2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2006 Daniel Roethlisberger
4 * Copyright (C) 2005-2009 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * Hochschule fuer Technik Rapperswil
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * @defgroup ike_sa ike_sa
27 typedef enum ike_extension_t ike_extension_t
;
28 typedef enum ike_condition_t ike_condition_t
;
29 typedef enum ike_sa_state_t ike_sa_state_t
;
30 typedef enum statistic_t statistic_t
;
31 typedef struct ike_sa_t ike_sa_t
;
34 #include <encoding/message.h>
35 #include <encoding/payloads/proposal_substructure.h>
36 #include <encoding/payloads/configuration_attribute.h>
37 #include <sa/ike_sa_id.h>
38 #include <sa/child_sa.h>
39 #include <sa/tasks/task.h>
40 #include <sa/keymat.h>
41 #include <config/peer_cfg.h>
42 #include <config/ike_cfg.h>
43 #include <config/auth_cfg.h>
46 * Timeout in seconds after that a half open IKE_SA gets deleted.
48 #define HALF_OPEN_IKE_SA_TIMEOUT 30
51 * Interval to send keepalives when NATed, in seconds.
53 #define KEEPALIVE_INTERVAL 20
56 * After which time rekeying should be retried if it failed, in seconds.
58 #define RETRY_INTERVAL 30
61 * Jitter to subtract from RETRY_INTERVAL to randomize rekey retry.
63 #define RETRY_JITTER 20
66 * Extensions (or optional features) the peer supports
68 enum ike_extension_t
{
71 * peer supports NAT traversal as specified in RFC4306
76 * peer supports MOBIKE (RFC4555)
81 * peer supports HTTP cert lookups as specified in RFC4306
83 EXT_HASH_AND_URL
= (1<<2),
86 * peer supports multiple authentication exchanges, RFC4739
88 EXT_MULTIPLE_AUTH
= (1<<3),
92 * Conditions of an IKE_SA, change during its lifetime
94 enum ike_condition_t
{
97 * Connection is natted (or faked) somewhere
99 COND_NAT_ANY
= (1<<0),
104 COND_NAT_HERE
= (1<<1),
107 * other is behind NAT
109 COND_NAT_THERE
= (1<<2),
112 * Faking NAT to enforce UDP encapsulation
114 COND_NAT_FAKE
= (1<<3),
117 * peer has been authenticated using EAP at least once
119 COND_EAP_AUTHENTICATED
= (1<<4),
122 * received a certificate request from the peer
124 COND_CERTREQ_SEEN
= (1<<5),
127 * Local peer is the "original" IKE initiator. Unaffected from rekeying.
129 COND_ORIGINAL_INITIATOR
= (1<<6),
132 * IKE_SA is stale, the peer is currently unreachable (MOBIKE)
138 * Timing information and statistics to query from an SA
141 /** Timestamp of SA establishement */
142 STAT_ESTABLISHED
= 0,
143 /** Timestamp of scheudled rekeying */
145 /** Timestamp of scheudled reauthentication */
147 /** Timestamp of scheudled delete */
149 /** Timestamp of last inbound IKE packet */
151 /** Timestamp of last outbound IKE packet */
158 * State of an IKE_SA.
160 * An IKE_SA passes various states in its lifetime. A newly created
161 * SA is in the state CREATED.
167 on initiate()---> ¦ <----- on IKE_SA_INIT received
173 ¦ <----- on IKE_AUTH successfully completed
176 ¦ SA_ESTABLISHED ¦-------------------------+ <-- on rekeying
179 on delete()---> ¦ <----- on IKE_SA +-------------+
180 ¦ delete request ¦ SA_REKEYING ¦
181 ¦ received +-------------+
184 ¦ SA_DELETING ¦<------------------------+ <-- after rekeying
187 ¦ <----- after delete() acknowledged
194 enum ike_sa_state_t
{
197 * IKE_SA just got created, but is not initiating nor responding yet.
202 * IKE_SA gets initiated actively or passively
207 * IKE_SA is fully established
212 * IKE_SA is managed externally and does not process messages
217 * IKE_SA rekeying in progress
222 * IKE_SA is in progress of deletion
227 * IKE_SA object gets destroyed
233 * enum names for ike_sa_state_t.
235 extern enum_name_t
*ike_sa_state_names
;
238 * Class ike_sa_t representing an IKE_SA.
240 * An IKE_SA contains crypto information related to a connection
241 * with a peer. It contains multiple IPsec CHILD_SA, for which
242 * it is responsible. All traffic is handled by an IKE_SA, using
243 * the task manager and its tasks.
