[thirdparty/strongswan.git] / src / charon / sa / ike_sa.h

/**
 * @file ike_sa.h
 *
 * @brief Interface of ike_sa_t.
 *
 */

/*
 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
 * Copyright (C) 2005-2006 Martin Willi
 * Copyright (C) 2005 Jan Hutter
 * Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

#ifndef IKE_SA_H_
#define IKE_SA_H_

typedef enum ike_sa_state_t ike_sa_state_t;
typedef struct ike_sa_t ike_sa_t;

#include <library.h>
#include <encoding/message.h>
#include <encoding/payloads/proposal_substructure.h>
#include <sa/ike_sa_id.h>
#include <sa/child_sa.h>
#include <sa/transactions/transaction.h>
#include <config/configuration.h>
#include <utils/randomizer.h>
#include <crypto/prfs/prf.h>
#include <crypto/crypters/crypter.h>
#include <crypto/signers/signer.h>
#include <config/connections/connection.h>
#include <config/policies/policy.h>
#include <config/proposal.h>

/**
 * @brief State of an IKE_SA.
 *
 * An IKE_SA passes various states in its lifetime. A newly created
 * SA is in the state CREATED.
 * @verbatim
                 +----------------+
                 ¦   SA_CREATED   ¦
                 +----------------+
                         ¦
    on initiate()--->    ¦   <----- on IKE_SA_INIT received 
                         V
                 +----------------+
                 ¦ SA_CONNECTING  ¦
                 +----------------+
                         ¦
                         ¦   <----- on IKE_AUTH successfully completed
                         V
                 +----------------+
                 ¦ SA_ESTABLISHED ¦-------------------------+ <-- on rekeying
                 +----------------+                         ¦
                         ¦                                  V
    on delete()--->      ¦   <----- on IKE_SA        +-------------+
                         ¦          delete request   ¦ SA_REKEYING ¦
                         ¦          received         +-------------+
                         V                                  ¦
                 +----------------+                         ¦
                 ¦  SA_DELETING   ¦<------------------------+ <-- after rekeying
                 +----------------+
                         ¦
                         ¦   <----- after delete() acknowledged
                         ¦
                        \V/
                         X
                        / \
   @endverbatim
 *
 * @ingroup sa
 */
enum ike_sa_state_t {
	
	/**
	 * IKE_SA just got created, but is not initiating nor responding yet.
	 */
	IKE_CREATED,
	
	/**
	 * IKE_SA gets initiated actively or passively
	 */
	IKE_CONNECTING,
	
	/**
	 * IKE_SA is fully established
	 */
	IKE_ESTABLISHED,
	
	/**
	 * IKE_SA rekeying in progress
	 */
	IKE_REKEYING,
	
	/**
	 * IKE_SA is in progress of deletion
	 */
	IKE_DELETING,
};

/**
 * enum names for ike_sa_state_t.
 */
extern enum_name_t *ike_sa_state_names;

/**
 * @brief Class ike_sa_t representing an IKE_SA.
 *
 * An IKE_SA contains crypto information related to a connection
 * with a peer. It contains multiple IPsec CHILD_SA, for which
 * it is responsible. All traffic is handled by an IKE_SA, using
 * transactions.
 *
 * @b Constructors:
 * - ike_sa_create()
 * 
 * @ingroup sa
 */
struct ike_sa_t {

	/**
	 * @brief Get the id of the SA.
	 * 
	 * Returned ike_sa_id_t object is not getting cloned!
	 *
	 * @param this 			calling object
	 * @return 				ike_sa's ike_sa_id_t
	 */
	ike_sa_id_t* (*get_id) (ike_sa_t *this);
	
	/**
	 * @brief Get the state of the IKE_SA.
	 *
	 * @param this			calling object
	 * @return				state of the IKE_SA
	 */
	ike_sa_state_t (*get_state) (ike_sa_t *this);
	
	/**
	 * @brief Set the state of the IKE_SA.
	 *
	 * @param this			calling object
	 * @param state			state to set for the IKE_SA
	 */
	void (*set_state) (ike_sa_t *this, ike_sa_state_t ike_sa);
	
	/**
	 * @brief Get the name of the connection this IKE_SA uses.
	 *
	 * @param this			calling object
	 * @return				name
	 */
	char* (*get_name) (ike_sa_t *this);
	
	/**
	 * @brief Set the name of the connection this IKE_SA uses.
	 *
	 * @param this			calling object
	 * @param name			name, gets cloned
	 */
	void (*set_name) (ike_sa_t *this, char* name);
	
	/**
	 * @brief Get the own host address.
	 * 
	 * @param this 			calling object
	 * @return				host address
	 */
	host_t* (*get_my_host) (ike_sa_t *this);
	
	/**
	 * @brief Set the own host address.
	 * 
	 * @param this 			calling object
	 * @param me			host address
	 */
	void (*set_my_host) (ike_sa_t *this, host_t *me);
	
	/**
	 * @brief Get the other peers host address.
	 * 
	 * @param this 			calling object
	 * @return				host address
	 */
	host_t* (*get_other_host) (ike_sa_t *this);
	
	/**
	 * @brief Set the others host address.
	 * 
	 * @param this 			calling object
	 * @param other			host address
	 */
	void (*set_other_host) (ike_sa_t *this, host_t *other);
	
	/**
	 * @brief Get the own identification.
	 * 
	 * @param this 			calling object
	 * @return				identification
	 */
	identification_t* (*get_my_id) (ike_sa_t *this);
	
	/**
	 * @brief Set the own identification.
	 * 
	 * @param this 			calling object
	 * @param me			identification
	 */
	void (*set_my_id) (ike_sa_t *this, identification_t *me);
	
