]>
Commit | Line | Data |
---|---|---|
7ba38761 JH |
1 | /** |
2 | * @file ike_sa.h | |
c3dc6f1a | 3 | * |
39b2903f | 4 | * @brief Interface of ike_sa_t. |
c3dc6f1a | 5 | * |
7ba38761 JH |
6 | */ |
7 | ||
8 | /* | |
1396815a | 9 | * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger |
7ba38761 JH |
10 | * Copyright (C) 2005 Jan Hutter, Martin Willi |
11 | * Hochschule fuer Technik Rapperswil | |
12 | * | |
13 | * This program is free software; you can redistribute it and/or modify it | |
14 | * under the terms of the GNU General Public License as published by the | |
15 | * Free Software Foundation; either version 2 of the License, or (at your | |
16 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
17 | * | |
18 | * This program is distributed in the hope that it will be useful, but | |
19 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
20 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
21 | * for more details. | |
22 | */ | |
23 | ||
24 | #ifndef IKE_SA_H_ | |
25 | #define IKE_SA_H_ | |
26 | ||
021c2322 | 27 | #include <types.h> |
4a962238 | 28 | #include <encoding/message.h> |
b9d9f188 | 29 | #include <encoding/payloads/proposal_substructure.h> |
96f79ff1 | 30 | #include <sa/ike_sa_id.h> |
30b5b412 MW |
31 | #include <sa/child_sa.h> |
32 | #include <sa/states/state.h> | |
8a491129 | 33 | #include <config/configuration.h> |
021c2322 MW |
34 | #include <utils/logger.h> |
35 | #include <utils/randomizer.h> | |
68621281 MW |
36 | #include <crypto/prfs/prf.h> |
37 | #include <crypto/crypters/crypter.h> | |
38 | #include <crypto/signers/signer.h> | |
13e4a62f MW |
39 | #include <config/connections/connection.h> |
40 | #include <config/policies/policy.h> | |
b92eef28 | 41 | #include <utils/logger.h> |
8323a9c1 | 42 | |
8323a9c1 | 43 | /** |
39b2903f JH |
44 | * Nonce size in bytes for nonces sending to other peer. |
45 | * | |
46 | * @warning Nonce size MUST be between 16 and 256 bytes. | |
df3c59d0 MW |
47 | * |
48 | * @ingroup sa | |
8323a9c1 JH |
49 | */ |
50 | #define NONCE_SIZE 16 | |
7ba38761 | 51 | |
39b2903f | 52 | |
5796aa16 MW |
53 | typedef struct ike_sa_t ike_sa_t; |
54 | ||
7ba38761 | 55 | /** |
39b2903f JH |
56 | * @brief Class ike_sa_t representing an IKE_SA. |
57 | * | |
58 | * An object of this type is managed by an ike_sa_manager_t object | |
59 | * and represents an IKE_SA. Message processing is split up in different states. | |
60 | * They will handle all related things for the state they represent. | |
79b8aa19 MW |
61 | * |
62 | * @b Constructors: | |
63 | * - ike_sa_create() | |
df3c59d0 MW |
64 | * |
65 | * @ingroup sa | |
7ba38761 | 66 | */ |
5796aa16 | 67 | struct ike_sa_t { |
7ba38761 JH |
68 | |
69 | /** | |
39b2903f | 70 | * @brief Processes a incoming IKEv2-Message of type message_t. |
c3dc6f1a JH |
71 | * |
72 | * @param this ike_sa_t object object | |
73 | * @param[in] message message_t object to process | |
39b2903f JH |
74 | * @return |
75 | * - SUCCESS | |
76 | * - FAILED | |
4a5bba25 | 77 | * - DESTROY_ME if this IKE_SA MUST be deleted |
7ba38761 JH |
78 | */ |
79 | status_t (*process_message) (ike_sa_t *this,message_t *message); | |
80 | ||
2c220249 | 81 | /** |
16b9a73c MW |
82 | * @brief Initiate a new connection with given connection_t object. |
83 | * | |
84 | * The connection_t object is owned by the IKE_SA after the call, so | |
85 | * do not modify or destroy it. | |
2c220249 JH |
86 | * |
87 | * @param this calling object | |
16b9a73c | 88 | * @param connection connection to initiate |
