// SoftEther VPN Source Code - Stable Edition Repository // Cedar Communication Module // // SoftEther VPN Server, Client and Bridge are free software under the Apache License, Version 2.0. // // Copyright (c) Daiyuu Nobori. // Copyright (c) SoftEther VPN Project, University of Tsukuba, Japan. // Copyright (c) SoftEther Corporation. // Copyright (c) all contributors on SoftEther VPN project in GitHub. // // All Rights Reserved. // // http://www.softether.org/ // // This stable branch is officially managed by Daiyuu Nobori, the owner of SoftEther VPN Project. // Pull requests should be sent to the Developer Edition Master Repository on https://github.com/SoftEtherVPN/SoftEtherVPN // // License: The Apache License, Version 2.0 // https://www.apache.org/licenses/LICENSE-2.0 // // DISCLAIMER // ========== // // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE // SOFTWARE. // // THIS SOFTWARE IS DEVELOPED IN JAPAN, AND DISTRIBUTED FROM JAPAN, UNDER // JAPANESE LAWS. YOU MUST AGREE IN ADVANCE TO USE, COPY, MODIFY, MERGE, PUBLISH, // DISTRIBUTE, SUBLICENSE, AND/OR SELL COPIES OF THIS SOFTWARE, THAT ANY // JURIDICAL DISPUTES WHICH ARE CONCERNED TO THIS SOFTWARE OR ITS CONTENTS, // AGAINST US (SOFTETHER PROJECT, SOFTETHER CORPORATION, DAIYUU NOBORI OR OTHER // SUPPLIERS), OR ANY JURIDICAL DISPUTES AGAINST US WHICH ARE CAUSED BY ANY KIND // OF USING, COPYING, MODIFYING, MERGING, PUBLISHING, DISTRIBUTING, SUBLICENSING, // AND/OR SELLING COPIES OF THIS SOFTWARE SHALL BE REGARDED AS BE CONSTRUED AND // CONTROLLED BY JAPANESE LAWS, AND YOU MUST FURTHER CONSENT TO EXCLUSIVE // JURISDICTION AND VENUE IN THE COURTS SITTING IN TOKYO, JAPAN. YOU MUST WAIVE // ALL DEFENSES OF LACK OF PERSONAL JURISDICTION AND FORUM NON CONVENIENS. // PROCESS MAY BE SERVED ON EITHER PARTY IN THE MANNER AUTHORIZED BY APPLICABLE // LAW OR COURT RULE. // // USE ONLY IN JAPAN. DO NOT USE THIS SOFTWARE IN ANOTHER COUNTRY UNLESS YOU HAVE // A CONFIRMATION THAT THIS SOFTWARE DOES NOT VIOLATE ANY CRIMINAL LAWS OR CIVIL // RIGHTS IN THAT PARTICULAR COUNTRY. USING THIS SOFTWARE IN OTHER COUNTRIES IS // COMPLETELY AT YOUR OWN RISK. THE SOFTETHER VPN PROJECT HAS DEVELOPED AND // DISTRIBUTED THIS SOFTWARE TO COMPLY ONLY WITH THE JAPANESE LAWS AND EXISTING // CIVIL RIGHTS INCLUDING PATENTS WHICH ARE SUBJECTS APPLY IN JAPAN. OTHER // COUNTRIES' LAWS OR CIVIL RIGHTS ARE NONE OF OUR CONCERNS NOR RESPONSIBILITIES. // WE HAVE NEVER INVESTIGATED ANY CRIMINAL REGULATIONS, CIVIL LAWS OR // INTELLECTUAL PROPERTY RIGHTS INCLUDING PATENTS IN ANY OF OTHER 200+ COUNTRIES // AND TERRITORIES. BY NATURE, THERE ARE 200+ REGIONS IN THE WORLD, WITH // DIFFERENT LAWS. IT IS IMPOSSIBLE TO VERIFY EVERY COUNTRIES' LAWS, REGULATIONS // AND CIVIL RIGHTS TO MAKE THE SOFTWARE COMPLY WITH ALL COUNTRIES' LAWS BY THE // PROJECT. EVEN IF YOU WILL BE SUED BY A PRIVATE ENTITY OR BE DAMAGED BY A // PUBLIC