1 // SoftEther VPN Source Code - Stable Edition Repository 2 // Cedar Communication Module 3 // 4 // SoftEther VPN Server, Client and Bridge are free software under the Apache License, Version 2.0. 5 // 6 // Copyright (c) Daiyuu Nobori. 7 // Copyright (c) SoftEther VPN Project, University of Tsukuba, Japan. 8 // Copyright (c) SoftEther Corporation. 9 // Copyright (c) all contributors on SoftEther VPN project in GitHub. 10 // 11 // All Rights Reserved. 12 // 13 // http://www.softether.org/ 14 // 15 // This stable branch is officially managed by Daiyuu Nobori, the owner of SoftEther VPN Project. 16 // Pull requests should be sent to the Developer Edition Master Repository on https://github.com/SoftEtherVPN/SoftEtherVPN 17 // 18 // License: The Apache License, Version 2.0 19 // https://www.apache.org/licenses/LICENSE-2.0 20 // 21 // DISCLAIMER 22 // ========== 23 // 24 // THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR 25 // IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, 26 // FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE 27 // AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER 28 // LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, 29 // OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE 30 // SOFTWARE. 31 // 32 // THIS SOFTWARE IS DEVELOPED IN JAPAN, AND DISTRIBUTED FROM JAPAN, UNDER 33 // JAPANESE LAWS. YOU MUST AGREE IN ADVANCE TO USE, COPY, MODIFY, MERGE, PUBLISH, 34 // DISTRIBUTE, SUBLICENSE, AND/OR SELL COPIES OF THIS SOFTWARE, THAT ANY 35 // JURIDICAL DISPUTES WHICH ARE CONCERNED TO THIS SOFTWARE OR ITS CONTENTS, 36 // AGAINST US (SOFTETHER PROJECT, SOFTETHER CORPORATION, DAIYUU NOBORI OR OTHER 37 // SUPPLIERS), OR ANY JURIDICAL DISPUTES AGAINST US WHICH ARE CAUSED BY ANY KIND 38 // OF USING, COPYING, MODIFYING, MERGING, PUBLISHING, DISTRIBUTING, SUBLICENSING, 39 // AND/OR SELLING COPIES OF THIS SOFTWARE SHALL BE REGARDED AS BE CONSTRUED AND 40 // CONTROLLED BY JAPANESE LAWS, AND YOU MUST FURTHER CONSENT TO EXCLUSIVE 41 // JURISDICTION AND VENUE IN THE COURTS SITTING IN TOKYO, JAPAN. YOU MUST WAIVE 42 // ALL DEFENSES OF LACK OF PERSONAL JURISDICTION AND FORUM NON CONVENIENS. 43 // PROCESS MAY BE SERVED ON EITHER PARTY IN THE MANNER AUTHORIZED BY APPLICABLE 44 // LAW OR COURT RULE. 45 // 46 // USE ONLY IN JAPAN. DO NOT USE THIS SOFTWARE IN ANOTHER COUNTRY UNLESS YOU HAVE 47 // A CONFIRMATION THAT THIS SOFTWARE DOES NOT VIOLATE ANY CRIMINAL LAWS OR CIVIL 48 // RIGHTS IN THAT PARTICULAR COUNTRY. USING THIS SOFTWARE IN OTHER COUNTRIES IS 49 // COMPLETELY AT YOUR OWN RISK. THE SOFTETHER VPN PROJECT HAS DEVELOPED AND 50 // DISTRIBUTED THIS SOFTWARE TO COMPLY ONLY WITH THE JAPANESE LAWS AND EXISTING 51 // CIVIL RIGHTS INCLUDING PATENTS WHICH ARE SUBJECTS APPLY IN JAPAN. OTHER 52 // COUNTRIES' LAWS OR CIVIL RIGHTS ARE NONE OF OUR CONCERNS NOR RESPONSIBILITIES. 