]>
Commit | Line | Data |
---|---|---|
7ba38761 JH |
1 | /** |
2 | * @file ike_sa.h | |
c3dc6f1a | 3 | * |
39b2903f | 4 | * @brief Interface of ike_sa_t. |
c3dc6f1a | 5 | * |
7ba38761 JH |
6 | */ |
7 | ||
8 | /* | |
1396815a | 9 | * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger |
c71d53ba MW |
10 | * Copyright (C) 2005-2006 Martin Willi |
11 | * Copyright (C) 2005 Jan Hutter | |
7ba38761 JH |
12 | * Hochschule fuer Technik Rapperswil |
13 | * | |
14 | * This program is free software; you can redistribute it and/or modify it | |
15 | * under the terms of the GNU General Public License as published by the | |
16 | * Free Software Foundation; either version 2 of the License, or (at your | |
17 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
18 | * | |
19 | * This program is distributed in the hope that it will be useful, but | |
20 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
21 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
22 | * for more details. | |
23 | */ | |
24 | ||
25 | #ifndef IKE_SA_H_ | |
26 | #define IKE_SA_H_ | |
27 | ||
382b4817 MW |
28 | typedef enum ike_sa_state_t ike_sa_state_t; |
29 | typedef struct ike_sa_t ike_sa_t; | |
30 | ||
db7ef624 | 31 | #include <library.h> |
4a962238 | 32 | #include <encoding/message.h> |
b9d9f188 | 33 | #include <encoding/payloads/proposal_substructure.h> |
96f79ff1 | 34 | #include <sa/ike_sa_id.h> |
30b5b412 | 35 | #include <sa/child_sa.h> |
382b4817 | 36 | #include <sa/transactions/transaction.h> |
8a491129 | 37 | #include <config/configuration.h> |
021c2322 | 38 | #include <utils/randomizer.h> |
68621281 MW |
39 | #include <crypto/prfs/prf.h> |
40 | #include <crypto/crypters/crypter.h> | |
41 | #include <crypto/signers/signer.h> | |
13e4a62f MW |
42 | #include <config/connections/connection.h> |
43 | #include <config/policies/policy.h> | |
698d7749 | 44 | #include <config/proposal.h> |
8323a9c1 | 45 | |
8323a9c1 | 46 | /** |
3dd3c5f3 | 47 | * @brief State of an IKE_SA. |
cb5c41cd MW |
48 | * |
49 | * An IKE_SA passes various states in its lifetime. A newly created | |
50 | * SA is in the state CREATED. | |
51 | * @verbatim | |
52 | +----------------+ | |
3183006d | 53 | ¦ SA_CREATED ¦ |
cb5c41cd | 54 | +----------------+ |
3183006d MW |
55 | ¦ |
56 | on initiate()---> ¦ <----- on IKE_SA_INIT received | |
57 | V | |
cb5c41cd | 58 | +----------------+ |
3183006d | 59 | ¦ SA_CONNECTING ¦ |
cb5c41cd | 60 | +----------------+ |
3183006d MW |
61 | ¦ |
62 | ¦ <----- on IKE_AUTH successfully completed | |
63 | V | |
cb5c41cd | 64 | +----------------+ |
3183006d MW |
65 | ¦ SA_ESTABLISHED ¦-------------------------+ <-- on rekeying |
66 | +----------------+ ¦ | |
67 | ¦ V | |
68 | on delete()---> ¦ <----- on IKE_SA +-------------+ | |
69 | ¦ delete request ¦ SA_REKEYING ¦ | |
70 | ¦ received +-------------+ | |
71 | V ¦ | |
72 | +----------------+ ¦ | |
73 | ¦ SA_DELETING ¦<------------------------+ <-- after rekeying | |
cb5c41cd | 74 | +----------------+ |
3183006d MW |
75 | ¦ |
76 | ¦ <----- after delete() acknowledged | |
77 | ¦ | |
78 | \V/ | |
cb5c41cd MW |
79 | X |
80 | / \ | |
81 | @endverbatim | |
82 | * | |
df3c59d0 | 83 | * @ingroup sa |
8323a9c1 | 84 | */ |
3dd3c5f3 MW |
85 | enum ike_sa_state_t { |
86 | ||
87 | /** | |
88 | * IKE_SA just got created, but is not initiating nor responding yet. | |
89 | */ | |
bcb95ced | 90 | IKE_CREATED, |
3dd3c5f3 MW |
91 | |
92 | /** | |