SERVANT IN YOUR COUNTRY, THE DEVELOPERS OF THIS SOFTWARE WILL NEVER BE // LIABLE TO RECOVER OR COMPENSATE SUCH DAMAGES, CRIMINAL OR CIVIL // RESPONSIBILITIES. NOTE THAT THIS LINE IS NOT LICENSE RESTRICTION BUT JUST A // STATEMENT FOR WARNING AND DISCLAIMER. // // READ AND UNDERSTAND THE 'WARNING.TXT' FILE BEFORE USING THIS SOFTWARE. // SOME SOFTWARE PROGRAMS FROM THIRD PARTIES ARE INCLUDED ON THIS SOFTWARE WITH // LICENSE CONDITIONS WHICH ARE DESCRIBED ON THE 'THIRD_PARTY.TXT' FILE. // // // SOURCE CODE CONTRIBUTION // ------------------------ // // Your contribution to SoftEther VPN Project is much appreciated. // Please send patches to us through GitHub. // Read the SoftEther VPN Patch Acceptance Policy in advance: // http://www.softether.org/5-download/src/9.patch // // // DEAR SECURITY EXPERTS // --------------------- // // If you find a bug or a security vulnerability please kindly inform us // about the problem immediately so that we can fix the security problem // to protect a lot of users around the world as soon as possible. // // Our e-mail address for security reports is: // softether-vpn-security [at] softether.org // // Please note that the above e-mail address is not a technical support // inquiry address. If you need technical assistance, please visit // http://www.softether.org/ and ask your question on the users forum. // // Thank you for your cooperation. // // // NO MEMORY OR RESOURCE LEAKS // --------------------------- // // The memory-leaks and resource-leaks verification under the stress // test has been passed before release this source code. // IPsec_IKE.h // Header of IPsec_IKE.c #ifndef IPSEC_IKE_H #define IPSEC_IKE_H //// Macro //// Constants // State #define IKE_SA_MAIN_MODE 0 // Main mode #define IKE_SA_AGRESSIVE_MODE 1 // Aggressive mode #define IKE_SA_MM_STATE_1_SA 0 // Main mode state 1 (SA exchange is complete. Wait for key exchange) #define IKE_SA_MM_STATE_2_KEY 1 // Main mode state 2 (Key exchange is complete. Wait for exchange ID) #define IKE_SA_MM_STATE_3_ESTABLISHED 2 // Main mode state 3 (ID exchange is complete. Established) #define IKE_SA_AM_STATE_1_SA 0 // Aggressive mode state 1 (SA exchange is completed. Wait for hash) #define IKE_SA_AM_STATE_2_ESTABLISHED 1 // Aggressive mode state 2 (Hash exchange is completed. Established) #define IKE_SA_RESEND_INTERVAL (2 * 1000) // IKE SA packet retransmission interval #define IKE_SA_RAND_SIZE 16 // Size of the random number // ESP #define IKE_ESP_HASH_SIZE 12 // The hash size for the ESP packet // Type of UDP packet #define IKE_UDP_TYPE_ISAKMP 0 // ISAKMP packet (destination 500) #define IKE_UDP_TYPE_ESP 1 // ESP packet (destination 4500) #define IKE_UDP_KEEPALIVE 2 // KeepAlive packet #define IKE_UDP_SPECIAL 3 // Special packet // String for Vendor ID #define IKE_VENDOR_ID_RFC3947_NAT_T "0x4a131c81070358455c5728f20e95452f" #define