]>
Commit | Line | Data |
---|---|---|
7ba38761 | 1 | /* |
9c2a905d | 2 | * Copyright (C) 2006-2008 Tobias Brunner |
d5cc1758 | 3 | * Copyright (C) 2006 Daniel Roethlisberger |
a44bb934 | 4 | * Copyright (C) 2005-2009 Martin Willi |
c71d53ba | 5 | * Copyright (C) 2005 Jan Hutter |
7ba38761 JH |
6 | * Hochschule fuer Technik Rapperswil |
7 | * | |
8 | * This program is free software; you can redistribute it and/or modify it | |
9 | * under the terms of the GNU General Public License as published by the | |
10 | * Free Software Foundation; either version 2 of the License, or (at your | |
11 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, but | |
14 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
15 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
16 | * for more details. | |
552cc11b MW |
17 | */ |
18 | ||
19 | /** | |
20 | * @defgroup ike_sa ike_sa | |
21 | * @{ @ingroup sa | |
7ba38761 JH |
22 | */ |
23 | ||
24 | #ifndef IKE_SA_H_ | |
25 | #define IKE_SA_H_ | |
26 | ||
3b04350a | 27 | typedef enum ike_extension_t ike_extension_t; |
17d92e97 | 28 | typedef enum ike_condition_t ike_condition_t; |
382b4817 | 29 | typedef enum ike_sa_state_t ike_sa_state_t; |
ee614711 | 30 | typedef enum statistic_t statistic_t; |
382b4817 MW |
31 | typedef struct ike_sa_t ike_sa_t; |
32 | ||
db7ef624 | 33 | #include <library.h> |
4a962238 | 34 | #include <encoding/message.h> |
b9d9f188 | 35 | #include <encoding/payloads/proposal_substructure.h> |
7f56b494 | 36 | #include <encoding/payloads/configuration_attribute.h> |
96f79ff1 | 37 | #include <sa/ike_sa_id.h> |
30b5b412 | 38 | #include <sa/child_sa.h> |
c60c7694 | 39 | #include <sa/tasks/task.h> |
6a4ff35c | 40 | #include <sa/keymat.h> |
e0fe7651 MW |
41 | #include <config/peer_cfg.h> |
42 | #include <config/ike_cfg.h> | |
a44bb934 | 43 | #include <config/auth_cfg.h> |
8323a9c1 | 44 | |
3b138b84 | 45 | /** |
6554b5e4 | 46 | * Timeout in seconds after that a half open IKE_SA gets deleted. |
3b138b84 | 47 | */ |
6554b5e4 | 48 | #define HALF_OPEN_IKE_SA_TIMEOUT 30 |
3b138b84 MW |
49 | |
50 | /** | |
51 | * Interval to send keepalives when NATed, in seconds. | |
3b138b84 MW |
52 | */ |
53 | #define KEEPALIVE_INTERVAL 20 | |
54 | ||
55 | /** | |
56 | * After which time rekeying should be retried if it failed, in seconds. | |
3b138b84 MW |
57 | */ |
58 | #define RETRY_INTERVAL 30 | |
59 | ||
60 | /** | |
61 | * Jitter to subtract from RETRY_INTERVAL to randomize rekey retry. | |
3b138b84 MW |
62 | */ |
63 | #define RETRY_JITTER 20 | |
64 | ||
3b04350a | 65 | /** |
552cc11b | 66 | * Extensions (or optional features) the peer supports |
3b04350a MW |
67 | */ |
68 | enum ike_extension_t { | |
69 | ||
70 | /** | |
71 | * peer supports NAT traversal as specified in RFC4306 | |
72 | */ | |
17d92e97 | 73 | EXT_NATT = (1<<0), |
3b04350a MW |
74 | |
75 | /** | |
76 | * peer supports MOBIKE (RFC4555) | |
77 | */ | |
17d92e97 | 78 | EXT_MOBIKE = (1<<1), |
6439267a TB |
79 | |
80 | /** | |
81 | * peer supports HTTP cert lookups as specified in RFC4306 | |
82 | */ | |
83 | EXT_HASH_AND_URL = (1<<2), | |
a44bb934 MW |
84 | |
85 | /** | |
86 | * peer supports multiple authentication exchanges, RFC4739 | |
87 | */ | |
88 | EXT_MULTIPLE_AUTH = (1<<3), | |
17d92e97 MW |
89 | }; |
90 | ||
91 | /** | |
552cc11b | 92 | * Conditions of an IKE_SA, change during its lifetime |
17d92e97 MW |
93 | */ |
94 | enum ike_condition_t { | |
95 | ||
96 | /** | |
9dae1bed | 97 | * Connection is natted (or faked) somewhere |
17d92e97 MW |
98 | */ |
99 | COND_NAT_ANY = (1<<0), | |
100 | ||
101 | /** | |
102 | * we are behind NAT | |
103 | */ | |
104 | COND_NAT_HERE = (1<<1), | |
105 | ||
106 | /** | |
107 | * other is behind NAT | |
108 | */ | |
109 | COND_NAT_THERE = (1<<2), | |
9dae1bed MW |
110 | |
111 | /** | |
112 | * Faking NAT to enforce UDP encapsulation | |
113 | */ | |
114 | COND_NAT_FAKE = (1<<3), | |
faf9569f | 115 | |
17d92e97 | 116 | /** |
a44bb934 | 117 | * peer has been authenticated using EAP at least once |
17d92e97 | 118 | */ |
ee614711 | 119 | COND_EAP_AUTHENTICATED = (1<<4), |
faf9569f | 120 | |
552cc11b MW |
121 | /** |
122 | * received a certificate request from the peer | |
123 | */ | |
96926b00 | 124 | COND_CERTREQ_SEEN = (1<<5), |
faf9569f MW |
125 | |