248 * Get the id of the SA.
250 * Returned ike_sa_id_t object is not getting cloned!
252 * @return ike_sa's ike_sa_id_t
254 ike_sa_id_t
* (*get_id
) (ike_sa_t
*this);
257 * Get the numerical ID uniquely defining this IKE_SA.
261 u_int32_t (*get_unique_id
) (ike_sa_t
*this);
264 * Get the state of the IKE_SA.
266 * @return state of the IKE_SA
268 ike_sa_state_t (*get_state
) (ike_sa_t
*this);
271 * Set the state of the IKE_SA.
273 * @param state state to set for the IKE_SA
275 void (*set_state
) (ike_sa_t
*this, ike_sa_state_t ike_sa
);
278 * Get the name of the connection this IKE_SA uses.
282 char* (*get_name
) (ike_sa_t
*this);
285 * Get statistic values from the IKE_SA.
287 * @param kind kind of requested value
288 * @return value as integer
290 u_int32_t (*get_statistic
)(ike_sa_t
*this, statistic_t kind
);
293 * Get the own host address.
295 * @return host address
297 host_t
* (*get_my_host
) (ike_sa_t
*this);
300 * Set the own host address.
302 * @param me host address
304 void (*set_my_host
) (ike_sa_t
*this, host_t
*me
);
307 * Get the other peers host address.
309 * @return host address
311 host_t
* (*get_other_host
) (ike_sa_t
*this);
314 * Set the others host address.
316 * @param other host address
318 void (*set_other_host
) (ike_sa_t
*this, host_t
*other
);
321 * Update the IKE_SAs host.
323 * Hosts may be NULL to use current host.
325 * @param me new local host address, or NULL
326 * @param other new remote host address, or NULL
328 void (*update_hosts
)(ike_sa_t
*this, host_t
*me
, host_t
*other
);
331 * Get the own identification.
333 * @return identification
335 identification_t
* (*get_my_id
) (ike_sa_t
*this);
338 * Set the own identification.
340 * @param me identification
342 void (*set_my_id
) (ike_sa_t
*this, identification_t
*me
);
345 * Get the other peer's identification.
347 * @return identification
349 identification_t
* (*get_other_id
) (ike_sa_t
*this);
352 * Set the other peer's identification.
354 * @param other identification
356 void (*set_other_id
) (ike_sa_t
*this, identification_t
*other
);
359 * Get the config used to setup this IKE_SA.
363 ike_cfg_t
* (*get_ike_cfg
) (ike_sa_t
*this);
366 * Set the config to setup this IKE_SA.
368 * @param config ike_config to use
370 void (*set_ike_cfg
) (ike_sa_t
*this, ike_cfg_t
* config
);
373 * Get the peer config used by this IKE_SA.
375 * @return peer_config
377 peer_cfg_t
* (*get_peer_cfg
) (ike_sa_t
*this);
380 * Set the peer config to use with this IKE_SA.
382 * @param config peer_config to use
384 void (*set_peer_cfg
) (ike_sa_t
*this, peer_cfg_t
*config
);
387 * Get the authentication config with rules of the current auth round.
389 * @param local TRUE for local rules, FALSE for remote constraints
390 * @return current cfg
392 auth_cfg_t
* (*get_auth_cfg
)(ike_sa_t
*this, bool local
);
395 * Insert a completed authentication round.
397 * @param local TRUE for own rules, FALSE for others constraints
398 * @param cfg auth config to append
400 void (*add_auth_cfg
)(ike_sa_t
*this, bool local
, auth_cfg_t
*cfg
);
403 * Create an enumerator over added authentication rounds.
405 * @param local TRUE for own rules, FALSE for others constraints
406 * @return enumerator over auth_cfg_t
408 enumerator_t
* (*create_auth_cfg_enumerator
)(ike_sa_t
*this, bool local
);
411 * Get the selected proposal of this IKE_SA.
413 * @return selected proposal
415 proposal_t
* (*get_proposal
)(ike_sa_t
*this);
418 * Set the proposal selected for this IKE_SA.
420 * @param selected proposal
422 void (*set_proposal
)(ike_sa_t
*this, proposal_t
*proposal
);
425 * Set the message id of the IKE_SA.
427 * The IKE_SA stores two message IDs, one for initiating exchanges (send)
428 * and one to respond to exchanges (expect).
430 * @param initiate TRUE to set message ID for initiating
431 * @param mid message id to set
433 void (*set_message_id
)(ike_sa_t
*this, bool initiate
, u_int32_t mid
);
436 * Add an additional address for the peer.