IKE_VENDOR_ID_IPSEC_NAT_T_IKE_03 "0x7d9419a65310ca6f2c179d9215529d56" #define IKE_VENDOR_ID_IPSEC_NAT_T_IKE_02 "0x90cb80913ebb696e086381b5ec427b1f" #define IKE_VENDOR_ID_IPSEC_NAT_T_IKE_02_2 "0xcd60464335df21f87cfdb2fc68b6a448" #define IKE_VENDOR_ID_IPSEC_NAT_T_IKE_00 "0x4485152d18b6bbcd0be8a8469579ddcc" #define IKE_VENDOR_ID_RFC3706_DPD "0xafcad71368a1f1c96b8696fc77570100" #define IKE_VENDOR_ID_MICROSOFT_L2TP "0x4048b7d56ebce88525e7de7f00d6c2d3" #define IKE_VENDOR_ID_MS_NT5_ISAKMPOAKLEY "0x1e2b516905991c7d7c96fcbfb587e461" #define IKE_VENDOR_ID_MS_VID_INITIALCONTACT "0x26244d38eddb61b3172a36e3d0cfb819" // Quota #define IKE_QUOTA_MAX_NUM_CLIENTS_PER_IP 1000 // The number of IKE_CLIENT per IP address #define IKE_QUOTA_MAX_NUM_CLIENTS 30000 // Limit number of IKE_CLIENT #define IKE_QUOTA_MAX_SA_PER_CLIENT 100 // The limit number of SA for each IKE_CLIENT #define IKE_QUOTA_MAX_INFOMSG_SEND_PER_IP_PER_SEC 20 #define IKE_QUOTA_MAX_INFOMSG_ENTRY_COUNT 100 // Time-out #define IKE_TIMEOUT_FOR_IKE_CLIENT 150000 // IKE_CLIENT non-communication disconnect time #define IKE_TIMEOUT_FOR_IKE_CLIENT_FOR_NOT_ESTABLISHED 10000 // IKE_CLIENT non-communication disconnect time (connection incomplete) #define IKE_INTERVAL_UDP_KEEPALIVE 5000 // UDP KeepAlive transmission interval #define IKE_QUICKMODE_START_INTERVAL 2000 // QuickMode start interval #define IKE_QUICKMODE_FAILED_TIMEOUT 10000 // Maximum time to tolerant that to fail to establish a QuickMode #define IKE_INTERVAL_DPD_KEEPALIVE 10000 // DPD KeepAlive transmission interval // Expiration margin #define IKE_SOFT_EXPIRES_MARGIN 1000 // Expiration margin //// Type // IKE SA transform data struct IKE_SA_TRANSFORM_SETTING { IKE_CRYPTO *Crypto; UINT CryptoKeySize; IKE_HASH *Hash; IKE_DH *Dh; UINT CryptoId; UINT HashId; UINT DhId; UINT LifeKilobytes; UINT LifeSeconds; }; // IPsec SA transforms data struct IPSEC_SA_TRANSFORM_SETTING { IKE_CRYPTO *Crypto; UINT CryptoKeySize; IKE_HASH *Hash; IKE_DH *Dh; UINT CryptoId; UINT HashId; UINT DhId; UINT LifeKilobytes; UINT LifeSeconds; UINT SpiServerToClient; UINT CapsuleMode; bool OnlyCapsuleModeIsInvalid; }; // Function support information struct IKE_CAPS { // Support Information bool NatTraversalRfc3947; // RFC 3947 Negotiation of NAT-Traversal in the IKE bool NatTraversalDraftIetf; // draft-ietf-ipsec-nat-t-ike bool DpdRfc3706; // RFC 3706 A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers bool MS_L2TPIPSecVPNClient; // Vendor ID: Microsoft L2TP/IPSec VPN Client bool MS_NT5_ISAKMP_OAKLEY; // Vendor ID: MS NT5 ISAKMPOAKLEY bool MS_Vid_InitialContact; // Vendor ID: Microsoft Vid-Initial-Contact // Use information bool UsingNatTraversalRfc3947; bool UsingNatTraversalDraftIetf; }; // IKE / IPsec client struct IKE_CLIENT { UINT Id; IP ClientIP; UINT ClientPort; IP ServerIP; UINT ServerPort; IKE_SA *CurrentIkeSa; // IKE SA to be used currently IPSECSA *CurrentIpSecSaRecv; // IPsec SA to be used currently (receive direction) IPSECSA *CurrentIpSecSaSend; // IPsec SA to be currently in use (transmit direction) UINT64 FirstCommTick; // Time the first data communication UINT64 LastCommTick; // Time that made the last communication (received data) time bool Deleting; // Deleting UINT64 NextKeepAliveSendTick; // Time to send the next KeepAlive UINT64 NextDpdSendTick; // Time to send the next DPD UINT DpdSeqNo; // DPD sequence number char ClientId[128]; // ID presented by the client char Secret[MAX_SIZE]; // Secret value of the authentication is successful bool IsMicrosoft; // Whether the client is Microsoft's IPSEC_SA_TRANSFORM_SETTING CachedTransformSetting; // Cached transform attribute value UINT64 CurrentExpiresSoftTick_StoC; // The maximum value of the flexible expiration date of the current (server -> client) UINT64 CurrentExpiresSoftTick_CtoS; // The maximum value of the flexible expiration date of the current (client -> server) UINT CurrentNumEstablishedIPsecSA_StoC; // The number of IPsec SA currently active (server -> client) UINT CurrentNumEstablishedIPsecSA_CtoS; // The number of IPsec SA currently active (client -> server) UINT CurrentNumHealtyIPsecSA_CtoS; // The number of currently available IPsec SA which expiration well within (client -> server) UINT CurrentNumHealtyIPsecSA_StoC; // The number of currently available IPsec SA which expiration well within (server -> client) bool SendID1andID2; // Whether to send the ID in QM UCHAR SendID1_Type, SendID2_Type; UCHAR SendID1_Protocol, SendID2_Protocol; USHORT SendID1_Port, SendID2_Port; BUF *SendID1_Buf, *SendID2_Buf; bool SendNatOaDraft1, SendNatOaDraft2, SendNatOaRfc; // Whether to send the NAT-OA in QM bool StartQuickModeAsSoon; // Flag to indicate to the start of the Quick Mode as soon as possible UINT64 LastQuickModeStartTick; // Time which the last QuickMode started UINT64 NeedQmBeginTick; // Time which a start-up of QuickMode is required // L2TP related L2TP_SERVER *L2TP; // L2TP server UINT L2TPClientPort; // Client-side port number of L2TP IP L2TPServerIP, L2TPClientIP; // IP address used by the L2TP processing bool IsL2TPOnIPsecTunnelMode; // Whether the L2TP is working on IPsec tunnel mode // EtherIP related ETHERIP_SERVER *EtherIP; // EtherIP server bool IsEtherIPOnIPsecTunnelMode; // Whether the EtherIP is working on IPsec tunnel mode // Transport mode related IP TransportModeServerIP; IP TransportModeClientIP; bool ShouldCalcChecksumForUDP; // Flag to calculate the checksum for the UDP packet // Tunnel mode related IP TunnelModeServerIP; // Server-side internal IP address IP TunnelModeClientIP; // Client-side internal IP address USHORT TunnelSendIpId; // ID of the transmission IP header }; // IKE SA struct IKE_SA { UINT Id; IKE_CLIENT *IkeClient; // Pointer to the IKE client UINT64 