1 files changed, 318 insertions, 0 deletions
diff --git a/keyexchange/isakmpd-20041012/sa.h b/keyexchange/isakmpd-20041012/sa.h
new file mode 100644
index 0000000..4f6100f
--- /dev/null
+++ b/keyexchange/isakmpd-20041012/sa.h
@@ -0,0 +1,318 @@
+/* $OpenBSD: sa.h,v 1.41 2004/08/10 15:59:10 ho Exp $	 */
+/* $EOM: sa.h,v 1.58 2000/10/10 12:39:01 provos Exp $	 */
+
+/*
+ * Copyright (c) 1998, 1999, 2001 Niklas Hallqvist.  All rights reserved.
+ * Copyright (c) 1999, 2001 Angelos D. Keromytis.  All rights reserved.
+ * Copyright (c) 2004 Håkan Olsson.  All rights reserved.
+ *
+ * Redistribution and use in source and binary forms, with or without
+ * modification, are permitted provided that the following conditions
+ * are met:
+ * 1. Redistributions of source code must retain the above copyright
+ *    notice, this list of conditions and the following disclaimer.
+ * 2. Redistributions in binary form must reproduce the above copyright
+ *    notice, this list of conditions and the following disclaimer in the
+ *    documentation and/or other materials provided with the distribution.
+ *
+ * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
+ * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
+ * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
+ * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
+ * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
+ * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
+ * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
+ * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
+ * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+ */
+
+/*
+ * This code was written under funding by Ericsson Radio Systems.
+ */
+
+#ifndef _SA_H_
+#define _SA_H_
+
+#include <sys/param.h>
+#include <sys/types.h>
+#include <sys/queue.h>
+#include <sys/socket.h>
+
+#include "isakmp.h"
+
+/* Remove a SA if it has not been fully negotiated in this time.  */
+#define SA_NEGOTIATION_MAX_TIME 120
+
+struct crypto_xf;
+struct doi;
+struct event;
+struct exchange;
+struct keystate;
+struct message;
+struct payload;
+struct proto_attr;
+struct sa;
+struct transport;
+
+/* A protection suite consists of a set of protocol descriptions like this.  */
+struct proto {
+	/* Link to the next protocol in the suite.  */
+	TAILQ_ENTRY(proto) link;
+
+	/* The SA we belong to.  */
+	struct sa      *sa;
+
+	/* The protocol number as found in the proposal payload.  */
+	u_int8_t        no;
+
+	/* The protocol this SA is for.  */
+	u_int8_t        proto;
+
+	/*
+	 * Security parameter index info.  Element 0 - outgoing, 1 -
+	 * incoming.
+	 */
+	u_int8_t        spi_sz[2];
+	u_int8_t       *spi[2];
+
+	/*
+	 * The chosen transform, only valid while the incoming SA payload that
+	 * held it is available for duplicate testing.
+         */
+	struct payload *chosen;
+
+	/* The chosen transform's ID.  */
+	u_int8_t        id;
+
+	/* DOI-specific data.  */
+	void           *data;
+
+	/* Proposal transforms data, for validating the responders selection. */
+	                TAILQ_HEAD(proto_attr_head, proto_attr) xfs;
+	size_t          xf_cnt;
+};
+
+struct proto_attr {
+	/* Link to next transform.  */
+	TAILQ_ENTRY(proto_attr) next;
+
+	/* Transform attribute data and size, suitable for attribute_map().  */
+	u_int8_t       *attrs;
+	size_t          len;
+};
+
+struct sa {
+	/* Link to SAs with the same hash value.  */
+	LIST_ENTRY(sa) link;
+
+	/*
+	 * When several SA's are being negotiated in one message we connect
+	 * them through this link.
+         */
+	TAILQ_ENTRY(sa) next;
+
+	/*
+	 * A name of the major policy deciding offers and acceptable
+	 * proposals.
+	 */
+	char           *name;
+
+	/* The transport this SA got negotiated over.  */
+	struct transport *transport;
+
+	/* Both initiator and responder cookies.  */
+	u_int8_t        cookies[ISAKMP_HDR_COOKIES_LEN];
+
+	/* The message ID signifying non-ISAKMP SAs.  */
+	u_int8_t        message_id[ISAKMP_HDR_MESSAGE_ID_LEN];
+
+	/* The protection suite chosen.  */
+	TAILQ_HEAD(proto_head, proto) protos;
+
+	/* The exchange type we should use when rekeying.  */
+	u_int8_t        exch_type;
+
+	/* Phase is 1 for ISAKMP SAs, and 2 for application ones.  */
+	u_int8_t        phase;
+
+	/* A reference counter for this structure.  */
+	u_int16_t       refcnt;
+
+	/* Various flags, look below for descriptions.  */
+	u_int32_t       flags;
+
+	/* The DOI that is to handle DOI-specific issues for this SA.  */
+	struct doi     *doi;
+
+	/*
+	 * Crypto info needed to encrypt/decrypt packets protected by this
+	 * SA.
+	 */
+	struct crypto_xf *crypto;
+	int             key_length;
+	struct keystate *keystate;
+
+	/* IDs from Phase 1 */
+	u_int8_t       *id_i;
+	size_t          id_i_len;
+	u_int8_t       *id_r;
+	size_t          id_r_len;
+
+	/* Set if we were the initiator of the SA/exchange in Phase 1 */
+	int             initiator;
+
+	/* Policy session ID, where applicable, copied over from the exchange */
+	int             policy_id;
+
+	/*
+	 * The key used to authenticate phase 1, in printable format, used
+	 * only by KeyNote.