438 * In MOBIKE, a peer may transmit additional addresses where it is
439 * reachable. These are stored in the IKE_SA.
440 * The own list of addresses is not stored, they are queried from
441 * the kernel when required.
443 * @param host host to add to list
445 void (*add_additional_address
)(ike_sa_t
*this, host_t
*host
);
448 * Create an iterator over all additional addresses of the peer.
450 * @return iterator over addresses
452 iterator_t
* (*create_additional_address_iterator
)(ike_sa_t
*this);
455 * Check if mappings have changed on a NAT for our source address.
457 * @param hash received DESTINATION_IP hash
458 * @return TRUE if mappings have changed
460 bool (*has_mapping_changed
)(ike_sa_t
*this, chunk_t hash
);
463 * Enable an extension the peer supports.
465 * If support for an IKE extension is detected, this method is called
466 * to enable that extension and behave accordingly.
468 * @param extension extension to enable
470 void (*enable_extension
)(ike_sa_t
*this, ike_extension_t extension
);
473 * Check if the peer supports an extension.
475 * @param extension extension to check for support
476 * @return TRUE if peer supports it, FALSE otherwise
478 bool (*supports_extension
)(ike_sa_t
*this, ike_extension_t extension
);
481 * Enable/disable a condition flag for this IKE_SA.
483 * @param condition condition to enable/disable
484 * @param enable TRUE to enable condition, FALSE to disable
486 void (*set_condition
) (ike_sa_t
*this, ike_condition_t condition
, bool enable
);
489 * Check if a condition flag is set.
491 * @param condition condition to check
492 * @return TRUE if condition flag set, FALSE otherwise
494 bool (*has_condition
) (ike_sa_t
*this, ike_condition_t condition
);
497 * Get the number of queued MOBIKE address updates.
499 * @return number of pending updates
501 u_int32_t (*get_pending_updates
)(ike_sa_t
*this);
504 * Set the number of queued MOBIKE address updates.
506 * @param updates number of pending updates
508 void (*set_pending_updates
)(ike_sa_t
*this, u_int32_t updates
);
512 * Activate mediation server functionality for this IKE_SA.
514 void (*act_as_mediation_server
) (ike_sa_t
*this);
517 * Get the server reflexive host.
519 * @return server reflexive host
521 host_t
* (*get_server_reflexive_host
) (ike_sa_t
*this);
524 * Set the server reflexive host.
526 * @param host server reflexive host
528 void (*set_server_reflexive_host
) (ike_sa_t
*this, host_t
*host
);
531 * Get the connect ID.
535 chunk_t (*get_connect_id
) (ike_sa_t
*this);
538 * Initiate the mediation of a mediated connection (i.e. initiate a
539 * ME_CONNECT exchange to a mediation server).
541 * @param mediated_cfg peer_cfg of the mediated connection
543 * - SUCCESS if initialization started
544 * - DESTROY_ME if initialization failed
546 status_t (*initiate_mediation
) (ike_sa_t
*this, peer_cfg_t
*mediated_cfg
);
549 * Initiate the mediated connection
551 * @param me local endpoint (gets cloned)
552 * @param other remote endpoint (gets cloned)
553 * @param connect_id connect ID (gets cloned)
555 * - SUCCESS if initialization started
556 * - DESTROY_ME if initialization failed
558 status_t (*initiate_mediated
) (ike_sa_t
*this, host_t
*me
, host_t
*other
,
562 * Relay data from one peer to another (i.e. initiate a ME_CONNECT exchange
567 * @param requester ID of the requesting peer
568 * @param connect_id data of the ME_CONNECTID payload
569 * @param connect_key data of the ME_CONNECTKEY payload
570 * @param endpoints endpoints
571 * @param response TRUE if this is a response
573 * - SUCCESS if relay started
574 * - DESTROY_ME if relay failed
576 status_t (*relay
) (ike_sa_t
*this, identification_t
*requester
,
577 chunk_t connect_id
, chunk_t connect_key
,
578 linked_list_t
*endpoints
, bool response
);
581 * Send a callback to a peer.
585 * @param peer_id ID of the other peer
587 * - SUCCESS if response started
588 * - DESTROY_ME if response failed
590 status_t (*callback
) (ike_sa_t
*this, identification_t
*peer_id
);
593 * Respond to a ME_CONNECT request.
597 * @param peer_id ID of the other peer
598 * @param connect_id the connect ID supplied by the initiator
600 * - SUCCESS if response started
601 * - DESTROY_ME if response failed
603 status_t (*respond
) (ike_sa_t
*this, identification_t
*peer_id
,
608 * Initiate a new connection.
