/**
 * @file ike_sa.h
 *
 * @brief Interface of ike_sa_t.
 *
 */

/*
 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
 * Copyright (C) 2005-2006 Martin Willi
 * Copyright (C) 2005 Jan Hutter
 * Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * for more details.
 */

#ifndef IKE_SA_H_
#define IKE_SA_H_

/* Forward typedefs are placed before the includes below. Presumably some of
 * those headers refer back to ike_sa_t/ike_sa_state_t (circular include
 * dependency) — confirm before reordering this section. */
typedef enum ike_sa_state_t ike_sa_state_t;
typedef struct ike_sa_t ike_sa_t;

#include <library.h>
#include <encoding/message.h>
#include <encoding/payloads/proposal_substructure.h>
#include <sa/ike_sa_id.h>
#include <sa/child_sa.h>
#include <sa/tasks/task.h>
#include <config/configuration.h>
#include <utils/randomizer.h>
#include <crypto/prfs/prf.h>
#include <crypto/crypters/crypter.h>
#include <crypto/signers/signer.h>
#include <config/connections/connection.h>
#include <config/policies/policy.h>
#include <config/proposal.h>

/**
 * @brief State of an IKE_SA.
 *
 * An IKE_SA passes various states in its lifetime. A newly created
 * SA is in the state IKE_CREATED (drawn as SA_CREATED in the diagram below;
 * the diagram's SA_ prefix corresponds to the IKE_ prefix of the enum values).
 * @verbatim
+----------------+
¦ SA_CREATED ¦
+----------------+
¦
on initiate()---> ¦ <----- on IKE_SA_INIT received
V
+----------------+
¦ SA_CONNECTING ¦
+----------------+
¦
¦ <----- on IKE_AUTH successfully completed
V
+----------------+
¦ SA_ESTABLISHED ¦-------------------------+ <-- on rekeying
+----------------+ ¦
¦ V
on delete()---> ¦ <----- on IKE_SA +-------------+
¦ delete request ¦ SA_REKEYING ¦
¦ received +-------------+
V ¦
+----------------+ ¦
¦ SA_DELETING ¦<------------------------+ <-- after rekeying
+----------------+
¦
¦ <----- after delete() acknowledged
¦
\V/
X
/ \
@endverbatim
 *
 * @ingroup sa
 */
enum ike_sa_state_t {

	/**
	 * IKE_SA just got created, but is not initiating nor responding yet.
	 */
	IKE_CREATED,

	/**
	 * IKE_SA gets initiated, either actively (initiate()) or passively
	 * (IKE_SA_INIT received), but IKE_AUTH has not completed yet.
	 */
	IKE_CONNECTING,

	/**
	 * IKE_SA is fully established (IKE_AUTH successfully completed).
	 */
	IKE_ESTABLISHED,

	/**
	 * IKE_SA rekeying in progress
	 */
	IKE_REKEYING,

	/**
	 * IKE_SA deletion is in progress (delete request sent or received)
	 */
	IKE_DELETING,
};

/**
 * enum names for ike_sa_state_t.
 *
 * Printable names for the ike_sa_state_t values; the definition lives
 * outside this header.
 */
extern enum_name_t *ike_sa_state_names;

/**
 * @brief Class ike_sa_t representing an IKE_SA.
 *
 * An IKE_SA contains crypto information related to a connection
 * with a peer. It contains multiple IPsec CHILD_SA, for which
 * it is responsible. All traffic is handled by an IKE_SA, using
 * the task manager and its tasks.
 *
 * NOTE(review): only get_id() states that its result is not cloned. The
 * other getters do not document ownership; presumably they return
 * references owned by the IKE_SA as well — confirm before destroying or
 * freeing anything obtained from them.
 *
 * @b Constructors:
 * - ike_sa_create()
 *
 * @ingroup sa
 */
struct ike_sa_t {

	/**
	 * @brief Get the id of the SA.
	 *
	 * Returned ike_sa_id_t object is not getting cloned! It stays owned
	 * by the IKE_SA, so the caller must not destroy it.
	 *
	 * @param this calling object
	 * @return ike_sa's ike_sa_id_t
	 */
	ike_sa_id_t* (*get_id) (ike_sa_t *this);