126 | /** | |
127 | * Local peer is the "original" IKE initiator. Unaffected from rekeying. | |
128 | */ | |
129 | COND_ORIGINAL_INITIATOR = (1<<6), | |
7afd9d66 MW |
130 | |
131 | /** | |
132 | * IKE_SA is stale, the peer is currently unreachable (MOBIKE) | |
133 | */ | |
134 | COND_STALE = (1<<7), | |
ee614711 MW |
135 | }; |
136 | ||
137 | /** | |
85ac2fa5 | 138 | * Timing information and statistics to query from an SA |
ee614711 MW |
139 | */ |
140 | enum statistic_t { | |
85ac2fa5 MW |
141 | /** Timestamp of SA establishement */ |
142 | STAT_ESTABLISHED = 0, | |
143 | /** Timestamp of scheudled rekeying */ | |
144 | STAT_REKEY, | |
145 | /** Timestamp of scheudled reauthentication */ | |
146 | STAT_REAUTH, | |
147 | /** Timestamp of scheudled delete */ | |
148 | STAT_DELETE, | |
149 | /** Timestamp of last inbound IKE packet */ | |
150 | STAT_INBOUND, | |
151 | /** Timestamp of last outbound IKE packet */ | |
152 | STAT_OUTBOUND, | |
ee614711 | 153 | |
85ac2fa5 | 154 | STAT_MAX |
3b04350a | 155 | }; |
3b138b84 | 156 | |
8323a9c1 | 157 | /** |
552cc11b | 158 | * State of an IKE_SA. |
cb5c41cd MW |
159 | * |
160 | * An IKE_SA passes various states in its lifetime. A newly created | |
161 | * SA is in the state CREATED. | |
162 | * @verbatim | |
163 | +----------------+ | |
3183006d | 164 | ¦ SA_CREATED ¦ |
cb5c41cd | 165 | +----------------+ |
3183006d MW |
166 | ¦ |
167 | on initiate()---> ¦ <----- on IKE_SA_INIT received | |
168 | V | |
cb5c41cd | 169 | +----------------+ |
3183006d | 170 | ¦ SA_CONNECTING ¦ |
cb5c41cd | 171 | +----------------+ |
3183006d MW |
172 | ¦ |
173 | ¦ <----- on IKE_AUTH successfully completed | |
174 | V | |
cb5c41cd | 175 | +----------------+ |
3183006d MW |
176 | ¦ SA_ESTABLISHED ¦-------------------------+ <-- on rekeying |
177 | +----------------+ ¦ | |
178 | ¦ V | |
179 | on delete()---> ¦ <----- on IKE_SA +-------------+ | |
180 | ¦ delete request ¦ SA_REKEYING ¦ | |
181 | ¦ received +-------------+ | |
182 | V ¦ | |
183 | +----------------+ ¦ | |
184 | ¦ SA_DELETING ¦<------------------------+ <-- after rekeying | |
cb5c41cd | 185 | +----------------+ |
3183006d MW |
186 | ¦ |
187 | ¦ <----- after delete() acknowledged | |
188 | ¦ | |
189 | \V/ | |
cb5c41cd MW |
190 | X |
191 | / \ | |
192 | @endverbatim | |
8323a9c1 | 193 | */ |
3dd3c5f3 MW |
194 | enum ike_sa_state_t { |
195 | ||
196 | /** | |
197 | * IKE_SA just got created, but is not initiating nor responding yet. | |
198 | */ | |
bcb95ced | 199 | IKE_CREATED, |
3dd3c5f3 MW |
200 | |
201 | /** | |
202 | * IKE_SA gets initiated actively or passively | |
203 | */ | |
bcb95ced | 204 | IKE_CONNECTING, |
3dd3c5f3 MW |
205 | |
206 | /** | |
207 | * IKE_SA is fully established | |
208 | */ | |
bcb95ced | 209 | IKE_ESTABLISHED, |
3dd3c5f3 | 210 | |
c610f424 MW |
211 | /** |
212 | * IKE_SA is managed externally and does not process messages | |
213 | */ | |
214 | IKE_PASSIVE, | |
215 | ||
3183006d MW |
216 | /** |
217 | * IKE_SA rekeying in progress | |
218 | */ | |
219 | IKE_REKEYING, | |
220 | ||
3dd3c5f3 MW |
221 | /** |
222 | * IKE_SA is in progress of deletion | |
223 | */ | |
bcb95ced | 224 | IKE_DELETING, |
a985db3f MW |
225 | |
226 | /** | |
227 | * IKE_SA object gets destroyed | |
228 | */ | |
229 | IKE_DESTROYING, | |
3dd3c5f3 MW |
230 | }; |
231 | ||
232 | /** | |
60356f33 | 233 | * enum names for ike_sa_state_t. |
3dd3c5f3 | 234 | */ |
60356f33 | 235 | extern enum_name_t *ike_sa_state_names; |
7ba38761 JH |
236 | |
237 | /** | |
552cc11b | 238 | * Class ike_sa_t representing an IKE_SA. |
3dd3c5f3 MW |
239 | * |
240 | * An IKE_SA contains crypto information related to a connection | |
241 | * with a peer. It contains multiple IPsec CHILD_SA, for which | |
242 | * it is responsible. All traffic is handled by an IKE_SA, using | |
c60c7694 | 243 | * the task manager and its tasks. |
7ba38761 | 244 | */ |
5796aa16 | 245 | struct ike_sa_t { |
7ba38761 JH |
246 | |
247 | /** | |
552cc11b | 248 | * Get the id of the SA. |
3dd3c5f3 MW |
249 | * |
250 | * Returned ike_sa_id_t object is not getting cloned! | |
c3dc6f1a | 251 | * |
3dd3c5f3 | 252 | * @return ike_sa's ike_sa_id_t |
7ba38761 | 253 | */ |
3dd3c5f3 MW |
254 | ike_sa_id_t* (*get_id) (ike_sa_t *this); |
255 | ||
c60c7694 | 256 | /** |