	/**
	 * @brief Get the other peers identification.
	 * 
	 * @param this 			calling object
	 * @return				identification
	 */
	identification_t* (*get_other_id) (ike_sa_t *this);
	
	/**
	 * @brief Set the other peers identification.
	 * 
	 * @param this 			calling object
	 * @param other			identification
	 */
	void (*set_other_id) (ike_sa_t *this, identification_t *other);

	/**
	 * @brief Initiate a new connection.
	 *
	 * The policy/connection is owned by the IKE_SA after the call, so
	 * do not modify or destroy it.
	 * 
	 * @param this 			calling object
	 * @param connection	connection to initiate
	 * @param policy		policy to set up
	 * @return				
	 * 						- SUCCESS if initialization started
	 * 						- DESTROY_ME if initialization failed and IKE_SA MUST be deleted
	 */
	status_t (*initiate) (ike_sa_t *this, connection_t *connection, policy_t *policy);

	/**
	 * @brief Route a policy in the kernel.
	 *
	 * Installs the policies in the kernel. If traffic matches,
	 * the kernel requests connection setup from the IKE_SA via acquire().
	 * 
	 * @param this 			calling object
	 * @param connection	connection definition used for routing
	 * @param policy		policy to route
	 * @return				
	 * 						- SUCCESS if routed successfully
	 * 						- FAILED if routing failed
	 */
	status_t (*route) (ike_sa_t *this, connection_t *connection, policy_t *policy);

	/**
	 * @brief Unroute a policy in the kernel previously routed.
	 *
	 * @param this 			calling object
	 * @param policy		policy to route
	 * @return				
	 * 						- SUCCESS if route removed
	 * 						- DESTROY_ME if last route was removed from
	 * 						  an IKE_SA which was not established
	 */
	status_t (*unroute) (ike_sa_t *this, policy_t *policy);
	
	/**
	 * @brief Acquire connection setup for a policy.
	 *
	 * If an installed policy raises an acquire, the kernel calls
	 * this function to establish the CHILD_SA (and maybe the IKE_SA).
	 *
	 * @param this 			calling object
	 * @param reqid			reqid of the CHILD_SA the policy belongs to.
	 * @return				
	 * 						- SUCCESS if initialization started
	 * 						- DESTROY_ME if initialization failed and IKE_SA MUST be deleted
	 */
	status_t (*acquire) (ike_sa_t *this, u_int32_t reqid);
	
	/**
	 * @brief Initiates the deletion of an IKE_SA.
	 * 
	 * Sends a delete message to the remote peer and waits for
	 * its response. If the response comes in, or a timeout occurs,
	 * the IKE SA gets deleted.
	 * 
	 * @param this 			calling object
	 * @return
	 * 						- SUCCESS if deletion is initialized
	 * 						- INVALID_STATE, if the IKE_SA is not in 
	 * 						  an established state and can not be
	 * 						  delete (but destroyed).
	 */
	status_t (*delete) (ike_sa_t *this);
	
	/**
	 * @brief Retransmits a request.
	 * 
	 * @param this 			calling object
	 * @param message_id	ID of the request to retransmit
	 * @return
	 * 						- SUCCESS
	 * 						- NOT_FOUND if request doesn't have to be retransmited
	 */
	status_t (*retransmit_request) (ike_sa_t *this, u_int32_t message_id);
	
	/**
	 * @brief Processes a incoming IKEv2-Message.
	 *
	 * Message processing may fail. If a critical failure occurs, 
	 * process_message() return DESTROY_ME. Then the caller must 
	 * destroy the IKE_SA immediatly, as it is unusable.
	 * 
	 * @param this 			calling object
	 * @param[in] message 	message to process
	 * @return 				
	 * 						- SUCCESS
	 * 						- FAILED
	 * 						- DESTROY_ME if this IKE_SA MUST be deleted
	 */
	status_t (*process_message) (ike_sa_t *this, message_t *message);
	
	/**
	 * @brief Get the next message ID for a request.
	 *
	 * @param this 			calling object
	 * @return 				the next message id
	 */
	u_int32_t (*get_next_message_id) (ike_sa_t *this);
	
	/**
	 * @brief Check if NAT traversal is enabled for this IKE_SA.
	 *
	 * @param this 			calling object
	 * @return 				TRUE if NAT traversal enabled
	 */
	bool (*is_natt_enabled) (ike_sa_t *this);

	/**
	 * @brief Enable NAT detection for this IKE_SA.
	 *
	 * If a Network address translation is detected with
	 * NAT_DETECTION notifys, a SA must switch to ports
	 * 4500. To enable this behavior, call enable_natt().
	 * It is relevant which peer is NATted, this is specified
	 * with the "local" parameter. Call it twice when both
	 * are NATted.
	 *
	 * @param this 			calling object
	 * @param local			TRUE, if we are NATted, FALSE if other
	 */
	void (*enable_natt) (ike_sa_t *this, bool local);

	/**
	 * @brief Apply connection parameters for this IKE_SA.
	 * 
	 * @param this			calling object
	 * @param connection	connection definition
	 */
	void (*apply_connection) (ike_sa_t *this, connection_t *connection);

	/**
	 * @brief Sends a DPD request to the peer.
	 *
	 * To check if a peer is still alive, periodic
	 * empty INFORMATIONAL messages are sent if no
	 * other traffic was received.
	 * 
	 * @param this			calling object
	 * @return
	 * 						- SUCCESS
	 * 						- DESTROY_ME, if peer did not respond
	 */
	status_t (*send_dpd) (ike_sa_t *this);
	
	/**
	 * @brief Sends a keep alive packet.
	 *
	 * To refresh NAT tables in a NAT router
	 * between the peers, periodic empty
	 * UDP packets are sent if no other traffic
	 * was sent.
	 *
	 * @param this			calling object
	 */
	void (*send_keepalive) (ike_sa_t *this);