93 | * IKE_SA gets initiated actively or passively | |
94 | */ | |
bcb95ced | 95 | IKE_CONNECTING, |
3dd3c5f3 MW |
96 | |
97 | /** | |
98 | * IKE_SA is fully established | |
99 | */ | |
bcb95ced | 100 | IKE_ESTABLISHED, |
3dd3c5f3 | 101 | |
3183006d MW |
102 | /** |
103 | * IKE_SA rekeying in progress | |
104 | */ | |
105 | IKE_REKEYING, | |
106 | ||
3dd3c5f3 MW |
107 | /** |
108 | * IKE_SA is in progress of deletion | |
109 | */ | |
bcb95ced | 110 | IKE_DELETING, |
3dd3c5f3 MW |
111 | }; |
112 | ||
113 | /** | |
60356f33 | 114 | * enum names for ike_sa_state_t. |
3dd3c5f3 | 115 | */ |
60356f33 | 116 | extern enum_name_t *ike_sa_state_names; |
7ba38761 JH |
117 | |
118 | /** | |
3dd3c5f3 MW |
119 | * @brief Class ike_sa_t representing an IKE_SA. |
120 | * | |
121 | * An IKE_SA contains crypto information related to a connection | |
122 | * with a peer. It contains multiple IPsec CHILD_SA, for which | |
123 | * it is responsible. All traffic is handled by an IKE_SA, using | |
124 | * transactions. | |
125 | * | |
79b8aa19 MW |
126 | * @b Constructors: |
127 | * - ike_sa_create() | |
df3c59d0 MW |
128 | * |
129 | * @ingroup sa | |
7ba38761 | 130 | */ |
5796aa16 | 131 | struct ike_sa_t { |
7ba38761 JH |
132 | |
133 | /** | |
3dd3c5f3 MW |
134 | * @brief Get the id of the SA. |
135 | * | |
136 | * Returned ike_sa_id_t object is not getting cloned! | |
c3dc6f1a | 137 | * |
3dd3c5f3 MW |
138 | * @param this calling object |
139 | * @return ike_sa's ike_sa_id_t | |
7ba38761 | 140 | */ |
3dd3c5f3 MW |
141 | ike_sa_id_t* (*get_id) (ike_sa_t *this); |
142 | ||
143 | /** | |
144 | * @brief Get the state of the IKE_SA. | |
145 | * | |
146 | * @param this calling object | |
147 | * @return state of the IKE_SA | |
148 | */ | |
149 | ike_sa_state_t (*get_state) (ike_sa_t *this); | |
150 | ||
151 | /** | |
152 | * @brief Set the state of the IKE_SA. | |
153 | * | |
154 | * @param this calling object | |
155 | * @param state state to set for the IKE_SA | |
156 | */ | |
157 | void (*set_state) (ike_sa_t *this, ike_sa_state_t ike_sa); | |
8dfbe71b MW |
158 | |
159 | /** | |
160 | * @brief Get the name of the connection this IKE_SA uses. | |
161 | * | |
162 | * @param this calling object | |
163 | * @return name | |
164 | */ | |
165 | char* (*get_name) (ike_sa_t *this); | |
166 | ||
167 | /** | |
168 | * @brief Set the name of the connection this IKE_SA uses. | |
169 | * | |
170 | * @param this calling object | |
171 | * @param name name, gets cloned | |
172 | */ | |
173 | void (*set_name) (ike_sa_t *this, char* name); | |
174 | ||
175 | /** | |
176 | * @brief Get the own host address. | |
177 | * | |
178 | * @param this calling object | |
179 | * @return host address | |
180 | */ | |
181 | host_t* (*get_my_host) (ike_sa_t *this); | |
182 | ||
fe04e93a MW |
183 | /** |
184 | * @brief Set the own host address. | |
185 | * | |
186 | * @param this calling object | |
187 | * @param me host address | |
188 | */ | |
189 | void (*set_my_host) (ike_sa_t *this, host_t *me); | |
190 | ||
8dfbe71b MW |
191 | /** |
192 | * @brief Get the other peers host address. | |
193 | * | |
194 | * @param this calling object | |
195 | * @return host address | |
196 | */ | |
197 | host_t* (*get_other_host) (ike_sa_t *this); | |
198 | ||
fe04e93a MW |
199 | /** |
200 | * @brief Set the others host address. | |
201 | * | |
202 | * @param this calling object | |
203 | * @param other host address | |
204 | */ | |