552cc11b | 257 | * Get the numerical ID uniquely defining this IKE_SA. |
c60c7694 | 258 | * |
c60c7694 MW |
259 | * @return unique ID |
260 | */ | |
261 | u_int32_t (*get_unique_id) (ike_sa_t *this); | |
262 | ||
3dd3c5f3 | 263 | /** |
552cc11b | 264 | * Get the state of the IKE_SA. |
3dd3c5f3 | 265 | * |
3dd3c5f3 MW |
266 | * @return state of the IKE_SA |
267 | */ | |
268 | ike_sa_state_t (*get_state) (ike_sa_t *this); | |
269 | ||
270 | /** | |
552cc11b | 271 | * Set the state of the IKE_SA. |
3dd3c5f3 | 272 | * |
3dd3c5f3 MW |
273 | * @param state state to set for the IKE_SA |
274 | */ | |
275 | void (*set_state) (ike_sa_t *this, ike_sa_state_t ike_sa); | |
8dfbe71b MW |
276 | |
277 | /** | |
552cc11b | 278 | * Get the name of the connection this IKE_SA uses. |
8dfbe71b | 279 | * |
8dfbe71b MW |
280 | * @return name |
281 | */ | |
282 | char* (*get_name) (ike_sa_t *this); | |
283 | ||
ee614711 | 284 | /** |
552cc11b | 285 | * Get statistic values from the IKE_SA. |
ee614711 | 286 | * |
ee614711 MW |
287 | * @param kind kind of requested value |
288 | * @return value as integer | |
289 | */ | |
290 | u_int32_t (*get_statistic)(ike_sa_t *this, statistic_t kind); | |
291 | ||
8dfbe71b | 292 | /** |
552cc11b | 293 | * Get the own host address. |
8dfbe71b | 294 | * |
8dfbe71b MW |
295 | * @return host address |
296 | */ | |
297 | host_t* (*get_my_host) (ike_sa_t *this); | |
298 | ||
fe04e93a | 299 | /** |
552cc11b | 300 | * Set the own host address. |
fe04e93a | 301 | * |
fe04e93a MW |
302 | * @param me host address |
303 | */ | |
304 | void (*set_my_host) (ike_sa_t *this, host_t *me); | |
305 | ||
8dfbe71b | 306 | /** |
552cc11b | 307 | * Get the other peers host address. |
8dfbe71b | 308 | * |
8dfbe71b MW |
309 | * @return host address |
310 | */ | |
311 | host_t* (*get_other_host) (ike_sa_t *this); | |
312 | ||
fe04e93a | 313 | /** |
552cc11b | 314 | * Set the others host address. |
fe04e93a | 315 | * |
fe04e93a MW |
316 | * @param other host address |
317 | */ | |
318 | void (*set_other_host) (ike_sa_t *this, host_t *other); | |
319 | ||
2b3100b5 | 320 | /** |
552cc11b | 321 | * Update the IKE_SAs host. |
2b3100b5 MW |
322 | * |
323 | * Hosts may be NULL to use current host. | |
324 | * | |
2b3100b5 MW |
325 | * @param me new local host address, or NULL |
326 | * @param other new remote host address, or NULL | |
327 | */ | |
328 | void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other); | |
329 | ||
8dfbe71b | 330 | /** |
552cc11b | 331 | * Get the own identification. |
8dfbe71b | 332 | * |
8dfbe71b MW |
333 | * @return identification |
334 | */ | |
335 | identification_t* (*get_my_id) (ike_sa_t *this); | |
336 | ||
337 | /** | |
552cc11b | 338 | * Set the own identification. |
8dfbe71b | 339 | * |
8dfbe71b MW |
340 | * @param me identification |
341 | */ | |
342 | void (*set_my_id) (ike_sa_t *this, identification_t *me); | |
343 | ||
344 | /** | |
552cc11b | 345 | * Get the other peer's identification. |
8dfbe71b | 346 | * |
8dfbe71b MW |
347 | * @return identification |
348 | */ | |
349 | identification_t* (*get_other_id) (ike_sa_t *this); | |
350 | ||
351 | /** | |
552cc11b | 352 | * Set the other peer's identification. |
8dfbe71b | 353 | * |
8dfbe71b MW |
354 | * @param other identification |
355 | */ | |
356 | void (*set_other_id) (ike_sa_t *this, identification_t *other); | |
c60c7694 | 357 | |
82290106 MW |
358 | /** |
359 | * Get the peers EAP identity. | |
360 | * | |
361 | * The EAP identity is exchanged in a EAP-Identity exchange. | |
362 | * | |
363 | * @return identification, NULL if none set | |
364 | */ | |
365 | identification_t* (*get_eap_identity) (ike_sa_t *this); | |
366 | ||
367 | /** | |
368 | * Set the peer's EAP identity. | |
369 | * | |
370 | * @param id identification | |
371 | */ | |
372 | void (*set_eap_identity) (ike_sa_t *this, identification_t *id); | |
373 | ||
7d26a0ee | 374 | /** |
552cc11b | 375 | * Get the config used to setup this IKE_SA. |
7d26a0ee | 376 | * |
e0fe7651 | 377 | * @return ike_config |
c60c7694 | 378 | */ |
e0fe7651 | 379 | ike_cfg_t* (*get_ike_cfg) (ike_sa_t *this); |
c60c7694 MW |
380 | |
381 | /** | |
552cc11b | 382 | * Set the config to setup this IKE_SA. |
c60c7694 | 383 | * |
e0fe7651 | 384 | * @param config ike_config to use |
