/*
 * Copyright (C) 2006-2019 Tobias Brunner
 * Copyright (C) 2006 Daniel Roethlisberger
 * Copyright (C) 2005-2009 Martin Willi
 * Copyright (C) 2005 Jan Hutter
 * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */
18 | ||
/**
 * @defgroup ike_sa ike_sa
 * @{ @ingroup sa
 */
23 | ||
#ifndef IKE_SA_H_
#define IKE_SA_H_

/* Forward typedefs are declared before the includes so that the headers
 * included below can refer to these types (in particular ike_sa_t)
 * without a circular dependency on this file. */
typedef enum ike_extension_t ike_extension_t;
typedef enum ike_condition_t ike_condition_t;
typedef enum ike_sa_state_t ike_sa_state_t;
typedef enum statistic_t statistic_t;
typedef struct ike_sa_t ike_sa_t;

#include <library.h>
#include <attributes/attribute_handler.h>
#include <encoding/message.h>
#include <encoding/payloads/proposal_substructure.h>
#include <encoding/payloads/configuration_attribute.h>
#include <sa/ike_sa_id.h>
#include <sa/child_sa.h>
#include <sa/task.h>
#include <sa/task_manager.h>
#include <sa/keymat.h>
#include <config/peer_cfg.h>
#include <config/ike_cfg.h>
#include <credentials/auth_cfg.h>
#include <networking/packet.h>
8323a9c1 | 47 | |
/**
 * Timeout in seconds after which a half-open IKE_SA gets deleted.
 *
 * A half-open IKE_SA is one that has not been fully established yet; this
 * bound limits how long state is kept for a peer that never completes the
 * exchange.
 */
#define HALF_OPEN_IKE_SA_TIMEOUT 30

/**
 * Interval to send keepalives when NATed, in seconds.
 */
#define KEEPALIVE_INTERVAL 20

/**
 * After which time rekeying should be retried if it failed, in seconds.
 */
#define RETRY_INTERVAL 15

/**
 * Jitter to subtract from RETRY_INTERVAL to randomize rekey retry.
 */
#define RETRY_JITTER 10

/**
 * Number of redirects allowed within REDIRECT_LOOP_DETECT_PERIOD.
 *
 * Together with REDIRECT_LOOP_DETECT_PERIOD this caps how often an IKE_SA
 * follows gateway redirects (RFC 5685), so that two or more gateways
 * redirecting to each other cannot keep the client bouncing indefinitely.
 */
#define MAX_REDIRECTS 5

/**
 * Time period in seconds in which at most MAX_REDIRECTS are allowed.
 */
#define REDIRECT_LOOP_DETECT_PERIOD 300
77 | ||
/**
 * Extensions (or optional features) the peer supports.
 *
 * Each value is a single bit, so several extensions can be combined in one
 * flag word; see enable_extension()/supports_extension() on ike_sa_t.
 */
enum ike_extension_t {

	/**
	 * peer supports NAT traversal as specified in RFC4306 or RFC3947
	 * including some RFC3947 drafts
	 */
	EXT_NATT = (1<<0),

	/**
	 * peer supports MOBIKE (RFC4555)
	 */
	EXT_MOBIKE = (1<<1),

	/**
	 * peer supports HTTP cert lookups as specified in RFC4306
	 */
	EXT_HASH_AND_URL = (1<<2),

	/**
	 * peer supports multiple authentication exchanges, RFC4739
	 */
	EXT_MULTIPLE_AUTH = (1<<3),

	/**
	 * peer uses strongSwan, accept private use extensions
	 */
	EXT_STRONGSWAN = (1<<4),

	/**
	 * peer supports EAP-only authentication, draft-eronen-ipsec-ikev2-eap-auth
	 */
	EXT_EAP_ONLY_AUTHENTICATION = (1<<5),

	/**
	 * peer is probably a Windows RAS client
	 */
	EXT_MS_WINDOWS = (1<<6),

	/**
	 * peer supports XAuth authentication, draft-ietf-ipsec-isakmp-xauth-06
	 */
	EXT_XAUTH = (1<<7),

	/**
	 * peer supports DPD detection, RFC 3706 (or IKEv2)
	 */
	EXT_DPD = (1<<8),

	/**
	 * peer supports Cisco Unity configuration attributes
	 */
	EXT_CISCO_UNITY = (1<<9),

