diff options
| -rw-r--r-- | sbin/isakmpd/dpd.c | 354 | ||||
| -rw-r--r-- | sbin/isakmpd/dpd.h | 42 | ||||
| -rw-r--r-- | sbin/isakmpd/exchange.c | 19 | ||||
| -rw-r--r-- | sbin/isakmpd/features/dpd | 27 | ||||
| -rw-r--r-- | sbin/isakmpd/isakmp_num.cst | 20 | ||||
| -rw-r--r-- | sbin/isakmpd/sa.h | 12 |
6 files changed, 461 insertions, 13 deletions
diff --git a/sbin/isakmpd/dpd.c b/sbin/isakmpd/dpd.c new file mode 100644 index 00000000000..6cc52ac17e7 --- /dev/null +++ b/sbin/isakmpd/dpd.c @@ -0,0 +1,354 @@ +/* $OpenBSD: dpd.c,v 1.1 2004/06/20 15:20:06 ho Exp $ */ + +/* + * Copyright (c) 2004 Håkan Olsson. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#include <sys/types.h> +#include <stdlib.h> + +#include "sysdep.h" + +#include "dpd.h" +#include "exchange.h" +#include "ipsec.h" +#include "isakmp_fld.h" +#include "log.h" +#include "message.h" +#include "sa.h" +#include "timer.h" +#include "util.h" + +/* From RFC 3706. */ +#define DPD_MAJOR 0x01 +#define DPD_MINOR 0x00 +#define DPD_SEQNO_SZ 4 + +static const char dpd_vendor_id[] = { + 0xAF, 0xCA, 0xD7, 0x13, 0x68, 0xA1, 0xF1, /* RFC 3706 */ + 0xC9, 0x6B, 0x86, 0x96, 0xFC, 0x77, 0x57, + DPD_MAJOR, + DPD_MINOR +}; + +int16_t script_dpd[] = { + ISAKMP_PAYLOAD_NOTIFY, /* Initiator -> responder. */ + ISAKMP_PAYLOAD_HASH, + EXCHANGE_SCRIPT_SWITCH, + ISAKMP_PAYLOAD_NOTIFY, /* Responder -> initiator. */ + ISAKMP_PAYLOAD_HASH, + EXCHANGE_SCRIPT_END +}; + +static int dpd_initiator_send_notify(struct message *); +static int dpd_initiator_recv_ack(struct message *); +static int dpd_responder_recv_notify(struct message *); +static int dpd_responder_send_ack(struct message *); +static void dpd_event(void *); + +int (*isakmp_dpd_initiator[])(struct message *) = { + dpd_initiator_send_notify, + dpd_initiator_recv_ack +}; + +int (*isakmp_dpd_responder[])(struct message *) = { + dpd_responder_recv_notify, + dpd_responder_send_ack +}; + +/* Add the DPD VENDOR ID payload. */ +int +dpd_add_vendor_payload(struct message *msg) +{ + u_int8_t *buf; + size_t buflen = sizeof dpd_vendor_id + ISAKMP_GEN_SZ; + + buf = malloc(buflen); + if (!buf) { + log_error("dpd_add_vendor_payload: malloc(%lu) failed", + (unsigned long)buflen); + return -1; + } + + SET_ISAKMP_GEN_LENGTH(buf, buflen); + memcpy(buf + ISAKMP_VENDOR_ID_OFF, dpd_vendor_id, + sizeof dpd_vendor_id); + if (message_add_payload(msg, ISAKMP_PAYLOAD_VENDOR, buf, buflen, 1)) { + free(buf); + return -1; + } + + return 0; +} + +/* + * Check an incoming message for DPD capability markers. + */ +void +dpd_check_vendor_payload(struct message *msg, struct payload *p) +{ + u_int8_t *pbuf = p->p; + size_t vlen; + + /* Already checked? */ + if (msg->exchange->flags & EXCHANGE_FLAG_DPD_CAP_PEER) { + /* Just mark it as handled and return. */ + p->flags |= PL_MARK; + return; + } + + vlen = GET_ISAKMP_GEN_LENGTH(pbuf) - ISAKMP_GEN_SZ; + if (vlen != sizeof dpd_vendor_id) { + LOG_DBG((LOG_EXCHANGE, 90, + "dpd_check_vendor_payload: bad size %d != %d", vlen, + sizeof dpd_vendor_id)); + return; + } + + if (memcmp(dpd_vendor_id, pbuf + ISAKMP_GEN_SZ, vlen) == 0) { + /* This peer is DPD capable. */ + msg->exchange->flags |= EXCHANGE_FLAG_DPD_CAP_PEER; + LOG_DBG((LOG_EXCHANGE, 10, "dpd_check_vendor_payload: " + "DPD capable peer detected")); + p->flags |= PL_MARK; + return; + } + + return; +} + +static int +dpd_add_notify(struct message *msg, u_int16_t type, u_int32_t seqno) +{ + struct sa *isakmp_sa = msg->isakmp_sa; + char *buf; + u_int32_t buflen; + + if (!isakmp_sa) { + log_print("dpd_add_notify: no isakmp_sa"); + return -1; + } + + buflen = ISAKMP_NOTIFY_SZ + ISAKMP_HDR_COOKIES_LEN + DPD_SEQNO_SZ; + buf = malloc(buflen); + if (!buf) { + log_error("dpd_add_notify: malloc(%d) failed", + ISAKMP_NOTIFY_SZ + DPD_SEQNO_SZ); + return -1; + } + + SET_ISAKMP_NOTIFY_DOI(buf, IPSEC_DOI_IPSEC); + SET_ISAKMP_NOTIFY_PROTO(buf, ISAKMP_PROTO_ISAKMP); + SET_ISAKMP_NOTIFY_SPI_SZ(buf, ISAKMP_HDR_COOKIES_LEN); + SET_ISAKMP_NOTIFY_MSG_TYPE(buf, type); + memcpy(buf + ISAKMP_NOTIFY_SPI_OFF, isakmp_sa->cookies, + ISAKMP_HDR_COOKIES_LEN); + + memcpy(buf + ISAKMP_NOTIFY_SPI_OFF + ISAKMP_HDR_COOKIES_LEN, &seqno, + sizeof (u_int32_t)); + + if (message_add_payload(msg, ISAKMP_PAYLOAD_NOTIFY, buf, buflen, 1)) { + free(buf); + return -1; + } + + return 0; +} + +static int +dpd_initiator_send_notify(struct message *msg) +{ + if (!msg->isakmp_sa) { + log_print("dpd_initiator_send_notify: no isakmp_sa"); + return -1; + } + + if (msg->isakmp_sa->dpd_seq == 0) { + /* RFC 3706: first seq# should be random, with MSB zero. */ + getrandom((u_int8_t *)&msg->isakmp_sa->seq, + sizeof msg->isakmp_sa->seq); + msg->isakmp_sa->dpd_seq &= 0x7FFF; + } else + msg->isakmp_sa->dpd_seq++; + + return dpd_add_notify(msg, ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE, + msg->isakmp_sa->dpd_seq); +} + +static int +dpd_initiator_recv_ack(struct message *msg) +{ + struct payload *p = + TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_NOTIFY]); + struct sa *isakmp_sa = msg->isakmp_sa; + struct timeval tv; + u_int32_t rseq; + + if (msg->exchange->phase != 2) { + message_drop(msg, ISAKMP_NOTIFY_INVALID_EXCHANGE_TYPE, 0, 1, + 0); + return -1; + } + + if (GET_ISAKMP_NOTIFY_MSG_TYPE(p->p) + != ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE_ACK) { + message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); + return -1; + } + + /* Presumably, we've been through message_validate_notify(). */ + + /* Validate the SPI. Perhaps move to message_validate_notify(). */ + if (memcmp(p->p + ISAKMP_NOTIFY_SPI_OFF, isakmp_sa->cookies, + ISAKMP_HDR_COOKIES_LEN) != 0) { + log_print("dpd_initiator_recv_ack: bad cookies"); + message_drop(msg, ISAKMP_NOTIFY_INVALID_SPI, 0, 1, 0); + return -1; + } + + /* Check the seqno. */ + memcpy(p->p + ISAKMP_NOTIFY_SPI_OFF + ISAKMP_HDR_COOKIES_LEN, &rseq, + sizeof rseq); + rseq = ntohl(rseq); + + if (isakmp_sa->seq != rseq) { + log_print("dpd_initiator_recv_ack: bad seqno %u, expected %u", + rseq, isakmp_sa->seq); + message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); + return -1; + } + + /* Peer is alive. Reset timer. */ + gettimeofday(&tv, 0); + tv.tv_sec += DPD_DEFAULT_WORRY_METRIC; /* XXX Configurable */ + + isakmp_sa->dpd_nextev = timer_add_event("dpd_event", dpd_event, + isakmp_sa, &tv); + if (!isakmp_sa->dpd_nextev) + log_print("dpd_initiator_recv_ack: timer_add_event " + "failed"); + else + sa_reference(isakmp_sa); + + /* Mark handled. */ + p->flags |= PL_MARK; + + return 0; +} + +static int +dpd_responder_recv_notify(struct message *msg) +{ + struct payload *p = + TAILQ_FIRST(&msg->payload[ISAKMP_PAYLOAD_NOTIFY]); + struct sa *isakmp_sa = msg->isakmp_sa; + struct timeval tv; + u_int32_t rseq; + + if (msg->exchange->phase != 2) { + message_drop(msg, ISAKMP_NOTIFY_INVALID_EXCHANGE_TYPE, 0, 1, + 0); + return -1; + } + + if (GET_ISAKMP_NOTIFY_MSG_TYPE(p->p) != + ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE) { + message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); + return -1; + } + + /* Presumably, we've gone through message_validate_notify(). */ + /* XXX */ + + /* Validate the SPI. Perhaps move to message_validate_notify(). */ + if (memcmp(p->p + ISAKMP_NOTIFY_SPI_OFF, isakmp_sa->cookies, + ISAKMP_HDR_COOKIES_LEN) != 0) { + log_print("dpd_initiator_recv_notify: bad cookies"); + message_drop(msg, ISAKMP_NOTIFY_INVALID_SPI, 0, 1, 0); + return -1; + } + + /* Get the seqno. */ + memcpy(p->p + ISAKMP_NOTIFY_SPI_OFF + ISAKMP_HDR_COOKIES_LEN, &rseq, + sizeof rseq); + rseq = ntohl(rseq); + + /* Check increasing seqno. */ + if (rseq <= isakmp_sa->dpd_rseq) { + log_print("dpd_initiator_recv_notify: bad seqno (%u <= %u)", + rseq, isakmp_sa->dpd_rseq); + message_drop(msg, ISAKMP_NOTIFY_PAYLOAD_MALFORMED, 0, 1, 0); + return -1; + } + isakmp_sa->dpd_rseq = rseq; + + /* + * Ok, now we know the peer is alive, in case we're wondering. + * If so, reset timers, etc... here. + */ + if (isakmp_sa->dpd_nextev) { + timer_remove_event(isakmp_sa->dpd_nextev); + sa_release(isakmp_sa); + + gettimeofday(&tv, 0); + tv.tv_sec += DPD_DEFAULT_WORRY_METRIC; /* XXX Configurable */ + + isakmp_sa->dpd_nextev = timer_add_event("dpd_event", dpd_event, + isakmp_sa, &tv); + if (!isakmp_sa->dpd_nextev) + log_print("dpd_responder_recv_notify: timer_add_event " + "failed"); + else + sa_reference(isakmp_sa); + } + + /* Mark handled. */ + p->flags |= PL_MARK; + + return 0; +} + +static int +dpd_responder_send_ack(struct message *msg) +{ + if (!msg->isakmp_sa) + return -1; + + return dpd_add_notify(msg, ISAKMP_NOTIFY_STATUS_DPD_R_U_THERE_ACK, + msg->isakmp_sa->dpd_rseq); +} + +static void +dpd_event(void *v_sa) +{ + struct sa *sa = v_sa; + + sa->dpd_nextev = 0; + sa_release(sa); + + if ((sa->flags & SA_FLAG_DPD) == 0) + return; + + /* Create a new DPD exchange. XXX */ +} + diff --git a/sbin/isakmpd/dpd.h b/sbin/isakmpd/dpd.h new file mode 100644 index 00000000000..6b6f1210deb --- /dev/null +++ b/sbin/isakmpd/dpd.h @@ -0,0 +1,42 @@ +/* $OpenBSD: dpd.h,v 1.1 2004/06/20 15:20:06 ho Exp $ */ + +/* + * Copyright (c) 2004 Håkan Olsson. All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR + * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES + * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. + * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, + * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT + * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, + * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY + * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT + * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF + * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. + */ + +#ifndef _DPD_H_ +#define _DPD_H_ + +#define DPD_DEFAULT_WORRY_METRIC 300 /* seconds */ + +struct message; +struct payload; + +int dpd_add_vendor_payload(struct message *); +void