]>
Commit | Line | Data |
---|---|---|
7ba38761 | 1 | /* |
9c2a905d | 2 | * Copyright (C) 2006-2008 Tobias Brunner |
d5cc1758 | 3 | * Copyright (C) 2006 Daniel Roethlisberger |
c71d53ba MW |
4 | * Copyright (C) 2005-2006 Martin Willi |
5 | * Copyright (C) 2005 Jan Hutter | |
7ba38761 JH |
6 | * Hochschule fuer Technik Rapperswil |
7 | * | |
8 | * This program is free software; you can redistribute it and/or modify it | |
9 | * under the terms of the GNU General Public License as published by the | |
10 | * Free Software Foundation; either version 2 of the License, or (at your | |
11 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, but | |
14 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
15 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
16 | * for more details. | |
552cc11b MW |
17 | * |
18 | * $Id$ | |
19 | */ | |
20 | ||
21 | /** | |
22 | * @defgroup ike_sa ike_sa | |
23 | * @{ @ingroup sa | |
7ba38761 JH |
24 | */ |
25 | ||
26 | #ifndef IKE_SA_H_ | |
27 | #define IKE_SA_H_ | |
28 | ||
3b04350a | 29 | typedef enum ike_extension_t ike_extension_t; |
17d92e97 | 30 | typedef enum ike_condition_t ike_condition_t; |
382b4817 | 31 | typedef enum ike_sa_state_t ike_sa_state_t; |
ee614711 | 32 | typedef enum statistic_t statistic_t; |
382b4817 MW |
33 | typedef struct ike_sa_t ike_sa_t; |
34 | ||
db7ef624 | 35 | #include <library.h> |
4a962238 | 36 | #include <encoding/message.h> |
b9d9f188 | 37 | #include <encoding/payloads/proposal_substructure.h> |
96f79ff1 | 38 | #include <sa/ike_sa_id.h> |
30b5b412 | 39 | #include <sa/child_sa.h> |
c60c7694 | 40 | #include <sa/tasks/task.h> |
68621281 MW |
41 | #include <crypto/prfs/prf.h> |
42 | #include <crypto/crypters/crypter.h> | |
43 | #include <crypto/signers/signer.h> | |
e0fe7651 MW |
44 | #include <config/peer_cfg.h> |
45 | #include <config/ike_cfg.h> | |
552cc11b | 46 | #include <credentials/auth_info.h> |
8323a9c1 | 47 | |
3b138b84 MW |
48 | /** |
49 | * Timeout in milliseconds after that a half open IKE_SA gets deleted. | |
3b138b84 MW |
50 | */ |
51 | #define HALF_OPEN_IKE_SA_TIMEOUT 30000 | |
52 | ||
53 | /** | |
54 | * Interval to send keepalives when NATed, in seconds. | |
3b138b84 MW |
55 | */ |
56 | #define KEEPALIVE_INTERVAL 20 | |
57 | ||
58 | /** | |
59 | * After which time rekeying should be retried if it failed, in seconds. | |
3b138b84 MW |
60 | */ |
61 | #define RETRY_INTERVAL 30 | |
62 | ||
63 | /** | |
64 | * Jitter to subtract from RETRY_INTERVAL to randomize rekey retry. | |
3b138b84 MW |
65 | */ |
66 | #define RETRY_JITTER 20 | |
67 | ||
3b04350a | 68 | /** |
552cc11b | 69 | * Extensions (or optional features) the peer supports |
3b04350a MW |
70 | */ |
71 | enum ike_extension_t { | |
72 | ||
73 | /** | |
74 | * peer supports NAT traversal as specified in RFC4306 | |
75 | */ | |
17d92e97 | 76 | EXT_NATT = (1<<0), |
3b04350a MW |
77 | |
78 | /** | |
79 | * peer supports MOBIKE (RFC4555) | |
80 | */ | |
17d92e97 | 81 | EXT_MOBIKE = (1<<1), |
6439267a TB |
82 | |
83 | /** | |
84 | * peer supports HTTP cert lookups as specified in RFC4306 | |
85 | */ | |
86 | EXT_HASH_AND_URL = (1<<2), | |
17d92e97 MW |
87 | }; |
88 | ||
89 | /** | |
552cc11b | 90 | * Conditions of an IKE_SA, change during its lifetime |
17d92e97 MW |
91 | */ |
92 | enum ike_condition_t { | |
93 | ||
94 | /** | |
9dae1bed | 95 | * Connection is natted (or faked) somewhere |
17d92e97 MW |
96 | */ |
97 | COND_NAT_ANY = (1<<0), | |
98 | ||
99 | /** | |
100 | * we are behind NAT | |
101 | */ | |
102 | COND_NAT_HERE = (1<<1), | |
103 | ||
104 | /** | |
105 | * other is behind NAT | |
106 | */ | |
107 | COND_NAT_THERE = (1<<2), | |
9dae1bed MW |
108 | |
109 | /** | |
110 | * Faking NAT to enforce UDP encapsulation | |
111 | */ | |
112 | COND_NAT_FAKE = (1<<3), | |
17d92e97 MW |
113 | |
114 | /** | |
ee614711 | 115 | * peer has ben authenticated using EAP |
17d92e97 | 116 | */ |
ee614711 | 117 | COND_EAP_AUTHENTICATED = (1<<4), |
552cc11b MW |
118 | |
119 | /** | |
120 | * received a certificate request from the peer | |
121 | */ | |
96926b00 | 122 | COND_CERTREQ_SEEN = (1<<5), |
ee614711 MW |
123 | }; |
124 | ||
125 | /** | |
126 | * Information and statistics to query from an SA | |
127 | */ | |
128 | enum statistic_t { | |
129 | ||
130 | /** | |
131 | * Relative time for scheduled rekeying | |
132 | */ | |
133 | STAT_REKEY_TIME, | |
134 | ||
135 | /** | |