	/**
	 * peer supports NAT traversal as specified in
	 * draft-ietf-ipsec-nat-t-ike-02 .. -03
	 */
	EXT_NATT_DRAFT_02_03 = (1<<10),

	/**
	 * peer supports proprietary IKEv1 or standardized IKEv2 fragmentation
	 */
	EXT_IKE_FRAGMENTATION = (1<<11),

	/**
	 * Signature Authentication, RFC 7427
	 */
	EXT_SIGNATURE_AUTH = (1<<12),

	/**
	 * IKEv2 Redirect Mechanism, RFC 5685
	 */
	EXT_IKE_REDIRECTION = (1<<13),

	/**
	 * IKEv2 Message ID sync, RFC 6311
	 */
	EXT_IKE_MESSAGE_ID_SYNC = (1<<14),

	/**
	 * Postquantum Preshared Keys, draft-ietf-ipsecme-qr-ikev2
	 */
	EXT_PPK = (1<<15),

	/**
	 * Responder accepts childless IKE_SAs, RFC 6023
	 */
	EXT_IKE_CHILDLESS = (1<<16),
};
170 | ||
/**
 * Conditions of an IKE_SA, change during its lifetime.
 *
 * Each value is a single bit so that conditions can be combined in one flag
 * word; see set_condition()/has_condition() on ike_sa_t.
 */
enum ike_condition_t {

	/**
	 * Connection is natted (or faked) somewhere
	 */
	COND_NAT_ANY = (1<<0),

	/**
	 * we are behind NAT
	 */
	COND_NAT_HERE = (1<<1),

	/**
	 * other is behind NAT
	 */
	COND_NAT_THERE = (1<<2),

	/**
	 * Faking NAT to enforce UDP encapsulation
	 */
	COND_NAT_FAKE = (1<<3),

	/**
	 * peer has been authenticated using EAP at least once
	 */
	COND_EAP_AUTHENTICATED = (1<<4),

	/**
	 * received a certificate request from the peer
	 */
	COND_CERTREQ_SEEN = (1<<5),

	/**
	 * Local peer is the "original" IKE initiator. Unaffected from rekeying.
	 */
	COND_ORIGINAL_INITIATOR = (1<<6),

	/**
	 * IKE_SA is stale, the peer is currently unreachable (MOBIKE)
	 */
	COND_STALE = (1<<7),

	/**
	 * Initial contact received
	 */
	COND_INIT_CONTACT_SEEN = (1<<8),

	/**
	 * Peer has been authenticated using XAuth
	 */
	COND_XAUTH_AUTHENTICATED = (1<<9),

	/**
	 * This IKE_SA is currently being reauthenticated
	 */
	COND_REAUTHENTICATING = (1<<10),

	/**
	 * This IKE_SA has been redirected
	 */
	COND_REDIRECTED = (1<<11),

	/**
	 * Online certificate revocation checking is suspended for this IKE_SA
	 */
	COND_ONLINE_VALIDATION_SUSPENDED = (1<<12),

	/**
	 * A Postquantum Preshared Key was used when this IKE_SA was created
	 */
	COND_PPK = (1<<13),
};
246 | ||
/**
 * Timing information and statistics to query from an SA.
 *
 * Values are sequential; STAT_MAX is not a statistic but the number of
 * entries, for sizing arrays indexed by statistic_t.
 */
enum statistic_t {
	/** Timestamp of SA establishment */
	STAT_ESTABLISHED = 0,
	/** Timestamp of scheduled rekeying */
	STAT_REKEY,
	/** Timestamp of scheduled reauthentication */
	STAT_REAUTH,
	/** Timestamp of scheduled delete */
	STAT_DELETE,
	/** Timestamp of last inbound IKE packet */
	STAT_INBOUND,
	/** Timestamp of last outbound IKE packet */
	STAT_OUTBOUND,