53 // WE HAVE NEVER INVESTIGATED ANY CRIMINAL REGULATIONS, CIVIL LAWS OR 54 // INTELLECTUAL PROPERTY RIGHTS INCLUDING PATENTS IN ANY OF OTHER 200+ COUNTRIES 55 // AND TERRITORIES. BY NATURE, THERE ARE 200+ REGIONS IN THE WORLD, WITH 56 // DIFFERENT LAWS. IT IS IMPOSSIBLE TO VERIFY EVERY COUNTRIES' LAWS, REGULATIONS 57 // AND CIVIL RIGHTS TO MAKE THE SOFTWARE COMPLY WITH ALL COUNTRIES' LAWS BY THE 58 // PROJECT. EVEN IF YOU WILL BE SUED BY A PRIVATE ENTITY OR BE DAMAGED BY A 59 // PUBLIC SERVANT IN YOUR COUNTRY, THE DEVELOPERS OF THIS SOFTWARE WILL NEVER BE 60 // LIABLE TO RECOVER OR COMPENSATE SUCH DAMAGES, CRIMINAL OR CIVIL 61 // RESPONSIBILITIES. NOTE THAT THIS LINE IS NOT LICENSE RESTRICTION BUT JUST A 62 // STATEMENT FOR WARNING AND DISCLAIMER. 63 // 64 // READ AND UNDERSTAND THE 'WARNING.TXT' FILE BEFORE USING THIS SOFTWARE. 65 // SOME SOFTWARE PROGRAMS FROM THIRD PARTIES ARE INCLUDED ON THIS SOFTWARE WITH 66 // LICENSE CONDITIONS WHICH ARE DESCRIBED ON THE 'THIRD_PARTY.TXT' FILE. 67 // 68 // 69 // SOURCE CODE CONTRIBUTION 70 // ------------------------ 71 // 72 // Your contribution to SoftEther VPN Project is much appreciated. 73 // Please send patches to us through GitHub. 74 // Read the SoftEther VPN Patch Acceptance Policy in advance: 75 // http://www.softether.org/5-download/src/9.patch 76 // 77 // 78 // DEAR SECURITY EXPERTS 79 // --------------------- 80 // 81 // If you find a bug or a security vulnerability please kindly inform us 82 // about the problem immediately so that we can fix the security problem 83 // to protect a lot of users around the world as soon as possible. 84 // 85 // Our e-mail address for security reports is: 86 // softether-vpn-security [at] softether.org 87 // 88 // Please note that the above e-mail address is not a technical support 89 // inquiry address. If you need technical assistance, please visit 90 // http://www.softether.org/ and ask your question on the users forum. 91 // 92 // Thank you for your cooperation. 93 // 94 // 95 // NO MEMORY OR RESOURCE LEAKS 96 // --------------------------- 97 // 98 // The memory-leaks and resource-leaks verification under the stress 99 // test has been passed before release this source code. 100 101 102 // IPsec_IKE.h 103 // Header of IPsec_IKE.c 104 105 #ifndef IPSEC_IKE_H 106 #define IPSEC_IKE_H 107 108 //// Macro 109 110 //// Constants 111 112 // State 113 #define IKE_SA_MAIN_MODE 0 // Main mode 114 #define IKE_SA_AGRESSIVE_MODE 1 // Aggressive mode 115 116 #define IKE_SA_MM_STATE_1_SA 0 // Main mode state 1 (SA exchange is complete. Wait for key exchange) 117 #define IKE_SA_MM_STATE_2_KEY 1 // Main mode state 2 (Key exchange is complete. Wait for exchange ID) 118 #define IKE_SA_MM_STATE_3_ESTABLISHED 2 // Main mode state 3 (ID exchange is complete. Established) 119 120 #define IKE_SA_AM_STATE_1_SA 0 // Aggressive mode state 1 (SA exchange is completed. Wait for hash) 121 #define IKE_SA_AM_STATE_2_ESTABLISHED 1 // Aggressive mode state 2 (Hash exchange is completed. Established) 122 123 #define IKE_SA_RESEND_INTERVAL (2 * 1000) // IKE SA packet retransmission interval 124 #define IKE_SA_RAND_SIZE 16 // Size of the random number 125 126 // ESP 127 #define IKE_ESP_HASH_SIZE 12 // The hash size for the ESP packet 128 129 // Type of UDP packet 130 #define IKE_UDP_TYPE_ISAKMP 0 // ISAKMP packet (destination 500) 131 #define IKE_UDP_TYPE_ESP 1 // ESP packet (destination 4500) 132 #define