610 * The configs are owned by the IKE_SA after the call. If the initiate
611 * is triggered by a packet, traffic selectors of the packet can be added
614 * @param child_cfg child config to create CHILD from
615 * @param reqid reqid to use for CHILD_SA, 0 assigne uniquely
616 * @param tsi source of triggering packet
617 * @param tsr destination of triggering packet.
619 * - SUCCESS if initialization started
620 * - DESTROY_ME if initialization failed
622 status_t (*initiate
) (ike_sa_t
*this, child_cfg_t
*child_cfg
,
623 u_int32_t reqid
, traffic_selector_t
*tsi
,
624 traffic_selector_t
*tsr
);
627 * Initiates the deletion of an IKE_SA.
629 * Sends a delete message to the remote peer and waits for
630 * its response. If the response comes in, or a timeout occurs,
631 * the IKE SA gets deleted.
634 * - SUCCESS if deletion is initialized
635 * - DESTROY_ME, if the IKE_SA is not in
636 * an established state and can not be
637 * deleted (but destroyed).
639 status_t (*delete) (ike_sa_t
*this);
642 * Update IKE_SAs after network interfaces have changed.
644 * Whenever the network interface configuration changes, the kernel
645 * interface calls roam() on each IKE_SA. The IKE_SA then checks if
646 * the new network config requires changes, and handles appropriate.
647 * If MOBIKE is supported, addresses are updated; If not, the tunnel is
650 * @param address TRUE if address list changed, FALSE otherwise
651 * @return SUCCESS, FAILED, DESTROY_ME
653 status_t (*roam
)(ike_sa_t
*this, bool address
);
656 * Processes a incoming IKEv2-Message.
658 * Message processing may fail. If a critical failure occurs,
659 * process_message() return DESTROY_ME. Then the caller must
660 * destroy the IKE_SA immediatly, as it is unusable.
662 * @param message message to process
666 * - DESTROY_ME if this IKE_SA MUST be deleted
668 status_t (*process_message
) (ike_sa_t
*this, message_t
*message
);
671 * Generate a IKE message to send it to the peer.
673 * This method generates all payloads in the message and encrypts/signs
676 * @param message message to generate
677 * @param packet generated output packet
681 * - DESTROY_ME if this IKE_SA MUST be deleted
683 status_t (*generate_message
) (ike_sa_t
*this, message_t
*message
,
687 * Retransmits a request.
689 * @param message_id ID of the request to retransmit
692 * - NOT_FOUND if request doesn't have to be retransmited
694 status_t (*retransmit
) (ike_sa_t
*this, u_int32_t message_id
);
697 * Sends a DPD request to the peer.
699 * To check if a peer is still alive, periodic
700 * empty INFORMATIONAL messages are sent if no
701 * other traffic was received.
705 * - DESTROY_ME, if peer did not respond
707 status_t (*send_dpd
) (ike_sa_t
*this);
710 * Sends a keep alive packet.
712 * To refresh NAT tables in a NAT router
713 * between the peers, periodic empty
714 * UDP packets are sent if no other traffic
717 void (*send_keepalive
) (ike_sa_t
*this);
720 * Get the keying material of this IKE_SA.
722 * @return per IKE_SA keymat instance
724 keymat_t
* (*get_keymat
)(ike_sa_t
*this);
727 * Associates a child SA to this IKE SA
729 * @param child_sa child_sa to add
731 void (*add_child_sa
) (ike_sa_t
*this, child_sa_t
*child_sa
);
734 * Get a CHILD_SA identified by protocol and SPI.
736 * @param protocol protocol of the SA
737 * @param spi SPI of the CHILD_SA
738 * @param inbound TRUE if SPI is inbound, FALSE if outbound
739 * @return child_sa, or NULL if none found
741 child_sa_t
* (*get_child_sa
) (ike_sa_t
*this, protocol_id_t protocol
,
742 u_int32_t spi
, bool inbound
);
745 * Create an iterator over all CHILD_SAs.
749 iterator_t
* (*create_child_sa_iterator
) (ike_sa_t
*this);
752 * Rekey the CHILD SA with the specified reqid.
754 * Looks for a CHILD SA owned by this IKE_SA, and start the rekeing.
756 * @param protocol protocol of the SA
757 * @param spi inbound SPI of the CHILD_SA
759 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
760 * - SUCCESS, if rekeying initiated
762 status_t (*rekey_child_sa
) (ike_sa_t
*this, protocol_id_t protocol
, u_int32_t spi
);
765 * Close the CHILD SA with the specified protocol/SPI.