	/**
	 * @brief Get the numerical ID uniquely defining this IKE_SA.
	 *
	 * @param this calling object
	 * @return unique ID
	 */
	u_int32_t (*get_unique_id) (ike_sa_t *this);

	/**
	 * @brief Get the state of the IKE_SA.
	 *
	 * @param this calling object
	 * @return state of the IKE_SA
	 */
	ike_sa_state_t (*get_state) (ike_sa_t *this);

	/**
	 * @brief Set the state of the IKE_SA.
	 *
	 * @param this calling object
	 * @param ike_sa state to set for the IKE_SA
	 */
	void (*set_state) (ike_sa_t *this, ike_sa_state_t ike_sa);

	/**
	 * @brief Get the name of the connection this IKE_SA uses.
	 *
	 * Ownership of the returned string is not documented here; presumably
	 * it is not the caller's to free — TODO confirm.
	 *
	 * @param this calling object
	 * @return name
	 */
	char* (*get_name) (ike_sa_t *this);

	/**
	 * @brief Get the own host address.
	 *
	 * @param this calling object
	 * @return host address
	 */
	host_t* (*get_my_host) (ike_sa_t *this);

	/**
	 * @brief Set the own host address.
	 *
	 * @param this calling object
	 * @param me host address
	 */
	void (*set_my_host) (ike_sa_t *this, host_t *me);

	/**
	 * @brief Get the other peer's host address.
	 *
	 * @param this calling object
	 * @return host address
	 */
	host_t* (*get_other_host) (ike_sa_t *this);

	/**
	 * @brief Set the other peer's host address.
	 *
	 * @param this calling object
	 * @param other host address
	 */
	void (*set_other_host) (ike_sa_t *this, host_t *other);

	/**
	 * @brief Get the own identification.
	 *
	 * @param this calling object
	 * @return identification
	 */
	identification_t* (*get_my_id) (ike_sa_t *this);

	/**
	 * @brief Set the own identification.
	 *
	 * @param this calling object
	 * @param me identification
	 */
	void (*set_my_id) (ike_sa_t *this, identification_t *me);

	/**
	 * @brief Get the other peer's identification.
	 *
	 * @param this calling object
	 * @return identification
	 */
	identification_t* (*get_other_id) (ike_sa_t *this);

	/**
	 * @brief Set the other peer's identification.
	 *
	 * @param this calling object
	 * @param other identification
	 */
	void (*set_other_id) (ike_sa_t *this, identification_t *other);

	/**
	 * @brief Get the connection used by this IKE_SA.
	 *
	 * @param this calling object
	 * @return connection
	 */
	connection_t* (*get_connection) (ike_sa_t *this);

	/**
	 * @brief Set the connection to use with this IKE_SA.
	 *
	 * @param this calling object
	 * @param connection connection to use
	 */
	void (*set_connection) (ike_sa_t *this, connection_t* connection);

	/**
	 * @brief Get the policy used by this IKE_SA.
	 *
	 * @param this calling object
	 * @return policy
	 */
	policy_t* (*get_policy) (ike_sa_t *this);

	/**
	 * @brief Set the policy to use with this IKE_SA.
	 *
	 * @param this calling object
	 * @param policy policy to use
	 */
	void (*set_policy) (ike_sa_t *this, policy_t *policy);

	/**
	 * @brief Initiate a new connection.
	 *
	 * The policy/connection is owned by the IKE_SA after the call, so
	 * do not modify or destroy it.
	 *
	 * @param this calling object
	 * @param connection connection to initiate
	 * @param policy policy to set up
	 * @return
	 * - SUCCESS if initialization started
	 * - DESTROY_ME if initialization failed and IKE_SA MUST be deleted
	 */
	status_t (*initiate) (ike_sa_t *this, connection_t *connection, policy_t *policy);

	/**
	 * @brief Route a policy in the kernel.
	 *
	 * Installs the policies in the kernel. If traffic matches,
	 * the kernel requests connection setup from the IKE_SA via acquire().
	 *
	 * @param this calling object
	 * @param connection connection definition used for routing
	 * @param policy policy to route
	 * @return
	 * - SUCCESS if routed successfully
	 * - FAILED if routing failed
	 */
	status_t (*route) (ike_sa_t *this, connection_t *connection, policy_t *policy);