IKE_UDP_KEEPALIVE 2 // KeepAlive packet 133 #define IKE_UDP_SPECIAL 3 // Special packet 134 135 // String for Vendor ID 136 #define IKE_VENDOR_ID_RFC3947_NAT_T "0x4a131c81070358455c5728f20e95452f" 137 #define IKE_VENDOR_ID_IPSEC_NAT_T_IKE_03 "0x7d9419a65310ca6f2c179d9215529d56" 138 #define IKE_VENDOR_ID_IPSEC_NAT_T_IKE_02 "0x90cb80913ebb696e086381b5ec427b1f" 139 #define IKE_VENDOR_ID_IPSEC_NAT_T_IKE_02_2 "0xcd60464335df21f87cfdb2fc68b6a448" 140 #define IKE_VENDOR_ID_IPSEC_NAT_T_IKE_00 "0x4485152d18b6bbcd0be8a8469579ddcc" 141 #define IKE_VENDOR_ID_RFC3706_DPD "0xafcad71368a1f1c96b8696fc77570100" 142 #define IKE_VENDOR_ID_MICROSOFT_L2TP "0x4048b7d56ebce88525e7de7f00d6c2d3" 143 #define IKE_VENDOR_ID_MS_NT5_ISAKMPOAKLEY "0x1e2b516905991c7d7c96fcbfb587e461" 144 #define IKE_VENDOR_ID_MS_VID_INITIALCONTACT "0x26244d38eddb61b3172a36e3d0cfb819" 145 146 // Quota 147 #define IKE_QUOTA_MAX_NUM_CLIENTS_PER_IP 1000 // The number of IKE_CLIENT per IP address 148 #define IKE_QUOTA_MAX_NUM_CLIENTS 30000 // Limit number of IKE_CLIENT 149 #define IKE_QUOTA_MAX_SA_PER_CLIENT 100 // The limit number of SA for each IKE_CLIENT 150 151 #define IKE_QUOTA_MAX_INFOMSG_SEND_PER_IP_PER_SEC 20 152 #define IKE_QUOTA_MAX_INFOMSG_ENTRY_COUNT 100 153 154 // Time-out 155 #define IKE_TIMEOUT_FOR_IKE_CLIENT 150000 // IKE_CLIENT non-communication disconnect time 156 #define IKE_TIMEOUT_FOR_IKE_CLIENT_FOR_NOT_ESTABLISHED 10000 // IKE_CLIENT non-communication disconnect time (connection incomplete) 157 #define IKE_INTERVAL_UDP_KEEPALIVE 5000 // UDP KeepAlive transmission interval 158 #define IKE_QUICKMODE_START_INTERVAL 2000 // QuickMode start interval 159 #define IKE_QUICKMODE_FAILED_TIMEOUT 10000 // Maximum time to tolerant that to fail to establish a QuickMode 160 #define IKE_INTERVAL_DPD_KEEPALIVE 10000 // DPD KeepAlive transmission interval 161 162 // Expiration margin 163 #define IKE_SOFT_EXPIRES_MARGIN 1000 // Expiration margin 164 165 166 //// Type 167 168 // IKE SA transform data 169 struct IKE_SA_TRANSFORM_SETTING 170 { 171 IKE_CRYPTO *Crypto; 172 UINT CryptoKeySize; 173 IKE_HASH *Hash; 174 IKE_DH *Dh; 175 UINT CryptoId; 176 UINT HashId; 177 UINT DhId; 178 UINT LifeKilobytes; 179 UINT LifeSeconds; 180 }; 181 182 // IPsec SA transforms data 183 struct IPSEC_SA_TRANSFORM_SETTING 184 { 185 IKE_CRYPTO *Crypto; 186 UINT CryptoKeySize; 187 IKE_HASH *Hash; 188 IKE_DH *Dh; 189 UINT CryptoId; 190 UINT HashId; 191 UINT DhId; 192 UINT LifeKilobytes; 193 UINT LifeSeconds; 194 UINT SpiServerToClient; 195 UINT CapsuleMode; 196 bool OnlyCapsuleModeIsInvalid; 197 }; 198 199 // Function support information 200 struct IKE_CAPS 201 { 202 // Support Information 203 bool NatTraversalRfc3947; // RFC 3947 Negotiation of NAT-Traversal in the IKE 204 bool NatTraversalDraftIetf; // draft-ietf-ipsec-nat-t-ike 205 bool DpdRfc3706; // RFC 3706 A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers 206 bool MS_L2TPIPSecVPNClient; // Vendor ID: Microsoft L2TP/IPSec VPN Client 207 bool MS_NT5_ISAKMP_OAKLEY; // Vendor ID: MS NT5 ISAKMPOAKLEY 208 bool MS_Vid_InitialContact; // Vendor ID: Microsoft Vid-Initial-Contact 209 210 // Use information 211 