--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/vpnengine/ikev1lib/inc/ikev1negotiation.h Thu Dec 17 09:14:51 2009 +0200
@@ -0,0 +1,532 @@
+/*
+* Copyright (c) 2005-2009 Nokia Corporation and/or its subsidiary(-ies).
+* All rights reserved.
+* This component and the accompanying materials are made available
+* under the terms of "Eclipse Public License v1.0"
+* which accompanies this distribution, and is available
+* at the URL "http://www.eclipse.org/legal/epl-v10.html".
+*
+* Initial Contributors:
+* Nokia Corporation - initial contribution.
+*
+* Contributors:
+*
+* Description: IKEv1 negotiation.
+*
+*/
+
+#ifndef C_IKEV1NEGOTIATION_H
+#define C_IKEV1NEGOTIATION_H
+
+#include <e32base.h>
+
+#include "ikev1payloads.h"
+#include "ikev1extra.h"
+#include "ikev1SAdata.h"
+#include "ikepolparser.h"
+#include "ipsecsaspiretriever.h"
+
+#define INITIATOR 0
+#define RESPONDER 1
+
+#define PHASE_I 1 //Used to identify the PHASE number
+#define PHASE_II 2
+
+#define OAKLEY_DEFAULT_NONCE_SIZE 128/8 //128 bits = 16 bytes
+#define ISAKMP_HEADER_SIZE 28
+#define ISAKMP_HASH_SIZE 24 //Size for 3des_cbc return value
+#define MAX_PRF_LENGTH 24 //In bytes corresponds to 3DES_CBC
+#define MAX_RETRANS_TIMER 10 //Isakmp packet retransmission timer
+#define MAX_RETRANS_COUNT 7 //Maximum retransmission count
+
+//Vendor ID type codes values
+#define HASH_VENDOR_ID 0 //Contains only a vendor specific hash
+#define EXPANDED_VENDOR_ID 1 //Contains NAT probing data and a vendor specific hash
+#define IETF_NATT_VENDOR_ID 2 //Vendor ID for draft <draft-ietf-ipsec-nat-t-ike-03>
+#define IETF_RFC_NATT_VENDOR_ID 3
+
+const TInt KMaxDpdRetryCount( 2 );
+
+struct TSPINode
+{
+ TInt iPropNum; //Proposal #
+ TUint32 iSeq; //Sequence # in the GETSPI msg
+ TUint32 iSPI; //Received SPI
+};
+
+class TPfkeyMessage;
+class CIkev1PluginSession;
+class CAuthDialogInfo;
+class CIkev1Timeout;
+class CX509Certificate;
+class CIkeKeys;
+class CIkeV1PkiService;
+class TSAISAKMP;
+class TPayloadISAKMP;
+class TKeyISAKMP;
+class TIdentISAKMP;
+class TCertificateISAKMP;
+class TSignatureISAKMP;
+class THashISAKMP;
+class TNotificationISAKMP;
+class TVendorISAKMP;
+class TINTNETISAKMP;
+class TProposalISAKMP;
+class CIkev1NatDiscovery;
+class CIKECRACKNegotiation;
+class CTransNegotiation;
+class TIkev1IsakmpStream;
+class MIkeDebug;
+class MKmdEventLoggerIf;
+class CPFKeySocketIf;
+
+//
+// Class CIkev1Negotiation: Contains all the info for each negotiation in progress
+//
+NONSHARABLE_CLASS(CIkev1Negotiation) : public CBase,
+ public MIpsecSaSpiRetrieverCallback
+ {
+ friend class CIkev1InfoNegotiation;
