4 * @brief Interface of ike_sa_t.
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
27 #include <encoding/message.h>
28 #include <encoding/payloads/proposal_substructure.h>
29 #include <sa/ike_sa_id.h>
30 #include <config/configuration_manager.h>
31 #include <utils/logger.h>
32 #include <utils/randomizer.h>
33 #include <sa/states/state.h>
34 #include <transforms/prfs/prf.h>
35 #include <transforms/crypters/crypter.h>
36 #include <transforms/signers/signer.h>
39 * Nonce size in bytes for nonces sending to other peer.
41 * @warning Nonce size MUST be between 16 and 256 bytes.
48 typedef struct ike_sa_t ike_sa_t
;
51 * @brief Class ike_sa_t representing an IKE_SA.
53 * An object of this type is managed by an ike_sa_manager_t object
54 * and represents an IKE_SA. Message processing is split up in different states.
55 * They will handle all related things for the state they represent.
65 * @brief Processes a incoming IKEv2-Message of type message_t.
67 * @param this ike_sa_t object object
68 * @param[in] message message_t object to process
72 * - DELETE_ME if this IKE_SA MUST be deleted
74 status_t (*process_message
) (ike_sa_t
*this,message_t
*message
);
77 * @brief Initiate a new connection with given configuration name.
79 * @param this calling object
80 * @param name name of the configuration
82 * - SUCCESS if initialization started
83 * - FAILED if in wrong state
84 * - DELETE_ME if initialization failed and IKE_SA MUST be deleted
86 status_t (*initialize_connection
) (ike_sa_t
*this, char *name
);
89 * @brief Retransmits a request.
91 * @param this calling object
92 * @param message_id ID of the request to retransmit
95 * - NOT_FOUND if request doesn't have to be retransmited
97 status_t (*retransmit_request
) (ike_sa_t
*this, u_int32_t message_id
);
100 * @brief Sends a request to delete IKE_SA.
102 * Only supported in state IKE_SA_ESTABLISHED
104 * @param this calling object
106 void (*send_delete_ike_sa_request
) (ike_sa_t
*this);
109 * @brief Get the id of the SA.
111 * Returned ike_sa_id_t object is not getting cloned!
113 * @param this calling object
114 * @return ike_sa's ike_sa_id_t
116 ike_sa_id_t
* (*get_id
) (ike_sa_t
*this);
119 * @brief Get the state of type of associated state object.
121 * @param this calling object
122 * @return state of IKE_SA
124 ike_sa_state_t (*get_state
) (ike_sa_t
*this);
127 * @brief Destroys a ike_sa_t object.
129 * @param this calling object
131 void (*destroy
) (ike_sa_t
*this);
135 typedef struct protected_ike_sa_t protected_ike_sa_t
;
138 * @brief Protected functions of an ike_sa_t object.
140 * This members are only accessed out from
141 * the various state_t implementations.
145 struct protected_ike_sa_t
{
148 * Public interface of an ike_sa_t object.
153 * @brief Build an empty IKEv2-Message and fills in default informations.
155 * Depending on the type of message (request or response), the message id is
156 * either message_id_out or message_id_in.
158 * Used in state_t Implementation to build an empty IKEv2-Message.
160 * @param this calling object
161 * @param type exchange type of new message
162 * @param request TRUE, if message has to be a request
163 * @param message new message is stored at this location
165 void (*build_message
) (protected_ike_sa_t
*this, exchange_type_t type
, bool request
, message_t
**message
);
168 * @brief Get the internal stored logger_t object for given ike_sa_t object.
170 * @warning Returned logger_t object is original one and managed by this object.
172 * @param this calling object
173 * @return pointer to the internal stored logger_t object
175 logger_t
*(*get_logger
) (protected_ike_sa_t
*this);
178 * @brief Get the internal stored init_config_t object.
180 * @param this calling object
181 * @return pointer to the internal stored init_config_t object
183 init_config_t
*(*get_init_config
) (protected_ike_sa_t
*this);
186 * @brief Set the internal init_config_t object.
188 * @param this calling object
189 * @param init_config object of type init_config_t
191 void (*set_init_config
) (protected_ike_sa_t
*this,init_config_t
*init_config
);
194 * @brief Get the internal stored sa_config_t object.
196 * @param this calling object
197 * @return pointer to the internal stored sa_config_t object
199 sa_config_t
*(*get_sa_config
) (protected_ike_sa_t
*this);
202 * @brief Set the internal sa_config_t object.
204 * @param this calling object
205 * @param sa_config object of type sa_config_t
207 void (*set_sa_config
) (protected_ike_sa_t
*this,sa_config_t
*sa_config
);
210 * @brief Get the internal stored host_t object for my host.
212 * @param this calling object
213 * @return pointer to the internal stored host_t object
215 host_t
*(*get_my_host
) (protected_ike_sa_t
*this);
218 * @brief Get the internal stored host_t object for other host.
220 * @param this calling object
221 * @return pointer to the internal stored host_t object
223 host_t
*(*get_other_host
) (protected_ike_sa_t
*this);
226 * @brief Set the internal stored host_t object for my host.
228 * Allready existing object gets destroyed. object gets not cloned!
230 * @param this calling object
231 * @param my_host pointer to the new host_t object
233 void (*set_my_host
) (protected_ike_sa_t
*this,host_t
* my_host
);
236 * @brief Set the internal stored host_t object for other host.
238 * Allready existing object gets destroyed. object gets not cloned!