bool UsingNatTraversalRfc3947; 212 bool UsingNatTraversalDraftIetf; 213 }; 214 215 // IKE / IPsec client 216 struct IKE_CLIENT 217 { 218 UINT Id; 219 IP ClientIP; 220 UINT ClientPort; 221 IP ServerIP; 222 UINT ServerPort; 223 IKE_SA *CurrentIkeSa; // IKE SA to be used currently 224 IPSECSA *CurrentIpSecSaRecv; // IPsec SA to be used currently (receive direction) 225 IPSECSA *CurrentIpSecSaSend; // IPsec SA to be currently in use (transmit direction) 226 UINT64 FirstCommTick; // Time the first data communication 227 UINT64 LastCommTick; // Time that made the last communication (received data) time 228 bool Deleting; // Deleting 229 UINT64 NextKeepAliveSendTick; // Time to send the next KeepAlive 230 UINT64 NextDpdSendTick; // Time to send the next DPD 231 UINT DpdSeqNo; // DPD sequence number 232 char ClientId[128]; // ID presented by the client 233 char Secret[MAX_SIZE]; // Secret value of the authentication is successful 234 235 bool IsMicrosoft; // Whether the client is Microsoft's 236 237 IPSEC_SA_TRANSFORM_SETTING CachedTransformSetting; // Cached transform attribute value 238 UINT64 CurrentExpiresSoftTick_StoC; // The maximum value of the flexible expiration date of the current (server -> client) 239 UINT64 CurrentExpiresSoftTick_CtoS; // The maximum value of the flexible expiration date of the current (client -> server) 240 UINT CurrentNumEstablishedIPsecSA_StoC; // The number of IPsec SA currently active (server -> client) 241 UINT CurrentNumEstablishedIPsecSA_CtoS; // The number of IPsec SA currently active (client -> server) 242 UINT CurrentNumHealtyIPsecSA_CtoS; // The number of currently available IPsec SA which expiration well within (client -> server) 243 UINT CurrentNumHealtyIPsecSA_StoC; // The number of currently available IPsec SA which expiration well within (server -> client) 244 bool SendID1andID2; // Whether to send the ID in QM 245 UCHAR SendID1_Type, SendID2_Type; 246 UCHAR SendID1_Protocol, SendID2_Protocol; 247 USHORT SendID1_Port, SendID2_Port; 248 BUF *SendID1_Buf, *SendID2_Buf; 249 bool SendNatOaDraft1, SendNatOaDraft2, SendNatOaRfc; // Whether to send the NAT-OA in QM 250 bool StartQuickModeAsSoon; // Flag to indicate to the start of the Quick Mode as soon as possible 251 UINT64 LastQuickModeStartTick; // Time which the last QuickMode started 252 UINT64 NeedQmBeginTick; // Time which a start-up of QuickMode is required 253 254 // L2TP related 255 L2TP_SERVER *L2TP; // L2TP server 256 UINT L2TPClientPort; // Client-side port number of L2TP 257 IP L2TPServerIP, L2TPClientIP; // IP address used by the L2TP processing 258 bool IsL2TPOnIPsecTunnelMode; // Whether the L2TP is working on IPsec tunnel mode 259 260 // EtherIP related 261 ETHERIP_SERVER *EtherIP; // EtherIP server 262 bool IsEtherIPOnIPsecTunnelMode; // Whether the EtherIP is working on IPsec tunnel mode 263 264 // Transport mode related 265 IP TransportModeServerIP; 266 IP TransportModeClientIP; 267 bool ShouldCalcChecksumForUDP; // Flag to calculate the checksum for the UDP packet 268 269 // Tunnel mode related 270 IP TunnelModeServerIP; // Server-side internal IP address 271 IP