+ friend class TIkev1IsakmpStream;
+ friend class CIKECRACKNegotiation;
+ friend class CTransNegotiation;
+ friend class CIkev1Payloads;
+
+public:
+ static CIkev1Negotiation* NewL( CIkev1PluginSession* aPluginSession,
+ CPFKeySocketIf& aPFKeySocketIf,
+ MIkeDebug& aDebug,
+ const TInetAddr& aRemote,
+ const TCookie& aInitiator,
+ const TCookie& aResponder );
+
+ static CIkev1Negotiation* NewL( CIkev1PluginSession* aPluginSession,
+ CPFKeySocketIf& aPFKeySocketIf,
+ MIkeDebug& aDebug,
+ const TInetAddr& aRemote,
+ const TCookie& aInitiator,
+ TBool aAutoLogin );
+
+ static CIkev1Negotiation* NewL( CIkev1PluginSession* aPluginSession,
+ CPFKeySocketIf& aPFKeySocketIf,
+ MIkeDebug& aDebug,
+ TIkev1SAData* aIkev1SAdata,
+ TUint aRole,
+ const TPfkeyMessage *aReq = NULL );
+
+ static CIkev1Negotiation* NewL( CIkev1PluginSession* aPluginSession,
+ CPFKeySocketIf& aPFKeySocketIf,
+ MIkeDebug& aDebug,
+ const TInetAddr& aRemote,
+ TBool aAutoLogin );
+
+ static CIkev1Negotiation* NewL( CIkev1PluginSession* aPluginSession,
+ CPFKeySocketIf& aPFKeySocketIf,
+ MIkeDebug& aDebug,
+ const TInetAddr& aRemote,
+ const TPfkeyMessage& aReq );
+
+ ~CIkev1Negotiation();
+
+ TBool ExecuteL( const ThdrISAKMP& aHdr,
+ const TInetAddr& aRemote,
+ TInt aLocalPort );
+ TBool ExecutePhase2L( const ThdrISAKMP& aHdr,
+ const TInetAddr& aRemote,
+ TInt aLocalPort );
+ TBool ExecuteTransactionL( const ThdrISAKMP &aHdr,
+ const TInetAddr& aRemote,
+ TInt aLocalPort );
+ void InitNegotiationL();
+ void InitPhase2L();
+ //used by the timer
+ void ReSendL();
+
+ inline TUint32 AcqSeq() {return iAcquireSeq;}
+ inline TInt GetNotifyStatus() {return iReceivedNotify;}
+ inline void SetNotifyStatus(TInt aStatus) {if (iReceivedNotify == KErrNone) iReceivedNotify = aStatus;}
+ inline TBool Autologin() {return iAutoLogin;}
+ inline TBool Finished() {return iFinished;}
+ inline void SetFinished() {iFinished = ETrue;}
+ inline void SetRekeyInfo(CSARekeyInfo* aSARekeyInfo) { iSARekeyInfo = aSARekeyInfo;}
+ inline TUint32 SAId() {return iSAId;}
+ TIkev1IsakmpStream* SaveIkeMsgBfr(TIkev1IsakmpStream* aMsg);
+ void AuthDialogCompletedL(CAuthDialogInfo *aUserInfo);
+ TInt32 RandomMessageId();
+ void SendDeleteL(TUint8 aProtocol, TUint32 aIpsecSPI = 0); //Send a Delete payload for the negotiation
+ void SendKeepAliveMsgL(TIkev1SAData* aSa);
+
+ TBool IsRekeyingIkeSa();
+ void PreparePhase2L(const TPfkeyMessage &aReq);
+
+ MKmdEventLoggerIf& EventLogger();
+
+// from base class MIpsecSaSpiRetrieverCallback
+
+ /**
+ * Notification about completion of IPsec SPI SA retrieve.
+ *
+ * @param aSpiRequestId Id of the SPI retrieve request.