	/**
	 * @brief Derive all keys and create the transforms for IKE communication.
	 *
	 * Keys are derived using the diffie hellman secret, nonces and internal
	 * stored SPIs.
	 * Key derivation differs when an IKE_SA is set up to replace an
	 * existing IKE_SA (rekeying). The SK_d key from the old IKE_SA
	 * is included in the derivation process.
	 *
	 * @param this 			calling object
	 * @param proposal		proposal which contains algorithms to use
	 * @param dh			diffie hellman object with shared secret
	 * @param nonce_i		initiators nonce
	 * @param nonce_r		responders nonce
	 * @param initiator		TRUE if initiator, FALSE otherwise
	 * @param child_prf		PRF with SK_d key when rekeying, NULL otherwise
	 * @param old_prf		general purpose PRF of old SA when rekeying
	 */
	status_t (*derive_keys)(ike_sa_t *this, proposal_t* proposal,
							diffie_hellman_t *dh,
							chunk_t nonce_i, chunk_t nonce_r,
							bool initiator, prf_t *child_prf, prf_t *old_prf);
	
	/**
	 * @brief Get the multi purpose prf.
	 * 
	 * @param this 			calling object
	 * @return				pointer to prf_t object
	 */
	prf_t *(*get_prf) (ike_sa_t *this);
	
	/**
	 * @brief Get the prf-object, which is used to derive keys for child SAs.
	 * 
	 * @param this 			calling object
	 * @return				pointer to prf_t object
	 */
	prf_t *(*get_child_prf) (ike_sa_t *this);
	
	/**
	 * @brief Get the prf to build outgoing authentication data.
	 * 
	 * @param this 			calling object
	 * @return				pointer to prf_t object
	 */
	prf_t *(*get_auth_build) (ike_sa_t *this);
	
	/**
	 * @brief Get the prf to verify incoming authentication data.
	 * 
	 * @param this 			calling object
	 * @return				pointer to prf_t object
	 */
	prf_t *(*get_auth_verify) (ike_sa_t *this);
	
	/**
	 * @brief Associates a child SA to this IKE SA
	 * 
	 * @param this 			calling object
	 * @param child_sa		child_sa to add
	 */
	void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa);
	
	/**
	 * @brief Check if an IKE_SA has one or more CHILD_SAs with a given reqid.
	 * 
	 * @param this 			calling object
	 * @param reqid			reqid of the CHILD
	 * @return				TRUE if it has such a CHILD, FALSE if not
	 */
	bool (*has_child_sa) (ike_sa_t *this, u_int32_t reqid);
	
	/**
	 * @brief Get a CHILD_SA identified by protocol and SPI.
	 * 
	 * @param this 			calling object
	 * @param protocol		protocol of the SA
	 * @param spi			SPI of the CHILD_SA
	 * @param inbound		TRUE if SPI is inbound, FALSE if outbound
	 * @return				child_sa, or NULL if none found
	 */
	child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol, 
								 u_int32_t spi, bool inbound);
	
	/**
	 * @brief Create an iterator over all CHILD_SAs.
	 * 
	 * @param this 			calling object
	 * @return				iterator
	 */
	iterator_t* (*create_child_sa_iterator) (ike_sa_t *this);
	
	/**
	 * @brief Rekey the CHILD SA with the specified reqid.
	 *
	 * Looks for a CHILD SA owned by this IKE_SA, and start the rekeing.
	 *
	 * @param this 			calling object
	 * @param protocol		protocol of the SA
	 * @param spi			inbound SPI of the CHILD_SA
	 * @return
	 * 						- NOT_FOUND, if IKE_SA has no such CHILD_SA
	 * 						- SUCCESS, if rekeying initiated
	 */
	status_t (*rekey_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);

	/**
	 * @brief Close the CHILD SA with the specified protocol/SPI.
	 *
	 * Looks for a CHILD SA owned by this IKE_SA, deletes it and
	 * notify's the remote peer about the delete. The associated
	 * states and policies in the kernel get deleted, if they exist.
	 *
	 * @param this 			calling object
	 * @param protocol		protocol of the SA
	 * @param spi			inbound SPI of the CHILD_SA
	 * @return
	 * 						- NOT_FOUND, if IKE_SA has no such CHILD_SA
	 * 						- SUCCESS, if delete message sent
	 */
	status_t (*delete_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);

	/**
	 * @brief Destroy a CHILD SA with the specified protocol/SPI.
	 *
	 * Looks for a CHILD SA owned by this IKE_SA and destroys it.
	 *
	 * @param this 			calling object
	 * @param protocol		protocol of the SA
	 * @param spi			inbound SPI of the CHILD_SA
	 * @return
	 * 						- NOT_FOUND, if IKE_SA has no such CHILD_SA
	 * 						- SUCCESS
	 */
	status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);

	/**
	 * @brief Set lifetimes of an IKE_SA.
	 *
	 * Two lifetimes are specified. The soft_lifetime says, when rekeying should
	 * be initiated. The hard_lifetime says, when the IKE_SA has been expired
	 * and must be deleted. Normally, hard_lifetime > soft_lifetime, and 
	 * hard_lifetime is only reached when rekeying at soft_lifetime fails.
	 *
	 * @param this 			calling object
	 * @param reauth		use full reauthentication instead of rekeying.
	 * @param soft_lifetime	soft_lifetime
	 * @param hard_lifetime	hard_lifetime
	 */
	void (*set_lifetimes) (ike_sa_t *this, bool reauth,
						   u_int32_t soft_lifetime, u_int32_t hard_lifetime);

