1 /* $OpenBSD: sa.h,v 1.49 2006/11/24 13:52:14 reyk Exp $ */
2 /* $EOM: sa.h,v 1.58 2000/10/10 12:39:01 provos Exp $ */
5 * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist. All rights reserved.
6 * Copyright (c) 1999, 2001 Angelos D. Keromytis. All rights reserved.
7 * Copyright (c) 2004 Håkan Olsson. All rights reserved.
9 * Redistribution and use in source and binary forms, with or without
10 * modification, are permitted provided that the following conditions
12 * 1. Redistributions of source code must retain the above copyright
13 * notice, this list of conditions and the following disclaimer.
14 * 2. Redistributions in binary form must reproduce the above copyright
15 * notice, this list of conditions and the following disclaimer in the
16 * documentation and/or other materials provided with the distribution.
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
31 * This code was written under funding by Ericsson Radio Systems.
37 #include <sys/param.h>
38 #include <sys/types.h>
39 #include <sys/queue.h>
40 #include <sys/socket.h>
/*
 * Remove a SA if it has not been fully negotiated in this time.
 * NOTE(review): the unit is not stated here and the timer code that
 * consumes this value is outside this view -- presumably seconds; confirm
 * before tuning it.  Bounding the lifetime of half-negotiated SAs keeps a
 * peer that never completes an exchange from pinning state indefinitely.
 */
#define SA_NEGOTIATION_MAX_TIME 120
57 /* A protection suite consists of a set of protocol descriptions like this. */
59 /* Link to the next protocol in the suite. */
60 TAILQ_ENTRY(proto) link;
62 /* The SA we belong to. */
65 /* The protocol number as found in the proposal payload. */
68 /* The protocol this SA is for. */
72 * Security parameter index info. Element 0 - outgoing, 1 -
79 * The chosen transform, only valid while the incoming SA payload that
80 * held it is available for duplicate testing.
82 struct payload *chosen;
84 /* The chosen transform's ID. */
87 /* DOI-specific data. */
90 /* Proposal transforms data, for validating the responders selection. */
91 TAILQ_HEAD(proto_attr_head, proto_attr) xfs;
96 /* Link to next transform. */
97 TAILQ_ENTRY(proto_attr) next;
99 /* Transform attribute data and size, suitable for attribute_map(). */
105 /* Link to SAs with the same hash value. */
109 * When several SA's are being negotiated in one message we connect
110 * them through this link.
112 TAILQ_ENTRY(sa) next;
115 * A name of the major policy deciding offers and acceptable
120 /* The transport this SA got negotiated over. */
121 struct transport *transport;
123 /* Both initiator and responder cookies. */
124 u_int8_t cookies[ISAKMP_HDR_COOKIES_LEN];
126 /* The message ID signifying non-ISAKMP SAs. */
127 u_int8_t message_id[ISAKMP_HDR_MESSAGE_ID_LEN];
129 /* The protection suite chosen. */
130 TAILQ_HEAD(proto_head, proto) protos;
132 /* The exchange type we should use when rekeying. */
135 /* Phase is 1 for ISAKMP SAs, and 2 for application ones. */
138 /* A reference counter for this structure. */
141 /* Various flags, look below for descriptions. */
144 /* The DOI that is to handle DOI-specific issues for this SA. */
148 * Crypto info needed to encrypt/decrypt packets protected by this
151 struct keystate *keystate;
153 /* IDs from Phase 1 */
159 /* Set if we were the initiator of the SA/exchange in Phase 1 */
162 /* Policy session ID, where applicable, copied over from the exchange */
166 * The key used to authenticate phase 1, in printable format, used
172 * Certificates or other information from Phase 1; these are copied
173 * from the exchange, so look at exchange.h for an explanation of
176 int recv_certtype, recv_keytype;
177 /* Certificate received from peer, native format. */
179 /* Key peer used to authenticate, native format. */
183 * Certificates or other information we used to authenticate to the
187 /* Certificate (to be) sent to peer, native format. */
190 /* DOI-specific opaque data. */
197 /* ACQUIRE sequence number */
200 /* The events that will occur when an SA has timed out. */
201 struct event *soft_death;
204 struct event *nat_t_keepalive;
206 /* IKE DPD (RFC3706) message sequence number. */
207 u_int32_t dpd_seq; /* sent */
208 u_int32_t dpd_rseq; /* received */
209 u_int32_t dpd_failcount; /* # of subsequent failures */
210 u_int32_t dpd_rdupcount; /* # of subsequent duplicates */
211 struct event *dpd_event; /* time of next event */
213 /* The pf tag to add to packets matching the established SA. */
/*
 * SA state flags.  Presumably these populate the flags word described by
 * the "Various flags, look below for descriptions" comment in struct sa
 * above -- confirm against the member's declaration.  Each value is a
 * distinct power of two, so flags can be OR'ed together and tested
 * individually; 0x100 and 0x200 do not fit in a single byte, so the
 * holding member must be wider than u_int8_t.