	/** Number of statistics, not a valid kind */
	STAT_MAX
};
3b138b84 | 266 | |
/**
 * State of an IKE_SA.
 *
 * An IKE_SA passes various states in its lifetime. A newly created
 * SA is in the state CREATED. The diagram below shows the main path
 * (the SA_ labels correspond to the IKE_ values of this enum); the
 * IKE_PASSIVE, IKE_REKEYED and IKE_DESTROYING states are not drawn.
 * @verbatim
                 +----------------+
                 ¦   SA_CREATED   ¦
                 +----------------+
                         ¦
    on initiate()--->    ¦   <----- on IKE_SA_INIT received
                         V
                 +----------------+
                 ¦ SA_CONNECTING  ¦
                 +----------------+
                         ¦
                         ¦   <----- on IKE_AUTH successfully completed
                         V
                 +----------------+
                 ¦ SA_ESTABLISHED ¦-------------------------+ <-- on rekeying
                 +----------------+                         ¦
                         ¦                                  V
    on delete()--->      ¦   <----- on IKE_SA        +-------------+
                         ¦          delete request   ¦ SA_REKEYING ¦
                         ¦          received         +-------------+
                         V                                  ¦
                 +----------------+                         ¦
                 ¦  SA_DELETING   ¦<------------------------+ <-- after rekeying
                 +----------------+
                         ¦
                         ¦   <----- after delete() acknowledged
                         ¦
                        \V/
                         X
                        / \
 * @endverbatim
 */
enum ike_sa_state_t {

	/**
	 * IKE_SA just got created, but is not initiating nor responding yet.
	 */
	IKE_CREATED,

	/**
	 * IKE_SA gets initiated actively or passively
	 */
	IKE_CONNECTING,

	/**
	 * IKE_SA is fully established
	 */
	IKE_ESTABLISHED,

	/**
	 * IKE_SA is managed externally and does not process messages
	 */
	IKE_PASSIVE,