+ * @param aStatus Completion status
+ * @param aSpi SPI value
+ */
+ void IpsecSaSpiRetrieved(TUint32 aSpiRequestId,
+ TInt aStatus,
+ TUint32 aSpi);
+
+private:
+
+ CIkev1Negotiation( CIkev1PluginSession* aPluginSession,
+ CPFKeySocketIf& aPFKeySocketIf,
+ MIkeDebug& aDebug );
+ CIkev1Negotiation( CIkev1PluginSession* aPluginSession,
+ CPFKeySocketIf& aPFKeySocketIf,
+ MIkeDebug& aDebug,
+ const TInetAddr& aRemote,
+ const TCookie& aInitiator );
+ CIkev1Negotiation( CIkev1PluginSession* aPluginSession,
+ CPFKeySocketIf& aPFKeySocketIf,
+ MIkeDebug& aDebug,
+ const TInetAddr& aRemote );
+
+ void ConstructL( TBool aAutoLogin );
+ //When receiving an acquire
+ void ConstructL( const TPfkeyMessage& aReq );
+ // To create a negotiation form an existing ISAKMP SA either as negotiator or responder
+ void ConstructL( TIkev1SAData* aIkev1SAdata,
+ TUint aRole,
+ const TPfkeyMessage *aReq = NULL );
+
+ void GetAcquireDataL(const TPfkeyMessage &aReq);
+ void CommonConstructL();
+ TBool BuildProposals1L();
+ TInt BuildProposals2L();
+ //Packet processing functions
+ TBool ProcessHeaderL(const ThdrISAKMP &aHdr);
+ //received packet processing depending on the stage
+ TBool ProcessStage1L(const ThdrISAKMP &aHdr); //Checks SA from INITIATOR
+ TBool ProcessStage2L(const ThdrISAKMP &aHdr); //Checks SA from RESPONDER
+ TBool ProcessStage3MainL(const ThdrISAKMP &aHdr); //Checks KE,NONCE from INITIATOR
+ TBool ProcessStage3AggrL(const ThdrISAKMP &aHdr);//Checks ID,AUTH from RESPONDER
+ TBool ProcessStage4L(const ThdrISAKMP &aHdr); //Checks KE,NONCE from RESPONDER
+ TBool ProcessStage5L(const ThdrISAKMP &aHdr); //Checks ID,AUTH from INITIATOR
+ TBool ProcessStage6L(const ThdrISAKMP &aHdr); //Checks ID,AUTH from RESPONDER
+ TBool ProcessStage7L(const ThdrISAKMP &aHdr); //CRACK authentication going
+ TBool ProcessStage1Phase2L(const ThdrISAKMP &aHdr);//Checks HASH(1),SA,KE,NONCE,ID from INITIATOR
+ TBool ProcessStage2Phase2L(const ThdrISAKMP &aHdr);//Checks HASH(2),SA from RESPONDER
+ TBool ProcessStage3Phase2L(const ThdrISAKMP &aHdr);//Checks HASH(3) from INITIATOR/RESPONDER
+ TBool ProcessCONNECTEDL(const ThdrISAKMP &aHdr);//Checks HASH(INF, NOTIF) from RESPONDER
+ TBool ProcessSAL(const TSAISAKMP *aPayload, TUint8 *aRecvProposals);
+ TBool ProcessProposalsL(const TPayloadISAKMP *aPayload,TUint32 aLengthLeft, TUint8 *aRecvProposals);
+ TInt ProcessTransformsL(const TPayloadISAKMP *aPayload,TUint32 aLengthLeft);
+ TInt ProcessTransforms2L(const TPayloadISAKMP *aPayload,CProposal_II *aProp,TUint32 aLengthLeft);
+ TInt ProcessAttributesL(const TPayloadISAKMP *aPayload,TAttrib *aAttrib); //checks and return the SA attributes
+ TInt ProcessAttributes2L(const TPayloadISAKMP *aPayload,TAttrib_II *aAttrib,TUint8 aProtocol); //checks and return the SA attributes
+ TBool ProcessKeyL(const TKeyISAKMP *aKey); //check payload and stores public key value
+ TBool ProcessNonceL(const TPayloadISAKMP *aPayload);
+ TBool ProcessStage1_II_IDsL(const TIdentISAKMP *aInit_ID_payload,const TIdentISAKMP *aResp_ID_payload, CProposal_IIList *aRecv_proposals);
+ TBool ProcessStage2_II_IDsL(const TIdentISAKMP *aInit_ID_payload,const TIdentISAKMP *aResp_ID_payload);//, CProposal_IIList *aRecv_proposals);
+ TBool CheckIdentL(const TPayloadISAKMP *aPayload);
+ TBool ProcessCertificateReqL(const TCertificateReqISAKMP *aCertReq);
+ TBool ProcessCertificateReqArrayL(const CArrayFixFlat<const TCertificateReqISAKMP *> *aCRPayloadArray);