	/**
	 * @brief Rekey the IKE_SA.
	 *
	 * Sets up a new IKE_SA, moves all CHILDs to it and deletes this IKE_SA.
	 *
	 * @param this 			calling object
	 * @return				- SUCCESS, if IKE_SA rekeying initiated
	 */
	status_t (*rekey) (ike_sa_t *this);

	/**
	 * @brief Reauthentication the IKE_SA.
	 *
	 * Create a completely new IKE_SA with authentication, recreates all children
	 * within the IKE_SA and shuts the old SA down.
	 *
	 * @param this 			calling object
	 * @return				- SUCCESS, if IKE_SA rekeying initiated
	 */
	status_t (*reauth) (ike_sa_t *this);

	/**
	 * @brief Get the transaction which rekeys this IKE_SA.
	 *
	 * @param this 			calling object
	 * @return				rekey_ike_sa_t transaction or NULL
	 */
	transaction_t* (*get_rekeying_transaction) (ike_sa_t *this);

	/**
	 * @brief Set the transaction which rekeys this IKE_SA.
	 *
	 * @param this 			calling object
	 * @param rekey			rekey_ike_sa_t transaction or NULL
	 */
	void (*set_rekeying_transaction) (ike_sa_t *this, transaction_t *rekey);

	/**
	 * @brief Move all children from other IKE_SA to this IKE_SA.
	 *
	 * After rekeying completes, all children are switched over to the
	 * newly created IKE_SA.
	 *
	 * @param this 			stepfather
	 * @param other			deceased (rekeyed) IKE_SA
	 */
	void (*adopt_children) (ike_sa_t *this, ike_sa_t *other);
	
	/**
	 * @brief Destroys a ike_sa_t object.
	 *
	 * @param this 			calling object
	 */
	void (*destroy) (ike_sa_t *this);
};

/**
 * @brief Creates an ike_sa_t object with a specific ID.
 *
 * The ID gets cloned internally.
 *
 * @param ike_sa_id 	ike_sa_id_t object to associate with new IKE_SA
 * @return 				ike_sa_t object
 * 
 * @ingroup sa
 */
ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id);