136 | * Relative time for scheduled reauthentication | |
137 | */ | |
138 | STAT_REAUTH_TIME, | |
3b04350a | 139 | }; |
3b138b84 | 140 | |
8323a9c1 | 141 | /** |
552cc11b | 142 | * State of an IKE_SA. |
cb5c41cd MW |
143 | * |
144 | * An IKE_SA passes various states in its lifetime. A newly created | |
145 | * SA is in the state CREATED. | |
146 | * @verbatim | |
147 | +----------------+ | |
3183006d | 148 | ¦ SA_CREATED ¦ |
cb5c41cd | 149 | +----------------+ |
3183006d MW |
150 | ¦ |
151 | on initiate()---> ¦ <----- on IKE_SA_INIT received | |
152 | V | |
cb5c41cd | 153 | +----------------+ |
3183006d | 154 | ¦ SA_CONNECTING ¦ |
cb5c41cd | 155 | +----------------+ |
3183006d MW |
156 | ¦ |
157 | ¦ <----- on IKE_AUTH successfully completed | |
158 | V | |
cb5c41cd | 159 | +----------------+ |
3183006d MW |
160 | ¦ SA_ESTABLISHED ¦-------------------------+ <-- on rekeying |
161 | +----------------+ ¦ | |
162 | ¦ V | |
163 | on delete()---> ¦ <----- on IKE_SA +-------------+ | |
164 | ¦ delete request ¦ SA_REKEYING ¦ | |
165 | ¦ received +-------------+ | |
166 | V ¦ | |
167 | +----------------+ ¦ | |
168 | ¦ SA_DELETING ¦<------------------------+ <-- after rekeying | |
cb5c41cd | 169 | +----------------+ |
3183006d MW |
170 | ¦ |
171 | ¦ <----- after delete() acknowledged | |
172 | ¦ | |
173 | \V/ | |
cb5c41cd MW |
174 | X |
175 | / \ | |
176 | @endverbatim | |
8323a9c1 | 177 | */ |
3dd3c5f3 MW |
178 | enum ike_sa_state_t { |
179 | ||
180 | /** | |
181 | * IKE_SA just got created, but is not initiating nor responding yet. | |
182 | */ | |
bcb95ced | 183 | IKE_CREATED, |
3dd3c5f3 MW |
184 | |
185 | /** | |
186 | * IKE_SA gets initiated actively or passively | |
187 | */ | |
bcb95ced | 188 | IKE_CONNECTING, |
3dd3c5f3 MW |
189 | |
190 | /** | |
191 | * IKE_SA is fully established | |
192 | */ | |
bcb95ced | 193 | IKE_ESTABLISHED, |
3dd3c5f3 | 194 | |
3183006d MW |
195 | /** |
196 | * IKE_SA rekeying in progress | |
197 | */ | |
198 | IKE_REKEYING, | |
199 | ||
3dd3c5f3 MW |
200 | /** |
201 | * IKE_SA is in progress of deletion | |
202 | */ | |
bcb95ced | 203 | IKE_DELETING, |
3dd3c5f3 MW |
204 | }; |
205 | ||
206 | /** | |
60356f33 | 207 | * enum names for ike_sa_state_t. |
3dd3c5f3 | 208 | */ |
60356f33 | 209 | extern enum_name_t *ike_sa_state_names; |
7ba38761 JH |
210 | |
211 | /** | |
552cc11b | 212 | * Class ike_sa_t representing an IKE_SA. |
3dd3c5f3 MW |
213 | * |
214 | * An IKE_SA contains crypto information related to a connection | |
215 | * with a peer. It contains multiple IPsec CHILD_SA, for which | |
216 | * it is responsible. All traffic is handled by an IKE_SA, using | |
c60c7694 | 217 | * the task manager and its tasks. |
7ba38761 | 218 | */ |
5796aa16 | 219 | struct ike_sa_t { |
7ba38761 JH |
220 | |
221 | /** | |
552cc11b | 222 | * Get the id of the SA. |
3dd3c5f3 MW |
223 | * |
224 | * Returned ike_sa_id_t object is not getting cloned! | |
c3dc6f1a | 225 | * |
3dd3c5f3 | 226 | * @return ike_sa's ike_sa_id_t |
7ba38761 | 227 | */ |
3dd3c5f3 MW |
228 | ike_sa_id_t* (*get_id) (ike_sa_t *this); |
229 | ||
c60c7694 | 230 | /** |
552cc11b | 231 | * Get the numerical ID uniquely defining this IKE_SA. |
c60c7694 | 232 | * |
c60c7694 MW |
233 | * @return unique ID |
234 | */ | |
235 | u_int32_t (*get_unique_id) (ike_sa_t *this); | |
236 | ||
3dd3c5f3 | 237 | /** |
552cc11b | 238 | * Get the state of the IKE_SA. |
3dd3c5f3 | 239 | * |
3dd3c5f3 MW |
240 | * @return state of the IKE_SA |
241 | */ | |
242 | ike_sa_state_t (*get_state) (ike_sa_t *this); | |
243 | ||
244 | /** | |
552cc11b | 245 | * Set the state of the IKE_SA. |
3dd3c5f3 | 246 | * |
3dd3c5f3 MW |
247 | * @param state state to set for the IKE_SA |
248 | */ | |
249 | void (*set_state) (ike_sa_t *this, ike_sa_state_t ike_sa); | |
8dfbe71b MW |
250 | |
251 | /** | |
552cc11b | 252 | * Get the name of the connection this IKE_SA uses. |
8dfbe71b | 253 | * |
8dfbe71b MW |
254 | * @return name |
255 | */ | |
256 | char* (*get_name) (ike_sa_t *this); | |
257 | ||
ee614711 | 258 | /** |
552cc11b | 259 | * Get statistic values from the IKE_SA. |
ee614711 | 260 | * |
ee614711 MW |
261 | * @param kind kind of requested value |
262 | * @return value as integer | |
263 | */ | |
264 | u_int32_t (*get_statistic)(ike_sa_t *this, statistic_t kind); | |
265 | ||
8dfbe71b | 266 | /** |
552cc11b | 267 | * Get the own host address. |
8dfbe71b | 268 | * |
8dfbe71b MW |
269 | * @return host address |