c60c7694 | 385 | */ |
e0fe7651 | 386 | void (*set_ike_cfg) (ike_sa_t *this, ike_cfg_t* config); |
c60c7694 MW |
387 | |
388 | /** | |
552cc11b | 389 | * Get the peer config used by this IKE_SA. |
c60c7694 | 390 | * |
e0fe7651 | 391 | * @return peer_config |
c60c7694 | 392 | */ |
e0fe7651 | 393 | peer_cfg_t* (*get_peer_cfg) (ike_sa_t *this); |
c60c7694 MW |
394 | |
395 | /** | |
552cc11b | 396 | * Set the peer config to use with this IKE_SA. |
c60c7694 | 397 | * |
e0fe7651 | 398 | * @param config peer_config to use |
c60c7694 | 399 | */ |
e0fe7651 | 400 | void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config); |
3b04350a MW |
401 | |
402 | /** | |
a44bb934 | 403 | * Get the authentication config with rules of the current auth round. |
552cc11b | 404 | * |
a44bb934 MW |
405 | * @param local TRUE for local rules, FALSE for remote constraints |
406 | * @return current cfg | |
552cc11b | 407 | */ |
a44bb934 | 408 | auth_cfg_t* (*get_auth_cfg)(ike_sa_t *this, bool local); |
552cc11b | 409 | |
5dffdea1 MW |
410 | /** |
411 | * Get the selected proposal of this IKE_SA. | |
412 | * | |
413 | * @return selected proposal | |
414 | */ | |
415 | proposal_t* (*get_proposal)(ike_sa_t *this); | |
416 | ||
417 | /** | |
418 | * Set the proposal selected for this IKE_SA. | |
419 | * | |
420 | * @param selected proposal | |
421 | */ | |
422 | void (*set_proposal)(ike_sa_t *this, proposal_t *proposal); | |
423 | ||
b09ca747 MW |
424 | /** |
425 | * Set the message id of the IKE_SA. | |
426 | * | |
427 | * The IKE_SA stores two message IDs, one for initiating exchanges (send) | |
428 | * and one to respond to exchanges (expect). | |
429 | * | |
430 | * @param initiate TRUE to set message ID for initiating | |
431 | * @param mid message id to set | |
432 | */ | |
433 | void (*set_message_id)(ike_sa_t *this, bool initiate, u_int32_t mid); | |
434 | ||
552cc11b MW |
435 | /** |
436 | * Add an additional address for the peer. | |
17d92e97 MW |
437 | * |
438 | * In MOBIKE, a peer may transmit additional addresses where it is | |
439 | * reachable. These are stored in the IKE_SA. | |
440 | * The own list of addresses is not stored, they are queried from | |
441 | * the kernel when required. | |
3b04350a | 442 | * |
17d92e97 | 443 | * @param host host to add to list |
3b04350a | 444 | */ |
17d92e97 MW |
445 | void (*add_additional_address)(ike_sa_t *this, host_t *host); |
446 | ||
447 | /** | |
552cc11b | 448 | * Create an iterator over all additional addresses of the peer. |
17d92e97 | 449 | * |
17d92e97 MW |
450 | * @return iterator over addresses |
451 | */ | |
452 | iterator_t* (*create_additional_address_iterator)(ike_sa_t *this); | |
3b04350a | 453 | |
9d9a772e MW |
454 | /** |
455 | * Check if mappings have changed on a NAT for our source address. | |
456 | * | |
457 | * @param hash received DESTINATION_IP hash | |
458 | * @return TRUE if mappings have changed | |
459 | */ | |
460 | bool (*has_mapping_changed)(ike_sa_t *this, chunk_t hash); | |
461 | ||
3b04350a | 462 | /** |
552cc11b | 463 | * Enable an extension the peer supports. |
3b04350a MW |
464 | * |
465 | * If support for an IKE extension is detected, this method is called | |
466 | * to enable that extension and behave accordingly. | |
467 | * | |
3b04350a MW |
468 | * @param extension extension to enable |
469 | */ | |
470 | void (*enable_extension)(ike_sa_t *this, ike_extension_t extension); | |
471 | ||
17d92e97 | 472 | /** |
552cc11b | 473 | * Check if the peer supports an extension. |
17d92e97 | 474 | * |
17d92e97 MW |
475 | * @param extension extension to check for support |
476 | * @return TRUE if peer supports it, FALSE otherwise | |
477 | */ | |
478 | bool (*supports_extension)(ike_sa_t *this, ike_extension_t extension); | |
479 | ||
480 | /** | |
552cc11b | 481 | * Enable/disable a condition flag for this IKE_SA. |
17d92e97 | 482 | * |
17d92e97 MW |
483 | * @param condition condition to enable/disable |
484 | * @param enable TRUE to enable condition, FALSE to disable | |
485 | */ | |
486 | void (*set_condition) (ike_sa_t *this, ike_condition_t condition, bool enable); | |
487 | ||
488 | /** | |
552cc11b | 489 | * Check if a condition flag is set. |
17d92e97 | 490 | * |
17d92e97 MW |
491 | * @param condition condition to check |