240 * @param this calling object
241 * @param other_host pointer to the new host_t object
243 void (*set_other_host
) (protected_ike_sa_t
*this,host_t
*other_host
);
246 * @brief Derive all keys and create the transforms for IKE communication.
248 * Keys are derived using the diffie hellman secret, nonces and internal
250 * Allready existing objects get destroyed.
252 * @param this calling object
253 * @param proposal proposal which contains algorithms to use
254 * @param dh diffie hellman object with shared secret
255 * @param nonce_i initiators nonce
256 * @param nonce_r responders nonce
258 status_t (*build_transforms
) (protected_ike_sa_t
*this, proposal_t
* proposal
,
259 diffie_hellman_t
*dh
, chunk_t nonce_i
, chunk_t nonce_r
);
262 * @brief Send the next request message.
264 * Also the first retransmit job is created.
266 * Last stored requested message gets destroyed. Object gets not cloned!
268 * @param this calling object
269 * @param message pointer to the message which should be sent
272 * - FAILED if message id is not next expected one
274 status_t (*send_request
) (protected_ike_sa_t
*this,message_t
* message
);
277 * @brief Send the next response message.
279 * Last stored responded message gets destroyed. Object gets not cloned!
281 * @param this calling object
282 * @param message pointer to the message which should be sent
285 * - FAILED if message id is not next expected one
287 status_t (*send_response
) (protected_ike_sa_t
*this,message_t
* message
);
290 * @brief Send a notify reply message.
292 * @param this calling object
293 * @param exchange_type type of exchange in which the notify should be wrapped
294 * @param type type of the notify message to send
295 * @param data notification data
297 void (*send_notify
) (protected_ike_sa_t
*this, exchange_type_t exchange_type
, notify_message_type_t type
, chunk_t data
);
300 * @brief Get the internal stored randomizer_t object.
302 * @param this calling object
303 * @return pointer to the internal randomizer_t object
305 randomizer_t
*(*get_randomizer
) (protected_ike_sa_t
*this);
308 * @brief Set the new state_t object of the IKE_SA object.
310 * The old state_t object gets not destroyed. It's the callers duty to
311 * make sure old state is destroyed (Normally the old state is the caller).
313 * @param this calling object
314 * @param state pointer to the new state_t object
316 void (*set_new_state
) (protected_ike_sa_t
*this,state_t
*state
);
319 * @brief Set the last replied message id.
321 * @param this calling object
322 * @param message_id message id
324 void (*set_last_replied_message_id
) (protected_ike_sa_t
*this,u_int32_t message_id
);
327 * @brief Get the internal stored initiator crypter_t object.
329 * @param this calling object
330 * @return pointer to crypter_t object
332 crypter_t
*(*get_crypter_initiator
) (protected_ike_sa_t
*this);
335 * @brief Get the internal stored initiator signer_t object.
337 * @param this calling object
338 * @return pointer to signer_t object
340 signer_t
*(*get_signer_initiator
) (protected_ike_sa_t
*this);
343 * @brief Get the internal stored responder crypter_t object.
345 * @param this calling object
346 * @return pointer to crypter_t object
348 crypter_t
*(*get_crypter_responder
) (protected_ike_sa_t
*this);
351 * @brief Get the internal stored responder signer object.
353 * @param this calling object
354 * @return pointer to signer_t object
356 signer_t
*(*get_signer_responder
) (protected_ike_sa_t
*this);
359 * @brief Get the multi purpose prf.
361 * @param this calling object
362 * @return pointer to prf_t object
364 prf_t
*(*get_prf
) (protected_ike_sa_t
*this);
367 * @brief Get the prf-object, which is used to derive keys for child SAs.
369 * @param this calling object
370 * @return pointer to prf_t object
372 prf_t
*(*get_child_prf
) (protected_ike_sa_t
*this);
375 * @brief Get the prf used for authentication of initiator.
377 * @param this calling object
378 * @return pointer to prf_t object
380 prf_t
*(*get_prf_auth_i
) (protected_ike_sa_t
*this);
383 * @brief Get the prf used for authentication of responder.
385 * @param this calling object
386 * @return pointer to prf_t object
388 prf_t
*(*get_prf_auth_r
) (protected_ike_sa_t
*this);
391 * @brief Get the last responded message.
393 * @param this calling object
395 * - last received as message_t object
396 * - NULL if no last request available
398 message_t
*(*get_last_responded_message
) (protected_ike_sa_t
*this);
401 * @brief Get the last requested message.
403 * @param this calling object
405 * - last sent as message_t object
406 * - NULL if no last request available
408 message_t
*(*get_last_requested_message
) (protected_ike_sa_t
*this);
411 * @brief Resets message counters and does destroy stored received and sent messages.
413 * @param this calling object
415 void (*reset_message_buffers
) (protected_ike_sa_t
*this);
418 * @brief Creates a job of type DELETE_ESTABLISHED_IKE_SA for the current IKE_SA.
420 * @param this calling object
421 * @param timeout timeout after the IKE_SA gets deleted
424 void (*create_delete_established_ike_sa_job
) (protected_ike_sa_t
*this,u_int32_t timeout
);
429 * @brief Creates an ike_sa_t object with a specific ID.
431 * @warning the Content of internal ike_sa_id_t object can change over time
432 * e.g. when a IKE_SA_INIT has been finished.
434 * @param[in] ike_sa_id ike_sa_id_t object to associate with new IKE_SA.
435 * The object is internal getting cloned
436 * and so has to be destroyed by the caller.
437 * @return ike_sa_t object
441 ike_sa_t
* ike_sa_create(ike_sa_id_t
*ike_sa_id
);