270 | */ | |
271 | host_t* (*get_my_host) (ike_sa_t *this); | |
272 | ||
fe04e93a | 273 | /** |
552cc11b | 274 | * Set the own host address. |
fe04e93a | 275 | * |
fe04e93a MW |
276 | * @param me host address |
277 | */ | |
278 | void (*set_my_host) (ike_sa_t *this, host_t *me); | |
279 | ||
8dfbe71b | 280 | /** |
552cc11b | 281 | * Get the other peers host address. |
8dfbe71b | 282 | * |
8dfbe71b MW |
283 | * @return host address |
284 | */ | |
285 | host_t* (*get_other_host) (ike_sa_t *this); | |
286 | ||
fe04e93a | 287 | /** |
552cc11b | 288 | * Set the others host address. |
fe04e93a | 289 | * |
fe04e93a MW |
290 | * @param other host address |
291 | */ | |
292 | void (*set_other_host) (ike_sa_t *this, host_t *other); | |
293 | ||
2b3100b5 | 294 | /** |
552cc11b | 295 | * Update the IKE_SAs host. |
2b3100b5 MW |
296 | * |
297 | * Hosts may be NULL to use current host. | |
298 | * | |
2b3100b5 MW |
299 | * @param me new local host address, or NULL |
300 | * @param other new remote host address, or NULL | |
301 | */ | |
302 | void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other); | |
303 | ||
8dfbe71b | 304 | /** |
552cc11b | 305 | * Get the own identification. |
8dfbe71b | 306 | * |
8dfbe71b MW |
307 | * @return identification |
308 | */ | |
309 | identification_t* (*get_my_id) (ike_sa_t *this); | |
310 | ||
311 | /** | |
552cc11b | 312 | * Set the own identification. |
8dfbe71b | 313 | * |
8dfbe71b MW |
314 | * @param me identification |
315 | */ | |
316 | void (*set_my_id) (ike_sa_t *this, identification_t *me); | |
317 | ||
318 | /** | |
552cc11b | 319 | * Get the other peer's identification. |
8dfbe71b | 320 | * |
8dfbe71b MW |
321 | * @return identification |
322 | */ | |
323 | identification_t* (*get_other_id) (ike_sa_t *this); | |
324 | ||
325 | /** | |
552cc11b | 326 | * Set the other peer's identification. |
8dfbe71b | 327 | * |
8dfbe71b MW |
328 | * @param other identification |
329 | */ | |
330 | void (*set_other_id) (ike_sa_t *this, identification_t *other); | |
c60c7694 | 331 | |
82290106 MW |
332 | /** |
333 | * Get the peers EAP identity. | |
334 | * | |
335 | * The EAP identity is exchanged in a EAP-Identity exchange. | |
336 | * | |
337 | * @return identification, NULL if none set | |
338 | */ | |
339 | identification_t* (*get_eap_identity) (ike_sa_t *this); | |
340 | ||
341 | /** | |
342 | * Set the peer's EAP identity. | |
343 | * | |
344 | * @param id identification | |
345 | */ | |
346 | void (*set_eap_identity) (ike_sa_t *this, identification_t *id); | |
347 | ||
7d26a0ee | 348 | /** |
552cc11b | 349 | * Get the config used to setup this IKE_SA. |
7d26a0ee | 350 | * |
e0fe7651 | 351 | * @return ike_config |
c60c7694 | 352 | */ |
e0fe7651 | 353 | ike_cfg_t* (*get_ike_cfg) (ike_sa_t *this); |
c60c7694 MW |
354 | |
355 | /** | |
552cc11b | 356 | * Set the config to setup this IKE_SA. |
c60c7694 | 357 | * |
e0fe7651 | 358 | * @param config ike_config to use |
c60c7694 | 359 | */ |
e0fe7651 | 360 | void (*set_ike_cfg) (ike_sa_t *this, ike_cfg_t* config); |
c60c7694 MW |
361 | |
362 | /** | |
552cc11b | 363 | * Get the peer config used by this IKE_SA. |
c60c7694 | 364 | * |
e0fe7651 | 365 | * @return peer_config |
c60c7694 | 366 | */ |
e0fe7651 | 367 | peer_cfg_t* (*get_peer_cfg) (ike_sa_t *this); |
c60c7694 MW |
368 | |
369 | /** | |
552cc11b | 370 | * Set the peer config to use with this IKE_SA. |
c60c7694 | 371 | * |
e0fe7651 | 372 | * @param config peer_config to use |
c60c7694 | 373 | */ |
e0fe7651 | 374 | void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config); |
3b04350a MW |
375 | |
376 | /** | |
552cc11b MW |
377 | * Get authentication/authorization info for local peer. |
378 | * | |
379 | * @return auth_info for me | |
380 | */ | |
381 | auth_info_t* (*get_my_auth)(ike_sa_t *this); | |
382 | ||
383 | /** | |
384 | * Get authentication/authorization info for remote peer. | |
385 | * | |
386 | * @return auth_info for me | |
387 | */ | |
388 | auth_info_t* (*get_other_auth)(ike_sa_t *this); | |
389 | ||
390 | /** | |
391 | * Add an additional address for the peer. | |
17d92e97 MW |
392 | * |
393 | * In MOBIKE, a peer may transmit additional addresses where it is | |
394 | * reachable. These are stored in the IKE_SA. | |
395 | * The own list of addresses is not stored, they are queried from | |
396 | * the kernel when required. | |
3b04350a | 397 | * |
17d92e97 | 398 | * @param host host to add to list |