492 | * @return TRUE if condition flag set, FALSE otherwise | |
493 | */ | |
494 | bool (*has_condition) (ike_sa_t *this, ike_condition_t condition); | |
495 | ||
3bc62fe7 | 496 | /** |
552cc11b | 497 | * Get the number of queued MOBIKE address updates. |
3bc62fe7 | 498 | * |
3bc62fe7 MW |
499 | * @return number of pending updates |
500 | */ | |
501 | u_int32_t (*get_pending_updates)(ike_sa_t *this); | |
502 | ||
503 | /** | |
552cc11b | 504 | * Set the number of queued MOBIKE address updates. |
3bc62fe7 | 505 | * |
3bc62fe7 MW |
506 | * @param updates number of pending updates |
507 | */ | |
508 | void (*set_pending_updates)(ike_sa_t *this, u_int32_t updates); | |
4a035181 | 509 | |
dc04b7c7 | 510 | #ifdef ME |
22452f70 TB |
511 | /** |
512 | * Activate mediation server functionality for this IKE_SA. | |
513 | */ | |
514 | void (*act_as_mediation_server) (ike_sa_t *this); | |
515 | ||
d5cc1758 | 516 | /** |
552cc11b | 517 | * Get the server reflexive host. |
d5cc1758 | 518 | * |
d5cc1758 TB |
519 | * @return server reflexive host |
520 | */ | |
521 | host_t* (*get_server_reflexive_host) (ike_sa_t *this); | |
522 | ||
523 | /** | |
552cc11b | 524 | * Set the server reflexive host. |
d5cc1758 | 525 | * |
d5cc1758 TB |
526 | * @param host server reflexive host |
527 | */ | |
528 | void (*set_server_reflexive_host) (ike_sa_t *this, host_t *host); | |
529 | ||
9c2a905d TB |
530 | /** |
531 | * Get the connect ID. | |
532 | * | |
533 | * @return connect ID | |
534 | */ | |
535 | chunk_t (*get_connect_id) (ike_sa_t *this); | |
536 | ||
d5cc1758 | 537 | /** |
552cc11b | 538 | * Initiate the mediation of a mediated connection (i.e. initiate a |
dc04b7c7 | 539 | * ME_CONNECT exchange). |
d5cc1758 | 540 | * |
d5cc1758 TB |
541 | * @param mediated_cfg peer_cfg of the mediated connection |
542 | * @return | |
552cc11b MW |
543 | * - SUCCESS if initialization started |
544 | * - DESTROY_ME if initialization failed | |
d5cc1758 TB |
545 | */ |
546 | status_t (*initiate_mediation) (ike_sa_t *this, peer_cfg_t *mediated_cfg); | |
547 | ||
548 | /** | |
552cc11b | 549 | * Initiate the mediated connection |
d5cc1758 | 550 | * |
d5cc1758 TB |
551 | * @param me local endpoint (gets cloned) |
552 | * @param other remote endpoint (gets cloned) | |
9c2a905d | 553 | * @param connect_id connect ID (gets cloned) |
d5cc1758 | 554 | * @return |
552cc11b MW |
555 | * - SUCCESS if initialization started |
556 | * - DESTROY_ME if initialization failed | |
d5cc1758 TB |
557 | */ |
558 | status_t (*initiate_mediated) (ike_sa_t *this, host_t *me, host_t *other, | |
4a6474c2 | 559 | chunk_t connect_id); |
d5cc1758 TB |
560 | |
561 | /** | |
552cc11b | 562 | * Relay data from one peer to another (i.e. initiate a |
dc04b7c7 | 563 | * ME_CONNECT exchange). |
d5cc1758 TB |
564 | * |
565 | * Data is cloned. | |
566 | * | |
d5cc1758 | 567 | * @param requester ID of the requesting peer |
dc04b7c7 TB |
568 | * @param connect_id data of the ME_CONNECTID payload |
569 | * @param connect_key data of the ME_CONNECTKEY payload | |
d5cc1758 TB |
570 | * @param endpoints endpoints |
571 | * @param response TRUE if this is a response | |
572 | * @return | |
552cc11b MW |
573 | * - SUCCESS if relay started |
574 | * - DESTROY_ME if relay failed | |
d5cc1758 | 575 | */ |
dc04b7c7 TB |
576 | status_t (*relay) (ike_sa_t *this, identification_t *requester, chunk_t connect_id, |
577 | chunk_t connect_key, linked_list_t *endpoints, bool response); | |
d5cc1758 TB |
578 | |
579 | /** | |
552cc11b | 580 | * Send a callback to a peer. |
d5cc1758 TB |
581 | * |
582 | * Data is cloned. | |
583 | * | |
d5cc1758 TB |
584 | * @param peer_id ID of the other peer |
585 | * @return | |
552cc11b MW |
586 | * - SUCCESS if response started |
587 | * - DESTROY_ME if response failed | |
d5cc1758 TB |
588 | */ |
589 | status_t (*callback) (ike_sa_t *this, identification_t *peer_id); | |
590 | ||
591 | /** | |
dc04b7c7 | 592 | * Respond to a ME_CONNECT request. |
d5cc1758 TB |
593 | * |
594 | * Data is cloned. | |
595 | * | |
d5cc1758 | 596 | * @param peer_id ID of the other peer |
dc04b7c7 | 597 | * @param connect_id the connect ID supplied by the initiator |
d5cc1758 | 598 | * @return |
552cc11b MW |
599 | * - SUCCESS if response started |
