4 * @brief Interface of ike_sa_t.
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2005-2006 Martin Willi
11 * Copyright (C) 2005 Jan Hutter
12 * Hochschule fuer Technik Rapperswil
14 * This program is free software; you can redistribute it and/or modify it
15 * under the terms of the GNU General Public License as published by the
16 * Free Software Foundation; either version 2 of the License, or (at your
17 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
19 * This program is distributed in the hope that it will be useful, but
20 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
21 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
28 typedef enum ike_sa_state_t ike_sa_state_t
;
29 typedef struct ike_sa_t ike_sa_t
;
32 #include <encoding/message.h>
33 #include <encoding/payloads/proposal_substructure.h>
34 #include <sa/ike_sa_id.h>
35 #include <sa/child_sa.h>
36 #include <sa/tasks/task.h>
37 #include <config/configuration.h>
38 #include <utils/randomizer.h>
39 #include <crypto/prfs/prf.h>
40 #include <crypto/crypters/crypter.h>
41 #include <crypto/signers/signer.h>
42 #include <config/connections/connection.h>
43 #include <config/policies/policy.h>
44 #include <config/proposal.h>
47 * @brief State of an IKE_SA.
49 * An IKE_SA passes various states in its lifetime. A newly created
50 * SA is in the state CREATED.
56 on initiate()---> ¦ <----- on IKE_SA_INIT received
62 ¦ <----- on IKE_AUTH successfully completed
65 ¦ SA_ESTABLISHED ¦-------------------------+ <-- on rekeying
68 on delete()---> ¦ <----- on IKE_SA +-------------+
69 ¦ delete request ¦ SA_REKEYING ¦
70 ¦ received +-------------+
73 ¦ SA_DELETING ¦<------------------------+ <-- after rekeying
76 ¦ <----- after delete() acknowledged
88 * IKE_SA just got created, but is not initiating nor responding yet.
93 * IKE_SA gets initiated actively or passively
98 * IKE_SA is fully established
103 * IKE_SA rekeying in progress
108 * IKE_SA is in progress of deletion
114 * enum names for ike_sa_state_t.
116 extern enum_name_t
*ike_sa_state_names
;
119 * @brief Class ike_sa_t representing an IKE_SA.
121 * An IKE_SA contains crypto information related to a connection
122 * with a peer. It contains multiple IPsec CHILD_SA, for which
123 * it is responsible. All traffic is handled by an IKE_SA, using
124 * the task manager and its tasks.
134 * @brief Get the id of the SA.
136 * The returned ike_sa_id_t is owned by the IKE_SA and is NOT cloned: do not
 * destroy it, and do not keep using it after the IKE_SA has been destroyed.
138 * @param this calling object
139 * @return ike_sa's ike_sa_id_t
141 ike_sa_id_t
* (*get_id
) (ike_sa_t
*this);
144 * @brief Get the numerical ID uniquely defining this IKE_SA.
146 * @param this calling object
149 u_int32_t (*get_unique_id
) (ike_sa_t
*this);
152 * @brief Get the state of the IKE_SA.
154 * @param this calling object
155 * @return state of the IKE_SA
157 ike_sa_state_t (*get_state
) (ike_sa_t
*this);
160 * @brief Set the state of the IKE_SA.
162 * @param this calling object
163 * @param state state to set for the IKE_SA
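/* Set the state of the IKE_SA.
 *
 * The parameter is documented above as `state`; the prototype previously
 * named it `ike_sa`, which wrongly suggested an SA object is passed.
 *
 * @param this  calling object
 * @param state state to set for the IKE_SA (one of ike_sa_state_t)
 */
void (*set_state) (ike_sa_t *this, ike_sa_state_t state);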
168 * @brief Get the name of the connection this IKE_SA uses.
170 * @param this calling object
173 char* (*get_name
) (ike_sa_t
*this);
176 * @brief Get the own host address.
178 * @param this calling object
179 * @return host address
181 host_t
* (*get_my_host
) (ike_sa_t
*this);
184 * @brief Set the own host address.
186 * @param this calling object
187 * @param me host address
189 void (*set_my_host
) (ike_sa_t
*this, host_t
*me
);
192 * @brief Get the other peers host address.
194 * @param this calling object
195 * @return host address
197 host_t
* (*get_other_host
) (ike_sa_t
*this);
200 * @brief Set the others host address.
202 * @param this calling object
203 * @param other host address
205 void (*set_other_host
) (ike_sa_t
*this, host_t
*other
);
208 * @brief Get the own identification.
210 * @param this calling object
211 * @return identification
213 identification_t
* (*get_my_id
) (ike_sa_t
*this);
216 * @brief Set the own identification.
218 * @param this calling object
219 * @param me identification
221 void (*set_my_id
) (ike_sa_t
*this, identification_t
*me
);
224 * @brief Get the other peers identification.
226 * @param this calling object
227 * @return identification
229 identification_t
* (*get_other_id
) (ike_sa_t
*this);
232 * @brief Set the other peers identification.
234 * @param this calling object
235 * @param other identification
237 void (*set_other_id
) (ike_sa_t
*this, identification_t
*other
);
240 * @brief Get the connection used by this IKE_SA.
242 * @param this calling object
245 connection_t
* (*get_connection
) (ike_sa_t
*this);
248 * @brief Set the connection to use with this IKE_SA.
250 * @param this calling object
251 * @param connection connection to use
253 void (*set_connection
) (ike_sa_t
*this, connection_t
* connection
);
256 * @brief Get the policy used by this IKE_SA.
258 * @param this calling object
261 policy_t
* (*get_policy
) (ike_sa_t
*this);
264 * @brief Set the policy to use with this IKE_SA.
266 * @param this calling object
267 * @param policy policy to use
269 void (*set_policy
) (ike_sa_t
*this, policy_t
*policy
);
272 * @brief Initiate a new connection.
274 * The policy/connection is owned by the IKE_SA after the call, so
275 * do not modify or destroy it.
277 * @param this calling object
278 * @param connection connection to initiate
279 * @param policy policy to set up
281 * - SUCCESS if initialization started
282 * - DESTROY_ME if initialization failed and IKE_SA MUST be deleted
284 status_t (*initiate
) (ike_sa_t
*this, connection_t
*connection
, policy_t
*policy
);
287 * @brief Route a policy in the kernel.
289 * Installs the policies in the kernel. If traffic matches,
290 * the kernel requests connection setup from the IKE_SA via acquire().
292 * @param this calling object
293 * @param connection connection definition used for routing
294 * @param policy policy to route
296 * - SUCCESS if routed successfully
297 * - FAILED if routing failed
299 status_t (*route
) (ike_sa_t
*this, connection_t
*connection
, policy_t
*policy
);
302 * @brief Unroute a policy in the kernel previously routed.
304 * @param this calling object
305 * @param policy policy to unroute (previously installed via route())
307 * - SUCCESS if route removed
308 * - DESTROY_ME if last route was removed from
309 * an IKE_SA which was not established
311 status_t (*unroute
) (ike_sa_t
*this, policy_t
*policy
);
314 * @brief Acquire connection setup for a policy.
316 * If an installed policy raises an acquire, the kernel calls
317 * this function to establish the CHILD_SA (and maybe the IKE_SA).
319 * @param this calling object
320 * @param reqid reqid of the CHILD_SA the policy belongs to.
322 * - SUCCESS if initialization started
323 * - DESTROY_ME if initialization failed and IKE_SA MUST be deleted
325 status_t (*acquire
) (ike_sa_t
*this, u_int32_t reqid
);
328 * @brief Initiates the deletion of an IKE_SA.
330 * Sends a delete message to the remote peer and waits for
331 * its response. If the response comes in, or a timeout occurs,
332 * the IKE SA gets deleted.
334 * @param this calling object
336 * - SUCCESS if deletion is initialized
337 * - INVALID_STATE, if the IKE_SA is not in
338 * an established state and therefore can not be
339 * deleted on the wire (destroy it instead)
341 status_t (*delete) (ike_sa_t
*this);
344 * @brief Processes an incoming IKEv2 message.
346 * Message processing may fail. If a critical failure occurs,
347 * process_message() returns DESTROY_ME; the caller must then
348 * destroy the IKE_SA immediately, as it is unusable.
350 * @param this calling object
351 * @param message message to process
355 * - DESTROY_ME if this IKE_SA MUST be deleted
357 status_t (*process_message
) (ike_sa_t
*this, message_t
*message
);
360 * @brief Generate an IKE message to send to the peer.
362 * This method generates all payloads in the message and encrypts/signs
365 * @param this calling object
366 * @param message message to generate
367 * @param packet generated output packet
371 * - DESTROY_ME if this IKE_SA MUST be deleted
373 status_t (*generate_message
) (ike_sa_t
*this, message_t
*message
,
377 * @brief Retransmits a request.
379 * @param this calling object
380 * @param message_id ID of the request to retransmit
383 * - NOT_FOUND if the request does not need to be retransmitted
385 status_t (*retransmit
) (ike_sa_t
*this, u_int32_t message_id
);
388 * @brief Sends a DPD request to the peer.
390 * To check if a peer is still alive, periodic
391 * empty INFORMATIONAL messages are sent if no
392 * other traffic was received.
394 * @param this calling object
397 * - DESTROY_ME, if peer did not respond
399 status_t (*send_dpd
) (ike_sa_t
*this);
402 * @brief Sends a keep alive packet.
404 * To refresh NAT tables in a NAT router
405 * between the peers, periodic empty
406 * UDP packets are sent if no other traffic
409 * @param this calling object
411 void (*send_keepalive
) (ike_sa_t
*this);
414 * @brief Check if NAT traversal is enabled for this IKE_SA.
416 * @param this calling object
417 * @return TRUE if NAT traversal enabled
419 bool (*is_natt_enabled
) (ike_sa_t
*this);
422 * @brief Enable NAT detection for this IKE_SA.
424 * If a network address translation is detected via the
425 * NAT_DETECTION notifies, the SA must switch to port
426 * 4500. To enable this behavior, call enable_natt().
427 * It matters which peer is NATted; this is specified
428 * with the "local" parameter. Call it twice when both peers are NATted.
431 * @param this calling object
432 * @param local TRUE, if we are NATted, FALSE if other
434 void (*enable_natt
) (ike_sa_t
*this, bool local
);
437 * @brief Derive all keys and create the transforms for IKE communication.
439 * Keys are derived using the Diffie-Hellman secret, the nonces and internal
441 * Key derivation differs when an IKE_SA is set up to replace an
442 * existing IKE_SA (rekeying). The SK_d key from the old IKE_SA
443 * is included in the derivation process.
445 * @param this calling object
446 * @param proposal proposal which contains algorithms to use
447 * @param secret shared secret from the DH exchange; ownership passes to the
 * IKE_SA, which frees it, so the caller must not reuse it afterwards
 * (the secret should be wiped before release -- verify in the implementation)
448 * @param nonce_i initiators nonce
449 * @param nonce_r responders nonce
450 * @param initiator TRUE if initiator, FALSE otherwise
451 * @param child_prf PRF with SK_d key when rekeying, NULL otherwise
452 * @param old_prf general purpose PRF of old SA when rekeying
454 status_t (*derive_keys
)(ike_sa_t
*this, proposal_t
* proposal
, chunk_t secret
,
455 chunk_t nonce_i
, chunk_t nonce_r
,
456 bool initiator
, prf_t
*child_prf
, prf_t
*old_prf
);
459 * @brief Get the multi purpose prf.
461 * @param this calling object
462 * @return pointer to prf_t object
464 prf_t
*(*get_prf
) (ike_sa_t
*this);
467 * @brief Get the prf-object, which is used to derive keys for child SAs.
469 * @param this calling object
470 * @return pointer to prf_t object
472 prf_t
*(*get_child_prf
) (ike_sa_t
*this);
475 * @brief Get the prf to build outgoing authentication data.
477 * @param this calling object
478 * @return pointer to prf_t object
480 prf_t
*(*get_auth_build
) (ike_sa_t
*this);
483 * @brief Get the prf to verify incoming authentication data.
485 * @param this calling object
486 * @return pointer to prf_t object
488 prf_t
*(*get_auth_verify
) (ike_sa_t
*this);
491 * @brief Associates a child SA to this IKE SA
493 * @param this calling object
494 * @param child_sa child_sa to add
496 void (*add_child_sa
) (ike_sa_t
*this, child_sa_t
*child_sa
);
499 * @brief Get a CHILD_SA identified by protocol and SPI.
501 * @param this calling object
502 * @param protocol protocol of the SA
503 * @param spi SPI of the CHILD_SA
504 * @param inbound TRUE if SPI is inbound, FALSE if outbound
505 * @return child_sa, or NULL if none found
507 child_sa_t
* (*get_child_sa
) (ike_sa_t
*this, protocol_id_t protocol
,
508 u_int32_t spi
, bool inbound
);
511 * @brief Create an iterator over all CHILD_SAs.
513 * @param this calling object
516 iterator_t
* (*create_child_sa_iterator
) (ike_sa_t
*this);
519 * @brief Rekey the CHILD SA with the specified protocol/SPI.
521 * Looks for a CHILD SA owned by this IKE_SA and starts the rekeying.
523 * @param this calling object
524 * @param protocol protocol of the SA
525 * @param spi inbound SPI of the CHILD_SA
527 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
528 * - SUCCESS, if rekeying initiated
530 status_t (*rekey_child_sa
) (ike_sa_t
*this, protocol_id_t protocol
, u_int32_t spi
);
533 * @brief Close the CHILD SA with the specified protocol/SPI.
535 * Looks for a CHILD SA owned by this IKE_SA, deletes it and
536 * notifies the remote peer about the delete. The associated
537 * states and policies in the kernel get deleted, if they exist.
539 * @param this calling object
540 * @param protocol protocol of the SA
541 * @param spi inbound SPI of the CHILD_SA
543 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
544 * - SUCCESS, if delete message sent
546 status_t (*delete_child_sa
) (ike_sa_t
*this, protocol_id_t protocol
, u_int32_t spi
);
549 * @brief Destroy a CHILD SA with the specified protocol/SPI.
551 * Looks for a CHILD SA owned by this IKE_SA and destroys it.
553 * @param this calling object
554 * @param protocol protocol of the SA
555 * @param spi inbound SPI of the CHILD_SA
557 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
560 status_t (*destroy_child_sa
) (ike_sa_t
*this, protocol_id_t protocol
, u_int32_t spi
);
563 * @brief Rekey the IKE_SA.
565 * Sets up a new IKE_SA, moves all CHILDs to it and deletes this IKE_SA.
567 * @param this calling object
568 * @return - SUCCESS, if IKE_SA rekeying initiated
570 status_t (*rekey
) (ike_sa_t
*this);
573 * @brief Re-establish the IKE_SA.
575 * Creates a completely new IKE_SA (with a fresh authentication) and recreates all
576 * CHILD_SAs within it, but leaves the old IKE_SA untouched.
578 * @param this calling object
580 void (*reestablish
) (ike_sa_t
*this);
583 * @brief Set the virtual IP to use for this IKE_SA and its children.
585 * The virtual IP is assigned per IKE_SA, not per CHILD_SA. It has the same
586 * lifetime as the IKE_SA.
588 * @param this calling object
 * @param local TRUE to set the local virtual IP, FALSE for the remote one
 * @param ip virtual IP to assign
590 void (*set_virtual_ip
) (ike_sa_t
*this, bool local
, host_t
*ip
);
593 * @brief Get the virtual IP configured.
595 * @param this calling object
596 * @param local TRUE to get local virtual IP, FALSE for remote
598 host_t
* (*get_virtual_ip
) (ike_sa_t
*this, bool local
);
601 * @brief Add a DNS server to the system.
603 * An IRAS may send a DNS server. To use it, it is installed on the
604 * system's resolver configuration and stays installed until the IKE_SA gets closed.
 * Because this lets the remote peer steer the host's name resolution, it should
 * only be honoured on an authenticated IKE_SA whose connection is configured to
 * accept such attributes -- confirm the caller enforces that.
606 * @param this calling object
607 * @param dns DNS server to install on the system
609 void (*add_dns_server
) (ike_sa_t
*this, host_t
*dns
);
612 * @brief Inherit all attributes of other to this after rekeying.
614 * When rekeying is completed, all CHILD_SAs, the virtual IP and all
615 * outstanding tasks are moved from other to this.
616 * As this call may initiate inherited tasks, a status is returned.
618 * @param this calling object
619 * @param other other IKE_SA to inherit from
620 * @return DESTROY_ME if initiation of inherited task failed
622 status_t (*inherit
) (ike_sa_t
*this, ike_sa_t
*other
);
625 * @brief Reset the IKE_SA, usable when initiating fails
627 * @param this calling object
629 void (*reset
) (ike_sa_t
*this);
632 * @brief Destroys a ike_sa_t object.
634 * @param this calling object
636 void (*destroy
) (ike_sa_t
*this);
640 * @brief Creates an ike_sa_t object with a specific ID.
642 * @param ike_sa_id ike_sa_id_t object to associate with new IKE_SA
643 * @return ike_sa_t object
647 ike_sa_t
*ike_sa_create(ike_sa_id_t
*ike_sa_id
);
649 #endif /* IKE_SA_H_ */