79b8aa19 MW |
89 | * @return |
90 | * - SUCCESS if initialization started | |
91 | * - FAILED if in wrong state | |
4a5bba25 | 92 | * - DESTROY_ME if initialization failed and IKE_SA MUST be deleted |
2c220249 | 93 | */ |
16b9a73c | 94 | status_t (*initiate_connection) (ike_sa_t *this, connection_t *connection); |
5534ee84 | 95 | |
1396815a MW |
96 | /** |
97 | * @brief Checks whether retransmission is possible. | |
98 | * | |
99 | * @param this calling object | |
100 | * @param message_id ID of the request to retransmit | |
101 | * @return | |
102 | * - TRUE if retransmit is possible | |
103 | * - FALSE if not | |
104 | */ | |
105 | bool (*retransmit_possible) (ike_sa_t *this, u_int32_t message_id); | |
106 | ||
5534ee84 JH |
107 | /** |
108 | * @brief Retransmits a request. | |
109 | * | |
110 | * @param this calling object | |
111 | * @param message_id ID of the request to retransmit | |
112 | * @return | |
113 | * - SUCCESS | |
114 | * - NOT_FOUND if request doesn't have to be retransmited | |
115 | */ | |
116 | status_t (*retransmit_request) (ike_sa_t *this, u_int32_t message_id); | |
c3dc6f1a | 117 | |
472217f1 | 118 | /** |
d048df5c | 119 | * @brief Get the id of the SA. |
39b2903f JH |
120 | * |
121 | * Returned ike_sa_id_t object is not getting cloned! | |
c3dc6f1a | 122 | * |
39b2903f | 123 | * @param this calling object |
d048df5c | 124 | * @return ike_sa's ike_sa_id_t |
472217f1 MW |
125 | */ |
126 | ike_sa_id_t* (*get_id) (ike_sa_t *this); | |
f2ee13a7 | 127 | |
32b6500f MW |
128 | /** |
129 | * @brief Get the CHILD_SA with the specified reqid. | |
130 | * | |
131 | * The reqid is a unique ID for a child SA, which is | |
132 | * generated on child SA creation. | |
133 | * Returned child_sa_t object is not cloned! | |
134 | * | |
135 | * @param this calling object | |
136 | * @param reqid reqid of the child SA, as used in the kernel | |
137 | * @return child_sa, or NULL if not found | |
138 | */ | |
139 | child_sa_t* (*get_child_sa) (ike_sa_t *this, u_int32_t reqid); | |
140 | ||
8d77edde MW |
141 | /** |
142 | * @brief Close the CHILD SA with the specified reqid. | |
143 | * | |
144 | * Looks for a CHILD SA owned by this IKE_SA, deletes it and | |
145 | * notify's the remote peer about the delete. The associated | |
146 | * states and policies in the kernel get deleted, if they exist. | |
147 | * | |
148 | * @param this calling object | |
149 | * @param reqid reqid of the child SA, as used in the kernel | |
150 | * @return | |
151 | * - NOT_FOUND, if IKE_SA has no such CHILD_SA | |
152 | * - SUCCESS, if deleted and delete message sent | |
153 | */ | |
154 | status_t (*delete_child_sa) (ike_sa_t *this, u_int32_t reqid); | |
155 | ||
156 | /** | |
157 | * @brief Rekey the CHILD SA with the specified reqid. | |
158 | * | |
159 | * Looks for a CHILD SA owned by this IKE_SA, and start the rekeing. | |
160 | * | |
161 | * @param this calling object | |
162 | * @param spi security parameter index identifying the SA to rekey | |
163 | * @return | |
164 | * - NOT_FOUND, if IKE_SA has no such CHILD_SA | |
165 | * - SUCCESS, if rekeying initiated | |
166 | */ | |
167 | status_t (*rekey_child_sa) (ike_sa_t *this, u_int32_t reqid); | |
168 | ||
f2ee13a7 MW |
169 | /** |
170 | * @brief Get local peer address of the IKE_SA. | |
171 | * | |
172 | * @param this calling object | |
173 | * @return local host_t | |
174 | */ | |
175 | host_t* (*get_my_host) (ike_sa_t *this); | |
176 | ||
177 | /** | |
178 | * @brief Get remote peer address of the IKE_SA. | |