	/**
	 * @brief Unroute a policy in the kernel previously routed.
	 *
	 * @param this calling object
	 * @param policy policy to unroute
	 * @return
	 * - SUCCESS if route removed
	 * - DESTROY_ME if last route was removed from
	 * an IKE_SA which was not established
	 */
	status_t (*unroute) (ike_sa_t *this, policy_t *policy);

	/**
	 * @brief Acquire connection setup for a policy.
	 *
	 * If an installed policy raises an acquire, the kernel calls
	 * this function to establish the CHILD_SA (and maybe the IKE_SA).
	 *
	 * @param this calling object
	 * @param reqid reqid of the CHILD_SA the policy belongs to.
	 * @return
	 * - SUCCESS if initialization started
	 * - DESTROY_ME if initialization failed and IKE_SA MUST be deleted
	 */
	status_t (*acquire) (ike_sa_t *this, u_int32_t reqid);

	/**
	 * @brief Initiates the deletion of an IKE_SA.
	 *
	 * Sends a delete message to the remote peer and waits for
	 * its response. If the response comes in, or a timeout occurs,
	 * the IKE SA gets deleted.
	 *
	 * @param this calling object
	 * @return
	 * - SUCCESS if deletion is initialized
	 * - INVALID_STATE, if the IKE_SA is not in
	 * an established state and can not be
	 * deleted (but destroyed).
	 */
	status_t (*delete) (ike_sa_t *this);

	/**
	 * @brief Processes an incoming IKEv2-Message.
	 *
	 * Message processing may fail. If a critical failure occurs,
	 * process_message() returns DESTROY_ME. Then the caller must
	 * destroy the IKE_SA immediately, as it is unusable.
	 *
	 * NOTE(review): the message is input received from the peer and must
	 * be treated as untrusted; any validation is expected to happen
	 * inside this call or the tasks it drives — confirm in the
	 * implementation.
	 *
	 * @param this calling object
	 * @param message message to process
	 * @return
	 * - SUCCESS
	 * - FAILED
	 * - DESTROY_ME if this IKE_SA MUST be deleted
	 */
	status_t (*process_message) (ike_sa_t *this, message_t *message);

	/**
	 * @brief Generate an IKE message to send it to the peer.
	 *
	 * This method generates all payloads in the message and encrypts/signs
	 * the packet.
	 *
	 * @param this calling object
	 * @param message message to generate
	 * @param packet generated output packet (out parameter; presumably only
	 * valid on SUCCESS and owned by the caller afterwards — confirm)
	 * @return
	 * - SUCCESS
	 * - FAILED
	 * - DESTROY_ME if this IKE_SA MUST be deleted
	 */
	status_t (*generate_message) (ike_sa_t *this, message_t *message,
								  packet_t **packet);

	/**
	 * @brief Retransmits a request.
	 *
	 * @param this calling object
	 * @param message_id ID of the request to retransmit
	 * @return
	 * - SUCCESS
	 * - NOT_FOUND if request doesn't have to be retransmitted
	 */
	status_t (*retransmit) (ike_sa_t *this, u_int32_t message_id);

	/**
	 * @brief Sends a DPD request to the peer.
	 *
	 * To check if a peer is still alive, periodic
	 * empty INFORMATIONAL messages are sent if no
	 * other traffic was received.
	 *
	 * @param this calling object
	 * @return
	 * - SUCCESS
	 * - DESTROY_ME, if peer did not respond
	 */
	status_t (*send_dpd) (ike_sa_t *this);

	/**
	 * @brief Sends a keep alive packet.
	 *
	 * To refresh NAT tables in a NAT router
	 * between the peers, periodic empty
	 * UDP packets are sent if no other traffic
	 * was sent.
	 *
	 * @param this calling object
	 */
	void (*send_keepalive) (ike_sa_t *this);

	/**
	 * @brief Check if NAT traversal is enabled for this IKE_SA.
	 *
	 * @param this calling object
	 * @return TRUE if NAT traversal enabled
	 */
	bool (*is_natt_enabled) (ike_sa_t *this);