#endif /* IKE_SA_H_ */
Commit	Line	Data
7ba38761 JH	1	/**
7ba38761 JH	2	* @file ike_sa.h
c3dc6f1a	3	*
39b2903f	4	* @brief Interface of ike_sa_t.
c3dc6f1a	5	*
7ba38761 JH	6	*/
	7
	8	/*
1396815a	9	* Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
c71d53ba MW	10	* Copyright (C) 2005-2006 Martin Willi
c71d53ba MW	11	* Copyright (C) 2005 Jan Hutter
7ba38761 JH	12	* Hochschule fuer Technik Rapperswil
	13	*
	14	* This program is free software; you can redistribute it and/or modify it
	15	* under the terms of the GNU General Public License as published by the
	16	* Free Software Foundation; either version 2 of the License, or (at your
	17	* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
	18	*
	19	* This program is distributed in the hope that it will be useful, but
	20	* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
	21	* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	22	* for more details.
	23	*/
	24
	25	#ifndef IKE_SA_H_
	26	#define IKE_SA_H_
	27
382b4817 MW	28	typedef enum ike_sa_state_t ike_sa_state_t;
	29	typedef struct ike_sa_t ike_sa_t;
	30
db7ef624	31	#include <library.h>
4a962238	32	#include <encoding/message.h>
b9d9f188	33	#include <encoding/payloads/proposal_substructure.h>
96f79ff1	34	#include <sa/ike_sa_id.h>
30b5b412	35	#include <sa/child_sa.h>
382b4817	36	#include <sa/transactions/transaction.h>
8a491129	37	#include <config/configuration.h>
021c2322	38	#include <utils/randomizer.h>
68621281 MW	39	#include <crypto/prfs/prf.h>
	40	#include <crypto/crypters/crypter.h>
	41	#include <crypto/signers/signer.h>
13e4a62f MW	42	#include <config/connections/connection.h>
13e4a62f MW	43	#include <config/policies/policy.h>
698d7749	44	#include <config/proposal.h>
8323a9c1	45
8323a9c1	46	/**
3dd3c5f3	47	* @brief State of an IKE_SA.
cb5c41cd MW	48	*
	49	* An IKE_SA passes various states in its lifetime. A newly created
	50	* SA is in the state CREATED.
	51	* @verbatim
	52	+----------------+
3183006d	53	¦ SA_CREATED ¦
cb5c41cd	54	+----------------+
3183006d MW	55	¦
	56	on initiate()---> ¦ <----- on IKE_SA_INIT received
	57	V
cb5c41cd	58	+----------------+
3183006d	59	¦ SA_CONNECTING ¦
cb5c41cd	60	+----------------+
3183006d MW	61	¦
	62	¦ <----- on IKE_AUTH successfully completed
	63	V
cb5c41cd	64	+----------------+
3183006d MW	65	¦ SA_ESTABLISHED ¦-------------------------+ <-- on rekeying
	66	+----------------+ ¦
	67	¦ V
	68	on delete()---> ¦ <----- on IKE_SA +-------------+
	69	¦ delete request ¦ SA_REKEYING ¦
	70	¦ received +-------------+
	71	V ¦
	72	+----------------+ ¦
	73	¦ SA_DELETING ¦<------------------------+ <-- after rekeying
cb5c41cd	74	+----------------+
3183006d MW	75	¦
	76	¦ <----- after delete() acknowledged
	77	¦
	78	\V/
cb5c41cd MW	79	X
	80	/ \
	81	@endverbatim
	82	*
df3c59d0	83	* @ingroup sa
8323a9c1	84	*/
3dd3c5f3 MW	85	enum ike_sa_state_t {
	86
	87	/**
	88	* IKE_SA just got created, but is not initiating nor responding yet.
	89	*/
bcb95ced	90	IKE_CREATED,
3dd3c5f3 MW	91
	92	/**
	93	* IKE_SA gets initiated actively or passively
	94	*/
bcb95ced	95	IKE_CONNECTING,
3dd3c5f3 MW	96
	97	/**
	98	* IKE_SA is fully established
	99	*/
bcb95ced	100	IKE_ESTABLISHED,
3dd3c5f3	101
3183006d MW	102	/**
	103	* IKE_SA rekeying in progress
	104	*/
	105	IKE_REKEYING,
	106
3dd3c5f3 MW	107	/**
	108	* IKE_SA is in progress of deletion
	109	*/
bcb95ced	110	IKE_DELETING,
3dd3c5f3 MW	111	};
	112
	113	/**
60356f33	114	* enum names for ike_sa_state_t.
3dd3c5f3	115	*/
60356f33	116	extern enum_name_t *ike_sa_state_names;
7ba38761 JH	117
7ba38761 JH	118	/**
3dd3c5f3 MW	119	* @brief Class ike_sa_t representing an IKE_SA.
	120	*
	121	* An IKE_SA contains crypto information related to a connection
	122	* with a peer. It contains multiple IPsec CHILD_SA, for which
	123	* it is responsible. All traffic is handled by an IKE_SA, using
	124	* transactions.
	125	*
79b8aa19 MW	126	* @b Constructors:
79b8aa19 MW	127	* - ike_sa_create()
df3c59d0 MW	128	*
df3c59d0 MW	129	* @ingroup sa
7ba38761	130	*/
5796aa16	131	struct ike_sa_t {
7ba38761 JH	132
7ba38761 JH	133	/**
3dd3c5f3 MW	134	* @brief Get the id of the SA.
	135	*
	136	* Returned ike_sa_id_t object is not getting cloned!
c3dc6f1a	137	*
3dd3c5f3 MW	138	* @param this calling object
3dd3c5f3 MW	139	* @return ike_sa's ike_sa_id_t
7ba38761	140	*/
3dd3c5f3 MW	141	ike_sa_id_t* (get_id) (ike_sa_t this);
	142
	143	/**
	144	* @brief Get the state of the IKE_SA.
	145	*
	146	* @param this calling object
	147	* @return state of the IKE_SA
	148	*/
	149	ike_sa_state_t (get_state) (ike_sa_t this);
	150
	151	/**
	152	* @brief Set the state of the IKE_SA.
	153	*
	154	* @param this calling object
	155	* @param state state to set for the IKE_SA
	156	*/
	157	void (set_state) (ike_sa_t this, ike_sa_state_t ike_sa);
8dfbe71b MW	158
	159	/**
	160	* @brief Get the name of the connection this IKE_SA uses.
	161	*
	162	* @param this calling object
	163	* @return name
	164	*/
	165	char* (get_name) (ike_sa_t this);
	166
	167	/**
	168	* @brief Set the name of the connection this IKE_SA uses.
	169	*
	170	* @param this calling object
	171	* @param name name, gets cloned
	172	*/
	173	void (set_name) (ike_sa_t this, char* name);
	174
	175	/**
	176	* @brief Get the own host address.
	177	*
	178	* @param this calling object
	179	* @return host address
	180	*/