205 | void (*set_other_host) (ike_sa_t *this, host_t *other); | |
206 | ||
8dfbe71b MW |
207 | /** |
208 | * @brief Get the own identification. | |
209 | * | |
210 | * @param this calling object | |
211 | * @return identification | |
212 | */ | |
213 | identification_t* (*get_my_id) (ike_sa_t *this); | |
214 | ||
215 | /** | |
216 | * @brief Set the own identification. | |
217 | * | |
218 | * @param this calling object | |
219 | * @param me identification | |
220 | */ | |
221 | void (*set_my_id) (ike_sa_t *this, identification_t *me); | |
222 | ||
223 | /** | |
224 | * @brief Get the other peers identification. | |
225 | * | |
226 | * @param this calling object | |
227 | * @return identification | |
228 | */ | |
229 | identification_t* (*get_other_id) (ike_sa_t *this); | |
230 | ||
231 | /** | |
232 | * @brief Set the other peers identification. | |
233 | * | |
234 | * @param this calling object | |
235 | * @param other identification | |
236 | */ | |
237 | void (*set_other_id) (ike_sa_t *this, identification_t *other); | |
7ba38761 | 238 | |
2c220249 | 239 | /** |
3dd3c5f3 MW |
240 | * @brief Initiate a new connection. |
241 | * | |
8dfbe71b | 242 | * The policy/connection is owned by the IKE_SA after the call, so |
16b9a73c | 243 | * do not modify or destroy it. |
2c220249 JH |
244 | * |
245 | * @param this calling object | |
16b9a73c | 246 | * @param connection connection to initiate |
8dfbe71b MW |
247 | * @param policy policy to set up |
248 | * @return | |
249 | * - SUCCESS if initialization started | |
250 | * - DESTROY_ME if initialization failed and IKE_SA MUST be deleted | |
251 | */ | |
252 | status_t (*initiate) (ike_sa_t *this, connection_t *connection, policy_t *policy); | |
253 | ||
254 | /** | |
255 | * @brief Route a policy in the kernel. | |
256 | * | |
257 | * Installs the policies in the kernel. If traffic matches, | |
258 | * the kernel requests connection setup from the IKE_SA via acquire(). | |
8dfbe71b MW |
259 | * |
260 | * @param this calling object | |
45f76a7d | 261 | * @param connection connection definition used for routing |
8dfbe71b MW |
262 | * @param policy policy to route |
263 | * @return | |
45f76a7d MW |
264 | * - SUCCESS if routed successfully |
265 | * - FAILED if routing failed | |
8dfbe71b | 266 | */ |
45f76a7d MW |
267 | status_t (*route) (ike_sa_t *this, connection_t *connection, policy_t *policy); |
268 | ||
269 | /** | |
270 | * @brief Unroute a policy in the kernel previously routed. | |
271 | * | |
272 | * @param this calling object | |
273 | * @param policy policy to route | |
274 | * @return | |
275 | * - SUCCESS if route removed | |
276 | * - DESTROY_ME if last route was removed from | |
277 | * an IKE_SA which was not established | |
278 | */ | |
279 | status_t (*unroute) (ike_sa_t *this, policy_t *policy); | |
8dfbe71b MW |
280 | |
281 | /** | |
282 | * @brief Acquire connection setup for a policy. | |
283 | * | |
284 | * If an installed policy raises an acquire, the kernel calls | |
3183006d | 285 | * this function to establish the CHILD_SA (and maybe the IKE_SA). |
8dfbe71b MW |
286 | * |
287 | * @param this calling object | |
288 | * @param reqid reqid of the CHILD_SA the policy belongs to. | |
79b8aa19 MW |
289 | * @return |
290 | * - SUCCESS if initialization started | |
4a5bba25 | 291 | * - DESTROY_ME if initialization failed and IKE_SA MUST be deleted |
2c220249 | 292 | */ |
8dfbe71b | 293 | status_t (*acquire) (ike_sa_t *this, u_int32_t reqid); |