	/**
	 * @brief Enable NAT detection for this IKE_SA.
	 *
	 * If a Network address translation is detected with
	 * NAT_DETECTION notifies, an SA must switch to port
	 * 4500. To enable this behavior, call enable_natt().
	 * It is relevant which peer is NATted, this is specified
	 * with the "local" parameter. Call it twice when both
	 * are NATted.
	 *
	 * @param this calling object
	 * @param local TRUE, if we are NATted, FALSE if other
	 */
	void (*enable_natt) (ike_sa_t *this, bool local);

	/**
	 * @brief Derive all keys and create the transforms for IKE communication.
	 *
	 * Keys are derived using the diffie hellman secret, nonces and internal
	 * stored SPIs.
	 * Key derivation differs when an IKE_SA is set up to replace an
	 * existing IKE_SA (rekeying). The SK_d key from the old IKE_SA
	 * is included in the derivation process.
	 *
	 * NOTE(review): secret is the DH shared secret, i.e. key material.
	 * The contract says it gets freed by this call; confirm the
	 * implementation wipes the buffer before releasing it.
	 *
	 * @param this calling object
	 * @param proposal proposal which contains algorithms to use
	 * @param secret secret derived from DH exchange, gets freed
	 * @param nonce_i initiators nonce
	 * @param nonce_r responders nonce
	 * @param initiator TRUE if initiator, FALSE otherwise
	 * @param child_prf PRF with SK_d key when rekeying, NULL otherwise
	 * @param old_prf general purpose PRF of old SA when rekeying
	 * @return status of the derivation; the individual values are not
	 * documented here — check the implementation
	 */
	status_t (*derive_keys)(ike_sa_t *this, proposal_t* proposal, chunk_t secret,
							chunk_t nonce_i, chunk_t nonce_r,
							bool initiator, prf_t *child_prf, prf_t *old_prf);

	/**
	 * @brief Get the multi purpose prf.
	 *
	 * @param this calling object
	 * @return pointer to prf_t object
	 */
	prf_t *(*get_prf) (ike_sa_t *this);

	/**
	 * @brief Get the prf-object, which is used to derive keys for child SAs.
	 *
	 * @param this calling object
	 * @return pointer to prf_t object
	 */
	prf_t *(*get_child_prf) (ike_sa_t *this);

	/**
	 * @brief Get the prf to build outgoing authentication data.
	 *
	 * @param this calling object
	 * @return pointer to prf_t object
	 */
	prf_t *(*get_auth_build) (ike_sa_t *this);

	/**
	 * @brief Get the prf to verify incoming authentication data.
	 *
	 * @param this calling object
	 * @return pointer to prf_t object
	 */
	prf_t *(*get_auth_verify) (ike_sa_t *this);

	/**
	 * @brief Associates a child SA to this IKE SA
	 *
	 * @param this calling object
	 * @param child_sa child_sa to add
	 */
	void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa);

	/**
	 * @brief Get a CHILD_SA identified by protocol and SPI.
	 *
	 * @param this calling object
	 * @param protocol protocol of the SA
	 * @param spi SPI of the CHILD_SA
	 * @param inbound TRUE if SPI is inbound, FALSE if outbound
	 * @return child_sa, or NULL if none found
	 */
	child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol,
								 u_int32_t spi, bool inbound);

	/**
	 * @brief Create an iterator over all CHILD_SAs.
	 *
	 * @param this calling object
	 * @return iterator
	 */
	iterator_t* (*create_child_sa_iterator) (ike_sa_t *this);

	/**
	 * @brief Rekey the CHILD SA with the specified protocol/SPI.
	 *
	 * Looks for a CHILD SA owned by this IKE_SA, and starts the rekeying.
	 *
	 * @param this calling object
	 * @param protocol protocol of the SA
	 * @param spi inbound SPI of the CHILD_SA
	 * @return
	 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
	 * - SUCCESS, if rekeying initiated
	 */
	status_t (*rekey_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);

	/**
	 * @brief Close the CHILD SA with the specified protocol/SPI.
	 *
	 * Looks for a CHILD SA owned by this IKE_SA, deletes it and
	 * notifies the remote peer about the delete. The associated
	 * states and policies in the kernel get deleted, if they exist.
	 *
	 * @param this calling object
	 * @param protocol protocol of the SA
	 * @param spi inbound SPI of the CHILD_SA
	 * @return
	 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
	 * - SUCCESS, if delete message sent
	 */
	status_t (*delete_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);

