diff options
Diffstat (limited to 'src/pluto/state.h')
| -rw-r--r-- | src/pluto/state.h | 274 |
1 files changed, 0 insertions, 274 deletions
diff --git a/src/pluto/state.h b/src/pluto/state.h deleted file mode 100644 index a307d9f69..000000000 --- a/src/pluto/state.h +++ /dev/null @@ -1,274 +0,0 @@ -/* state and event objects - * Copyright (C) 1997 Angelos D. Keromytis. - * Copyright (C) 1998-2001 D. Hugh Redelmeier. - * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil - * - * This program is free software; you can redistribute it and/or modify it - * under the terms of the GNU General Public License as published by the - * Free Software Foundation; either version 2 of the License, or (at your - * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. - * - * This program is distributed in the hope that it will be useful, but - * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY - * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License - * for more details. - */ - -#ifndef _STATE_H -#define _STATE_H - -#include <sys/types.h> -#include <sys/socket.h> -#include <netinet/in.h> -#include <time.h> - -#include <crypto/diffie_hellman.h> - -#include "defs.h" -#include "connections.h" - -/* Message ID mechanism. - * - * A Message ID is contained in each IKE message header. - * For Phase 1 exchanges (Main and Aggressive), it will be zero. - * For other exchanges, which must be under the protection of an - * ISAKMP SA, the Message ID must be unique within that ISAKMP SA. - * Effectively, this labels the message as belonging to a particular - * exchange. - * - * RFC2408 "ISAKMP" 3.1 "ISAKMP Header Format" (near end) states that - * the Message ID must be unique. We interpret this to be "unique within - * one ISAKMP SA". - * - * BTW, we feel this uniqueness allows rekeying to be somewhat simpler - * than specified by draft-jenkins-ipsec-rekeying-06.txt. - */ - -typedef u_int32_t msgid_t; /* Network order! */ -#define MAINMODE_MSGID ((msgid_t) 0) - -struct state; /* forward declaration of tag */ -extern bool reserve_msgid(struct state *isakmp_sa, msgid_t msgid); -extern msgid_t generate_msgid(struct state *isakmp_sa); - - -/* Oakley (Phase 1 / Main Mode) transform and attributes - * This is a flattened/decoded version of what is represented - * in the Transaction Payload. - * Names are chosen to match corresponding names in state. - */ -struct oakley_trans_attrs { - u_int16_t encrypt; /* Encryption algorithm */ - u_int16_t enckeylen; /* encryption key len (bits) */ - const struct encrypt_desc *encrypter; /* package of encryption routines */ - u_int16_t hash; /* Hash algorithm */ - const struct hash_desc *hasher; /* package of hashing routines */ - u_int16_t auth; /* Authentication method */ - const struct dh_desc *group; /* Diffie-Hellman group */ - time_t life_seconds; /* When this SA expires (seconds) */ - u_int32_t life_kilobytes; /* When this SA is exhausted (kilobytes) */ -#if 0 /* not yet */ - u_int16_t prf; /* Pseudo Random Function */ -#endif -}; - -/* IPsec (Phase 2 / Quick Mode) transform and attributes - * This is a flattened/decoded version of what is represented - * by a Transaction Payload. There may be one for AH, one - * for ESP, and a funny one for IPCOMP. - */ -struct ipsec_trans_attrs { - u_int8_t transid; /* transform id */ - ipsec_spi_t spi; /* his SPI */ - time_t life_seconds; /* When this SA expires */ - u_int32_t life_kilobytes; /* When this SA expires */ - u_int16_t encapsulation; - u_int16_t auth; - u_int16_t key_len; - u_int16_t key_rounds; -#if 0 /* not implemented yet */ - u_int16_t cmprs_dict_sz; - u_int32_t cmprs_alg; -#endif -}; - -/* IPsec per protocol state information */ -struct ipsec_proto_info { - bool present; /* was this transform specified? */ - struct ipsec_trans_attrs attrs; - ipsec_spi_t our_spi; - u_int16_t keymat_len; /* same for both */ - u_char *our_keymat; - u_char *peer_keymat; -}; - -/* state object: record the state of a (possibly nascent) SA - * - * Invariants (violated only during short transitions): - * - each state object will be in statetable exactly once. - * - each state object will always have a pending event. - * This prevents leaks. - */ -struct state -{ - so_serial_t st_serialno; /* serial number (for seniority) */ - so_serial_t st_clonedfrom; /* serial number of parent */ - - struct connection *st_connection; /* connection for this SA */ - - int st_whack_sock; /* fd for our Whack TCP socket. - * Single copy: close when freeing struct. - */ - - struct msg_digest *st_suspended_md; /* suspended state-transition */ - - struct oakley_trans_attrs st_oakley; - - struct ipsec_proto_info st_ah; - struct ipsec_proto_info st_esp; - struct ipsec_proto_info st_ipcomp; - ipsec_spi_t st_tunnel_in_spi; /* KLUDGE */ - ipsec_spi_t st_tunnel_out_spi; /* KLUDGE */ - - const struct dh_desc *st_pfs_group; /* group for Phase 2 PFS */ - - u_int32_t st_doi; /* Domain of Interpretation */ - u_int32_t st_situation; - - lset_t st_policy; /* policy for IPsec SA */ - - msgid_t st_msgid; /* MSG-ID from header. Network Order! */ - - /* only for a state representing an ISAKMP SA */ - struct msgid_list *st_used_msgids; /* used-up msgids */ - -/* symmetric stuff */ - - /* initiator stuff */ - chunk_t st_gi; /* Initiator public value */ - u_int8_t st_icookie[COOKIE_SIZE];/* Initiator Cookie */ - chunk_t st_ni; /* Ni nonce */ - - /* responder stuff */ - chunk_t st_gr; /* Responder public value */ - u_int8_t st_rcookie[COOKIE_SIZE];/* Responder Cookie */ - chunk_t st_nr; /* Nr nonce */ - - - /* my stuff */ - - chunk_t st_tpacket; /* Transmitted packet */ - - /* Phase 2 ID payload info about my user */ - u_int8_t st_myuserprotoid; /* IDcx.protoid */ - u_int16_t st_myuserport; - - /* his stuff */ - - chunk_t st_rpacket; /* Received packet */ - - /* Phase 2 ID payload info about peer's user */ - u_int8_t st_peeruserprotoid; /* IDcx.protoid */ - u_int16_t st_peeruserport; - -/* end of symmetric stuff */ - - diffie_hellman_t *st_dh; /* Our local DH secret value */ - chunk_t st_shared; /* Derived shared secret - * Note: during Quick Mode, - * presence indicates PFS - * selected. - */ - - /* In a Phase 1 state, preserve peer's public key after authentication */ - struct pubkey *st_peer_pubkey; - - enum state_kind st_state; /* State of exchange */ - u_int8_t st_retransmit; /* Number of retransmits */ - unsigned long st_try; /* number of times rekeying attempted */ - /* 0 means the only time */ - time_t st_margin; /* life after EVENT_SA_REPLACE */ - unsigned long st_outbound_count; /* traffic through eroute */ - time_t st_outbound_time; /* time of last change to st_outbound_count */ - chunk_t st_p1isa; /* Phase 1 initiator SA (Payload) for HASH */ - chunk_t st_skeyid; /* Key material */ - chunk_t st_skeyid_d; /* KM for non-ISAKMP key derivation */ - chunk_t st_skeyid_a; /* KM for ISAKMP authentication */ - chunk_t st_skeyid_e; /* KM for ISAKMP encryption */ - u_char st_iv[MAX_DIGEST_LEN]; /* IV for encryption */ - u_char st_new_iv[MAX_DIGEST_LEN]; - u_char st_ph1_iv[MAX_DIGEST_LEN]; /* IV at end if phase 1 */ - unsigned int st_iv_len; - unsigned int st_new_iv_len; - unsigned int st_ph1_iv_len; - - chunk_t st_enc_key; /* Oakley Encryption key */ - - struct event *st_event; /* backpointer for certain events */ - struct state *st_hashchain_next; /* Next in list */ - struct state *st_hashchain_prev; /* Previous in list */ - - struct { - bool vars_set; - bool started; - } st_modecfg; - - struct { - int attempt; - bool started; - bool status; - } st_xauth; - - u_int32_t nat_traversal; - ip_address nat_oa; - - /* RFC 3706 Dead Peer Detection */ - bool st_dpd; /* Peer supports DPD */ - time_t st_last_dpd; /* Time of last DPD transmit */ - u_int32_t st_dpd_seqno; /* Next R_U_THERE to send */ - u_int32_t st_dpd_expectseqno; /* Next R_U_THERE_ACK to receive */ - u_int32_t st_dpd_peerseqno; /* global variables */ - struct event *st_dpd_event; /* backpointer for DPD events */ - - u_int32_t st_seen_vendorid; /* Bit field about recognized Vendor ID */ -}; - -/* global variables */ - -extern u_int16_t pluto_port; /* Pluto's port */ - -extern bool states_use_connection(struct connection *c); - -/* state functions */ - -extern struct state *new_state(void); -extern void init_states(void); -extern void insert_state(struct state *st); -extern void unhash_state(struct state *st); -extern void release_whack(struct state *st); -extern void state_eroute_usage(ip_subnet *ours, ip_subnet *his - , unsigned long count, time_t nw); -extern void delete_state(struct state *st); -extern void delete_states_by_connection(struct connection *c, bool relations); - -extern struct state - *duplicate_state(struct state *st), - *find_state(const u_char *icookie - , const u_char *rcookie - , const ip_address *peer - , msgid_t msgid), - *state_with_serialno(so_serial_t sn), - *find_phase2_state_to_delete(const struct state *p1st, u_int8_t protoid - , ipsec_spi_t spi, bool *bogus), - *find_phase1_state(const struct connection *c, lset_t ok_states), - *find_sender(size_t packet_len, u_char *packet); - -extern void show_states_status(bool all, const char *name); -extern void for_each_state(void *(f)(struct state *, void *data), void *data); -extern ipsec_spi_t uniquify_his_cpi(ipsec_spi_t cpi, struct state *st); -extern void fmt_state(bool all, struct state *st, time_t n - , char *state_buf, size_t state_buf_len - , char *state_buf2, size_t state_buf_len2); -extern void delete_states_by_peer(ip_address *peer); - -#endif /* _STATE_H */ |