+ TBool ProcessCertificateArrayL(CArrayFixFlat<const TCertificateISAKMP *> *aCertArray);
+ TBool ProcessSignatureL(const TSignatureISAKMP *aPayload);
+ TBool ProcessHashL(const THashISAKMP *aHashPayload);
+ TBool ProcessHash2L(const ThdrISAKMP &aHdr, const THashISAKMP *aHashPayload, TUint aPadding);
+ TBool ProcessNotificationL(const TNotificationISAKMP *aNotifPayload);
+ TBool ProcessResponderLifetimeL(const TNotificationISAKMP *aNotifPayload);
+ TBool ProcessReplayStatus(const TNotificationISAKMP *aNotifPayload);
+ TBool ProcessInitialContactL(const TNotificationISAKMP *notif_payload);
+ void ProcessVendorL(CArrayFixFlat<const TVendorISAKMP*>* aVids);
+ void ProcessIntAddrL(const TINTNETISAKMP *aIntnetPayload);
+
+ TBool Phase_IExchangeL(const ThdrISAKMP &aHdr);
+ TBool Phase_IIExchangeL(const ThdrISAKMP &aHdr);
+ void QuickModeReplyL();
+ void MainModeReplyL();
+ void AggressiveReplyL();
+
+ //Certificate reading functions
+ TBool ReadCAsL(CArrayFixFlat<TCertInfo*> *aCAList);
+ TBool ReadOwnCertL();
+
+ TCookie CreateCookieL() const;
+ TBool CheckCookies(const TCookie& aInit, const TCookie& aResp);
+ TBool CheckPayloadCode(TUint8 aPayload);
+ TBool CheckVersionL(TUint8 aVersion);
+ TBool CheckExchangeTypeL(TUint8 aType);
+ TBool CheckFlagsL(TUint8 aFlags);
+ TBool CheckMessageIdL(TUint32 aId);
+ TBool CheckDOI(TUint32 aDOI);
+ TBool CheckSituationL(TUint32 aSIT);
+ TBool CheckGenericPayloadL(const TPayloadISAKMP *aPayload);
+ TBool CheckProtocolL(TUint8 aProtocol); //checks if protocol supported
+ TBool CheckSPIL(const TProposalISAKMP *aProposal); //checks if the SPI is valid
+ TBool CheckTransformID(TUint8 aProtocol,TUint8 aID);
+
+ //SA Attributes checking functions
+ TBool CheckEncrAlg(TUint16 aValue);
+ TBool CheckHashAlg(TUint16 aValue);
+ TBool CheckAuthMethod(TUint16 aValue);
+ TBool CheckGroupDesc(TUint16 aValue);
+ TBool CheckGroupType(TUint16 aValue);
+ TBool CheckGroupPrime(const TUint8* aValue, TUint16 length);
+ TBool CheckGroupGen(const TUint8* aValue, TUint16 length);
+ TBool CheckGroupCurve(const TUint8* aValue, TUint16 length);
+ TBool CheckLifeType(TUint16 aValue);
+ TBool CheckLifeDuration(const TUint8* aValue, TUint16 length);
+ TBool CheckPRF(TUint16 aValue);
+ TBool CheckKeyLength(TUint16 aValue,TUint8 aID,TUint8 aProtocol);
+ TBool CheckFieldSize(TUint16 aValue);
+ TBool CheckGroupOrder(const TUint8* aValue, TUint16 length);
+ TBool CheckEncMode(TUint16 aValue);
+ TBool CheckAuthAlg(TUint16 aValue);
+
+ //Certificate payload checks
+ TBool CertifyRemoteIdentityL(const TIdentISAKMP *aIdPayload);
+ TInt CheckEncodingL(TUint8 aEncoding);
+
+
+ //Signatures
+ TBool VerifySignatureL(CX509Certificate *aCert,TUint8 *iHash, TInt aLength,TUint8 *aSig,TUint aSigLength);
+
+
+ //Diffie-Hellman Exchange Routines
+ TBool ComputeDHPublicValueL();
+ void ComputeNonceL();
+
+ //Hash and Signature computation
+ void ComputeHashrL(TDes8 &aHash);
+ void ComputeHash1L(TDes8 &aHash);
+ void ComputeHash2L(TDes8& aHash,TInt aStage,const TUint8 *aHashMsg=NULL,TInt aHashMsgLen=0);
+ TBool VerifyHash2L(const THashISAKMP *iHash,const TUint8 *aHashMsg=NULL,TInt aHashMsgLen=0);
+ TBool VerifyInformationalHashL(const THashISAKMP *aHash,const TPayloadISAKMP *aPayload, TUint32 iMessageId);
+ void ComputeHashInfL(TDes8& aHash,const TUint8 *aHashMsg,TInt aHashMsgLen);
+
+ //Send a Notification packet informing of an error.