767 * Looks for a CHILD SA owned by this IKE_SA, deletes it and
768 * notify's the remote peer about the delete. The associated
769 * states and policies in the kernel get deleted, if they exist.
771 * @param protocol protocol of the SA
772 * @param spi inbound SPI of the CHILD_SA
774 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
775 * - SUCCESS, if delete message sent
777 status_t (*delete_child_sa
) (ike_sa_t
*this, protocol_id_t protocol
, u_int32_t spi
);
780 * Destroy a CHILD SA with the specified protocol/SPI.
782 * Looks for a CHILD SA owned by this IKE_SA and destroys it.
784 * @param protocol protocol of the SA
785 * @param spi inbound SPI of the CHILD_SA
787 * - NOT_FOUND, if IKE_SA has no such CHILD_SA
790 status_t (*destroy_child_sa
) (ike_sa_t
*this, protocol_id_t protocol
, u_int32_t spi
);
795 * Sets up a new IKE_SA, moves all CHILDs to it and deletes this IKE_SA.
797 * @return - SUCCESS, if IKE_SA rekeying initiated
799 status_t (*rekey
) (ike_sa_t
*this);
802 * Reauthenticate the IKE_SA.
804 * Create a completely new IKE_SA with authentication, recreates all children
805 * within the IKE_SA, closes this IKE_SA.
807 * @return DESTROY_ME to destroy the IKE_SA
809 status_t (*reauth
) (ike_sa_t
*this);
812 * Restablish the IKE_SA.
814 * Reestablish an IKE_SA after it has been closed.
816 * @return DESTROY_ME to destroy the IKE_SA
818 status_t (*reestablish
) (ike_sa_t
*this);
821 * Set the lifetime limit received from a AUTH_LIFETIME notify.
823 * @param lifetime lifetime in seconds
825 void (*set_auth_lifetime
)(ike_sa_t
*this, u_int32_t lifetime
);
828 * Set the virtual IP to use for this IKE_SA and its children.
830 * The virtual IP is assigned per IKE_SA, not per CHILD_SA. It has the same
831 * lifetime as the IKE_SA.
833 * @param local TRUE to set local address, FALSE for remote
834 * @param ip IP to set as virtual IP
836 void (*set_virtual_ip
) (ike_sa_t
*this, bool local
, host_t
*ip
);
839 * Get the virtual IP configured.
841 * @param local TRUE to get local virtual IP, FALSE for remote
842 * @return host_t *virtual IP
844 host_t
* (*get_virtual_ip
) (ike_sa_t
*this, bool local
);
847 * Register a configuration attribute to the IKE_SA.
849 * If an IRAS sends a configuration attribute it is installed and
850 * registered at the IKE_SA. Attributes are inherit()ed and get released
851 * when the IKE_SA is closed.
853 * @param handler handler installed the attribute, use for release()
854 * @param type configuration attribute type
855 * @param data associated attribute data
857 void (*add_configuration_attribute
)(ike_sa_t
*this,
858 attribute_handler_t
*handler
,
859 configuration_attribute_type_t type
, chunk_t data
);
862 * Set local and remote host addresses to be used for IKE.
864 * These addresses are communicated via the KMADDRESS field of a MIGRATE
865 * message sent via the NETLINK or PF _KEY kernel socket interface.
867 * @param local local kmaddress
868 * @param remote remote kmaddress
870 void (*set_kmaddress
) (ike_sa_t
*this, host_t
*local
, host_t
*remote
);
873 * Inherit all attributes of other to this after rekeying.
875 * When rekeying is completed, all CHILD_SAs, the virtual IP and all
876 * outstanding tasks are moved from other to this.
877 * As this call may initiate inherited tasks, a status is returned.
879 * @param other other task to inherit from
880 * @return DESTROY_ME if initiation of inherited task failed
882 status_t (*inherit
) (ike_sa_t
*this, ike_sa_t
*other
);
885 * Reset the IKE_SA, useable when initiating fails
887 void (*reset
) (ike_sa_t
*this);
890 * Destroys a ike_sa_t object.
892 void (*destroy
) (ike_sa_t
*this);
896 * Creates an ike_sa_t object with a specific ID.
898 * @param ike_sa_id ike_sa_id_t object to associate with new IKE_SA
899 * @return ike_sa_t object
901 ike_sa_t
*ike_sa_create(ike_sa_id_t
*ike_sa_id
);
903 #endif /** IKE_SA_H_ @}*/