	181	host_t* (get_my_host) (ike_sa_t this);
	182
fe04e93a MW	183	/**
	184	* @brief Set the own host address.
	185	*
	186	* @param this calling object
	187	* @param me host address
	188	*/
	189	void (set_my_host) (ike_sa_t this, host_t *me);
	190
8dfbe71b MW	191	/**
	192	* @brief Get the other peers host address.
	193	*
	194	* @param this calling object
	195	* @return host address
	196	*/
	197	host_t* (get_other_host) (ike_sa_t this);
	198
fe04e93a MW	199	/**
	200	* @brief Set the others host address.
	201	*
	202	* @param this calling object
	203	* @param other host address
	204	*/
	205	void (set_other_host) (ike_sa_t this, host_t *other);
	206
8dfbe71b MW	207	/**
	208	* @brief Get the own identification.
	209	*
	210	* @param this calling object
	211	* @return identification
	212	*/
	213	identification_t* (get_my_id) (ike_sa_t this);
	214
	215	/**
	216	* @brief Set the own identification.
	217	*
	218	* @param this calling object
	219	* @param me identification
	220	*/
	221	void (set_my_id) (ike_sa_t this, identification_t *me);
	222
	223	/**
	224	* @brief Get the other peers identification.
	225	*
	226	* @param this calling object
	227	* @return identification
	228	*/
	229	identification_t* (get_other_id) (ike_sa_t this);
	230
	231	/**
	232	* @brief Set the other peers identification.
	233	*
	234	* @param this calling object
	235	* @param other identification
	236	*/
	237	void (set_other_id) (ike_sa_t this, identification_t *other);
7ba38761	238
2c220249	239	/**
3dd3c5f3 MW	240	* @brief Initiate a new connection.
3dd3c5f3 MW	241	*
8dfbe71b	242	* The policy/connection is owned by the IKE_SA after the call, so
16b9a73c	243	* do not modify or destroy it.
2c220249 JH	244	*
2c220249 JH	245	* @param this calling object
16b9a73c	246	* @param connection connection to initiate
8dfbe71b MW	247	* @param policy policy to set up
	248	* @return
	249	* - SUCCESS if initialization started
	250	* - DESTROY_ME if initialization failed and IKE_SA MUST be deleted
	251	*/
	252	status_t (initiate) (ike_sa_t this, connection_t connection, policy_t policy);
	253
	254	/**
	255	* @brief Route a policy in the kernel.
	256	*
	257	* Installs the policies in the kernel. If traffic matches,
	258	* the kernel requests connection setup from the IKE_SA via acquire().
8dfbe71b MW	259	*
8dfbe71b MW	260	* @param this calling object
45f76a7d	261	* @param connection connection definition used for routing
8dfbe71b MW	262	* @param policy policy to route
8dfbe71b MW	263	* @return
45f76a7d MW	264	* - SUCCESS if routed successfully
45f76a7d MW	265	* - FAILED if routing failed
8dfbe71b	266	*/
45f76a7d MW	267	status_t (route) (ike_sa_t this, connection_t connection, policy_t policy);
	268
	269	/**
	270	* @brief Unroute a policy in the kernel previously routed.
	271	*
	272	* @param this calling object
	273	* @param policy policy to route
	274	* @return
	275	* - SUCCESS if route removed
	276	* - DESTROY_ME if last route was removed from
	277	* an IKE_SA which was not established
	278	*/
	279	status_t (unroute) (ike_sa_t this, policy_t *policy);
8dfbe71b MW	280
	281	/**
	282	* @brief Acquire connection setup for a policy.
	283	*
	284	* If an installed policy raises an acquire, the kernel calls
3183006d	285	* this function to establish the CHILD_SA (and maybe the IKE_SA).
8dfbe71b MW	286	*
	287	* @param this calling object
	288	* @param reqid reqid of the CHILD_SA the policy belongs to.
79b8aa19 MW	289	* @return
79b8aa19 MW	290	* - SUCCESS if initialization started
4a5bba25	291	* - DESTROY_ME if initialization failed and IKE_SA MUST be deleted
2c220249	292	*/
8dfbe71b	293	status_t (acquire) (ike_sa_t this, u_int32_t reqid);
5534ee84	294
1396815a	295	/**
3dd3c5f3 MW	296	* @brief Initiates the deletion of an IKE_SA.
	297	*
	298	* Sends a delete message to the remote peer and waits for
	299	* its response. If the response comes in, or a timeout occurs,
	300	* the IKE SA gets deleted.
1396815a MW	301	*
1396815a MW	302	* @param this calling object
1396815a	303	* @return
3dd3c5f3 MW	304	* - SUCCESS if deletion is initialized
	305	* - INVALID_STATE, if the IKE_SA is not in
	306	* an established state and can not be
	307	* delete (but destroyed).
1396815a	308	*/
3dd3c5f3 MW	309	status_t (delete) (ike_sa_t this);
3dd3c5f3 MW	310
5534ee84 JH	311	/**
	312	* @brief Retransmits a request.
	313	*
	314	* @param this calling object
	315	* @param message_id ID of the request to retransmit
	316	* @return
	317	* - SUCCESS
	318	* - NOT_FOUND if request doesn't have to be retransmited
	319	*/
	320	status_t (retransmit_request) (ike_sa_t this, u_int32_t message_id);
3dd3c5f3	321
13e4a62f	322	/**
3dd3c5f3	323	* @brief Processes a incoming IKEv2-Message.
13e4a62f	324	*
3dd3c5f3 MW	325	* Message processing may fail. If a critical failure occurs,
	326	* process_message() return DESTROY_ME. Then the caller must
	327	* destroy the IKE_SA immediatly, as it is unusable.
e168ee17	328	*
e168ee17	329	* @param this calling object
3dd3c5f3 MW	330	* @param[in] message message to process
	331	* @return
	332	* - SUCCESS
	333	* - FAILED
	334	* - DESTROY_ME if this IKE_SA MUST be deleted
e168ee17	335	*/
698d7749	336	status_t (process_message) (ike_sa_t this, message_t *message);
e314700c	337
bcb95ced MW	338	/**
	339	* @brief Get the next message ID for a request.