600 | * - DESTROY_ME if response failed | |
d5cc1758 | 601 | */ |
dc04b7c7 TB |
602 | status_t (*respond) (ike_sa_t *this, identification_t *peer_id, chunk_t connect_id); |
603 | #endif /* ME */ | |
3bc62fe7 | 604 | |
2c220249 | 605 | /** |
552cc11b | 606 | * Initiate a new connection. |
3dd3c5f3 | 607 | * |
a13c013b MW |
608 | * The configs are owned by the IKE_SA after the call. If the initiate |
609 | * is triggered by a packet, traffic selectors of the packet can be added | |
610 | * to the CHILD_SA. | |
2c220249 | 611 | * |
e0fe7651 | 612 | * @param child_cfg child config to create CHILD from |
c3626c2c | 613 | * @param reqid reqid to use for CHILD_SA, 0 assigne uniquely |
a13c013b MW |
614 | * @param tsi source of triggering packet |
615 | * @param tsr destination of triggering packet. | |
8dfbe71b MW |
616 | * @return |
617 | * - SUCCESS if initialization started | |
e0fe7651 | 618 | * - DESTROY_ME if initialization failed |
8dfbe71b | 619 | */ |
c3626c2c | 620 | status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg, |
a13c013b MW |
621 | u_int32_t reqid, traffic_selector_t *tsi, |
622 | traffic_selector_t *tsr); | |
5534ee84 | 623 | |
1396815a | 624 | /** |
552cc11b | 625 | * Initiates the deletion of an IKE_SA. |
3dd3c5f3 MW |
626 | * |
627 | * Sends a delete message to the remote peer and waits for | |
628 | * its response. If the response comes in, or a timeout occurs, | |
629 | * the IKE SA gets deleted. | |
1396815a | 630 | * |
1396815a | 631 | * @return |
3dd3c5f3 | 632 | * - SUCCESS if deletion is initialized |
58464dd7 | 633 | * - DESTROY_ME, if the IKE_SA is not in |
3dd3c5f3 | 634 | * an established state and can not be |
58464dd7 | 635 | * deleted (but destroyed). |
1396815a | 636 | */ |
3dd3c5f3 MW |
637 | status_t (*delete) (ike_sa_t *this); |
638 | ||
17d92e97 | 639 | /** |
552cc11b | 640 | * Update IKE_SAs after network interfaces have changed. |
17d92e97 MW |
641 | * |
642 | * Whenever the network interface configuration changes, the kernel | |
643 | * interface calls roam() on each IKE_SA. The IKE_SA then checks if | |
644 | * the new network config requires changes, and handles appropriate. | |
645 | * If MOBIKE is supported, addresses are updated; If not, the tunnel is | |
646 | * restarted. | |
647 | * | |
3bc62fe7 MW |
648 | * @param address TRUE if address list changed, FALSE otherwise |
649 | * @return SUCCESS, FAILED, DESTROY_ME | |
17d92e97 | 650 | */ |
3bc62fe7 | 651 | status_t (*roam)(ike_sa_t *this, bool address); |
17d92e97 | 652 | |
13e4a62f | 653 | /** |
552cc11b | 654 | * Processes a incoming IKEv2-Message. |
13e4a62f | 655 | * |
3dd3c5f3 MW |
656 | * Message processing may fail. If a critical failure occurs, |
657 | * process_message() return DESTROY_ME. Then the caller must | |
658 | * destroy the IKE_SA immediatly, as it is unusable. | |
e168ee17 | 659 | * |
552cc11b | 660 | * @param message message to process |
3dd3c5f3 MW |
661 | * @return |
662 | * - SUCCESS | |
663 | * - FAILED | |
664 | * - DESTROY_ME if this IKE_SA MUST be deleted | |
e168ee17 | 665 | */ |
698d7749 | 666 | status_t (*process_message) (ike_sa_t *this, message_t *message); |
e314700c | 667 | |
bcb95ced | 668 | /** |
552cc11b | 669 | * Generate a IKE message to send it to the peer. |
c60c7694 MW |
670 | * |
671 | * This method generates all payloads in the message and encrypts/signs | |
672 | * the packet. | |
673 | * | |
c60c7694 MW |
674 | * @param message message to generate |
675 | * @param packet generated output packet | |
676 | * @return | |
677 | * - SUCCESS | |
678 | * - FAILED | |
679 | * - DESTROY_ME if this IKE_SA MUST be deleted | |
bcb95ced | 680 | */ |
c60c7694 MW |
681 | status_t (*generate_message) (ike_sa_t *this, message_t *message, |
682 | packet_t **packet); | |
bcb95ced | 683 | |
1396815a | 684 | /** |
552cc11b | 685 | * Retransmits a request. |
397f3448 | 686 | * |
c60c7694 MW |
687 | * @param message_id ID of the request to retransmit |
688 | * @return | |
689 | * - SUCCESS | |
690 | * - NOT_FOUND if request doesn't have to be retransmited | |
397f3448 | 691 | */ |
c60c7694 MW |
692 | status_t (*retransmit) (ike_sa_t *this, u_int32_t message_id); |
693 | ||
1396815a | 694 | /** |
552cc11b | 695 | * Sends a DPD request to the peer. |
1396815a | 696 | * |