179 | * | |
180 | * @param this calling object | |
181 | * @return remote host_t | |
182 | */ | |
183 | host_t* (*get_other_host) (ike_sa_t *this); | |
13e4a62f MW |
184 | |
185 | /** | |
186 | * @brief Get own ID of the IKE_SA. | |
187 | * | |
188 | * @param this calling object | |
189 | * @return local identification_t | |
190 | */ | |
191 | identification_t* (*get_my_id) (ike_sa_t *this); | |
192 | ||
193 | /** | |
194 | * @brief Get remote ID the IKE_SA. | |
195 | * | |
196 | * @param this calling object | |
197 | * @return remote identification_t | |
198 | */ | |
199 | identification_t* (*get_other_id) (ike_sa_t *this); | |
e168ee17 MW |
200 | |
201 | /** | |
202 | * @brief Get the connection of the IKE_SA. | |
203 | * | |
204 | * The internal used connection specification | |
205 | * can be queried to get some data of an IKE_SA. | |
206 | * The connection is still owned to the IKE_SA | |
207 | * and must not be manipulated. | |
208 | * | |
209 | * @param this calling object | |
210 | * @return connection_t | |
211 | */ | |
212 | connection_t* (*get_connection) (ike_sa_t *this); | |
e314700c | 213 | |
1396815a MW |
214 | /** |
215 | * @brief Query NAT detection status for local host. | |
216 | * | |
217 | * @param this calling object | |
218 | * @return TRUE if this host is behind NAT | |
219 | */ | |
220 | bool (*is_my_host_behind_nat) (ike_sa_t *this); | |
221 | ||
222 | /** | |
223 | * @brief Query NAT detection status for remote host. | |
224 | * | |
225 | * @param this calling object | |
226 | * @return TRUE if other host is behind NAT | |
227 | */ | |
228 | bool (*is_other_host_behind_nat) (ike_sa_t *this); | |
229 | ||
230 | /** | |
231 | * @brief Query NAT detection status for any host. | |
232 | * | |
233 | * @param this calling object | |
234 | * @return TRUE if this or other host is behind NAT | |
235 | */ | |
236 | bool (*is_any_host_behind_nat) (ike_sa_t *this); | |
237 | ||
238 | /** | |
239 | * @brief Query timeval of last message sent. | |
240 | * | |
241 | * @param this calling object | |
242 | * @return time when the last message was sent | |
243 | */ | |
244 | struct timeval (*get_last_msg_tv) (ike_sa_t *this); | |
245 | ||
e314700c JH |
246 | /** |
247 | * @brief Get the state of type of associated state object. | |
248 | * | |
39b2903f | 249 | * @param this calling object |
e314700c JH |
250 | * @return state of IKE_SA |
251 | */ | |
252 | ike_sa_state_t (*get_state) (ike_sa_t *this); | |
b92eef28 | 253 | |
1396815a MW |
254 | /** |
255 | * @brief Sends a DPD request to the peer. | |
256 | * | |
257 | * @param this calling object | |
258 | */ | |
259 | status_t (*send_dpd_request) (ike_sa_t *this); | |
260 | ||
b92eef28 MW |
261 | /** |
262 | * @brief Log the status of a the ike sa to a logger. | |
263 | * | |
264 | * The status of the IKE SA and all child SAs is logged. | |
265 | * Supplying NULL as logger uses the internal child_sa logger | |
e168ee17 MW |
266 | * to do the logging. The log is only done if the supplied |
267 | * connection name is NULL or matches the connections name. | |
b92eef28 MW |
268 | * |
269 | * @param this calling object | |
270 | * @param logger logger to use for logging | |
e168ee17 | 271 | * @param name name of the connection |
b92eef28 | 272 | */ |
e168ee17 | 273 | void (*log_status) (ike_sa_t *this, logger_t *logger, char *name); |
4a5bba25 MW |
274 | |
275 | /** | |
276 | * @brief Initiates the deletion of an IKE_SA. | |
277 | * | |
278 | * Sends a delete message to the remote peer and waits for | |