5534ee84 | 294 | |
1396815a | 295 | /** |
3dd3c5f3 MW |
296 | * @brief Initiates the deletion of an IKE_SA. |
297 | * | |
298 | * Sends a delete message to the remote peer and waits for | |
299 | * its response. If the response comes in, or a timeout occurs, | |
300 | * the IKE SA gets deleted. | |
1396815a MW |
301 | * |
302 | * @param this calling object | |
1396815a | 303 | * @return |
3dd3c5f3 MW |
304 | * - SUCCESS if deletion is initialized |
305 | * - INVALID_STATE, if the IKE_SA is not in | |
306 | * an established state and can not be | |
307 | * delete (but destroyed). | |
1396815a | 308 | */ |
3dd3c5f3 MW |
309 | status_t (*delete) (ike_sa_t *this); |
310 | ||
5534ee84 JH |
311 | /** |
312 | * @brief Retransmits a request. | |
313 | * | |
314 | * @param this calling object | |
315 | * @param message_id ID of the request to retransmit | |
316 | * @return | |
317 | * - SUCCESS | |
318 | * - NOT_FOUND if request doesn't have to be retransmited | |
319 | */ | |
320 | status_t (*retransmit_request) (ike_sa_t *this, u_int32_t message_id); | |
3dd3c5f3 | 321 | |
13e4a62f | 322 | /** |
3dd3c5f3 | 323 | * @brief Processes a incoming IKEv2-Message. |
13e4a62f | 324 | * |
3dd3c5f3 MW |
325 | * Message processing may fail. If a critical failure occurs, |
326 | * process_message() return DESTROY_ME. Then the caller must | |
327 | * destroy the IKE_SA immediatly, as it is unusable. | |
e168ee17 | 328 | * |
e168ee17 | 329 | * @param this calling object |
3dd3c5f3 MW |
330 | * @param[in] message message to process |
331 | * @return | |
332 | * - SUCCESS | |
333 | * - FAILED | |
334 | * - DESTROY_ME if this IKE_SA MUST be deleted | |
e168ee17 | 335 | */ |
698d7749 | 336 | status_t (*process_message) (ike_sa_t *this, message_t *message); |
e314700c | 337 | |
bcb95ced MW |
338 | /** |
339 | * @brief Get the next message ID for a request. | |
340 | * | |
341 | * @param this calling object | |
342 | * @return the next message id | |
343 | */ | |
344 | u_int32_t (*get_next_message_id) (ike_sa_t *this); | |
345 | ||
1396815a | 346 | /** |
3dd3c5f3 | 347 | * @brief Check if NAT traversal is enabled for this IKE_SA. |
1396815a MW |
348 | * |
349 | * @param this calling object | |
3dd3c5f3 | 350 | * @return TRUE if NAT traversal enabled |
1396815a | 351 | */ |
3dd3c5f3 | 352 | bool (*is_natt_enabled) (ike_sa_t *this); |
1396815a MW |
353 | |
354 | /** | |
3dd3c5f3 | 355 | * @brief Enable NAT detection for this IKE_SA. |
1396815a | 356 | * |
3dd3c5f3 MW |
357 | * If a Network address translation is detected with |
358 | * NAT_DETECTION notifys, a SA must switch to ports | |
359 | * 4500. To enable this behavior, call enable_natt(). | |
360 | * It is relevant which peer is NATted, this is specified | |
361 | * with the "local" parameter. Call it twice when both | |
362 | * are NATted. | |
1396815a MW |
363 | * |
364 | * @param this calling object | |
3dd3c5f3 | 365 | * @param local TRUE, if we are NATted, FALSE if other |
1396815a | 366 | */ |
3dd3c5f3 | 367 | void (*enable_natt) (ike_sa_t *this, bool local); |
1396815a | 368 | |
397f3448 | 369 | /** |
1ce2ad09 | 370 | * @brief Apply connection parameters for this IKE_SA. |
397f3448 MW |
371 | * |
372 | * @param this calling object | |
1ce2ad09 | 373 | * @param connection connection definition |
397f3448 | 374 | */ |
1ce2ad09 | 375 | void (*apply_connection) (ike_sa_t *this, connection_t *connection); |
397f3448 | 376 | |