3b04350a | 399 | */ |
17d92e97 MW |
400 | void (*add_additional_address)(ike_sa_t *this, host_t *host); |
401 | ||
402 | /** | |
552cc11b | 403 | * Create an iterator over all additional addresses of the peer. |
17d92e97 | 404 | * |
17d92e97 MW |
405 | * @return iterator over addresses |
406 | */ | |
407 | iterator_t* (*create_additional_address_iterator)(ike_sa_t *this); | |
3b04350a MW |
408 | |
409 | /** | |
552cc11b | 410 | * Enable an extension the peer supports. |
3b04350a MW |
411 | * |
412 | * If support for an IKE extension is detected, this method is called | |
413 | * to enable that extension and behave accordingly. | |
414 | * | |
3b04350a MW |
415 | * @param extension extension to enable |
416 | */ | |
417 | void (*enable_extension)(ike_sa_t *this, ike_extension_t extension); | |
418 | ||
17d92e97 | 419 | /** |
552cc11b | 420 | * Check if the peer supports an extension. |
17d92e97 | 421 | * |
17d92e97 MW |
422 | * @param extension extension to check for support |
423 | * @return TRUE if peer supports it, FALSE otherwise | |
424 | */ | |
425 | bool (*supports_extension)(ike_sa_t *this, ike_extension_t extension); | |
426 | ||
427 | /** | |
552cc11b | 428 | * Enable/disable a condition flag for this IKE_SA. |
17d92e97 | 429 | * |
17d92e97 MW |
430 | * @param condition condition to enable/disable |
431 | * @param enable TRUE to enable condition, FALSE to disable | |
432 | */ | |
433 | void (*set_condition) (ike_sa_t *this, ike_condition_t condition, bool enable); | |
434 | ||
435 | /** | |
552cc11b | 436 | * Check if a condition flag is set. |
17d92e97 | 437 | * |
17d92e97 MW |
438 | * @param condition condition to check |
439 | * @return TRUE if condition flag set, FALSE otherwise | |
440 | */ | |
441 | bool (*has_condition) (ike_sa_t *this, ike_condition_t condition); | |
442 | ||
3bc62fe7 | 443 | /** |
552cc11b | 444 | * Get the number of queued MOBIKE address updates. |
3bc62fe7 | 445 | * |
3bc62fe7 MW |
446 | * @return number of pending updates |
447 | */ | |
448 | u_int32_t (*get_pending_updates)(ike_sa_t *this); | |
449 | ||
450 | /** | |
552cc11b | 451 | * Set the number of queued MOBIKE address updates. |
3bc62fe7 | 452 | * |
3bc62fe7 MW |
453 | * @param updates number of pending updates |
454 | */ | |
455 | void (*set_pending_updates)(ike_sa_t *this, u_int32_t updates); | |
4a035181 TB |
456 | |
457 | /** | |
458 | * Check if we are the original initiator of this IKE_SA (rekeying does not | |
459 | * change this flag). | |
460 | */ | |
461 | bool (*is_ike_initiator)(ike_sa_t *this); | |
462 | ||
d5cc1758 | 463 | |
dc04b7c7 | 464 | #ifdef ME |
22452f70 TB |
465 | /** |
466 | * Activate mediation server functionality for this IKE_SA. | |
467 | */ | |
468 | void (*act_as_mediation_server) (ike_sa_t *this); | |
469 | ||
d5cc1758 | 470 | /** |
552cc11b | 471 | * Get the server reflexive host. |
d5cc1758 | 472 | * |
d5cc1758 TB |
473 | * @return server reflexive host |
474 | */ | |
475 | host_t* (*get_server_reflexive_host) (ike_sa_t *this); | |
476 | ||
477 | /** | |
552cc11b | 478 | * Set the server reflexive host. |
d5cc1758 | 479 | * |
d5cc1758 TB |
480 | * @param host server reflexive host |
481 | */ | |
482 | void (*set_server_reflexive_host) (ike_sa_t *this, host_t *host); | |
483 | ||
9c2a905d TB |
484 | /** |
485 | * Get the connect ID. | |
486 | * | |
487 | * @return connect ID | |
488 | */ | |
489 | chunk_t (*get_connect_id) (ike_sa_t *this); | |
490 | ||
d5cc1758 | 491 | /** |
552cc11b | 492 | * Initiate the mediation of a mediated connection (i.e. initiate a |
dc04b7c7 | 493 | * ME_CONNECT exchange). |
d5cc1758 | 494 | * |
d5cc1758 TB |
495 | * @param mediated_cfg peer_cfg of the mediated connection |
496 | * @return | |
552cc11b MW |
497 | * - SUCCESS if initialization started |
498 | * - DESTROY_ME if initialization failed | |
d5cc1758 TB |
499 | */ |
500 | status_t (*initiate_mediation) (ike_sa_t *this, peer_cfg_t *mediated_cfg); | |
501 | ||
502 | /** | |
552cc11b | 503 | * Initiate the mediated connection |
d5cc1758 | 504 | * |
d5cc1758 TB |
505 | * @param me local endpoint (gets cloned) |
506 | * @param other remote endpoint (gets cloned) | |
9c2a905d | 507 | * @param connect_id connect ID (gets cloned) |
d5cc1758 | 508 | * @return |
552cc11b MW |
509 | * - SUCCESS if initialization started |
510 | * - DESTROY_ME if initialization failed | |
d5cc1758 TB |
511 | */ |