3dd3c5f3 MW |
697 | * To check if a peer is still alive, periodic |
698 | * empty INFORMATIONAL messages are sent if no | |
699 | * other traffic was received. | |
700 | * | |
3dd3c5f3 MW |
701 | * @return |
702 | * - SUCCESS | |
703 | * - DESTROY_ME, if peer did not respond | |
2f89902d | 704 | */ |
3dd3c5f3 MW |
705 | status_t (*send_dpd) (ike_sa_t *this); |
706 | ||
2f89902d | 707 | /** |
552cc11b | 708 | * Sends a keep alive packet. |
2f89902d | 709 | * |
3dd3c5f3 MW |
710 | * To refresh NAT tables in a NAT router |
711 | * between the peers, periodic empty | |
712 | * UDP packets are sent if no other traffic | |
713 | * was sent. | |
1396815a | 714 | */ |
3dd3c5f3 | 715 | void (*send_keepalive) (ike_sa_t *this); |
0fdc3c7f | 716 | |
bc997f65 | 717 | /** |
6a4ff35c | 718 | * Get the keying material of this IKE_SA. |
bc997f65 | 719 | * |
6a4ff35c | 720 | * @return per IKE_SA keymat instance |
695723d4 | 721 | */ |
6a4ff35c | 722 | keymat_t* (*get_keymat)(ike_sa_t *this); |
695723d4 MW |
723 | |
724 | /** | |
552cc11b | 725 | * Associates a child SA to this IKE SA |
695723d4 | 726 | * |
698d7749 | 727 | * @param child_sa child_sa to add |
695723d4 | 728 | */ |
698d7749 MW |
729 | void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa); |
730 | ||
971218c3 | 731 | /** |
552cc11b | 732 | * Get a CHILD_SA identified by protocol and SPI. |
ae3012a0 | 733 | * |
698d7749 MW |
734 | * @param protocol protocol of the SA |
735 | * @param spi SPI of the CHILD_SA | |
736 | * @param inbound TRUE if SPI is inbound, FALSE if outbound | |
737 | * @return child_sa, or NULL if none found | |
3dd3c5f3 | 738 | */ |
698d7749 MW |
739 | child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol, |
740 | u_int32_t spi, bool inbound); | |
1396815a | 741 | |
3183006d | 742 | /** |
552cc11b | 743 | * Create an iterator over all CHILD_SAs. |
3183006d | 744 | * |
3183006d MW |
745 | * @return iterator |
746 | */ | |
747 | iterator_t* (*create_child_sa_iterator) (ike_sa_t *this); | |
748 | ||
1396815a | 749 | /** |
552cc11b | 750 | * Rekey the CHILD SA with the specified reqid. |
1396815a | 751 | * |
3dd3c5f3 | 752 | * Looks for a CHILD SA owned by this IKE_SA, and start the rekeing. |
1396815a | 753 | * |
698d7749 MW |
754 | * @param protocol protocol of the SA |
755 | * @param spi inbound SPI of the CHILD_SA | |
3dd3c5f3 MW |
756 | * @return |
757 | * - NOT_FOUND, if IKE_SA has no such CHILD_SA | |
758 | * - SUCCESS, if rekeying initiated | |
1396815a | 759 | */ |
698d7749 MW |
760 | status_t (*rekey_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi); |
761 | ||
1396815a | 762 | /** |
552cc11b | 763 | * Close the CHILD SA with the specified protocol/SPI. |
698d7749 MW |
764 | * |
765 | * Looks for a CHILD SA owned by this IKE_SA, deletes it and | |
766 | * notify's the remote peer about the delete. The associated | |
767 | * states and policies in the kernel get deleted, if they exist. | |
768 | * | |
698d7749 MW |
769 | * @param protocol protocol of the SA |
770 | * @param spi inbound SPI of the CHILD_SA | |
771 | * @return | |
772 | * - NOT_FOUND, if IKE_SA has no such CHILD_SA | |
773 | * - SUCCESS, if delete message sent | |
1396815a | 774 | */ |
698d7749 MW |
775 | status_t (*delete_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi); |
776 | ||
1396815a | 777 | /** |
552cc11b | 778 | * Destroy a CHILD SA with the specified protocol/SPI. |
698d7749 MW |
779 | * |
780 | * Looks for a CHILD SA owned by this IKE_SA and destroys it. | |
781 | * | |
698d7749 MW |
782 | * @param protocol protocol of the SA |
783 | * @param spi inbound SPI of the CHILD_SA | |
784 | * @return | |
785 | * - NOT_FOUND, if IKE_SA has no such CHILD_SA | |
786 | * - SUCCESS | |
1396815a | 787 | */ |
698d7749 | 788 | status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi); |
fe04e93a | 789 | |
fe04e93a | 790 | /** |
552cc11b | 791 | * Rekey the IKE_SA. |
fe04e93a MW |
792 | * |
793 | * Sets up a new IKE_SA, moves all CHILDs to it and deletes this IKE_SA. | |
794 | * | |
fe04e93a MW |
795 | * @return - SUCCESS, if IKE_SA rekeying initiated |
796 | */ | |
797 | status_t (*rekey) (ike_sa_t *this); | |
798 | ||
6fe03b0a | 799 | /** |
96926b00 | 800 | * Reauthenticate the IKE_SA. |
6fe03b0a MW |
801 | * |