TunnelModeClientIP; // Client-side internal IP address 272 USHORT TunnelSendIpId; // ID of the transmission IP header 273 }; 274 275 // IKE SA 276 struct IKE_SA 277 { 278 UINT Id; 279 IKE_CLIENT *IkeClient; // Pointer to the IKE client 280 UINT64 InitiatorCookie, ResponderCookie; // Cookie 281 UINT Mode; // Mode 282 UINT State; // State 283 BUF *SendBuffer; // Buffer during transmission 284 UINT64 NextSendTick; // Next transmission time 285 UINT64 FirstCommTick; // Time that the first data communication 286 UINT64 EstablishedTick; // Time that the SA has been established 287 UINT64 LastCommTick; // Time that made the last communication (received data) time 288 IKE_SA_TRANSFORM_SETTING TransformSetting; // Transform Configuration 289 IKE_CAPS Caps; // IKE Caps 290 BUF *InitiatorRand, *ResponderRand; // Random number 291 BUF *DhSharedKey; // DH common key 292 BUF *GXi, *GXr; // DH exchange data 293 BUF *SAi_b; // Data needed for authentication 294 BUF *YourIDPayloadForAM; // Copy the ID payload of the client-side 295 UCHAR SKEYID[IKE_MAX_HASH_SIZE]; // Key set 296 UCHAR SKEYID_d[IKE_MAX_HASH_SIZE]; 297 UCHAR SKEYID_a[IKE_MAX_HASH_SIZE]; 298 UCHAR SKEYID_e[IKE_MAX_HASH_SIZE]; 299 UCHAR InitiatorHashForAM[IKE_MAX_HASH_SIZE]; 300 IKE_CRYPTO_KEY *CryptoKey; // Common encryption key 301 UINT HashSize; // Hash size 302 UINT KeySize; // Key size 303 UINT BlockSize; // Block size 304 UCHAR Iv[IKE_MAX_BLOCK_SIZE]; // IV 305 bool IsIvExisting; // Whether an IV exists 306 bool Established; // Established flag 307 bool Deleting; // Deleting 308 UINT NumResends; // The number of retransmissions 309 char Secret[MAX_SIZE]; // Secret value of the authentication is successful 310 }; 311 312 // IPsec SA 313 struct IPSECSA 314 { 315 UINT Id; 316 IKE_CLIENT *IkeClient; // Pointer to the IKE client 317 IKE_SA *IkeSa; // Pointer to IKE_SA to use for transmission 318 UCHAR Iv[IKE_MAX_BLOCK_SIZE]; // IV used in the Quick Mode exchange 319 bool IsIvExisting; // Whether the IV exists 320 UINT MessageId; // Message ID used in Quick Mode exchange 321 UINT Spi; // SPI 322 UINT CurrentSeqNo; // Send sequence number 323 BUF *SendBuffer; // Buffer during transmission 324 UINT NumResends; // The number of retransmissions 325 UINT64 NextSendTick; // Next transmission date and time 326 UINT64 FirstCommTick; // Time the last data sent 327 UINT64 EstablishedTick; // Time that the SA has been established 328 UINT64 LastCommTick; // Time that made the last communication (received data) time 329 UINT64 ExpiresHardTick; // Exact expiration time 330 UINT64 ExpiresSoftTick; // Flexible expiration time 331 UINT64 TotalSize; // Size sent to and received 332 IPSEC_SA_TRANSFORM_SETTING TransformSetting; // Transform Configuration 333 bool ServerToClient; // Whether is upload direction 334 IPSECSA *PairIPsecSa; // IPsec SA that are paired 335 bool Established; // Established flag 336 BUF *InitiatorRand, *ResponderRand; // Random number 337 BUF *SharedKey; // PFS shared key 338 UCHAR Hash3[IKE_MAX_HASH_SIZE]; // Hash 3 339 UCHAR KeyMat[IKE_MAX_KEY_SIZE + IKE_MAX_HASH_SIZE]; // Encryption key 340 UCHAR HashKey[IKE_MAX_HASH_SIZE]; // Hash key 341 