512 | status_t (*initiate_mediated) (ike_sa_t *this, host_t *me, host_t *other, | |
4a6474c2 | 513 | chunk_t connect_id); |
d5cc1758 TB |
514 | |
515 | /** | |
552cc11b | 516 | * Relay data from one peer to another (i.e. initiate a |
dc04b7c7 | 517 | * ME_CONNECT exchange). |
d5cc1758 TB |
518 | * |
519 | * Data is cloned. | |
520 | * | |
d5cc1758 | 521 | * @param requester ID of the requesting peer |
dc04b7c7 TB |
522 | * @param connect_id data of the ME_CONNECTID payload |
523 | * @param connect_key data of the ME_CONNECTKEY payload | |
d5cc1758 TB |
524 | * @param endpoints endpoints |
525 | * @param response TRUE if this is a response | |
526 | * @return | |
552cc11b MW |
527 | * - SUCCESS if relay started |
528 | * - DESTROY_ME if relay failed | |
d5cc1758 | 529 | */ |
dc04b7c7 TB |
530 | status_t (*relay) (ike_sa_t *this, identification_t *requester, chunk_t connect_id, |
531 | chunk_t connect_key, linked_list_t *endpoints, bool response); | |
d5cc1758 TB |
532 | |
533 | /** | |
552cc11b | 534 | * Send a callback to a peer. |
d5cc1758 TB |
535 | * |
536 | * Data is cloned. | |
537 | * | |
d5cc1758 TB |
538 | * @param peer_id ID of the other peer |
539 | * @return | |
552cc11b MW |
540 | * - SUCCESS if response started |
541 | * - DESTROY_ME if response failed | |
d5cc1758 TB |
542 | */ |
543 | status_t (*callback) (ike_sa_t *this, identification_t *peer_id); | |
544 | ||
545 | /** | |
dc04b7c7 | 546 | * Respond to a ME_CONNECT request. |
d5cc1758 TB |
547 | * |
548 | * Data is cloned. | |
549 | * | |
d5cc1758 | 550 | * @param peer_id ID of the other peer |
dc04b7c7 | 551 | * @param connect_id the connect ID supplied by the initiator |
d5cc1758 | 552 | * @return |
552cc11b MW |
553 | * - SUCCESS if response started |
554 | * - DESTROY_ME if response failed | |
d5cc1758 | 555 | */ |
dc04b7c7 TB |
556 | status_t (*respond) (ike_sa_t *this, identification_t *peer_id, chunk_t connect_id); |
557 | #endif /* ME */ | |
3bc62fe7 | 558 | |
2c220249 | 559 | /** |
552cc11b | 560 | * Initiate a new connection. |
3dd3c5f3 | 561 | * |
e0fe7651 | 562 | * The configs are owned by the IKE_SA after the call. |
2c220249 | 563 | * |
e0fe7651 | 564 | * @param child_cfg child config to create CHILD from |
8dfbe71b MW |
565 | * @return |
566 | * - SUCCESS if initialization started | |
e0fe7651 | 567 | * - DESTROY_ME if initialization failed |
8dfbe71b | 568 | */ |
e0fe7651 | 569 | status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg); |
8dfbe71b MW |
570 | |
571 | /** | |
552cc11b | 572 | * Route a policy in the kernel. |
8dfbe71b MW |
573 | * |
574 | * Installs the policies in the kernel. If traffic matches, | |
575 | * the kernel requests connection setup from the IKE_SA via acquire(). | |
8dfbe71b | 576 | * |
e0fe7651 | 577 | * @param child_cfg child config to route |
8dfbe71b | 578 | * @return |
45f76a7d MW |
579 | * - SUCCESS if routed successfully |
580 | * - FAILED if routing failed | |
8dfbe71b | 581 | */ |
e0fe7651 | 582 | status_t (*route) (ike_sa_t *this, child_cfg_t *child_cfg); |
45f76a7d MW |
583 | |
584 | /** | |
552cc11b | 585 | * Unroute a policy in the kernel previously routed. |
45f76a7d | 586 | * |
ce27ac80 | 587 | * @param reqid reqid of CHILD_SA to unroute |
45f76a7d MW |
588 | * @return |
589 | * - SUCCESS if route removed | |
ce27ac80 | 590 | * - NOT_FOUND if CHILD_SA not found |
e0fe7651 | 591 | * - DESTROY_ME if last CHILD_SA was unrouted |
45f76a7d | 592 | */ |
ce27ac80 | 593 | status_t (*unroute) (ike_sa_t *this, u_int32_t reqid); |
8dfbe71b MW |
594 | |
595 | /** | |
552cc11b | 596 | * Acquire connection setup for an installed kernel policy. |
8dfbe71b MW |
597 | * |
598 | * If an installed policy raises an acquire, the kernel calls | |
3183006d | 599 | * this function to establish the CHILD_SA (and maybe the IKE_SA). |
8dfbe71b | 600 | * |
8dfbe71b | 601 | * @param reqid reqid of the CHILD_SA the policy belongs to. |
79b8aa19 MW |
602 | * @return |
603 | * - SUCCESS if initialization started | |
e0fe7651 | 604 | * - DESTROY_ME if initialization failed |
2c220249 | 605 | */ |
8dfbe71b | 606 | status_t (*acquire) (ike_sa_t *this, u_int32_t reqid); |
5534ee84 | 607 | |
1396815a | 608 | /** |
552cc11b | 609 | * Initiates the deletion of an IKE_SA. |
3dd3c5f3 MW |
610 | * |
611 | * Sends a delete message to the remote peer and waits for | |
612 | * its response. If the response comes in, or a timeout occurs, | |