802 | * Create a completely new IKE_SA with authentication, recreates all children | |
26424f03 | 803 | * within the IKE_SA, closes this IKE_SA. |
6fe03b0a | 804 | * |
26424f03 | 805 | * @return DESTROY_ME to destroy the IKE_SA |
6fe03b0a | 806 | */ |
96926b00 MW |
807 | status_t (*reauth) (ike_sa_t *this); |
808 | ||
809 | /** | |
810 | * Restablish the IKE_SA. | |
811 | * | |
812 | * Reestablish an IKE_SA after it has been closed. | |
813 | * | |
814 | * @return DESTROY_ME to destroy the IKE_SA | |
815 | */ | |
26424f03 | 816 | status_t (*reestablish) (ike_sa_t *this); |
c60c7694 | 817 | |
ee614711 | 818 | /** |
552cc11b | 819 | * Set the lifetime limit received from a AUTH_LIFETIME notify. |
ee614711 | 820 | * |
ee614711 MW |
821 | * @param lifetime lifetime in seconds |
822 | */ | |
823 | void (*set_auth_lifetime)(ike_sa_t *this, u_int32_t lifetime); | |
824 | ||
3183006d | 825 | /** |
552cc11b | 826 | * Set the virtual IP to use for this IKE_SA and its children. |
c60c7694 MW |
827 | * |
828 | * The virtual IP is assigned per IKE_SA, not per CHILD_SA. It has the same | |
829 | * lifetime as the IKE_SA. | |
3183006d | 830 | * |
552cc11b MW |
831 | * @param local TRUE to set local address, FALSE for remote |
832 | * @param ip IP to set as virtual IP | |
3183006d | 833 | */ |
c60c7694 MW |
834 | void (*set_virtual_ip) (ike_sa_t *this, bool local, host_t *ip); |
835 | ||
3183006d | 836 | /** |
552cc11b | 837 | * Get the virtual IP configured. |
3183006d | 838 | * |
c60c7694 | 839 | * @param local TRUE to get local virtual IP, FALSE for remote |
552cc11b | 840 | * @return host_t *virtual IP |
3183006d | 841 | */ |
c60c7694 MW |
842 | host_t* (*get_virtual_ip) (ike_sa_t *this, bool local); |
843 | ||
844 | /** | |
7f56b494 | 845 | * Register a configuration attribute to the IKE_SA. |
c60c7694 | 846 | * |
7f56b494 MW |
847 | * If an IRAS sends a configuration attribute it is installed and |
848 | * registered at the IKE_SA. Attributes are inherit()ed and get released | |
849 | * when the IKE_SA is closed. | |
c60c7694 | 850 | * |
7f56b494 MW |
851 | * @param handler handler installed the attribute, use for release() |
852 | * @param type configuration attribute type | |
853 | * @param data associated attribute data | |
c60c7694 | 854 | */ |
7f56b494 MW |
855 | void (*add_configuration_attribute)(ike_sa_t *this, |
856 | configuration_attribute_type_t type, chunk_t data); | |
c60c7694 | 857 | |
d487b4b7 AS |
858 | /** |
859 | * Set local and remote host addresses to be used for IKE. | |
860 | * | |
861 | * These addresses are communicated via the KMADDRESS field of a MIGRATE | |
862 | * message sent via the NETLINK or PF _KEY kernel socket interface. | |
863 | * | |
864 | * @param local local kmaddress | |
865 | * @param remote remote kmaddress | |
866 | */ | |
867 | void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote); | |
7f56b494 | 868 | |
fe04e93a | 869 | /** |
552cc11b | 870 | * Inherit all attributes of other to this after rekeying. |
fe04e93a | 871 | * |
c60c7694 MW |
872 | * When rekeying is completed, all CHILD_SAs, the virtual IP and all |
873 | * outstanding tasks are moved from other to this. | |
e23a59f6 | 874 | * As this call may initiate inherited tasks, a status is returned. |
c60c7694 | 875 | * |
e23a59f6 MW |
876 | * @param other other task to inherit from |
877 | * @return DESTROY_ME if initiation of inherited task failed | |
c60c7694 | 878 | */ |
e23a59f6 | 879 | status_t (*inherit) (ike_sa_t *this, ike_sa_t *other); |
c60c7694 MW |
880 | |
881 | /** | |
552cc11b | 882 | * Reset the IKE_SA, useable when initiating fails |
fe04e93a | 883 | */ |
c60c7694 | 884 | void (*reset) (ike_sa_t *this); |
3dd3c5f3 | 885 | |
1396815a | 886 | /** |
552cc11b | 887 | * Destroys a ike_sa_t object. |
1396815a | 888 | */ |
3dd3c5f3 | 889 | void (*destroy) (ike_sa_t *this); |
8323a9c1 JH |
890 | }; |
891 | ||
7ba38761 | 892 | /** |
552cc11b | 893 | * Creates an ike_sa_t object with a specific ID. |
c3dc6f1a | 894 | * |
698d7749 MW |
895 | * @param ike_sa_id ike_sa_id_t object to associate with new IKE_SA |
896 | * @return ike_sa_t object | |
7ba38761 | 897 | */ |
3dd3c5f3 | 898 | ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id); |
7ba38761 | 899 | |
1490ff4d | 900 | #endif /** IKE_SA_H_ @}*/ |