	/**
	 * IKE_SA rekeying in progress
	 */
	IKE_REKEYING,

	/**
	 * IKE_SA has been rekeyed (or is redundant)
	 */
	IKE_REKEYED,

	/**
	 * IKE_SA is in progress of deletion
	 */
	IKE_DELETING,

	/**
	 * IKE_SA object gets destroyed
	 */
	IKE_DESTROYING,
};
346 | ||
/**
 * enum names for ike_sa_state_t, for logging and diagnostics.
 */
extern enum_name_t *ike_sa_state_names;
7ba38761 JH |
351 | |
/**
 * Class ike_sa_t representing an IKE_SA.
 *
 * An IKE_SA contains crypto information related to a connection
 * with a peer. It contains multiple IPsec CHILD_SAs, for which
 * it is responsible. All traffic is handled by an IKE_SA, using
 * the task manager and its tasks.
 */
5796aa16 | 360 | struct ike_sa_t { |
7ba38761 JH |
361 | |
	/**
	 * Get the id of the SA.
	 *
	 * The returned ike_sa_id_t is not cloned; it stays owned by the IKE_SA,
	 * so the caller must neither destroy it nor keep it beyond the SA's
	 * lifetime.
	 *
	 * @return ike_sa's ike_sa_id_t
	 */
	ike_sa_id_t* (*get_id) (ike_sa_t *this);
7daf5226 | 370 | |
0b611540 TB |
	/**
	 * Get the IKE version (IKEv1 or IKEv2) of the SA.
	 *
	 * @return IKE version
	 */
	ike_version_t (*get_version)(ike_sa_t *this);
375 | ||
	/**
	 * Get the numerical ID uniquely defining this IKE_SA.
	 *
	 * @return unique ID
	 */
	uint32_t (*get_unique_id) (ike_sa_t *this);
7daf5226 | 382 | |
	/**
	 * Get the state of the IKE_SA.
	 *
	 * @return state of the IKE_SA, see ike_sa_state_t
	 */
	ike_sa_state_t (*get_state) (ike_sa_t *this);
7daf5226 | 389 | |
	/**
	 * Set the state of the IKE_SA.
	 *
	 * See ike_sa_state_t for the transitions an IKE_SA goes through.
	 *
	 * @param state state to set for the IKE_SA
	 */
	void (*set_state) (ike_sa_t *this, ike_sa_state_t state);
7daf5226 | 396 | |
	/**
	 * Get the name of the connection this IKE_SA uses.
	 *
	 * NOTE(review): the returned string is presumably owned by the IKE_SA
	 * (or its config) rather than a copy — confirm before freeing or
	 * retaining it.
	 *
	 * @return name
	 */
	char* (*get_name) (ike_sa_t *this);
7daf5226 | 403 | |
	/**
	 * Get statistic values from the IKE_SA.
	 *
	 * @param kind kind of requested value, see statistic_t (not STAT_MAX)
	 * @return value as integer (a timestamp for the STAT_* kinds above)
	 */
	uint32_t (*get_statistic)(ike_sa_t *this, statistic_t kind);
7daf5226 | 411 | |
44ff1153 TB |
	/**
	 * Set statistic value of the IKE_SA.
	 *
	 * @param kind kind of value to update, see statistic_t (not STAT_MAX)
	 * @param value value as integer
	 */
	void (*set_statistic)(ike_sa_t *this, statistic_t kind, uint32_t value);
44ff1153 | 419 | |
	/**
	 * Get the own host address.
	 *
	 * @return host address
	 */
	host_t* (*get_my_host) (ike_sa_t *this);
7daf5226 | 426 | |
	/**
	 * Set the own host address.
	 *
	 * @param me host address
	 */
	void (*set_my_host) (ike_sa_t *this, host_t *me);
7daf5226 | 433 | |
	/**
	 * Get the other peer's host address.
	 *
	 * @return host address
	 */
	host_t* (*get_other_host) (ike_sa_t *this);
7daf5226 | 440 | |
	/**
	 * Set the other peer's host address.
	 *
	 * @param other host address
	 */
	void (*set_other_host) (ike_sa_t *this, host_t *other);
7daf5226 | 447 | |
277f02ce TB |
	/**
	 * Float to port 4500 (e.g. if a NAT is detected).
	 *
	 * The port of either endpoint is changed only if it is currently
	 * set to the default value of 500; endpoints already on another port
	 * are left untouched.
	 */
	void (*float_ports)(ike_sa_t *this);
455 | ||
	/**
	 * Update the IKE_SA's hosts.
	 *
	 * Either host may be NULL to keep the current host for that side.
	 *
	 * @param me new local host address, or NULL
	 * @param other new remote host address, or NULL
	 * @param force force update
	 */
	void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other, bool force);
7daf5226 | 466 | |
	/**
	 * Get the own identification.
	 *
	 * @return identification
	 */
	identification_t* (*get_my_id) (ike_sa_t *this);
7daf5226 | 473 | |
	/**
	 * Set the own identification.
	 *
	 * @param me identification
	 */
	void (*set_my_id) (ike_sa_t *this, identification_t *me);
7daf5226 | 480 | |
	/**
	 * Get the other peer's identification.
	 *
	 * @return identification
	 */
	identification_t* (*get_other_id) (ike_sa_t *this);
7daf5226 | 487 | |
045833c7 MW |
	/**
	 * Get the other peer's identity, but prefer an EAP-Identity.
	 *
	 * Callers that make decisions based on the peer's identity should be
	 * aware that this returns the EAP identity whenever one is available,
	 * and the IKEv2 identity only otherwise.
	 *
	 * @return EAP or IKEv2 identity
	 */
	identification_t* (*get_other_eap_id)(ike_sa_t *this);
494 | ||
	/**
	 * Set the other peer's identification.
	 *
	 * @param other identification
	 */
	void (*set_other_id) (ike_sa_t *this, identification_t *other);
7daf5226 | 501 | |
	/**
	 * Get the config used to setup this IKE_SA.
	 *
	 * @return ike_config
	 */
	ike_cfg_t* (*get_ike_cfg) (ike_sa_t *this);
7daf5226 | 508 | |
	/**
	 * Set the config to setup this IKE_SA.
	 *
	 * @param config ike_config to use
	 */