613 | * the IKE SA gets deleted. | |
1396815a | 614 | * |
1396815a | 615 | * @return |
3dd3c5f3 MW |
616 | * - SUCCESS if deletion is initialized |
617 | * - INVALID_STATE, if the IKE_SA is not in | |
618 | * an established state and can not be | |
619 | * delete (but destroyed). | |
1396815a | 620 | */ |
3dd3c5f3 MW |
621 | status_t (*delete) (ike_sa_t *this); |
622 | ||
17d92e97 | 623 | /** |
552cc11b | 624 | * Update IKE_SAs after network interfaces have changed. |
17d92e97 MW |
625 | * |
626 | * Whenever the network interface configuration changes, the kernel | |
627 | * interface calls roam() on each IKE_SA. The IKE_SA then checks if | |
628 | * the new network config requires changes, and handles appropriate. | |
629 | * If MOBIKE is supported, addresses are updated; If not, the tunnel is | |
630 | * restarted. | |
631 | * | |
3bc62fe7 MW |
632 | * @param address TRUE if address list changed, FALSE otherwise |
633 | * @return SUCCESS, FAILED, DESTROY_ME | |
17d92e97 | 634 | */ |
3bc62fe7 | 635 | status_t (*roam)(ike_sa_t *this, bool address); |
17d92e97 | 636 | |
13e4a62f | 637 | /** |
552cc11b | 638 | * Processes a incoming IKEv2-Message. |
13e4a62f | 639 | * |
3dd3c5f3 MW |
640 | * Message processing may fail. If a critical failure occurs, |
641 | * process_message() return DESTROY_ME. Then the caller must | |
642 | * destroy the IKE_SA immediatly, as it is unusable. | |
e168ee17 | 643 | * |
552cc11b | 644 | * @param message message to process |
3dd3c5f3 MW |
645 | * @return |
646 | * - SUCCESS | |
647 | * - FAILED | |
648 | * - DESTROY_ME if this IKE_SA MUST be deleted | |
e168ee17 | 649 | */ |
698d7749 | 650 | status_t (*process_message) (ike_sa_t *this, message_t *message); |
e314700c | 651 | |
bcb95ced | 652 | /** |
552cc11b | 653 | * Generate a IKE message to send it to the peer. |
c60c7694 MW |
654 | * |
655 | * This method generates all payloads in the message and encrypts/signs | |
656 | * the packet. | |
657 | * | |
c60c7694 MW |
658 | * @param message message to generate |
659 | * @param packet generated output packet | |
660 | * @return | |
661 | * - SUCCESS | |
662 | * - FAILED | |
663 | * - DESTROY_ME if this IKE_SA MUST be deleted | |
bcb95ced | 664 | */ |
c60c7694 MW |
665 | status_t (*generate_message) (ike_sa_t *this, message_t *message, |
666 | packet_t **packet); | |
bcb95ced | 667 | |
1396815a | 668 | /** |
552cc11b | 669 | * Retransmits a request. |
397f3448 | 670 | * |
c60c7694 MW |
671 | * @param message_id ID of the request to retransmit |
672 | * @return | |
673 | * - SUCCESS | |
674 | * - NOT_FOUND if request doesn't have to be retransmited | |
397f3448 | 675 | */ |
c60c7694 MW |
676 | status_t (*retransmit) (ike_sa_t *this, u_int32_t message_id); |
677 | ||
1396815a | 678 | /** |
552cc11b | 679 | * Sends a DPD request to the peer. |
1396815a | 680 | * |
3dd3c5f3 MW |
681 | * To check if a peer is still alive, periodic |
682 | * empty INFORMATIONAL messages are sent if no | |
683 | * other traffic was received. | |
684 | * | |
3dd3c5f3 MW |
685 | * @return |
686 | * - SUCCESS | |
687 | * - DESTROY_ME, if peer did not respond | |
2f89902d | 688 | */ |
3dd3c5f3 MW |
689 | status_t (*send_dpd) (ike_sa_t *this); |
690 | ||
2f89902d | 691 | /** |
552cc11b | 692 | * Sends a keep alive packet. |
2f89902d | 693 | * |
3dd3c5f3 MW |
694 | * To refresh NAT tables in a NAT router |
695 | * between the peers, periodic empty | |
696 | * UDP packets are sent if no other traffic | |
697 | * was sent. | |
1396815a | 698 | */ |
3dd3c5f3 | 699 | void (*send_keepalive) (ike_sa_t *this); |
3dd3c5f3 | 700 | |
2c220249 | 701 | /** |
552cc11b | 702 | * Derive all keys and create the transforms for IKE communication. |
fe04e93a | 703 | * |
ce461bbd | 704 | * Keys are derived using the diffie hellman secret, nonces and internal |
3dd3c5f3 | 705 | * stored SPIs. |
fe04e93a MW |
706 | * Key derivation differs when an IKE_SA is set up to replace an |
707 | * existing IKE_SA (rekeying). The SK_d key from the old IKE_SA | |
708 | * is included in the derivation process. | |
709 | * | |
3dd3c5f3 | 710 | * @param proposal proposal which contains algorithms to use |
c60c7694 | 711 | * @param secret secret derived from DH exchange, gets freed |
3dd3c5f3 MW |
712 | * @param nonce_i initiators nonce |
713 | * @param nonce_r responders nonce | |
fe04e93a | 714 | * @param initiator TRUE if initiator, FALSE otherwise |
3183006d MW |