IKE_CRYPTO_KEY *CryptoKey; // Key data 342 bool Deleting; // Deleting 343 UCHAR EspIv[IKE_MAX_BLOCK_SIZE]; // IV for ESP communication 344 bool Initiated; // The server-side is initiator 345 DH_CTX *Dh; // DH (only if the server-side is initiator) 346 bool StartQM_FlagSet; // Whether the flag to indicate to do the QM is set to the IKE_CLIENT 347 UCHAR SKEYID_d[IKE_MAX_HASH_SIZE]; 348 UCHAR SKEYID_a[IKE_MAX_HASH_SIZE]; 349 IKE_HASH *SKEYID_Hash; 350 }; 351 352 struct IKE_INFOMSG_QUOTA_ENTRY 353 { 354 IP ClientIp; 355 UINT Count; 356 }; 357 358 // IKE server 359 struct IKE_SERVER 360 { 361 CEDAR *Cedar; 362 IPSEC_SERVER *IPsec; 363 UINT64 Now; // Current time 364 LIST *SendPacketList; // Transmission packet 365 INTERRUPT_MANAGER *Interrupts; // Interrupt manager 366 SOCK_EVENT *SockEvent; // SockEvent 367 IKE_ENGINE *Engine; // Encryption engine 368 LIST *ClientList; // Client list 369 LIST *IkeSaList; // SA list 370 LIST *IPsecSaList; // IPsec SA list 371 LIST *ThreadList; // L2TP thread list 372 LIST *InfoMsgQuotaList; // Information Message Quota List 373 UINT64 NextInfoMsgQuotaClearTick; 374 bool StateHasChanged; // Flag whether the state has changed 375 UINT CurrentIkeSaId, CurrentIPsecSaId, CurrentIkeClientId, CurrentEtherId; // Serial number ID 376 377 // Setting data 378 char Secret[MAX_SIZE]; // Pre-shared key 379 }; 380 381 382 //// Function prototype 383 IKE_SERVER *NewIKEServer(CEDAR *cedar, IPSEC_SERVER *ipsec); 384 void FreeIKEServer(IKE_SERVER *ike); 385 void SetIKEServerSockEvent(IKE_SERVER *ike, SOCK_EVENT *e); 386 void ProcIKEPacketRecv(IKE_SERVER *ike, UDPPACKET *p); 387 void StopIKEServer(IKE_SERVER *ike); 388 void ProcessIKEInterrupts(IKE_SERVER *ike); 389 IKE_PACKET *ParseIKEPacketHeader(UDPPACKET *p); 390 void ProcIkeMainModePacketRecv(IKE_SERVER *ike, UDPPACKET *p, IKE_PACKET *header); 391 void ProcIkeQuickModePacketRecv(IKE_SERVER *ike, UDPPACKET *p, IKE_PACKET *header); 392 void ProcIkeAggressiveModePacketRecv(IKE_SERVER *ike, UDPPACKET *p, IKE_PACKET *header); 393 void ProcIkeInformationalExchangePacketRecv(IKE_SERVER *ike, UDPPACKET *p, IKE_PACKET *header); 394 void FreeIkeSa(IKE_SA *sa); 395 void FreeIkeClient(IKE_SERVER *ike, IKE_CLIENT *c); 396 UINT64 GenerateNewResponserCookie(IKE_SERVER *ike); 397 bool GetBestTransformSettingForIkeSa(IKE_SERVER *ike, IKE_PACKET *pr, IKE_SA_TRANSFORM_SETTING *setting); 398 bool TransformPayloadToTransformSettingForIkeSa(IKE_SERVER *ike, IKE_PACKET_TRANSFORM_PAYLOAD *transform, IKE_SA_TRANSFORM_SETTING *setting); 399 IKE_CLIENT *SearchIkeClientForIkePacket(IKE_SERVER *ike, IP *client_ip, UINT client_port, IP *server_ip, UINT server_port, IKE_PACKET *pr); 400 IKE_CLIENT *SearchOrCreateNewIkeClientForIkePacket(IKE_SERVER *ike, IP *client_ip, UINT client_port, IP *server_ip, UINT server_port, IKE_PACKET *pr); 401 UINT GetNumberOfIkeClientsFromIP(IKE_SERVER *ike, IP *client_ip); 402 UINT GetNumberOfIPsecSaOfIkeClient(IKE_SERVER *ike, IKE_CLIENT *c); 403 UINT GetNumberOfIkeSaOfIkeClient(IKE_SERVER *ike, IKE_CLIENT *c); 404 int CmpIkeClient(void *p1, void *p2); 405 int CmpIkeSa(void *p1, void *p2); 406 int CmpIPsecSa(void *p1, void *p2); 407 IKE_SA *FindIkeSaByEndPointAndInitiatorCookie(IKE_SERVER *ike, IP *client_ip, UINT client_port, IP *server_ip, UINT server_port, UINT64 init_cookie, UINT mode); 408 IKE_SA *FindIkeSaByResponderCookie(IKE_SERVER *ike, UINT64 responder_cookie); 409 IKE_SA *FindIkeSaByResponderCookieAndClient(IKE_SERVER *ike, UINT64 responder_cookie, IKE_CLIENT *c); 410 IKE_CLIENT *NewIkeClient(IKE_SERVER *ike, IP *client_ip, UINT client_port, IP *server_ip, UINT server_port); 411 IKE_CLIENT *SetIkeClientEndpoint(IKE_SERVER *ike, IKE_CLIENT *c, IP *client_ip, UINT client_port, IP *server_ip, UINT server_port); 412 IKE_SA *NewIkeSa(IKE_SERVER *ike, IKE_CLIENT *c, UINT64 init_cookie, UINT mode, IKE_SA_TRANSFORM_SETTING *setting); 413 IKE_PACKET_PAYLOAD *TransformSettingToTransformPayloadForIke(IKE_SERVER *ike, IKE_SA_TRANSFORM_SETTING *setting); 414 void IkeSaSendPacket(IKE_SERVER *ike, IKE_SA *sa, IKE_PACKET *p); 415 IKE_PACKET *IkeSaRecvPacket(IKE_SERVER *ike, IKE_SA *sa, void *data, UINT size); 416 void IkeSendUdpPacket(IKE_SERVER *ike, UINT type, IP *server_ip, UINT server_port, IP *client_ip, UINT client_port, void *data, UINT size); 417 void IkeAddVendorIdPayloads(IKE_PACKET *p); 418 BUF *IkeStrToVendorId(char *str); 419 void IkeAddVendorId(IKE_PACKET *p, char *str); 420 bool IkeIsVendorIdExists(IKE_PACKET *p, char *str); 421 void IkeCheckCaps(IKE_CAPS *caps, IKE_PACKET *p); 422 BUF *IkeCalcNatDetectHash(IKE_SERVER *ike, IKE_HASH *hash, UINT64 initiator_cookie, UINT64 responder_cookie, IP *ip, UINT port); 423 void IkeCalcSaKeySet(IKE_SERVER *ike, IKE_SA *sa, char *secret); 424 IKE_CRYPTO_KEY *IkeNewCryptoKeyFromK(IKE_SERVER *ike, void *k, UINT k_size, IKE_HASH *h, IKE_CRYPTO *c, UINT crypto_key_size); 425 BUF *IkeExpandKeySize(IKE_HASH *h, void *k, UINT k_size, UINT target_size); 426 void IkeSaUpdateIv(IKE_SA *sa, void *iv, UINT iv_size); 427 IPSECSA *NewIPsecSa(IKE_SERVER *ike, IKE_CLIENT *c, IKE_SA *ike_sa, bool initiate, UINT message_id, bool server_to_client, void *iv, UINT spi, void *init_rand_data, UINT init_rand_size, void *res_rand_data, UINT res_rand_size, IPSEC_SA_TRANSFORM_SETTING *setting, void *shared_key_data, UINT shared_key_size); 428 void IkeCalcPhase2InitialIv(void *iv, IKE_SA *sa, UINT message_id); 429 bool GetBestTransformSettingForIPsecSa(IKE_SERVER *ike, IKE_PACKET *pr, IPSEC_SA_TRANSFORM_SETTING *setting, IP *server_ip); 430 bool TransformPayloadToTransformSettingForIPsecSa(IKE_SERVER *ike, IKE_PACKET_TRANSFORM_PAYLOAD *transform, IPSEC_SA_TRANSFORM_SETTING *setting, IP *server_ip); 431 IKE_PACKET_PAYLOAD *TransformSettingToTransformPayloadForIPsec(IKE_SERVER *ike, IPSEC_SA_TRANSFORM_SETTING *setting); 432 UINT GenerateNewIPsecSaSpi(IKE_SERVER *ike, UINT counterpart_spi); 433 IPSECSA *SearchClientToServerIPsecSaBySpi(IKE_SERVER *ike, UINT spi); 434 IPSECSA *SearchIPsecSaBySpi(IKE_SERVER *ike, IKE_CLIENT *c, UINT spi); 435 IPSECSA *SearchIPsecSaByMessageId(IKE_SERVER *ike, IKE_CLIENT *c, UINT message_id); 436 void IPsecSaSendPacket(IKE_SERVER *ike, IPSECSA *sa, IKE_PACKET *p); 437 IKE_PACKET *IPsecSaRecvPacket(IKE_SERVER *ike, IPSECSA *sa, void *data, UINT size); 438 