+ void SendNotifyL(TUint16 aError);
+
+ void CheckSendResponderLifetime(TIkev1IsakmpStream &aMsg);
+ static TPtrC ExchangeType(TUint8 aExchange);
+ static void TextPayload(TDes &aBuf, TUint8 aPayload);
+ static TPtrC TextNotifyType(TUint16 aNotif);
+
+ //PFKEY related functions
+ void AcquireSAErrorResponse(TInt aError);
+ void GetSPIL();
+ void ReceiveSPIL(TUint32 aSPI, TUint32 aSeq);
+
+ void UpdateSADatabaseL();
+
+ void ComputeLifetimes_II(const TDesC8 &aLifetime, const TDesC8 &aLifesize, TInt64 &aTime, TInt64 &aBytes);
+
+ //CRACK related functions
+ TBool StartCRACKAuthL();
+
+ TBool IsakmpPhase1CompletedL();
+
+ //Socket
+ void SendL(TIkev1IsakmpStream &aMsg);
+
+ inline TUint Role() {return iRole;}
+ inline CIkev1PluginSession* PluginSession() {return iPluginSession;}
+ TInt HashLength(); //Output size for PRF algorithm
+
+ TUint32 ISAKMPEncrKeyLength(TUint8 aAlgId) const; //in bytes
+ TUint32 HMAC_KeyLength(TUint8 aId) const;
+
+ //builds the correct key using the values in iNegotiation
+ TBool ComputeKeysL();
+ void ComputeKeys2L(const CProposal_II *aProp, TInt aKeyLen, TSPINode &aInboundSpiNode, TDes8& aOutboundKey_II, TDes8& aInboundKey_II);
+ void ComputePRFL(TDes8 &prf_output, const TDesC8 &prf_key, const TDesC8 &prf_data);
+ TBool InitIVL(); //Initial IV value
+ TBool ComputeIVL(TDes8 &aIV, TInt32 aMessageId); //subsequent IV computations
+ //Encryption routines
+ void AppendAttributeError(TInt aErr, TDes &aBuf) const;
+ void SaveISAKMPSAL();
+ void CreateChosenProposalL(CProposal_IIList* aPropList, TInt aPropNum, CTransModifierList *aTransArray);
+ TBool ExamineRemoteIdentity(const TDesC8& aRemoteIdInPolicy);
+ TBool ProcessIdentityData(const TDesC8& aIdentity, TUint8* aToIdType, TInetAddr* aToIpAddr1, TInetAddr* aToIpAddr2);
+
+ void DpdNotifyMessageReceivedL(TIkev1SAData* aSa, TUint16 aMsgType, TUint32 aSequence);
+ TUint32 GetNextSequence(TUint32 aSequence);
+ void SendDpdNotifyMessageL(TUint16 aMsgType, TUint32 aSequence);
+
+ TInt ErrorStatus();
+ void SetErrorStatus(TInt aStatus);
+
+ void SendAndSaveIkeMsgL( const TDesC8& aIkeMsg,
+ TInetAddr& aDestAddr,
+ TBool aUseNatPort );
+
+ TBool IsRetransmit(TLastIKEMsg& aRef);
+ void SaveRetransmitInfo(TLastIKEMsg& aRef);
+ void SaveLastMsgL();
+
+public:
+ TCookie iCookie_I; // Initiator Cookie (Used with responder to create KEYID)
+ TCookie iCookie_R; // Responder Cookie
+ TUint32 iSAId;
+ TUint32 iMessageId; // Message Id. o during Phase I
+ CIkev1Negotiation *iNext; // A link field to maintain negotiations.