1396815a | 377 | /** |
3dd3c5f3 | 378 | * @brief Sends a DPD request to the peer. |
1396815a | 379 | * |
3dd3c5f3 MW |
380 | * To check if a peer is still alive, periodic |
381 | * empty INFORMATIONAL messages are sent if no | |
382 | * other traffic was received. | |
383 | * | |
2f89902d | 384 | * @param this calling object |
3dd3c5f3 MW |
385 | * @return |
386 | * - SUCCESS | |
387 | * - DESTROY_ME, if peer did not respond | |
2f89902d | 388 | */ |
3dd3c5f3 MW |
389 | status_t (*send_dpd) (ike_sa_t *this); |
390 | ||
2f89902d | 391 | /** |
3dd3c5f3 | 392 | * @brief Sends a keep alive packet. |
2f89902d | 393 | * |
3dd3c5f3 MW |
394 | * To refresh NAT tables in a NAT router |
395 | * between the peers, periodic empty | |
396 | * UDP packets are sent if no other traffic | |
397 | * was sent. | |
e314700c | 398 | * |
698d7749 | 399 | * @param this calling object |
1396815a | 400 | */ |
3dd3c5f3 | 401 | void (*send_keepalive) (ike_sa_t *this); |
3dd3c5f3 | 402 | |
2c220249 | 403 | /** |
ce461bbd | 404 | * @brief Derive all keys and create the transforms for IKE communication. |
fe04e93a | 405 | * |
ce461bbd | 406 | * Keys are derived using the diffie hellman secret, nonces and internal |
3dd3c5f3 | 407 | * stored SPIs. |
fe04e93a MW |
408 | * Key derivation differs when an IKE_SA is set up to replace an |
409 | * existing IKE_SA (rekeying). The SK_d key from the old IKE_SA | |
410 | * is included in the derivation process. | |
411 | * | |
3dd3c5f3 MW |
412 | * @param this calling object |
413 | * @param proposal proposal which contains algorithms to use | |
414 | * @param dh diffie hellman object with shared secret | |
415 | * @param nonce_i initiators nonce | |
416 | * @param nonce_r responders nonce | |
fe04e93a | 417 | * @param initiator TRUE if initiator, FALSE otherwise |
3183006d MW |
418 | * @param child_prf PRF with SK_d key when rekeying, NULL otherwise |
419 | * @param old_prf general purpose PRF of old SA when rekeying | |
3dd3c5f3 | 420 | */ |
fe04e93a MW |
421 | status_t (*derive_keys)(ike_sa_t *this, proposal_t* proposal, |
422 | diffie_hellman_t *dh, | |
423 | chunk_t nonce_i, chunk_t nonce_r, | |
3183006d | 424 | bool initiator, prf_t *child_prf, prf_t *old_prf); |
0fdc3c7f JH |
425 | |
426 | /** | |
ce461bbd | 427 | * @brief Get the multi purpose prf. |
0fdc3c7f | 428 | * |
3dd3c5f3 MW |
429 | * @param this calling object |
430 | * @return pointer to prf_t object | |
0fdc3c7f | 431 | */ |
3dd3c5f3 | 432 | prf_t *(*get_prf) (ike_sa_t *this); |
0fdc3c7f | 433 | |
5b97779f MW |
434 | /** |
435 | * @brief Get the prf-object, which is used to derive keys for child SAs. | |
436 | * | |
3dd3c5f3 MW |
437 | * @param this calling object |
438 | * @return pointer to prf_t object | |
5b97779f | 439 | */ |
3dd3c5f3 | 440 | prf_t *(*get_child_prf) (ike_sa_t *this); |
5b97779f | 441 | |
ce461bbd | 442 | /** |
382b4817 | 443 | * @brief Get the prf to build outgoing authentication data. |
ce461bbd | 444 | * |
3dd3c5f3 MW |
445 | * @param this calling object |
446 | * @return pointer to prf_t object | |
ce461bbd | 447 | */ |
382b4817 | 448 | prf_t *(*get_auth_build) (ike_sa_t *this); |
ce461bbd MW |
449 | |
450 | /** | |
382b4817 | 451 | * @brief Get the prf to verify incoming authentication data. |
ce461bbd | 452 | * |
3dd3c5f3 MW |
453 | * @param this calling object |
454 | * @return pointer to prf_t object | |
695723d4 | 455 | */ |
382b4817 | 456 | prf_t *(*get_auth_verify) (ike_sa_t *this); |