InitiatorCookie, ResponderCookie; // Cookie UINT Mode; // Mode UINT State; // State BUF *SendBuffer; // Buffer during transmission UINT64 NextSendTick; // Next transmission time UINT64 FirstCommTick; // Time that the first data communication UINT64 EstablishedTick; // Time that the SA has been established UINT64 LastCommTick; // Time that made the last communication (received data) time IKE_SA_TRANSFORM_SETTING TransformSetting; // Transform Configuration IKE_CAPS Caps; // IKE Caps BUF *InitiatorRand, *ResponderRand; // Random number BUF *DhSharedKey; // DH common key BUF *GXi, *GXr; // DH exchange data BUF *SAi_b; // Data needed for authentication BUF *YourIDPayloadForAM; // Copy the ID payload of the client-side UCHAR SKEYID[IKE_MAX_HASH_SIZE]; // Key set UCHAR SKEYID_d[IKE_MAX_HASH_SIZE]; UCHAR SKEYID_a[IKE_MAX_HASH_SIZE]; UCHAR SKEYID_e[IKE_MAX_HASH_SIZE]; UCHAR InitiatorHashForAM[IKE_MAX_HASH_SIZE]; IKE_CRYPTO_KEY *CryptoKey; // Common encryption key UINT HashSize; // Hash size UINT KeySize; // Key size UINT BlockSize; // Block size UCHAR Iv[IKE_MAX_BLOCK_SIZE]; // IV bool IsIvExisting; // Whether an IV exists bool Established; // Established flag bool Deleting; // Deleting UINT NumResends; // The number of retransmissions char Secret[MAX_SIZE]; // Secret value of the authentication is successful }; // IPsec SA struct IPSECSA { UINT Id; IKE_CLIENT *IkeClient; // Pointer to the IKE client IKE_SA *IkeSa; // Pointer to IKE_SA to use for transmission UCHAR Iv[IKE_MAX_BLOCK_SIZE]; // IV used in the Quick Mode exchange bool IsIvExisting; // Whether the IV exists UINT MessageId; // Message ID used in Quick Mode exchange UINT Spi; // SPI UINT CurrentSeqNo; // Send sequence number BUF *SendBuffer; // Buffer during transmission UINT NumResends; // The number of retransmissions UINT64 NextSendTick; // Next transmission date and time UINT64 FirstCommTick; // Time the last data sent UINT64 EstablishedTick; // Time that the SA has been established UINT64 LastCommTick; // Time that made the last communication (received data) time UINT64 ExpiresHardTick; // Exact expiration time UINT64 ExpiresSoftTick; // Flexible expiration time UINT64 TotalSize; // Size sent to and received IPSEC_SA_TRANSFORM_SETTING TransformSetting; // Transform Configuration bool ServerToClient; // Whether is upload direction IPSECSA *PairIPsecSa; // IPsec SA that are paired bool Established; // Established flag BUF *InitiatorRand, *ResponderRand; // Random number BUF *SharedKey; // PFS shared key UCHAR Hash3[IKE_MAX_HASH_SIZE]; // Hash 3 UCHAR KeyMat[IKE_MAX_KEY_SIZE + IKE_MAX_HASH_SIZE]; // Encryption key UCHAR HashKey[IKE_MAX_HASH_SIZE]; // Hash key IKE_CRYPTO_KEY *CryptoKey; // Key data bool Deleting; // Deleting UCHAR EspIv[IKE_MAX_BLOCK_SIZE]; // IV for ESP communication bool Initiated; // The server-side is initiator DH_CTX *Dh; // DH (only if the server-side is initiator) bool