void IPsecSaUpdateIv(IPSECSA *sa, void *iv, UINT iv_size); 439 void ProcDeletePayload(IKE_SERVER *ike, IKE_CLIENT *c, IKE_PACKET_DELETE_PAYLOAD *d); 440 void MarkIPsecSaAsDeleted(IKE_SERVER *ike, IPSECSA *sa); 441 void MarkIkeSaAsDeleted(IKE_SERVER *ike, IKE_SA *sa); 442 void PurgeDeletingSAsAndClients(IKE_SERVER *ike); 443 void PurgeIPsecSa(IKE_SERVER *ike, IPSECSA *sa); 444 void PurgeIkeSa(IKE_SERVER *ike, IKE_SA *sa); 445 void PurgeIkeClient(IKE_SERVER *ike, IKE_CLIENT *c); 446 void FreeIPsecSa(IPSECSA *sa); 447 void MarkIkeClientAsDeleted(IKE_SERVER *ike, IKE_CLIENT *c); 448 IKE_SA *GetOtherLatestIkeSa(IKE_SERVER *ike, IKE_SA *sa); 449 IPSECSA *GetOtherLatestIPsecSa(IKE_SERVER *ike, IPSECSA *sa); 450 void SendInformationalExchangePacket(IKE_SERVER *ike, IKE_CLIENT *c, IKE_PACKET_PAYLOAD *payload); 451 void SendInformationalExchangePacketEx(IKE_SERVER *ike, IKE_CLIENT *c, IKE_PACKET_PAYLOAD *payload, bool force_plain, UINT64 init_cookie, UINT64 resp_cookie); 452 void SendDeleteIkeSaPacket(IKE_SERVER *ike, IKE_CLIENT *c, UINT64 init_cookie, UINT64 resp_cookie); 453 void SendDeleteIPsecSaPacket(IKE_SERVER *ike, IKE_CLIENT *c, UINT spi); 454 void IPsecCalcKeymat(IKE_SERVER *ike, IKE_HASH *h, void *dst, UINT dst_size, void *skeyid_d_data, UINT skeyid_d_size, UCHAR protocol, UINT spi, void *rand_init_data, UINT rand_init_size, 455 void *rand_resp_data, UINT rand_resp_size, void *df_key_data, UINT df_key_size); 456 457 void ProcIPsecEspPacketRecv(IKE_SERVER *ike, UDPPACKET *p); 458 void ProcIPsecUdpPacketRecv(IKE_SERVER *ike, IKE_CLIENT *c, UCHAR *data, UINT data_size); 459 void IPsecSendPacketByIPsecSa(IKE_SERVER *ike, IPSECSA *sa, UCHAR *data, UINT data_size, UCHAR protocol_id); 460 void IPsecSendPacketByIPsecSaInner(IKE_SERVER *ike, IPSECSA *sa, UCHAR *data, UINT data_size, UCHAR protocol_id); 461 void IPsecSendPacketByIkeClient(IKE_SERVER *ike, IKE_CLIENT *c, UCHAR *data, UINT data_size, UCHAR protocol_id); 462 void IPsecSendUdpPacket(IKE_SERVER *ike, IKE_CLIENT *c, UINT src_port, UINT dst_port, UCHAR *data, UINT data_size); 463 void IPsecIkeClientManageL2TPServer(IKE_SERVER *ike, IKE_CLIENT *c); 464 void IPsecIkeClientSendL2TPPackets(IKE_SERVER *ike, IKE_CLIENT *c, L2TP_SERVER *l2tp); 465 void IPsecIkeSendUdpForDebug(UINT dst_port, UINT dst_ip, void *data, UINT size); 466 void StartQuickMode(IKE_SERVER *ike, IKE_CLIENT *c); 467 UINT GenerateNewMessageId(IKE_SERVER *ike); 468 469 void IPsecIkeClientManageEtherIPServer(IKE_SERVER *ike, IKE_CLIENT *c); 470 void IPsecIkeClientSendEtherIPPackets(IKE_SERVER *ike, IKE_CLIENT *c, ETHERIP_SERVER *s); 471 void ProcIPsecEtherIPPacketRecv(IKE_SERVER *ike, IKE_CLIENT *c, UCHAR *data, UINT data_size, bool is_tunnel_mode); 472 bool IsIPsecSaTunnelMode(IPSECSA *sa); 473 void ProcL2TPv3PacketRecv(IKE_SERVER *ike, IKE_CLIENT *c, UCHAR *data, UINT data_size, bool is_tunnel_mode); 474 475 IKE_SA *SearchIkeSaByCookie(IKE_SERVER *ike, UINT64 init_cookie, UINT64 resp_cookie); 476 477 IKE_INFOMSG_QUOTA_ENTRY *IkeInfoMsgQuotaGetEntry(IKE_SERVER *ike, IP *client_ip); 478 void IkeInfoMsgQuotaDeleteAll(IKE_SERVER *ike); 479 480 #endif // IPSEC_IKE_H 481 482