	void (*set_ike_cfg) (ike_sa_t *this, ike_cfg_t* config);
c60c7694 MW |
515 | |
	/**
	 * Get the peer config used by this IKE_SA.
	 *
	 * @return peer_config
	 */
	peer_cfg_t* (*get_peer_cfg) (ike_sa_t *this);
7daf5226 | 522 | |
	/**
	 * Set the peer config to use with this IKE_SA.
	 *
	 * @param config peer_config to use
	 */
	void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config);
7daf5226 | 529 | |
	/**
	 * Get the authentication config with rules of the current auth round.
	 *
	 * @param local TRUE for local rules, FALSE for remote constraints
	 * @return current cfg
	 */
	auth_cfg_t* (*get_auth_cfg)(ike_sa_t *this, bool local);
7daf5226 | 537 | |
44ce7493 MW |
	/**
	 * Insert a completed authentication round.
	 *
	 * @param local TRUE for own rules, FALSE for the other peer's constraints
	 * @param cfg auth config to append
	 */
	void (*add_auth_cfg)(ike_sa_t *this, bool local, auth_cfg_t *cfg);
545 | ||
	/**
	 * Create an enumerator over added authentication rounds.
	 *
	 * @param local TRUE for own rules, FALSE for the other peer's constraints
	 * @return enumerator over auth_cfg_t
	 */
	enumerator_t* (*create_auth_cfg_enumerator)(ike_sa_t *this, bool local);
553 | ||
1b9c1ae0 TB |
	/**
	 * Verify the trustchains (validity, revocation) in completed public key
	 * auth rounds.
	 *
	 * NOTE(review): presumably used to complete the online checks that were
	 * deferred while COND_ONLINE_VALIDATION_SUSPENDED was set — confirm
	 * against the implementation.
	 *
	 * @return TRUE if certificates were valid, FALSE otherwise
	 */
	bool (*verify_peer_certificate)(ike_sa_t *this);
561 | ||
5dffdea1 MW |
	/**
	 * Get the selected proposal of this IKE_SA.
	 *
	 * @return selected proposal
	 */
	proposal_t* (*get_proposal)(ike_sa_t *this);
7daf5226 | 568 | |
5dffdea1 MW |
	/**
	 * Set the proposal selected for this IKE_SA.
	 *
	 * @param proposal selected proposal
	 */
	void (*set_proposal)(ike_sa_t *this, proposal_t *proposal);
7daf5226 | 575 | |
	/**
	 * Set the message ID of the IKE_SA.
	 *
	 * The IKE_SA stores two message IDs, one for initiating exchanges (send)
	 * and one to respond to exchanges (expect).
	 *
	 * @param initiate TRUE to set message ID for initiating, FALSE for the
	 *                 ID expected in the peer's next request
	 * @param mid message id to set
	 */
	void (*set_message_id)(ike_sa_t *this, bool initiate, uint32_t mid);
7daf5226 | 586 | |
347c403c TB |
	/**
	 * Get the message ID of the IKE_SA.
	 *
	 * The IKE_SA stores two message IDs, one for initiating exchanges (send)
	 * and one to respond to exchanges (expect).
	 *
	 * @param initiate TRUE to get message ID for initiating, FALSE for the
	 *                 ID expected in the peer's next request
	 * @return current message ID
	 */
	uint32_t (*get_message_id)(ike_sa_t *this, bool initiate);
597 | ||
552cc11b MW |
	/**
	 * Add an additional address for the peer.
	 *
	 * In MOBIKE, a peer may transmit additional addresses where it is
	 * reachable. These are stored in the IKE_SA.
	 * The own list of addresses is not stored, they are queried from
	 * the kernel when required.
	 *
	 * @param host host to add to list
	 */
	void (*add_peer_address)(ike_sa_t *this, host_t *host);
7daf5226 | 609 | |
	/**
	 * Create an enumerator over all known addresses of the peer.
	 *
	 * @return enumerator over addresses (host_t*)
	 */
	enumerator_t* (*create_peer_address_enumerator)(ike_sa_t *this);
572abc6c TB |
616 | |
	/**
	 * Remove all known addresses of the peer.
	 */
	void (*clear_peer_addresses)(ike_sa_t *this);
7daf5226 | 621 | |
9d9a772e MW |
	/**
	 * Check if mappings have changed on a NAT for our source address.
	 *
	 * @param hash received DESTINATION_IP hash
	 * @return TRUE if mappings have changed
	 */
	bool (*has_mapping_changed)(ike_sa_t *this, chunk_t hash);
7daf5226 | 629 | |
	/**
	 * Enable an extension the peer supports.
	 *
	 * If support for an IKE extension is detected, this method is called
	 * to enable that extension and behave accordingly.
	 *
	 * @param extension extension to enable, see ike_extension_t
	 */
	void (*enable_extension)(ike_sa_t *this, ike_extension_t extension);
7daf5226 | 639 | |
	/**
	 * Check if the peer supports an extension.
	 *
	 * @param extension extension to check for support, see ike_extension_t
	 * @return TRUE if peer supports it, FALSE otherwise
	 */
	bool (*supports_extension)(ike_sa_t *this, ike_extension_t extension);
7daf5226 | 647 | |
	/**
	 * Enable/disable a condition flag for this IKE_SA.
	 *
	 * @param condition condition to enable/disable, see ike_condition_t
	 * @param enable TRUE to enable condition, FALSE to disable
	 */
	void (*set_condition) (ike_sa_t *this, ike_condition_t condition, bool enable);
655 | ||
	/**
	 * Check if a condition flag is set.
	 *
	 * @param condition condition to check, see ike_condition_t
	 * @return TRUE if condition flag set, FALSE otherwise
	 */
	bool (*has_condition) (ike_sa_t *this, ike_condition_t condition);
7daf5226 | 663 | |
#ifdef ME
	/* Mediation extension (ME) API, only compiled in when ME is defined. */