32b6500f | 279 | * its response. If the response comes in, or a timeout occurs, |
4a5bba25 MW |
280 | * the IKE SA gets deleted. |
281 | * | |
282 | * @param this calling object | |
283 | * @return | |
284 | * - SUCCESS if deletion is initialized | |
285 | * - INVALID_STATE, if the IKE_SA is not in | |
286 | * an established state and can not be | |
287 | * delete (but destroyed). | |
288 | */ | |
289 | status_t (*delete) (ike_sa_t *this); | |
7ba38761 JH |
290 | |
291 | /** | |
d048df5c | 292 | * @brief Destroys a ike_sa_t object. |
c3dc6f1a | 293 | * |
39b2903f | 294 | * @param this calling object |
7ba38761 | 295 | */ |
d048df5c | 296 | void (*destroy) (ike_sa_t *this); |
7ba38761 JH |
297 | }; |
298 | ||
0fdc3c7f | 299 | |
79b8aa19 | 300 | typedef struct protected_ike_sa_t protected_ike_sa_t; |
0fdc3c7f | 301 | |
8323a9c1 | 302 | /** |
39b2903f | 303 | * @brief Protected functions of an ike_sa_t object. |
d048df5c | 304 | * |
39b2903f JH |
305 | * This members are only accessed out from |
306 | * the various state_t implementations. | |
df3c59d0 MW |
307 | * |
308 | * @ingroup sa | |
8323a9c1 | 309 | */ |
5796aa16 | 310 | struct protected_ike_sa_t { |
8323a9c1 JH |
311 | |
312 | /** | |
39b2903f | 313 | * Public interface of an ike_sa_t object. |
8323a9c1 JH |
314 | */ |
315 | ike_sa_t public; | |
316 | ||
317 | /** | |
39b2903f | 318 | * @brief Build an empty IKEv2-Message and fills in default informations. |
8323a9c1 JH |
319 | * |
320 | * Depending on the type of message (request or response), the message id is | |
321 | * either message_id_out or message_id_in. | |
322 | * | |
39b2903f | 323 | * Used in state_t Implementation to build an empty IKEv2-Message. |
8323a9c1 | 324 | * |
d048df5c MW |
325 | * @param this calling object |
326 | * @param type exchange type of new message | |
327 | * @param request TRUE, if message has to be a request | |
328 | * @param message new message is stored at this location | |
8323a9c1 | 329 | */ |
d048df5c | 330 | void (*build_message) (protected_ike_sa_t *this, exchange_type_t type, bool request, message_t **message); |
8323a9c1 | 331 | |
a9428251 | 332 | /** |
16b9a73c | 333 | * @brief Get the internal stored connection_t object. |
a9428251 JH |
334 | * |
335 | * @param this calling object | |
16b9a73c | 336 | * @return pointer to the internal stored connection_t object |
a9428251 | 337 | */ |
16b9a73c | 338 | connection_t *(*get_connection) (protected_ike_sa_t *this); |
a9428251 JH |
339 | |
340 | /** | |
16b9a73c | 341 | * @brief Set the internal connection object. |
a9428251 JH |
342 | * |
343 | * @param this calling object | |
16b9a73c | 344 | * @param connection object of type connection_t |
a9428251 | 345 | */ |
16b9a73c | 346 | void (*set_connection) (protected_ike_sa_t *this, connection_t *connection); |
a9428251 JH |
347 | |
348 | /** | |
16b9a73c | 349 | * @brief Get the internal stored policy object. |
a9428251 JH |
350 | * |
351 | * @param this calling object | |
16b9a73c | 352 | * @return pointer to the internal stored policy_t object |
a9428251 | 353 | */ |
16b9a73c | 354 | policy_t *(*get_policy) (protected_ike_sa_t *this); |
a9428251 JH |
355 | |
356 | /** | |
16b9a73c | 357 | * @brief Set the internal policy_t object. |
8323a9c1 | 358 | * |
aad398a7 | 359 | * @param this calling object |
16b9a73c | 360 | * @param policy object of type policy_t |
8323a9c1 | 361 | */ |
16b9a73c | 362 | void (*set_policy) (protected_ike_sa_t *this,policy_t *policy); |