+         */
+	char           *keynote_key;
+
+	/*
+	 * Certificates or other information from Phase 1; these are copied
+	 * from the exchange, so look at exchange.h for an explanation of
+	 * their use.
+         */
+	int             recv_certtype, recv_keytype;
+	/* Certificate received from peer, native format.  */
+	void           *recv_cert;
+	/* Key peer used to authenticate, native format.  */
+	void           *recv_key;
+
+	/*
+	 * Certificates or other information we used to authenticate to the
+	 * peer, Phase 1.
+         */
+	int             sent_certtype;
+	/* Certificate (to be) sent to peer, native format.  */
+	void           *sent_cert;
+
+	/* DOI-specific opaque data.  */
+	void           *data;
+
+	/* Lifetime data.  */
+	u_int64_t       seconds;
+	u_int64_t       kilobytes;
+
+	/* ACQUIRE sequence number */
+	u_int32_t       seq;
+
+	/* The events that will occur when an SA has timed out.  */
+	struct event   *soft_death;
+	struct event   *death;
+
+#if defined (USE_NAT_TRAVERSAL)
+	struct event   *nat_t_keepalive;
+#endif
+
+#if defined (USE_DPD)
+	/* IKE DPD (RFC3706) message sequence number.  */
+	u_int32_t	dpd_seq;	/* sent */
+	u_int32_t	dpd_rseq;	/* recieved */
+	u_int32_t	dpd_failcount;	/* # of subsequent failures */
+	struct event   *dpd_event;	/* time of next event */
+#endif
+};
+
+/* This SA is alive.  */
+#define SA_FLAG_READY		0x01
+
+/* Renegotiate the SA at each expiry.  */
+#define SA_FLAG_STAYALIVE	0x02
+
+/* Establish the SA when it is needed.  */
+#define SA_FLAG_ONDEMAND	0x04
+
+/* This SA has been replaced by another newer one.  */
+#define SA_FLAG_REPLACED	0x08
+
+/* This SA has seen a soft timeout and wants to be renegotiated on use.  */
+#define SA_FLAG_FADING		0x10
+
+/* This SA should always be actively renegotiated (with us as initiator).  */
+#define SA_FLAG_ACTIVE_ONLY	0x20
+
+/* This SA flag is a placeholder for a TRANSACTION exchange "SA flag".  */
+#define SA_FLAG_IKECFG		0x40
+
+/* This SA flag indicates if we should do DPD with the phase 1 SA peer.  */
+#define SA_FLAG_DPD		0x80
+
+/* NAT-T encapsulation state. Kept in isakmp_sa for the new p2 exchange.  */
+#define SA_FLAG_NAT_T_ENABLE	0x100
+#define SA_FLAG_NAT_T_KEEPALIVE	0x200
+
+extern void     proto_free(struct proto * proto);
+extern int	sa_add_transform(struct sa *, struct payload *, int,
+		    struct proto **);
+extern int      sa_create(struct exchange *, struct transport *);
+extern int      sa_enter(struct sa *);
+extern void     sa_delete(struct sa *, int);
+extern void     sa_teardown_all(void);
+extern struct sa *sa_find(int (*) (struct sa *, void *), void *);
+extern int      sa_flag(char *);
+extern void     sa_free(struct sa *);
+extern void     sa_init(void);
+extern void     sa_reinit(void);
+extern struct sa *sa_isakmp_lookup_by_peer(struct sockaddr *, socklen_t);
+extern void     sa_isakmp_upgrade(struct message *);
+extern struct sa *sa_lookup(u_int8_t *, u_int8_t *);
+extern struct sa *sa_lookup_by_peer(struct sockaddr *, socklen_t);
+extern struct sa *sa_lookup_by_header(u_int8_t *, int);
+extern struct sa *sa_lookup_by_name(char *, int);
+extern struct sa *sa_lookup_from_icookie(u_int8_t *);
+extern struct sa *sa_lookup_isakmp_sa(struct sockaddr *, u_int8_t *);
+extern void     sa_mark_replaced(struct sa *);
+extern void     sa_reference(struct sa *);
+extern void     sa_release(struct sa *);
+extern void     sa_remove(struct sa *);
+extern void     sa_report(void);
+extern void     sa_dump(int, int, char *, struct sa *);
+extern void     sa_report_all(FILE *);
+extern int      sa_setup_expirations(struct sa *);
+
+/*
+ * This structure contains most of the data of the in-kernel SA.
+ * Currently only used to collect the tdb_last_used time for DPD.
+ */
+struct sa_kinfo {
+	u_int32_t	flags;		/* /usr/include/netinet/ip_ipsp.h */
+
+	u_int32_t	exp_allocations;
+	u_int32_t	soft_allocations;
+	u_int32_t	cur_allocations;
+
+	u_int64_t	exp_bytes;
+	u_int64_t	soft_bytes;
+	u_int64_t	cur_bytes;
+
+	u_int64_t	exp_timeout;
+	u_int64_t	soft_timeout;
+	
+	u_int64_t	first_use;
+	u_int64_t	established;
+	u_int64_t	soft_first_use;
+	u_int64_t	exp_first_use;
+
+	u_int64_t	last_used;
+	u_int64_t	last_marked;
+
+	struct sockaddr_storage	dst;
+	struct sockaddr_storage	src;
+	struct sockaddr_storage	proxy;
+
+	u_int32_t	spi;
+	u_int32_t	rpl;
+	u_int16_t	udpencap_port;
+	u_int16_t	amxkeylen;
+	u_int16_t	emxkeylen;
+	u_int16_t	ivlen;
+	u_int8_t	sproto;
+	u_int8_t	wnd;
+	u_int8_t	satype;
+};
+
+#endif				/* _SA_H_ */