+
+private:
+ //Data relevant to the host
+ CIkeData *iHostData;
+
+ //Internal Data
+ TInetAddr iLocalAddr;
+ TInetAddr iRemoteAddr; // Remote Address (Gateway or end host)
+
+
+ TUint iRole; // If we are PHASE I Initiator or Responder
+ TUint iPhase; // Phase I or II
+ TUint iStage; // Negotiation Stage
+
+ //Header Data
+ TUint8 iExchange; // IKE mode in use (Main, agressive,...)
+ TUint8 iPrevExchange; // Used to process the last msg of Phase I
+
+ TUint8 iFlags; // Own flags to use when sending a msg header
+ TUint8 iRecvFlags; // Received flags in the last msg header
+ TBool iCommitBitSet; // If true the Commit bit has been set by this host
+ TUint32 iNotifyMessageId; // Message Id. for Informational Exchanges
+ TLastIKEMsg iLastIKEMsgInfo;// Information of the last received IKE message
+
+ //SA Data
+ TUint8 *iSAPayload; // Initiator SA payload (used in the hash computation). Generic payload NOT included
+ TInt iSAPayloadSize;
+ TUint32 iDOI; // Must be IPSEC = 1
+
+ //Proposal/transform list Phase I and II
+ TProposal iProposal_I; // Contains proposed SA attrib for Phase I with it's attr list
+ TProposal iChosenProposal_I;
+ CProposal_IIList *iProposal_IIList; //Contains the Phase_II Proposal List (PROPOSED)
+ CProposal_IIList *iChosenProp_IIList; //Contains the Phase_II Proposal List (Received from the remote peer)
+
+
+ TInt iProposalNum; //Accepted proposed proposal. Needed to know which are the valid SPIs in the next list
+ CArrayFixFlat<TSPINode> *iInboundSPIList;
+
+ //Keys (DH Generated public value when own)
+ CIkeKeys *iOwnKeys; //Contains own public and private keys
+ HBufC8 *iOwnPublicKey;
+ TPtrC8 iOwnPublicKey_ptr;
+ TBuf8<MAX_PRIME_SIZE> iPeerPublicKey; //(gxr)
+ TBuf8<IKEV1_KEY_MATERIAL_SIZE> iSKEYID; //KEY used for encryption/decryption of messages
+ TBuf8<IKEV1_KEY_MATERIAL_SIZE> iSKEYID_d; //KEY used to derive keys for non-ISAKMP SAs
+ TBuf8<IKEV1_KEY_MATERIAL_SIZE> iSKEYID_a; //KEY used for authentication of ISAKMP messages
+ TBuf8<IKEV1_KEY_MATERIAL_SIZE> iSKEYID_e; //KEY used for encryption/decryption of ISAKMP messages
+
+ //IV used by des_cbc and des3_cbc is 8 and for AES 16
+ TBuf8<IKEV1_MAX_IV_SIZE> iIV; //normal IV
+ TBuf8<IKEV1_MAX_IV_SIZE> iLastIV; //Saves the last IV of PHASE_I to compute iNotifIV everytime and the first IV in Quick mode
+ TInt iIVSize; //Current IV/cipher block size
+
+ //Perfect Forward Secrecy
+ TBool iPFS;
+
+ //Replay Window Length
+ //TInt8 iReplayWindowLength;
+
+ //Nonces
+ TBuf8<MAX_PRIME_SIZE> iNONCE_I;
+ TBuf8<MAX_PRIME_SIZE> iNONCE_R;
+
+ //IDENTITY info
+ TUint8 *iPeerIdentPayload; //Full Peer ID payload for HASH_I/R computation.Generic payload NOT included
+ TInt iPeerIdentPayloadSize;
+ TUint8 *iOwnIdentPayload; //Full own ID payload for HASH_I/R computation.Generic payload NOT included
+ TInt iOwnIdentPayloadSize;
+ //TUint8 iIDType;
+ TUint16 iIDLocalPort;
+ TUint16 iIDRemotePort;
+ TUint8 iIDProtocol;
+ TBool iIDReceived;
+
+ TBool iSwapRemoteIdType;
+ TBool iDefaultRemoteID; //To avoid updating the Remote ID if a default is being used
+ TInetAddr iRemoteAddr1_ID_II;// Remote proxy Address, subnet or initial range
