+struct GNUNET_CORE_MonitorHandle;
+
+
+/**
+ * State machine for our P2P encryption handshake. Everyone starts in
+ * #GNUNET_CORE_KX_STATE_DOWN, if we receive the other peer's key
+ * (other peer initiated) we start in state
+ * #GNUNET_CORE_KX_STATE_KEY_RECEIVED (since we will immediately send
+ * our own); otherwise we start in #GNUNET_CORE_KX_STATE_KEY_SENT. If
+ * we get back a PONG from within either state, we move up to
+ * #GNUNET_CORE_KX_STATE_UP (the PONG will always be sent back
+ * encrypted with the key we sent to the other peer). Eventually,
+ * we will try to rekey, for this we will enter
+ * #GNUNET_CORE_KX_STATE_REKEY_SENT until the rekey operation is
+ * confirmed by a PONG from the other peer.
+ */
+enum GNUNET_CORE_KxState
+{
+ /**
+ * No handshake yet.
+ */
+ GNUNET_CORE_KX_STATE_DOWN = 0,
+
+ /**
+ * We've sent our session key.
+ */
+ GNUNET_CORE_KX_STATE_KEY_SENT,
+
+ /**
+ * We've received the other peers session key.
+ */
+ GNUNET_CORE_KX_STATE_KEY_RECEIVED,
+
+ /**
+ * The other peer has confirmed our session key + PING with a PONG
+ * message encrypted with their session key (which we got). Key
+ * exchange is done.
+ */
+ GNUNET_CORE_KX_STATE_UP,
+
+ /**
+ * We're rekeying (or had a timeout), so we have sent the other peer
+ * our new ephemeral key, but we did not get a matching PONG yet.
+ * This is equivalent to being #GNUNET_CORE_KX_STATE_KEY_RECEIVED,
+ * except that the session is marked as 'up' with sessions (as we
+ * don't want to drop and re-establish P2P connections simply due to
+ * rekeying).
+ */
+ GNUNET_CORE_KX_STATE_REKEY_SENT,
+
+ /**
+ * Last state of a KX (when it is being terminated). Set
+ * just before CORE frees the internal state for this peer.
+ */
+ GNUNET_CORE_KX_PEER_DISCONNECT,
+
+ /**
+ * This is not a state in a peer's state machine, but a special
+ * value used with the #GNUNET_CORE_MonitorCallback to indicate
+ * that we finished the initial iteration over the peers.
+ */
+ GNUNET_CORE_KX_ITERATION_FINISHED,
+
+ /**
+ * This is not a state in a peer's state machine, but a special
+ * value used with the #GNUNET_CORE_MonitorCallback to indicate
+ * that we lost the connection to the CORE service (and will try
+ * to reconnect). If this happens, most likely the CORE service
+ * crashed and thus all connection state should be assumed lost.
+ */
+ GNUNET_CORE_KX_CORE_DISCONNECT
+
+};