715 | * @param child_prf PRF with SK_d key when rekeying, NULL otherwise |
716 | * @param old_prf general purpose PRF of old SA when rekeying | |
3dd3c5f3 | 717 | */ |
c60c7694 | 718 | status_t (*derive_keys)(ike_sa_t *this, proposal_t* proposal, chunk_t secret, |
fe04e93a | 719 | chunk_t nonce_i, chunk_t nonce_r, |
3183006d | 720 | bool initiator, prf_t *child_prf, prf_t *old_prf); |
0fdc3c7f | 721 | |
bc997f65 AS |
722 | /** |
723 | * Get the selected IKE proposal string | |
724 | * | |
725 | * @return string describing the selected IKE proposal | |
726 | */ | |
727 | char* (*get_proposal)(ike_sa_t *this); | |
728 | ||
729 | /** | |
730 | * Set the selected IKE proposal string for status information purposes | |
731 | * (the "%P" printf format handler is used) | |
732 | * | |
733 | * @param proposal string describing the selected IKE proposal | |
734 | */ | |
735 | void (*set_proposal)(ike_sa_t *this, char *proposal); | |
736 | ||
0fdc3c7f | 737 | /** |
552cc11b | 738 | * Get a multi purpose prf for the negotiated PRF function. |
0fdc3c7f | 739 | * |
3dd3c5f3 | 740 | * @return pointer to prf_t object |
0fdc3c7f | 741 | */ |
3dd3c5f3 | 742 | prf_t *(*get_prf) (ike_sa_t *this); |
0fdc3c7f | 743 | |
5b97779f | 744 | /** |
552cc11b | 745 | * Get the prf-object, which is used to derive keys for child SAs. |
5b97779f | 746 | * |
3dd3c5f3 | 747 | * @return pointer to prf_t object |
5b97779f | 748 | */ |
3dd3c5f3 | 749 | prf_t *(*get_child_prf) (ike_sa_t *this); |
5b97779f | 750 | |
ce461bbd | 751 | /** |
552cc11b | 752 | * Get the key to build outgoing authentication data. |
ce461bbd | 753 | * |
3dd3c5f3 | 754 | * @return pointer to prf_t object |
ce461bbd | 755 | */ |
0706c39c | 756 | chunk_t (*get_skp_build) (ike_sa_t *this); |
ce461bbd MW |
757 | |
758 | /** | |
552cc11b | 759 | * Get the key to verify incoming authentication data. |
ce461bbd | 760 | * |
3dd3c5f3 | 761 | * @return pointer to prf_t object |
695723d4 | 762 | */ |
0706c39c | 763 | chunk_t (*get_skp_verify) (ike_sa_t *this); |
695723d4 MW |
764 | |
765 | /** | |
552cc11b | 766 | * Associates a child SA to this IKE SA |
695723d4 | 767 | * |
698d7749 | 768 | * @param child_sa child_sa to add |
695723d4 | 769 | */ |
698d7749 MW |
770 | void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa); |
771 | ||
971218c3 | 772 | /** |
552cc11b | 773 | * Get a CHILD_SA identified by protocol and SPI. |
ae3012a0 | 774 | * |
698d7749 MW |
775 | * @param protocol protocol of the SA |
776 | * @param spi SPI of the CHILD_SA | |
777 | * @param inbound TRUE if SPI is inbound, FALSE if outbound | |
778 | * @return child_sa, or NULL if none found | |
3dd3c5f3 | 779 | */ |
698d7749 MW |
780 | child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol, |
781 | u_int32_t spi, bool inbound); | |
1396815a | 782 | |
3183006d | 783 | /** |
552cc11b | 784 | * Create an iterator over all CHILD_SAs. |
3183006d | 785 | * |
3183006d MW |
786 | * @return iterator |
787 | */ | |
788 | iterator_t* (*create_child_sa_iterator) (ike_sa_t *this); | |
789 | ||
1396815a | 790 | /** |
552cc11b | 791 | * Rekey the CHILD SA with the specified reqid. |
1396815a | 792 | * |
3dd3c5f3 | 793 | * Looks for a CHILD SA owned by this IKE_SA, and start the rekeing. |
1396815a | 794 | * |
698d7749 MW |
795 | * @param protocol protocol of the SA |
796 | * @param spi inbound SPI of the CHILD_SA | |
3dd3c5f3 MW |
797 | * @return |
798 | * - NOT_FOUND, if IKE_SA has no such CHILD_SA | |
799 | * - SUCCESS, if rekeying initiated | |
1396815a | 800 | */ |
698d7749 MW |
801 | status_t (*rekey_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi); |
802 | ||
1396815a | 803 | /** |
552cc11b | 804 | * Close the CHILD SA with the specified protocol/SPI. |
698d7749 MW |
805 | * |
806 | * Looks for a CHILD SA owned by this IKE_SA, deletes it and | |
807 | * notify's the remote peer about the delete. The associated | |
808 | * states and policies in the kernel get deleted, if they exist. | |
809 | * | |
698d7749 MW |
810 | * @param protocol protocol of the SA |
811 | * @param spi inbound SPI of the CHILD_SA | |
812 | * @return | |
813 | * - NOT_FOUND, if IKE_SA has no such CHILD_SA | |
814 | * - SUCCESS, if delete message sent | |
1396815a | 815 | */ |
698d7749 MW |
816 | status_t (*delete_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi); |
817 | ||
1396815a | 818 | /** |
552cc11b | 819 | * Destroy a CHILD SA with the specified protocol/SPI. |