 */
/* This SA is alive. */
#define SA_FLAG_READY 0x01
/* Renegotiate the SA at each expiry. */
#define SA_FLAG_STAYALIVE 0x02
/* Establish the SA when it is needed. */
#define SA_FLAG_ONDEMAND 0x04
/* This SA has been replaced by another newer one. */
#define SA_FLAG_REPLACED 0x08
/* This SA has seen a soft timeout and wants to be renegotiated on use. */
#define SA_FLAG_FADING 0x10
/* This SA should always be actively renegotiated (with us as initiator). */
#define SA_FLAG_ACTIVE_ONLY 0x20
/* This SA flag is a placeholder for a TRANSACTION exchange "SA flag". */
#define SA_FLAG_IKECFG 0x40
/* This SA flag indicates if we should do DPD with the phase 1 SA peer. */
#define SA_FLAG_DPD 0x80
/*
 * NAT-T encapsulation state. Kept in isakmp_sa for the new p2 exchange.
 * NOTE(review): the distinction between ENABLE and KEEPALIVE is not
 * documented here; the code that sets them is outside this view -- confirm
 * which one gates the nat_t_keepalive event declared in struct sa above.
 */
#define SA_FLAG_NAT_T_ENABLE 0x100
#define SA_FLAG_NAT_T_KEEPALIVE 0x200
/*
 * Public interface of the SA module.  Only the prototypes are visible
 * here; the notes below are limited to what the signatures show and are
 * hedged where the meaning of an argument cannot be read off the type.
 * NOTE(review): parameter names are omitted from every prototype except
 * proto_free, whose declarator spacing (`struct proto * proto`) also
 * differs from the rest -- worth aligning for consistency.
 */
/* Presumably releases one struct proto (a protocol description, see above). */
extern void proto_free(struct proto * proto);
/* NOTE(review): this declaration continues on a line not shown in this view. */
extern int sa_add_transform(struct sa *, struct payload *, int,
extern int sa_create(struct exchange *, struct transport *);
extern int sa_enter(struct sa *);
/* The int's meaning is not visible here -- confirm before passing a value. */
extern void sa_delete(struct sa *, int);
extern void sa_teardown_all(void);
/*
 * Generic search with a caller-supplied predicate; the trailing void * is
 * the opaque argument handed to that predicate for each candidate SA.
 */
extern struct sa *sa_find(int (*) (struct sa *, void *), void *);
/* Takes a non-const string; assume it may be modified until confirmed otherwise. */
extern int sa_flag(char *);
extern void sa_free(struct sa *);
extern void sa_init(void);
extern void sa_reinit(void);
extern struct sa *sa_isakmp_lookup_by_peer(struct sockaddr *, socklen_t);
extern void sa_isakmp_upgrade(struct message *);
/*
 * The two u_int8_t * arguments match the types of the cookies and
 * message_id arrays in struct sa above -- presumably those are what is
 * looked up; confirm the expected lengths at the call sites.
 */
extern struct sa *sa_lookup(u_int8_t *, u_int8_t *);
extern struct sa *sa_lookup_by_peer(struct sockaddr *, socklen_t, int);
/*
 * No explicit buffer length accompanies the u_int8_t * here (the int's role
 * is not visible in this view), so the caller must guarantee the buffer
 * holds a complete ISAKMP header before calling -- confirm where the
 * length check lives.
 */
extern struct sa *sa_lookup_by_header(u_int8_t *, int);
extern struct sa *sa_lookup_by_name(char *, int);
/* Same caveat: the pointer must cover a full initiator cookie; no size is passed. */
extern struct sa *sa_lookup_from_icookie(u_int8_t *);
extern struct sa *sa_lookup_isakmp_sa(struct sockaddr *, u_int8_t *);
/* See SA_FLAG_REPLACED below; presumably sets it -- confirm. */
extern void sa_mark_replaced(struct sa *);
/*
 * Presumably the pair that adjusts the reference counter mentioned in
 * struct sa above; which one frees the SA when the count drops to zero is
 * not visible here -- confirm before adding new callers.
 */
extern void sa_reference(struct sa *);
extern void sa_release(struct sa *);
extern void sa_remove(struct sa *);
extern void sa_report(void);
extern void sa_dump(int, int, char *, struct sa *);
/*
 * FILE requires <stdio.h>; it is not among the includes visible at the top
 * of this view, so includers presumably provide it -- confirm.
 */
extern void sa_report_all(FILE *);
extern int sa_setup_expirations(struct sa *);
275 * This structure contains most of the data of the in-kernel SA.
276 * Currently only used to collect the tdb_last_used time for DPD.
279 u_int32_t flags; /* /usr/include/netinet/ip_ipsp.h */
281 u_int32_t exp_allocations;
282 u_int32_t soft_allocations;
283 u_int32_t cur_allocations;
286 u_int64_t soft_bytes;
289 u_int64_t exp_timeout;
290 u_int64_t soft_timeout;
293 u_int64_t established;
294 u_int64_t soft_first_use;
295 u_int64_t exp_first_use;
299 struct sockaddr_storage dst;
300 struct sockaddr_storage src;
301 struct sockaddr_storage proxy;
304 u_int16_t udpencap_port;