2c220249 JH |
363 | |
364 | /** | |
ce461bbd | 365 | * @brief Derive all keys and create the transforms for IKE communication. |
aad398a7 | 366 | * |
ce461bbd MW |
367 | * Keys are derived using the diffie hellman secret, nonces and internal |
368 | * stored SPIs. | |
7881ac14 | 369 | * Already existing objects get destroyed. |
aad398a7 JH |
370 | * |
371 | * @param this calling object | |
ce461bbd MW |
372 | * @param proposal proposal which contains algorithms to use |
373 | * @param dh diffie hellman object with shared secret | |
374 | * @param nonce_i initiators nonce | |
375 | * @param nonce_r responders nonce | |
2c220249 | 376 | */ |
ce461bbd MW |
377 | status_t (*build_transforms) (protected_ike_sa_t *this, proposal_t* proposal, |
378 | diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r); | |
2c220249 JH |
379 | |
380 | /** | |
39b2903f | 381 | * @brief Send the next request message. |
5534ee84 JH |
382 | * |
383 | * Also the first retransmit job is created. | |
aad398a7 | 384 | * |
39b2903f | 385 | * Last stored requested message gets destroyed. Object gets not cloned! |
aad398a7 JH |
386 | * |
387 | * @param this calling object | |
5534ee84 | 388 | * @param message pointer to the message which should be sent |
aad398a7 JH |
389 | * @return |
390 | * - SUCCESS | |
391 | * - FAILED if message id is not next expected one | |
2c220249 | 392 | */ |
5534ee84 | 393 | status_t (*send_request) (protected_ike_sa_t *this,message_t * message); |
8323a9c1 JH |
394 | |
395 | /** | |
39b2903f | 396 | * @brief Send the next response message. |
aad398a7 | 397 | * |
39b2903f | 398 | * Last stored responded message gets destroyed. Object gets not cloned! |
aad398a7 JH |
399 | * |
400 | * @param this calling object | |
5534ee84 | 401 | * @param message pointer to the message which should be sent |
aad398a7 JH |
402 | * return |
403 | * - SUCCESS | |
404 | * - FAILED if message id is not next expected one | |
8323a9c1 | 405 | */ |
5534ee84 | 406 | status_t (*send_response) (protected_ike_sa_t *this,message_t * message); |
283dbcc5 MW |
407 | |
408 | /** | |
409 | * @brief Send a notify reply message. | |
410 | * | |
411 | * @param this calling object | |
412 | * @param exchange_type type of exchange in which the notify should be wrapped | |
413 | * @param type type of the notify message to send | |
414 | * @param data notification data | |
415 | */ | |
416 | void (*send_notify) (protected_ike_sa_t *this, exchange_type_t exchange_type, notify_message_type_t type, chunk_t data); | |
8323a9c1 JH |
417 | |
418 | /** | |
39b2903f | 419 | * @brief Get the internal stored randomizer_t object. |
aad398a7 JH |
420 | * |
421 | * @param this calling object | |
422 | * @return pointer to the internal randomizer_t object | |
8323a9c1 | 423 | */ |
aad398a7 | 424 | randomizer_t *(*get_randomizer) (protected_ike_sa_t *this); |
8323a9c1 JH |
425 | |
426 | /** | |
39b2903f | 427 | * @brief Set the new state_t object of the IKE_SA object. |
aad398a7 JH |
428 | * |
429 | * The old state_t object gets not destroyed. It's the callers duty to | |
39b2903f | 430 | * make sure old state is destroyed (Normally the old state is the caller). |
aad398a7 JH |
431 | * |
432 | * @param this calling object | |
433 | * @param state pointer to the new state_t object | |
8323a9c1 | 434 | */ |
aad398a7 | 435 | void (*set_new_state) (protected_ike_sa_t *this,state_t *state); |
f890d8fe | 436 | |
0df63d6b | 437 | /** |
39b2903f | 438 | * @brief Set the last replied message id. |
0df63d6b JH |