698d7749 MW |
820 | * |
821 | * Looks for a CHILD SA owned by this IKE_SA and destroys it. | |
822 | * | |
698d7749 MW |
823 | * @param protocol protocol of the SA |
824 | * @param spi inbound SPI of the CHILD_SA | |
825 | * @return | |
826 | * - NOT_FOUND, if IKE_SA has no such CHILD_SA | |
827 | * - SUCCESS | |
1396815a | 828 | */ |
698d7749 | 829 | status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi); |
fe04e93a | 830 | |
fe04e93a | 831 | /** |
552cc11b | 832 | * Rekey the IKE_SA. |
fe04e93a MW |
833 | * |
834 | * Sets up a new IKE_SA, moves all CHILDs to it and deletes this IKE_SA. | |
835 | * | |
fe04e93a MW |
836 | * @return - SUCCESS, if IKE_SA rekeying initiated |
837 | */ | |
838 | status_t (*rekey) (ike_sa_t *this); | |
839 | ||
6fe03b0a | 840 | /** |
96926b00 | 841 | * Reauthenticate the IKE_SA. |
6fe03b0a MW |
842 | * |
843 | * Create a completely new IKE_SA with authentication, recreates all children | |
26424f03 | 844 | * within the IKE_SA, closes this IKE_SA. |
6fe03b0a | 845 | * |
26424f03 | 846 | * @return DESTROY_ME to destroy the IKE_SA |
6fe03b0a | 847 | */ |
96926b00 MW |
848 | status_t (*reauth) (ike_sa_t *this); |
849 | ||
850 | /** | |
851 | * Restablish the IKE_SA. | |
852 | * | |
853 | * Reestablish an IKE_SA after it has been closed. | |
854 | * | |
855 | * @return DESTROY_ME to destroy the IKE_SA | |
856 | */ | |
26424f03 | 857 | status_t (*reestablish) (ike_sa_t *this); |
c60c7694 | 858 | |
ee614711 | 859 | /** |
552cc11b | 860 | * Set the lifetime limit received from a AUTH_LIFETIME notify. |
ee614711 | 861 | * |
ee614711 MW |
862 | * @param lifetime lifetime in seconds |
863 | */ | |
864 | void (*set_auth_lifetime)(ike_sa_t *this, u_int32_t lifetime); | |
865 | ||
3183006d | 866 | /** |
552cc11b | 867 | * Set the virtual IP to use for this IKE_SA and its children. |
c60c7694 MW |
868 | * |
869 | * The virtual IP is assigned per IKE_SA, not per CHILD_SA. It has the same | |
870 | * lifetime as the IKE_SA. | |
3183006d | 871 | * |
552cc11b MW |
872 | * @param local TRUE to set local address, FALSE for remote |
873 | * @param ip IP to set as virtual IP | |
3183006d | 874 | */ |
c60c7694 MW |
875 | void (*set_virtual_ip) (ike_sa_t *this, bool local, host_t *ip); |
876 | ||
3183006d | 877 | /** |
552cc11b | 878 | * Get the virtual IP configured. |
3183006d | 879 | * |
c60c7694 | 880 | * @param local TRUE to get local virtual IP, FALSE for remote |
552cc11b | 881 | * @return host_t *virtual IP |
3183006d | 882 | */ |
c60c7694 MW |
883 | host_t* (*get_virtual_ip) (ike_sa_t *this, bool local); |
884 | ||
885 | /** | |
552cc11b | 886 | * Add a DNS server to the system. |
c60c7694 MW |
887 | * |
888 | * An IRAS may send a DNS server. To use it, it is installed on the | |
889 | * system. The DNS entry has a lifetime until the IKE_SA gets closed. | |
890 | * | |
c60c7694 MW |
891 | * @param dns DNS server to install on the system |
892 | */ | |
893 | void (*add_dns_server) (ike_sa_t *this, host_t *dns); | |
894 | ||
fe04e93a | 895 | /** |
552cc11b | 896 | * Inherit all attributes of other to this after rekeying. |
fe04e93a | 897 | * |
c60c7694 MW |
898 | * When rekeying is completed, all CHILD_SAs, the virtual IP and all |
899 | * outstanding tasks are moved from other to this. | |
e23a59f6 | 900 | * As this call may initiate inherited tasks, a status is returned. |
c60c7694 | 901 | * |
e23a59f6 MW |
902 | * @param other other task to inherit from |
903 | * @return DESTROY_ME if initiation of inherited task failed | |
c60c7694 | 904 | */ |
e23a59f6 | 905 | status_t (*inherit) (ike_sa_t *this, ike_sa_t *other); |
c60c7694 MW |
906 | |
907 | /** | |
552cc11b | 908 | * Reset the IKE_SA, useable when initiating fails |
fe04e93a | 909 | */ |
c60c7694 | 910 | void (*reset) (ike_sa_t *this); |
3dd3c5f3 | 911 | |
1396815a | 912 | /** |
552cc11b | 913 | * Destroys a ike_sa_t object. |
1396815a | 914 | */ |
3dd3c5f3 | 915 | void (*destroy) (ike_sa_t *this); |
8323a9c1 JH |
916 | }; |
917 | ||
7ba38761 | 918 | /** |
552cc11b | 919 | * Creates an ike_sa_t object with a specific ID. |
c3dc6f1a | 920 | * |
698d7749 MW |
921 | * @param ike_sa_id ike_sa_id_t object to associate with new IKE_SA |
922 | * @return ike_sa_t object | |
7ba38761 | 923 | */ |
3dd3c5f3 | 924 | ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id); |
7ba38761 | 925 | |
552cc11b | 926 | #endif /* IKE_SA_H_ @} */ |