StartQM_FlagSet; // Whether the flag to indicate to do the QM is set to the IKE_CLIENT UCHAR SKEYID_d[IKE_MAX_HASH_SIZE]; UCHAR SKEYID_a[IKE_MAX_HASH_SIZE]; IKE_HASH *SKEYID_Hash; }; struct IKE_INFOMSG_QUOTA_ENTRY { IP ClientIp; UINT Count; }; // IKE server struct IKE_SERVER { CEDAR *Cedar; IPSEC_SERVER *IPsec; UINT64 Now; // Current time LIST *SendPacketList; // Transmission packet INTERRUPT_MANAGER *Interrupts; // Interrupt manager SOCK_EVENT *SockEvent; // SockEvent IKE_ENGINE *Engine; // Encryption engine LIST *ClientList; // Client list LIST *IkeSaList; // SA list LIST *IPsecSaList; // IPsec SA list LIST *ThreadList; // L2TP thread list LIST *InfoMsgQuotaList; // Information Message Quota List UINT64 NextInfoMsgQuotaClearTick; bool StateHasChanged; // Flag whether the state has changed UINT CurrentIkeSaId, CurrentIPsecSaId, CurrentIkeClientId, CurrentEtherId; // Serial number ID // Setting data char Secret[MAX_SIZE]; // Pre-shared key }; //// Function prototype IKE_SERVER *NewIKEServer(CEDAR *cedar, IPSEC_SERVER *ipsec); void FreeIKEServer(IKE_SERVER *ike); void SetIKEServerSockEvent(IKE_SERVER *ike, SOCK_EVENT *e); void ProcIKEPacketRecv(IKE_SERVER *ike, UDPPACKET *p); void StopIKEServer(IKE_SERVER *ike); void ProcessIKEInterrupts(IKE_SERVER *ike); IKE_PACKET *ParseIKEPacketHeader(UDPPACKET *p); void ProcIkeMainModePacketRecv(IKE_SERVER *ike, UDPPACKET *p, IKE_PACKET *header); void ProcIkeQuickModePacketRecv(IKE_SERVER *ike, UDPPACKET *p, IKE_PACKET *header); void ProcIkeAggressiveModePacketRecv(IKE_SERVER *ike, UDPPACKET *p, IKE_PACKET *header); void ProcIkeInformationalExchangePacketRecv(IKE_SERVER *ike, UDPPACKET *p, IKE_PACKET *header); void FreeIkeSa(IKE_SA *sa); void FreeIkeClient(IKE_SERVER *ike, IKE_CLIENT *c); UINT64 GenerateNewResponserCookie(IKE_SERVER *ike); bool GetBestTransformSettingForIkeSa(IKE_SERVER *ike, IKE_PACKET *pr, IKE_SA_TRANSFORM_SETTING *setting); bool TransformPayloadToTransformSettingForIkeSa(IKE_SERVER *ike, IKE_PACKET_TRANSFORM_PAYLOAD *transform, IKE_SA_TRANSFORM_SETTING *setting); IKE_CLIENT *SearchIkeClientForIkePacket(IKE_SERVER *ike, IP *client_ip, UINT client_port, IP *server_ip, UINT server_port, IKE_PACKET *pr); IKE_CLIENT *SearchOrCreateNewIkeClientForIkePacket(IKE_SERVER *ike, IP *client_ip, UINT client_port, IP *server_ip, UINT server_port, IKE_PACKET *pr); UINT GetNumberOfIkeClientsFromIP(IKE_SERVER *ike, IP *client_ip); UINT GetNumberOfIPsecSaOfIkeClient(IKE_SERVER *ike, IKE_CLIENT *c); UINT GetNumberOfIkeSaOfIkeClient(IKE_SERVER *ike, IKE_CLIENT *c); int CmpIkeClient(void *p1, void *p2); int CmpIkeSa(void *p1, void *p2); int CmpIPsecSa(void *p1, void *p2); IKE_SA *FindIkeSaByEndPointAndInitiatorCookie(IKE_SERVER *ike, IP *client_ip, UINT client_port, IP *server_ip, UINT server_port, UINT64 init_cookie, UINT mode); IKE_SA *FindIkeSaByResponderCookie(IKE_SERVER *ike, UINT64 