dpd_check_vendor_payload(struct message *, struct payload *); + +extern int (*isakmp_dpd_initiator[])(struct message *); +extern int (*isakmp_dpd_responder[])(struct message *); +extern int16_t script_dpd[]; + +#endif /* _DPD_H_ */ diff --git a/sbin/isakmpd/exchange.c b/sbin/isakmpd/exchange.c index 12f5080de82..3e37e670f73 100644 --- a/sbin/isakmpd/exchange.c +++ b/sbin/isakmpd/exchange.c @@ -1,4 +1,4 @@ -/* $OpenBSD: exchange.c,v 1.96 2004/06/14 09:55:41 ho Exp $ */ +/* $OpenBSD: exchange.c,v 1.97 2004/06/20 15:20:06 ho Exp $ */ /* $EOM: exchange.c,v 1.143 2000/12/04 00:02:25 angelos Exp $ */ /* @@ -47,6 +47,9 @@ #include "cookie.h" #include "crypto.h" #include "doi.h" +#ifdef USE_DPD +#include "dpd.h" +#endif #include "exchange.h" #include "ipsec_num.h" #include "isakmp.h" @@ -187,6 +190,10 @@ exchange_script(struct exchange *exchange) case ISAKMP_EXCH_TRANSACTION: return script_transaction; #endif +#ifdef USE_DPD + case ISAKMP_EXCH_DPD: + return script_dpd; +#endif default: if (exchange->type >= ISAKMP_EXCH_DOI_MIN && exchange->type <= ISAKMP_EXCH_DOI_MAX) @@ -847,9 +854,10 @@ exchange_establish_p1(struct transport *t, u_int8_t type, u_int32_t doi, } msg->exchange = exchange; - /* Do not create SA for an information or transaction exchange. */ + /* Do not create SA for an information, transaction or DPD exchange. */ if (exchange->type != ISAKMP_EXCH_INFO - && exchange->type != ISAKMP_EXCH_TRANSACTION) { + && exchange->type != ISAKMP_EXCH_TRANSACTION + && exchange->type != ISAKMP_EXCH_DPD) { /* * Don't install a transport into this SA as it will be an * INADDR_ANY address in the local end, which is not good at @@ -955,8 +963,9 @@ exchange_establish_p2(struct sa *isakmp_sa, u_int8_t type, char *name, * Do not create SA's for informational exchanges. * XXX How to handle new group mode? */ - if (exchange->type != ISAKMP_EXCH_INFO - && exchange->type != ISAKMP_EXCH_TRANSACTION) { + if (exchange->type != ISAKMP_EXCH_INFO && + exchange->type != ISAKMP_EXCH_TRANSACTION && + exchange->type != ISAKMP_EXCH_DPD) { /* XXX Number of SAs should come from the args structure. */ for (i = 0; i < 1; i++) if (sa_create(exchange, isakmp_sa->transport)) { diff --git a/sbin/isakmpd/features/dpd b/sbin/isakmpd/features/dpd new file mode 100644 index 00000000000..155ce682407 --- /dev/null +++ b/sbin/isakmpd/features/dpd @@ -0,0 +1,27 @@ +# $OpenBSD: dpd,v 1.1 2004/06/20 15:20:07 ho Exp $ + +# +# Copyright (c) 2004 Håkan Olsson. All rights reserved. +# +# Redistribution and use in source and binary forms, with or without +# modification, are permitted provided that the following conditions +# are met: +# 1. Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# 2. Redistributions in binary form must reproduce the above copyright +# notice, this list of conditions and the following disclaimer in the +# documentation and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR +# IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES +# OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +# IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT +# NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, +# DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY +# THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT +# (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF +# THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# + +DPD= dpd.c diff --git a/sbin/isakmpd/isakmp_num.cst b/sbin/isakmpd/isakmp_num.cst index 5f759a08a1f..24d994abbfa 100644 --- a/sbin/isakmpd/isakmp_num.cst +++ b/sbin/isakmpd/isakmp_num.cst @@ -1,4 +1,4 @@ -# $OpenBSD: isakmp_num.cst,v 1.8 2004/04/28 14:40:00 ho Exp $ +# $OpenBSD: isakmp_num.cst,v 1.9 2004/06/20 15:20:07 ho Exp $ # $EOM: isakmp_num.cst,v 1.3 2000/05/17 03:09:50 angelos Exp $ # @@ -31,8 +31,8 @@ # XXX Please fill in references to the drafts, chapter & verse for each # constant group below. -# Also think about ranges, can they be specified diferently? Can we use -# these constants for vlidity checks? +# Also think about ranges, can they be specified differently? Can we use +# these constants for validity checks? # ISAKMP payload type. ISAKMP_PAYLOAD @@ -50,16 +50,19 @@ ISAKMP_PAYLOAD NOTIFY 11 DELETE 12 VENDOR 13 -# XXX the following is not quite legitimate according to the IETF process +# XXX the following are not quite legitimate according to the IETF process ATTRIBUTE 14 # IKE Mode-Config attribute - RESERVED_MIN 15 # XXX For now SAK 15 # RFC 3547, SA KEK Payload SAT 16 # RFC 3547, SA TEK Payload KD 17 # RFC 3547, Key Download SEQ 18 # RFC 3547, Sequence Number POP 19 # RFC 3547, Proof of possession + RESERVED_MIN 20 RESERVED_MAX 127 PRIVATE_MIN 128 +# XXX values from draft-ietf-ipsec-nat-t-ike-01,02,03. Later drafts specify +# XXX NAT_D as payload 15 and NAT_OA as 16, but these are allocated by RFC +# XXX 3547 as seen above. NAT_D 130 # NAT Discovery payload NAT_OA 131 # NAT Original Address payload PRIVATE_MAX 255 @@ -73,9 +76,10 @@ ISAKMP_EXCH AUTH_ONLY 3 AGGRESSIVE 4 INFO 5 -# XXX the following is not quite legitimate according to the IETF process +# XXX the following are not quite legitimate according to the IETF process TRANSACTION 6 - FUTURE_MIN 7 + DPD 7 + FUTURE_MIN 8 FUTURE_MAX 31 DOI_MIN 32 DOI_MAX 255 @@ -150,6 +154,8 @@ ISAKMP_NOTIFY STATUS_DOI_MIN 24576 STATUS_DOI_MAX 32767 STATUS_PRIVATE_MIN 32768 + STATUS_DPD_R_U_THERE 36136 + STATUS_DPD_R_U_THERE_ACK 36137 STATUS_PRIVATE_MAX 40959 STATUS_RESERVED2_MIN 40960 STATUS_RESERVED2_MAX 65535 diff --git a/sbin/isakmpd/sa.h b/sbin/isakmpd/sa.h index fdf2323c644..ee3efd00559 100644 --- a/sbin/isakmpd/sa.h +++ b/sbin/isakmpd/sa.h @@ -1,4 +1,4 @@ -/* $OpenBSD: sa.h,v 1.37 2004/05/23 18:17:56 hshoexer Exp $ */ +/* $OpenBSD: sa.h,v 1.38 2004/06/20 15:20:07 ho Exp $ */ /* $EOM: sa.h,v 1.58 2000/10/10 12:39:01 provos Exp $ */ /* @@ -203,6 +203,13 @@ struct sa { /* The events that will occur when an SA has timed out. */ struct event *soft_death; struct event *death; + +#if defined (USE_DPD) + /* IKE DPD (RFC3706) message sequence number. */ + u_int32_t dpd_seq; /* sent */ + u_int32_t dpd_rseq; /* recieved */ + struct event *dpd_nextev; /* time of next event */ +#endif }; /* This SA is alive. */ @@ -226,6 +233,9 @@ struct sa { /* This SA flag is a placeholder for a TRANSACTION exchange "SA flag". */ #define SA_FLAG_IKECFG 0x40 +/* This SA flag indicates if we should do DPD with the phase 1 SA peer. */ +#define SA_FLAG_DPD 0x80 + extern void proto_free(struct proto * proto); extern int sa_add_transform(struct sa *, struct payload *, int, struct proto **); |