+ TInetAddr iRemoteAddr2_ID_II;// Remote proxy mask or end range
+ TUint8 iRemoteIDType_II;
+ TBool iDefaultLocalID; //To avoid updating the Local ID if a default is being used
+ TInetAddr iLocalAddr1_ID_II; // Local proxy Address, subnet or initial range
+ TInetAddr iLocalAddr2_ID_II; // Local proxy mask or end range if implemented
+ TUint8 iLocalIDType_II;
+
+ //
+ //IETF NAT Traversal information
+ //
+ CIkev1NatDiscovery *iNatDiscovery; // IETF NAT traversal control object pointer
+ TUint32 iNAT_D_Flags; // If not zero, there is NAT between sites
+ TInetAddr iLastRemoteAddr; // Last detected remote address
+ TInetAddr iRemoteOriginalAddr; // Private address of the remote end
+
+ //
+ //NAT Traversal information
+ //
+ TBool iFamiliarPeer; // Nokia VPN implementation detected in peer
+ TBool iNAT_T_Required; // True when NAT detected between local end and peer
+
+ //
+ // Dead peer detection support
+ //
+ TBool iDPDSupported; // Both ends support DPD
+
+ //
+ //Internal address information received from Nokia VPN gateway
+ //
+ CInternalAddress *iInternalAddr; //Internal address and possible DNS addresses
+
+ //
+ // Certificates
+ //
+ TUint8 iEncoding;
+ CX509Certificate *iPeerX509Cert; //Received X509 certificate (or read in RSA encryption if already stored).
+
+ //
+ // Trusted CA certificates list
+ //
+ HBufC8* iPeerTrustedCA; //Trusted CA (of peer)
+ HBufC8* iICA1; //Level 1 Intermediate certificate
+ HBufC8* iICA2; //Level 2 Intermediate certificate
+ HBufC8* iCA;
+ HBufC8* iOwnCert; //Certificate in use
+
+ TBool iSendCert; //Tells if is Required to send our cert in next stage (Told in a Cert Req.)
+ TBool iCertRequested; //Tells whether we've requested a CERT through a CR
+
+ //PFKEY related data
+ TBool iAcquirePending; //Informs if Acquire is pending
+ TUint32 iAcquireSeq; //Seq num received in the acquire msg. will be used for UPDATE
+ TUint32 iSeq; //Current Seq. num will be used in GETSPI
+ TUint32 iPfkeyAcquirePID; //PID in the acquire msg. will be used in GETSPI
+ TUint8 iPendingSPI; // Used for GetSPI and Receive in case there are many SPI to request
+
+ //Miscellanious data
+ HBufC8* iLastMsg; // Last message sent (Used for retransmissions).
+ CIkev1Timeout *iTimer; // Timer to retry sending a message
+ TInt iRetryNum; // Number of retry in the current message
+ TBool iFinished; //Tells if the negotiation is finished to destroy it
+ TBool iAutoLogin; //If ETrue, Negotiation started by policy activation
+ TInt iReceivedNotify; //Status value of (the first) received Notify payload
+ TUint32 iLengthLeft; //Use to check the size of a payload is not bigger than the data left to process
+
+ //References to objects
+ CIkev1PluginSession* iPluginSession; // IKEv1 plugin session
+ CIkeV1PkiService* iPkiService;
+ CIKECRACKNegotiation* iCRACKneg;
+ CTransNegotiation* iTransactionNeg;
+ CSARekeyInfo* iSARekeyInfo;
+ TIkev1IsakmpStream* iSavedIkeMsgBfr;
+ TBool iVendorIDRfc;
+
+ TBool iPhaseIIAfterIkeSaRekey; // Start PhaseII after IKE SA rekeying
+ TInt64 iHardLifetime;
+
+ CIpsecSaSpiRetriever* iIpsecSaSpiRetriever;
+ CPFKeySocketIf& iPFKeySocketIf;
+ MIkeDebug& iDebug;
+ };
+
+#endif // C_IKEV1NEGOTIATION_H