	/**
	 * @brief Destroy a CHILD SA with the specified protocol/SPI.
	 *
	 * Looks for a CHILD SA owned by this IKE_SA and destroys it.
	 * Unlike delete_child_sa(), no delete message is described here —
	 * presumably the peer is not notified; confirm.
	 *
	 * @param this calling object
	 * @param protocol protocol of the SA
	 * @param spi inbound SPI of the CHILD_SA
	 * @return
	 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
	 * - SUCCESS
	 */
	status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, u_int32_t spi);

	/**
	 * @brief Rekey the IKE_SA.
	 *
	 * Sets up a new IKE_SA, moves all CHILDs to it and deletes this IKE_SA.
	 *
	 * @param this calling object
	 * @return - SUCCESS, if IKE_SA rekeying initiated
	 */
	status_t (*rekey) (ike_sa_t *this);

	/**
	 * @brief Reestablish the IKE_SA.
	 *
	 * Creates a completely new IKE_SA with authentication, recreates all
	 * children within the IKE_SA, but leaves the old IKE_SA untouched.
	 *
	 * @param this calling object
	 */
	void (*reestablish) (ike_sa_t *this);

	/**
	 * @brief Set the virtual IP to use for this IKE_SA and its children.
	 *
	 * The virtual IP is assigned per IKE_SA, not per CHILD_SA. It has the same
	 * lifetime as the IKE_SA.
	 *
	 * @param this calling object
	 * @param local TRUE to set the local virtual IP, FALSE for the remote one
	 * (mirrors the "local" flag of get_virtual_ip() — confirm)
	 * @param ip virtual IP to set; ownership not documented here — confirm
	 * whether it is adopted or cloned
	 */
	void (*set_virtual_ip) (ike_sa_t *this, bool local, host_t *ip);

	/**
	 * @brief Get the virtual IP configured.
	 *
	 * @param this calling object
	 * @param local TRUE to get local virtual IP, FALSE for remote
	 * @return configured virtual IP; whether NULL is returned when none
	 * is set is not documented here — confirm
	 */
	host_t* (*get_virtual_ip) (ike_sa_t *this, bool local);

	/**
	 * @brief Add a DNS server to the system.
	 *
	 * An IRAS may send a DNS server. To use it, it is installed on the
	 * system. The DNS entry has a lifetime until the IKE_SA gets closed.
	 *
	 * NOTE(review): the address is configuration pushed by the remote
	 * peer and it changes the host's resolver setup; it should only be
	 * applied for an authenticated, established IKE_SA — confirm the
	 * caller enforces this.
	 *
	 * @param this calling object
	 * @param dns DNS server to install on the system
	 */
	void (*add_dns_server) (ike_sa_t *this, host_t *dns);

	/**
	 * @brief Inherit all attributes of other to this after rekeying.
	 *
	 * When rekeying is completed, all CHILD_SAs, the virtual IP and all
	 * outstanding tasks are moved from other to this.
	 * As this call may initiate inherited tasks, a status is returned.
	 *
	 * @param this calling object
	 * @param other other IKE_SA to inherit from
	 * @return DESTROY_ME if initiation of inherited task failed
	 */
	status_t (*inherit) (ike_sa_t *this, ike_sa_t *other);

	/**
	 * @brief Reset the IKE_SA, usable when initiating fails
	 *
	 * @param this calling object
	 */
	void (*reset) (ike_sa_t *this);

	/**
	 * @brief Destroys a ike_sa_t object.
	 *
	 * @param this calling object
	 */
	void (*destroy) (ike_sa_t *this);
};

/**
 * @brief Creates an ike_sa_t object with a specific ID.
 *
 * @param ike_sa_id ike_sa_id_t object to associate with new IKE_SA;
 * whether it is adopted or cloned is not documented here — confirm
 * @return ike_sa_t object, to be released with its destroy() method
 *
 * @ingroup sa
 */
ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id);

#endif /* IKE_SA_H_ */