	340	*
	341	* @param this calling object
	342	* @return the next message id
	343	*/
	344	u_int32_t (get_next_message_id) (ike_sa_t this);
	345
1396815a	346	/**
3dd3c5f3	347	* @brief Check if NAT traversal is enabled for this IKE_SA.
1396815a MW	348	*
1396815a MW	349	* @param this calling object
3dd3c5f3	350	* @return TRUE if NAT traversal enabled
1396815a	351	*/
3dd3c5f3	352	bool (is_natt_enabled) (ike_sa_t this);
1396815a MW	353
1396815a MW	354	/**
3dd3c5f3	355	* @brief Enable NAT detection for this IKE_SA.
1396815a	356	*
3dd3c5f3 MW	357	* If a Network address translation is detected with
	358	* NAT_DETECTION notifys, a SA must switch to ports
	359	* 4500. To enable this behavior, call enable_natt().
	360	* It is relevant which peer is NATted, this is specified
	361	* with the "local" parameter. Call it twice when both
	362	* are NATted.
1396815a MW	363	*
1396815a MW	364	* @param this calling object
3dd3c5f3	365	* @param local TRUE, if we are NATted, FALSE if other
1396815a	366	*/
3dd3c5f3	367	void (enable_natt) (ike_sa_t this, bool local);
1396815a	368
397f3448	369	/**
1ce2ad09	370	* @brief Apply connection parameters for this IKE_SA.
397f3448 MW	371	*
397f3448 MW	372	* @param this calling object
1ce2ad09	373	* @param connection connection definition
397f3448	374	*/
1ce2ad09	375	void (apply_connection) (ike_sa_t this, connection_t *connection);
397f3448	376
1396815a	377	/**
3dd3c5f3	378	* @brief Sends a DPD request to the peer.
1396815a	379	*
3dd3c5f3 MW	380	* To check if a peer is still alive, periodic
	381	* empty INFORMATIONAL messages are sent if no
	382	* other traffic was received.
	383	*
2f89902d	384	* @param this calling object
3dd3c5f3 MW	385	* @return
	386	* - SUCCESS
	387	* - DESTROY_ME, if peer did not respond
2f89902d	388	*/
3dd3c5f3 MW	389	status_t (send_dpd) (ike_sa_t this);
3dd3c5f3 MW	390
2f89902d	391	/**
3dd3c5f3	392	* @brief Sends a keep alive packet.
2f89902d	393	*
3dd3c5f3 MW	394	* To refresh NAT tables in a NAT router
	395	* between the peers, periodic empty
	396	* UDP packets are sent if no other traffic
	397	* was sent.
e314700c	398	*
698d7749	399	* @param this calling object
1396815a	400	*/
3dd3c5f3	401	void (send_keepalive) (ike_sa_t this);
3dd3c5f3	402
2c220249	403	/**
ce461bbd	404	* @brief Derive all keys and create the transforms for IKE communication.
fe04e93a	405	*
ce461bbd	406	* Keys are derived using the diffie hellman secret, nonces and internal
3dd3c5f3	407	* stored SPIs.
fe04e93a MW	408	* Key derivation differs when an IKE_SA is set up to replace an
	409	* existing IKE_SA (rekeying). The SK_d key from the old IKE_SA
	410	* is included in the derivation process.
	411	*
3dd3c5f3 MW	412	* @param this calling object
	413	* @param proposal proposal which contains algorithms to use
	414	* @param dh diffie hellman object with shared secret
	415	* @param nonce_i initiators nonce
	416	* @param nonce_r responders nonce
fe04e93a	417	* @param initiator TRUE if initiator, FALSE otherwise
3183006d MW	418	* @param child_prf PRF with SK_d key when rekeying, NULL otherwise
3183006d MW	419	* @param old_prf general purpose PRF of old SA when rekeying
3dd3c5f3	420	*/
fe04e93a MW	421	status_t (derive_keys)(ike_sa_t this, proposal_t* proposal,
	422	diffie_hellman_t *dh,
	423	chunk_t nonce_i, chunk_t nonce_r,
3183006d	424	bool initiator, prf_t child_prf, prf_t old_prf);
0fdc3c7f JH	425
0fdc3c7f JH	426	/**
ce461bbd	427	* @brief Get the multi purpose prf.
0fdc3c7f	428	*
3dd3c5f3 MW	429	* @param this calling object
3dd3c5f3 MW	430	* @return pointer to prf_t object
0fdc3c7f	431	*/
3dd3c5f3	432	prf_t (get_prf) (ike_sa_t *this);
0fdc3c7f	433
5b97779f MW	434	/**
	435	* @brief Get the prf-object, which is used to derive keys for child SAs.
	436	*
3dd3c5f3 MW	437	* @param this calling object
3dd3c5f3 MW	438	* @return pointer to prf_t object
5b97779f	439	*/
3dd3c5f3	440	prf_t (get_child_prf) (ike_sa_t *this);
5b97779f	441
ce461bbd	442	/**
382b4817	443	* @brief Get the prf to build outgoing authentication data.
ce461bbd	444	*
3dd3c5f3 MW	445	* @param this calling object
3dd3c5f3 MW	446	* @return pointer to prf_t object
ce461bbd	447	*/
382b4817	448	prf_t (get_auth_build) (ike_sa_t *this);
ce461bbd MW	449
ce461bbd MW	450	/**
382b4817	451	* @brief Get the prf to verify incoming authentication data.
ce461bbd	452	*
3dd3c5f3 MW	453	* @param this calling object
3dd3c5f3 MW	454	* @return pointer to prf_t object
695723d4	455	*/
382b4817	456	prf_t (get_auth_verify) (ike_sa_t *this);
695723d4 MW	457
695723d4 MW	458	/**
698d7749	459	* @brief Associates a child SA to this IKE SA
695723d4	460	*
3dd3c5f3	461	* @param this calling object
698d7749	462	* @param child_sa child_sa to add
695723d4	463	*/
698d7749 MW	464	void (add_child_sa) (ike_sa_t this, child_sa_t *child_sa);
698d7749 MW	465
45f76a7d MW	466	/**
	467	* @brief Check if an IKE_SA has one or more CHILD_SAs with a given reqid.
	468	*
	469	* @param this calling object
	470	* @param reqid reqid of the CHILD
	471	* @return TRUE if it has such a CHILD, FALSE if not
	472	*/
	473	bool (has_child_sa) (ike_sa_t this, u_int32_t reqid);
	474
971218c3	475	/**
698d7749	476	* @brief Get a CHILD_SA identified by protocol and SPI.
ae3012a0	477	*
698d7749 MW	478	* @param this calling object
	479	* @param protocol protocol of the SA