439 | * |
440 | * @param this calling object | |
441 | * @param message_id message id | |
442 | */ | |
443 | void (*set_last_replied_message_id) (protected_ike_sa_t *this,u_int32_t message_id); | |
444 | ||
f890d8fe | 445 | /** |
39b2903f | 446 | * @brief Get the internal stored initiator crypter_t object. |
f890d8fe JH |
447 | * |
448 | * @param this calling object | |
449 | * @return pointer to crypter_t object | |
450 | */ | |
451 | crypter_t *(*get_crypter_initiator) (protected_ike_sa_t *this); | |
452 | ||
453 | /** | |
39b2903f | 454 | * @brief Get the internal stored initiator signer_t object. |
f890d8fe JH |
455 | * |
456 | * @param this calling object | |
457 | * @return pointer to signer_t object | |
458 | */ | |
459 | signer_t *(*get_signer_initiator) (protected_ike_sa_t *this); | |
ccf783d2 MW |
460 | |
461 | /** | |
39b2903f | 462 | * @brief Get the internal stored responder crypter_t object. |
ccf783d2 MW |
463 | * |
464 | * @param this calling object | |
465 | * @return pointer to crypter_t object | |
466 | */ | |
467 | crypter_t *(*get_crypter_responder) (protected_ike_sa_t *this); | |
468 | ||
469 | /** | |
39b2903f | 470 | * @brief Get the internal stored responder signer object. |
ccf783d2 MW |
471 | * |
472 | * @param this calling object | |
473 | * @return pointer to signer_t object | |
474 | */ | |
475 | signer_t *(*get_signer_responder) (protected_ike_sa_t *this); | |
0fdc3c7f JH |
476 | |
477 | /** | |
ce461bbd | 478 | * @brief Get the multi purpose prf. |
0fdc3c7f JH |
479 | * |
480 | * @param this calling object | |
481 | * @return pointer to prf_t object | |
482 | */ | |
483 | prf_t *(*get_prf) (protected_ike_sa_t *this); | |
484 | ||
5b97779f MW |
485 | /** |
486 | * @brief Get the prf-object, which is used to derive keys for child SAs. | |
487 | * | |
488 | * @param this calling object | |
489 | * @return pointer to prf_t object | |
490 | */ | |
491 | prf_t *(*get_child_prf) (protected_ike_sa_t *this); | |
492 | ||
ce461bbd MW |
493 | /** |
494 | * @brief Get the prf used for authentication of initiator. | |
495 | * | |
496 | * @param this calling object | |
497 | * @return pointer to prf_t object | |
498 | */ | |
499 | prf_t *(*get_prf_auth_i) (protected_ike_sa_t *this); | |
500 | ||
501 | /** | |
502 | * @brief Get the prf used for authentication of responder. | |
503 | * | |
504 | * @param this calling object | |
505 | * @return pointer to prf_t object | |
506 | */ | |
507 | prf_t *(*get_prf_auth_r) (protected_ike_sa_t *this); | |
508 | ||
30b5b412 MW |
509 | /** |
510 | * @brief Associates a child SA to this IKE SA | |
511 | * | |
512 | * @param this calling object | |
513 | * @param child_sa child_sa to add | |
514 | */ | |
515 | void (*add_child_sa) (protected_ike_sa_t *this, child_sa_t *child_sa); | |
516 | ||
695723d4 MW |
517 | /** |
518 | * @brief Destroys a CHILD_SA upon request from the other peer. | |
519 | * | |
520 | * @param this calling object | |
521 | * @param spi inbound spi of the CHILD_SA to destroy | |
522 | * @return outbound spi of the destroyed CHILD_SA | |
523 | */ | |
524 | u_int32_t (*destroy_child_sa) (protected_ike_sa_t *this, u_int32_t spi); | |
525 | ||
526 | /** | |
527 | * @brief Get a CHILD_SA upon request from the other peer. | |
528 | * | |
529 | * @param this calling object | |
530 | * @param spi spi of the CHILD_SA | |
531 | * @return child_sa, or NULL if none found | |
532 | */ | |
533 | child_sa_t* (*get_child_sa) (protected_ike_sa_t *this, u_int32_t spi); | |
534 | ||
