct ibuf *
	 ibuf_static(void);
size_t	 ibuf_length(struct ibuf *);
int	 ibuf_setsize(struct ibuf *, size_t);
struct ibuf *
	 ibuf_getdata(struct ibuf *, size_t);
struct ibuf *
	 ibuf_dup(struct ibuf *);
struct ibuf *
	 ibuf_random(size_t);

/* log.c */
/*
 * Logging.  All format strings are compiler-checked; vlog() uses a
 * first-to-check index of 0 because its arguments arrive as a va_list.
 * fatal()/fatalx() are marked __dead and do not return.
 */
void	 log_init(int, int);
void	 log_procinit(const char *);
void	 log_setverbose(int);
int	 log_getverbose(void);
void	 log_warn(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
void	 log_warnx(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
void	 log_info(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
void	 log_debug(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
void	 logit(int, const char *, ...)
	    __attribute__((__format__ (printf, 2, 3)));
void	 vlog(int, const char *, va_list)
	    __attribute__((__format__ (printf, 2, 0)));
__dead void fatal(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));
__dead void fatalx(const char *, ...)
	    __attribute__((__format__ (printf, 1, 2)));

/* ocsp.c */
int	 ocsp_connect(struct iked *, struct imsg *);
int	 ocsp_receive_fd(struct iked *, struct imsg *);
int	 ocsp_validate_cert(struct iked *, void *, size_t, struct iked_sahdr,
	    uint8_t, X509 *);

/* parse.y */
int	 parse_config(const char *, struct iked *);
int	 cmdline_symset(char *);
/* Transform tables defined in parse.y; encxfs is a pointer selected at runtime. */
extern const struct ipsec_xf authxfs[];
extern const struct ipsec_xf prfxfs[];
extern const struct ipsec_xf *encxfs;
extern const struct ipsec_xf ikeencxfs[];
extern const struct ipsec_xf ipsecencxfs[];
extern const struct ipsec_xf groupxfs[];
extern const struct ipsec_xf esnxfs[];
extern const struct ipsec_xf methodxfs[];
extern const struct ipsec_xf saxfs[];
extern const struct ipsec_xf cpxfs[];
size_t	 keylength_xf(unsigned int, unsigned int, unsigned int);
size_t	 noncelength_xf(unsigned int, unsigned int);
int	 encxf_noauth(unsigned int);

/* print.c */
void	 print_user(struct iked_user *);
void	 print_policy(struct iked_policy *);
const char *print_xf(unsigned int, unsigned int, const struct ipsec_xf *);

#endif /* IKED_H */