	480	* @param spi SPI of the CHILD_SA
	481	* @param inbound TRUE if SPI is inbound, FALSE if outbound
	482	* @return child_sa, or NULL if none found
3dd3c5f3	483	*/
698d7749 MW	484	child_sa_t* (get_child_sa) (ike_sa_t this, protocol_id_t protocol,
698d7749 MW	485	u_int32_t spi, bool inbound);
1396815a	486
3183006d MW	487	/**
	488	* @brief Create an iterator over all CHILD_SAs.
	489	*
	490	* @param this calling object
	491	* @return iterator
	492	*/
	493	iterator_t* (create_child_sa_iterator) (ike_sa_t this);
	494
1396815a	495	/**
3dd3c5f3	496	* @brief Rekey the CHILD SA with the specified reqid.
1396815a	497	*
3dd3c5f3	498	* Looks for a CHILD SA owned by this IKE_SA, and start the rekeing.
1396815a	499	*
3dd3c5f3	500	* @param this calling object
698d7749 MW	501	* @param protocol protocol of the SA
698d7749 MW	502	* @param spi inbound SPI of the CHILD_SA
3dd3c5f3 MW	503	* @return
	504	* - NOT_FOUND, if IKE_SA has no such CHILD_SA
	505	* - SUCCESS, if rekeying initiated
1396815a	506	*/
698d7749 MW	507	status_t (rekey_child_sa) (ike_sa_t this, protocol_id_t protocol, u_int32_t spi);
698d7749 MW	508
1396815a	509	/**
698d7749 MW	510	* @brief Close the CHILD SA with the specified protocol/SPI.
	511	*
	512	* Looks for a CHILD SA owned by this IKE_SA, deletes it and
	513	* notify's the remote peer about the delete. The associated
	514	* states and policies in the kernel get deleted, if they exist.
	515	*
3dd3c5f3	516	* @param this calling object
698d7749 MW	517	* @param protocol protocol of the SA
	518	* @param spi inbound SPI of the CHILD_SA
	519	* @return
	520	* - NOT_FOUND, if IKE_SA has no such CHILD_SA
	521	* - SUCCESS, if delete message sent
1396815a	522	*/
698d7749 MW	523	status_t (delete_child_sa) (ike_sa_t this, protocol_id_t protocol, u_int32_t spi);
698d7749 MW	524
1396815a	525	/**
698d7749 MW	526	* @brief Destroy a CHILD SA with the specified protocol/SPI.
	527	*
	528	* Looks for a CHILD SA owned by this IKE_SA and destroys it.
	529	*
3dd3c5f3	530	* @param this calling object
698d7749 MW	531	* @param protocol protocol of the SA
	532	* @param spi inbound SPI of the CHILD_SA
	533	* @return
	534	* - NOT_FOUND, if IKE_SA has no such CHILD_SA
	535	* - SUCCESS
1396815a	536	*/
698d7749	537	status_t (destroy_child_sa) (ike_sa_t this, protocol_id_t protocol, u_int32_t spi);
fe04e93a MW	538
	539	/**
	540	* @brief Set lifetimes of an IKE_SA.
	541	*
	542	* Two lifetimes are specified. The soft_lifetime says, when rekeying should
	543	* be initiated. The hard_lifetime says, when the IKE_SA has been expired
	544	* and must be deleted. Normally, hard_lifetime > soft_lifetime, and
	545	* hard_lifetime is only reached when rekeying at soft_lifetime fails.
	546	*
	547	* @param this calling object
6fe03b0a	548	* @param reauth use full reauthentication instead of rekeying.
fe04e93a MW	549	* @param soft_lifetime soft_lifetime
	550	* @param hard_lifetime hard_lifetime
	551	*/
6fe03b0a	552	void (set_lifetimes) (ike_sa_t this, bool reauth,
fe04e93a MW	553	u_int32_t soft_lifetime, u_int32_t hard_lifetime);
	554
	555	/**
	556	* @brief Rekey the IKE_SA.
	557	*
	558	* Sets up a new IKE_SA, moves all CHILDs to it and deletes this IKE_SA.
	559	*
	560	* @param this calling object
	561	* @return - SUCCESS, if IKE_SA rekeying initiated
	562	*/
	563	status_t (rekey) (ike_sa_t this);
	564
6fe03b0a MW	565	/**
	566	* @brief Reauthentication the IKE_SA.
	567	*
	568	* Create a completely new IKE_SA with authentication, recreates all children
	569	* within the IKE_SA and shuts the old SA down.
	570	*
	571	* @param this calling object
	572	* @return - SUCCESS, if IKE_SA rekeying initiated
	573	*/
	574	status_t (reauth) (ike_sa_t this);
	575
3183006d MW	576	/**
3183006d MW	577	* @brief Get the transaction which rekeys this IKE_SA.
3183006d MW	578	*
	579	* @param this calling object
	580	* @return rekey_ike_sa_t transaction or NULL
	581	*/
382b4817	582	transaction_t* (get_rekeying_transaction) (ike_sa_t this);
3183006d MW	583
	584	/**
	585	* @brief Set the transaction which rekeys this IKE_SA.
	586	*
	587	* @param this calling object
	588	* @param rekey rekey_ike_sa_t transaction or NULL
	589	*/
382b4817	590	void (set_rekeying_transaction) (ike_sa_t this, transaction_t *rekey);
3183006d	591
fe04e93a MW	592	/**
	593	* @brief Move all children from other IKE_SA to this IKE_SA.
	594	*
	595	* After rekeying completes, all children are switched over to the
	596	* newly created IKE_SA.
	597	*
	598	* @param this stepfather
	599	* @param other deceased (rekeyed) IKE_SA
	600	*/
	601	void (adopt_children) (ike_sa_t this, ike_sa_t *other);
3dd3c5f3	602
1396815a	603	/**
3dd3c5f3	604	* @brief Destroys a ike_sa_t object.
1396815a	605	*
3dd3c5f3	606	* @param this calling object
1396815a	607	*/
3dd3c5f3	608	void (destroy) (ike_sa_t this);
8323a9c1 JH	609	};
8323a9c1 JH	610
7ba38761	611	/**
39b2903f	612	* @brief Creates an ike_sa_t object with a specific ID.
c3dc6f1a	613	*
3dd3c5f3 MW	614	* The ID gets cloned internally.
3dd3c5f3 MW	615	*
698d7749 MW	616	* @param ike_sa_id ike_sa_id_t object to associate with new IKE_SA
698d7749 MW	617	* @return ike_sa_t object
df3c59d0 MW	618	*
df3c59d0 MW	619	* @ingroup sa
7ba38761	620	*/
3dd3c5f3	621	ike_sa_t ike_sa_create(ike_sa_id_t ike_sa_id);
7ba38761	622
698d7749	623	#endif /* IKE_SA_H_ */