0fdc3c7f | 535 | /** |
39b2903f | 536 | * @brief Get the last responded message. |
8d68033e | 537 | * |
0fdc3c7f | 538 | * @param this calling object |
8d68033e JH |
539 | * @return |
540 | * - last received as message_t object | |
541 | * - NULL if no last request available | |
0fdc3c7f | 542 | */ |
8d68033e | 543 | message_t *(*get_last_responded_message) (protected_ike_sa_t *this); |
0fdc3c7f | 544 | |
8d68033e | 545 | /** |
39b2903f | 546 | * @brief Get the last requested message. |
8d68033e JH |
547 | * |
548 | * @param this calling object | |
549 | * @return | |
550 | * - last sent as message_t object | |
551 | * - NULL if no last request available | |
552 | */ | |
553 | message_t *(*get_last_requested_message) (protected_ike_sa_t *this); | |
554 | ||
ae3012a0 | 555 | /** |
39b2903f | 556 | * @brief Resets message counters and does destroy stored received and sent messages. |
ae3012a0 JH |
557 | * |
558 | * @param this calling object | |
559 | */ | |
560 | void (*reset_message_buffers) (protected_ike_sa_t *this); | |
1396815a MW |
561 | |
562 | /** | |
563 | * @brief Set NAT detection status for local host. | |
564 | * | |
565 | * @param this calling object | |
566 | * @param nat if TRUE, local host is behing NAT | |
567 | */ | |
568 | void (*set_my_host_behind_nat) (protected_ike_sa_t *this, bool nat); | |
569 | ||
570 | /** | |
571 | * @brief Set NAT detection status for remote host. | |
572 | * | |
573 | * @param this calling object | |
574 | * @param nat if TRUE, remote host is behing NAT | |
575 | */ | |
576 | void (*set_other_host_behind_nat) (protected_ike_sa_t *this, bool nat); | |
577 | ||
578 | /** | |
579 | * @brief Generate NAT-D payload hash. | |
580 | * | |
581 | * @param this calling object | |
582 | * @param spi_i IKE SPI of initiator | |
583 | * @param spi_r IKE SPI of responder | |
584 | * @param host address and port of the host/interface | |
585 | * @return chunk containing calculated NAT-D hash | |
586 | */ | |
587 | chunk_t (*generate_natd_hash) (protected_ike_sa_t *this, u_int64_t spi_i, u_int64_t spi_r, host_t *host); | |
588 | ||
589 | /** | |
590 | * @brief Dynamically update hosts on the associated connection. | |
591 | * | |
592 | * Warning: me and other host are cloned. | |
593 | * | |
594 | * @param this calling object | |
595 | * @param me local address and port | |
596 | * @param other remote address and port | |
597 | */ | |
598 | status_t (*update_connection_hosts) (protected_ike_sa_t *this, host_t *me, host_t *other); | |
599 | ||
600 | /** | |
601 | * @brief Return the message id of the last DPD message | |
602 | * | |
603 | * @param this calling object | |
604 | * @return the messages id | |
605 | */ | |
606 | u_int32_t (*get_last_dpd_message_id) (protected_ike_sa_t *this); | |
8323a9c1 JH |
607 | }; |
608 | ||
609 | ||
7ba38761 | 610 | /** |
39b2903f JH |
611 | * @brief Creates an ike_sa_t object with a specific ID. |
612 | * | |
613 | * @warning the Content of internal ike_sa_id_t object can change over time | |
614 | * e.g. when a IKE_SA_INIT has been finished. | |
c3dc6f1a | 615 | * |
d048df5c MW |
616 | * @param[in] ike_sa_id ike_sa_id_t object to associate with new IKE_SA. |
617 | * The object is internal getting cloned | |
618 | * and so has to be destroyed by the caller. | |
79b8aa19 | 619 | * @return ike_sa_t object |
df3c59d0 MW |
620 | * |
621 | * @ingroup sa | |
7ba38761 JH |
622 | */ |
623 | ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id); | |
624 | ||
625 | #endif /*IKE_SA_H_*/ |