responder_cookie); IKE_SA *FindIkeSaByResponderCookieAndClient(IKE_SERVER *ike, UINT64 responder_cookie, IKE_CLIENT *c); IKE_CLIENT *NewIkeClient(IKE_SERVER *ike, IP *client_ip, UINT client_port, IP *server_ip, UINT server_port); IKE_CLIENT *SetIkeClientEndpoint(IKE_SERVER *ike, IKE_CLIENT *c, IP *client_ip, UINT client_port, IP *server_ip, UINT server_port); IKE_SA *NewIkeSa(IKE_SERVER *ike, IKE_CLIENT *c, UINT64 init_cookie, UINT mode, IKE_SA_TRANSFORM_SETTING *setting); IKE_PACKET_PAYLOAD *TransformSettingToTransformPayloadForIke(IKE_SERVER *ike, IKE_SA_TRANSFORM_SETTING *setting); void IkeSaSendPacket(IKE_SERVER *ike, IKE_SA *sa, IKE_PACKET *p); IKE_PACKET *IkeSaRecvPacket(IKE_SERVER *ike, IKE_SA *sa, void *data, UINT size); void IkeSendUdpPacket(IKE_SERVER *ike, UINT type, IP *server_ip, UINT server_port, IP *client_ip, UINT client_port, void *data, UINT size); void IkeAddVendorIdPayloads(IKE_PACKET *p); BUF *IkeStrToVendorId(char *str); void IkeAddVendorId(IKE_PACKET *p, char *str); bool IkeIsVendorIdExists(IKE_PACKET *p, char *str); void IkeCheckCaps(IKE_CAPS *caps, IKE_PACKET *p); BUF *IkeCalcNatDetectHash(IKE_SERVER *ike, IKE_HASH *hash, UINT64 initiator_cookie, UINT64 responder_cookie, IP *ip, UINT port); void IkeCalcSaKeySet(IKE_SERVER *ike, IKE_SA *sa, char *secret); IKE_CRYPTO_KEY *IkeNewCryptoKeyFromK(IKE_SERVER *ike, void *k, UINT k_size, IKE_HASH *h, IKE_CRYPTO *c, UINT crypto_key_size); BUF *IkeExpandKeySize(IKE_HASH *h, void *k, UINT k_size, UINT target_size); void IkeSaUpdateIv(IKE_SA *sa, void *iv, UINT iv_size); IPSECSA *NewIPsecSa(IKE_SERVER *ike, IKE_CLIENT *c, IKE_SA *ike_sa, bool initiate, UINT message_id, bool server_to_client, void *iv, UINT spi, void *init_rand_data, UINT init_rand_size, void *res_rand_data, UINT res_rand_size, IPSEC_SA_TRANSFORM_SETTING *setting, void *shared_key_data, UINT shared_key_size); void IkeCalcPhase2InitialIv(void *iv, IKE_SA *sa, UINT message_id); bool GetBestTransformSettingForIPsecSa(IKE_SERVER *ike, IKE_PACKET *pr, IPSEC_SA_TRANSFORM_SETTING *setting, IP *server_ip); bool TransformPayloadToTransformSettingForIPsecSa(IKE_SERVER *ike, IKE_PACKET_TRANSFORM_PAYLOAD *transform, IPSEC_SA_TRANSFORM_SETTING *setting, IP *server_ip); IKE_PACKET_PAYLOAD *TransformSettingToTransformPayloadForIPsec(IKE_SERVER *ike, IPSEC_SA_TRANSFORM_SETTING *setting); UINT GenerateNewIPsecSaSpi(IKE_SERVER *ike, UINT counterpart_spi); IPSECSA *SearchClientToServerIPsecSaBySpi(IKE_SERVER *ike, UINT spi); IPSECSA *SearchIPsecSaBySpi(IKE_SERVER *ike, IKE_CLIENT *c, UINT spi); IPSECSA *SearchIPsecSaByMessageId(IKE_SERVER *ike, IKE_CLIENT *c, UINT message_id); void IPsecSaSendPacket(IKE_SERVER *ike, IPSECSA *sa, IKE_PACKET *p); IKE_PACKET *IPsecSaRecvPacket(IKE_SERVER *ike, IPSECSA *sa, void *data, UINT size); void IPsecSaUpdateIv(IPSECSA *sa, void *iv, UINT iv_size); void ProcDeletePayload(IKE_SERVER *ike, IKE_CLIENT *c, IKE_PACKET_DELETE_PAYLOAD *d); void MarkIPsecSaAsDeleted(IKE_SERVER *ike, IPSECSA *sa); void MarkIkeSaAsDeleted(IKE_SERVER *ike, IKE_SA *sa); void PurgeDeletingSAsAndClients(IKE_SERVER *ike); void PurgeIPsecSa(IKE_SERVER *ike, IPSECSA *sa); void PurgeIkeSa(IKE_SERVER *ike, IKE_SA *sa); void PurgeIkeClient(IKE_SERVER *ike, IKE_CLIENT *c); void FreeIPsecSa(IPSECSA *sa); void MarkIkeClientAsDeleted(IKE_SERVER *ike, IKE_CLIENT *c); IKE_SA *GetOtherLatestIkeSa(IKE_SERVER *ike, IKE_SA *sa); IPSECSA *GetOtherLatestIPsecSa(IKE_SERVER *ike, IPSECSA *sa); void SendInformationalExchangePacket(IKE_SERVER *ike, IKE_CLIENT *c, IKE_PACKET_PAYLOAD *payload); void SendInformationalExchangePacketEx(IKE_SERVER *ike, IKE_CLIENT *c, IKE_PACKET_PAYLOAD *payload, bool force_plain, UINT64 init_cookie, UINT64 resp_cookie); void SendDeleteIkeSaPacket(IKE_SERVER *ike, IKE_CLIENT *c, UINT64 init_cookie, UINT64 resp_cookie); void SendDeleteIPsecSaPacket(IKE_SERVER *ike, IKE_CLIENT *c, UINT spi); void IPsecCalcKeymat(IKE_SERVER *ike, IKE_HASH *h, void *dst, UINT dst_size, void *skeyid_d_data, UINT skeyid_d_size, UCHAR protocol, UINT spi, void *rand_init_data, UINT rand_init_size, void *rand_resp_data, UINT rand_resp_size, void *df_key_data, UINT df_key_size); void ProcIPsecEspPacketRecv(IKE_SERVER *ike, UDPPACKET *p); void ProcIPsecUdpPacketRecv(IKE_SERVER *ike, IKE_CLIENT *c, UCHAR *data, UINT data_size); void IPsecSendPacketByIPsecSa(IKE_SERVER *ike, IPSECSA *sa, UCHAR *data, UINT data_size, UCHAR protocol_id); void IPsecSendPacketByIPsecSaInner(IKE_SERVER *ike, IPSECSA *sa, UCHAR *data, UINT data_size, UCHAR protocol_id); void IPsecSendPacketByIkeClient(IKE_SERVER *ike, IKE_CLIENT *c, UCHAR *data, UINT data_size, UCHAR protocol_id); void IPsecSendUdpPacket(IKE_SERVER *ike, IKE_CLIENT *c, UINT src_port, UINT dst_port, UCHAR *data, UINT data_size); void IPsecIkeClientManageL2TPServer(IKE_SERVER *ike, IKE_CLIENT *c); void IPsecIkeClientSendL2TPPackets(IKE_SERVER *ike, IKE_CLIENT *c, L2TP_SERVER *l2tp); void IPsecIkeSendUdpForDebug(UINT dst_port, UINT dst_ip, void *data, UINT size); void StartQuickMode(IKE_SERVER *ike, IKE_CLIENT *c); UINT GenerateNewMessageId(IKE_SERVER *ike); void IPsecIkeClientManageEtherIPServer(IKE_SERVER *ike, IKE_CLIENT *c); void IPsecIkeClientSendEtherIPPackets(IKE_SERVER *ike, IKE_CLIENT *c, ETHERIP_SERVER *s); void ProcIPsecEtherIPPacketRecv(IKE_SERVER *ike, IKE_CLIENT *c, UCHAR *data, UINT data_size, bool is_tunnel_mode); bool IsIPsecSaTunnelMode(IPSECSA *sa); void ProcL2TPv3PacketRecv(IKE_SERVER *ike, IKE_CLIENT *c, UCHAR *data, UINT data_size, bool is_tunnel_mode); IKE_SA *SearchIkeSaByCookie(IKE_SERVER *ike, UINT64 init_cookie, UINT64 resp_cookie); IKE_INFOMSG_QUOTA_ENTRY *IkeInfoMsgQuotaGetEntry(IKE_SERVER *ike, IP *client_ip); void IkeInfoMsgQuotaDeleteAll(IKE_SERVER *ike); #endif // IPSEC_IKE_H