695723d4 MW |
457 | |
458 | /** | |
698d7749 | 459 | * @brief Associates a child SA to this IKE SA |
695723d4 | 460 | * |
3dd3c5f3 | 461 | * @param this calling object |
698d7749 | 462 | * @param child_sa child_sa to add |
695723d4 | 463 | */ |
698d7749 MW |
464 | void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa); |
465 | ||
45f76a7d MW |
466 | /** |
467 | * @brief Check if an IKE_SA has one or more CHILD_SAs with a given reqid. | |
468 | * | |
469 | * @param this calling object | |
470 | * @param reqid reqid of the CHILD | |
471 | * @return TRUE if it has such a CHILD, FALSE if not | |
472 | */ | |
473 | bool (*has_child_sa) (ike_sa_t *this, u_int32_t reqid); | |
474 | ||
971218c3 | 475 | /** |
698d7749 | 476 | * @brief Get a CHILD_SA identified by protocol and SPI. |
ae3012a0 | 477 | * |
698d7749 MW |
478 | * @param this calling object |
479 | * @param protocol protocol of the SA | |
480 | * @param spi SPI of the CHILD_SA | |
481 | * @param inbound TRUE if SPI is inbound, FALSE if outbound | |
482 | * @return child_sa, or NULL if none found | |
3dd3c5f3 | 483 | */ |
698d7749 MW |
484 | child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol, |
485 | u_int32_t spi, bool inbound); | |
1396815a | 486 | |
3183006d MW |
487 | /** |
488 | * @brief Create an iterator over all CHILD_SAs. | |
489 | * | |
490 | * @param this calling object | |
491 | * @return iterator | |
492 | */ | |
493 | iterator_t* (*create_child_sa_iterator) (ike_sa_t *this); | |
494 | ||
1396815a | 495 | /** |
3dd3c5f3 | 496 | * @brief Rekey the CHILD SA with the specified reqid. |
1396815a | 497 | * |
3dd3c5f3 | 498 | * Looks for a CHILD SA owned by this IKE_SA, and start the rekeing. |
1396815a | 499 | * |
3dd3c5f3 | 500 | * @param this calling object |
698d7749 MW |
501 | * @param protocol protocol of the SA |
502 | * @param spi inbound SPI of the CHILD_SA | |
3dd3c5f3 MW |
503 | * @return |
504 | * - NOT_FOUND, if IKE_SA has no such CHILD_SA | |
505 | * - SUCCESS, if rekeying initiated | |
1396815a | 506 | */ |
698d7749 MW |
507 | status_t (*rekey_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi); |
508 | ||
1396815a | 509 | /** |
698d7749 MW |
510 | * @brief Close the CHILD SA with the specified protocol/SPI. |
511 | * | |
512 | * Looks for a CHILD SA owned by this IKE_SA, deletes it and | |
513 | * notify's the remote peer about the delete. The associated | |
514 | * states and policies in the kernel get deleted, if they exist. | |
515 | * | |
3dd3c5f3 | 516 | * @param this calling object |
698d7749 MW |
517 | * @param protocol protocol of the SA |
518 | * @param spi inbound SPI of the CHILD_SA | |
519 | * @return | |
520 | * - NOT_FOUND, if IKE_SA has no such CHILD_SA | |
521 | * - SUCCESS, if delete message sent | |
1396815a | 522 | */ |
698d7749 MW |
523 | status_t (*delete_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi); |
524 | ||
1396815a | 525 | /** |
698d7749 MW |
526 | * @brief Destroy a CHILD SA with the specified protocol/SPI. |
527 | * | |
528 | * Looks for a CHILD SA owned by this IKE_SA and destroys it. | |
529 | * | |
3dd3c5f3 | 530 | * @param this calling object |
698d7749 MW |
531 | * @param protocol protocol of the SA |
532 | * @param spi inbound SPI of the CHILD_SA | |
533 | * @return | |
534 | * - NOT_FOUND, if IKE_SA has no such CHILD_SA | |
535 | * - SUCCESS | |
1396815a | 536 | */ |
698d7749 | 537 | status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi); |
fe04e93a MW |
538 | |
539 | /** | |
540 | * @brief Set lifetimes of an IKE_SA. | |
541 | * | |
542 | * Two lifetimes are specified. The soft_lifetime says, when rekeying should | |
543 | * be initiated. The hard_lifetime says, when the IKE_SA has been expired | |
544 | * and must be deleted. Normally, hard_lifetime > soft_lifetime, and | |
545 | * hard_lifetime is only reached when rekeying at soft_lifetime fails. | |
546 | * | |
547 | * @param this calling object | |
6fe03b0a | 548 | * @param reauth use full reauthentication instead of rekeying. |
fe04e93a MW |
549 | * @param soft_lifetime soft_lifetime |
550 | * @param hard_lifetime hard_lifetime | |
551 | */ | |
6fe03b0a | 552 | void (*set_lifetimes) (ike_sa_t *this, bool reauth, |
fe04e93a MW |
553 | u_int32_t soft_lifetime, u_int32_t hard_lifetime); |
554 | ||
555 | /** | |
556 | * @brief Rekey the IKE_SA. | |
557 | * | |
558 | * Sets up a new IKE_SA, moves all CHILDs to it and deletes this IKE_SA. | |
559 | * | |
560 | * @param this calling object | |
561 | * @return - SUCCESS, if IKE_SA rekeying initiated | |
562 | */ | |
563 | status_t (*rekey) (ike_sa_t *this); | |
564 | ||
6fe03b0a MW |
565 | /** |
566 | * @brief Reauthentication the IKE_SA. | |
567 | * | |
568 | * Create a completely new IKE_SA with authentication, recreates all children | |
569 | * within the IKE_SA and shuts the old SA down. | |
570 | * | |
571 | * @param this calling object | |
572 | * @return - SUCCESS, if IKE_SA rekeying initiated | |
573 | */ | |
574 | status_t (*reauth) (ike_sa_t *this); | |
575 | ||
3183006d MW |
576 | /** |
577 | * @brief Get the transaction which rekeys this IKE_SA. | |
3183006d MW |
578 | * |
579 | * @param this calling object | |
580 | * @return rekey_ike_sa_t transaction or NULL | |
581 | */ | |
382b4817 | 582 | transaction_t* (*get_rekeying_transaction) (ike_sa_t *this); |
3183006d MW |
583 | |
584 | /** | |
585 | * @brief Set the transaction which rekeys this IKE_SA. | |
586 | * | |
587 | * @param this calling object | |
588 | * @param rekey rekey_ike_sa_t transaction or NULL | |
589 | */ | |
382b4817 | 590 | void (*set_rekeying_transaction) (ike_sa_t *this, transaction_t *rekey); |
3183006d | 591 | |
fe04e93a MW |
592 | /** |
593 | * @brief Move all children from other IKE_SA to this IKE_SA. | |
594 | * | |
595 | * After rekeying completes, all children are switched over to the | |
596 | * newly created IKE_SA. | |
597 | * | |
598 | * @param this stepfather | |
599 | * @param other deceased (rekeyed) IKE_SA | |
600 | */ | |
601 | void (*adopt_children) (ike_sa_t *this, ike_sa_t *other); | |
3dd3c5f3 | 602 | |
1396815a | 603 | /** |
3dd3c5f3 | 604 | * @brief Destroys a ike_sa_t object. |
1396815a | 605 | * |
3dd3c5f3 | 606 | * @param this calling object |
1396815a | 607 | */ |
3dd3c5f3 | 608 | void (*destroy) (ike_sa_t *this); |
8323a9c1 JH |
609 | }; |
610 | ||
7ba38761 | 611 | /** |
39b2903f | 612 | * @brief Creates an ike_sa_t object with a specific ID. |
c3dc6f1a | 613 | * |
3dd3c5f3 MW |
614 | * The ID gets cloned internally. |
615 | * | |
698d7749 MW |
616 | * @param ike_sa_id ike_sa_id_t object to associate with new IKE_SA |
617 | * @return ike_sa_t object | |
df3c59d0 MW |
618 | * |
619 | * @ingroup sa | |
7ba38761 | 620 | */ |
3dd3c5f3 | 621 | ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id); |
7ba38761 | 622 | |
698d7749 | 623 | #endif /* IKE_SA_H_ */ |