	/**
	 * Activate mediation server functionality for this IKE_SA.
	 */
	void (*act_as_mediation_server) (ike_sa_t *this);

	/**
	 * Get the server reflexive host.
	 *
	 * @return server reflexive host
	 */
	host_t* (*get_server_reflexive_host) (ike_sa_t *this);

	/**
	 * Set the server reflexive host.
	 *
	 * @param host server reflexive host
	 */
	void (*set_server_reflexive_host) (ike_sa_t *this, host_t *host);

	/**
	 * Get the connect ID.
	 *
	 * @return connect ID
	 */
	chunk_t (*get_connect_id) (ike_sa_t *this);

	/**
	 * Initiate the mediation of a mediated connection (i.e. initiate a
	 * ME_CONNECT exchange to a mediation server).
	 *
	 * @param mediated_cfg peer_cfg of the mediated connection
	 * @return
	 *               - SUCCESS if initialization started
	 *               - DESTROY_ME if initialization failed
	 */
	status_t (*initiate_mediation) (ike_sa_t *this, peer_cfg_t *mediated_cfg);

	/**
	 * Initiate the mediated connection.
	 *
	 * All arguments are cloned; the caller keeps ownership of what it passed.
	 *
	 * @param me local endpoint (gets cloned)
	 * @param other remote endpoint (gets cloned)
	 * @param connect_id connect ID (gets cloned)
	 * @return
	 *               - SUCCESS if initialization started
	 *               - DESTROY_ME if initialization failed
	 */
	status_t (*initiate_mediated) (ike_sa_t *this, host_t *me, host_t *other,
								   chunk_t connect_id);

	/**
	 * Relay data from one peer to another (i.e. initiate a ME_CONNECT exchange
	 * to a peer).
	 *
	 * Data is cloned; the caller keeps ownership of what it passed.
	 *
	 * @param requester ID of the requesting peer
	 * @param connect_id data of the ME_CONNECTID payload
	 * @param connect_key data of the ME_CONNECTKEY payload
	 * @param endpoints endpoints
	 * @param response TRUE if this is a response
	 * @return
	 *               - SUCCESS if relay started
	 *               - DESTROY_ME if relay failed
	 */
	status_t (*relay) (ike_sa_t *this, identification_t *requester,
					   chunk_t connect_id, chunk_t connect_key,
					   linked_list_t *endpoints, bool response);

	/**
	 * Send a callback to a peer.
	 *
	 * Data is cloned; the caller keeps ownership of what it passed.
	 *
	 * @param peer_id ID of the other peer
	 * @return
	 *               - SUCCESS if response started
	 *               - DESTROY_ME if response failed
	 */
	status_t (*callback) (ike_sa_t *this, identification_t *peer_id);

	/**
	 * Respond to a ME_CONNECT request.
	 *
	 * Data is cloned; the caller keeps ownership of what it passed.
	 *
	 * @param peer_id ID of the other peer
	 * @param connect_id the connect ID supplied by the initiator
	 * @return
	 *               - SUCCESS if response started
	 *               - DESTROY_ME if response failed
	 */
	status_t (*respond) (ike_sa_t *this, identification_t *peer_id,
						 chunk_t connect_id);
#endif /* ME */
7daf5226 | 760 | |
	/**
	 * Initiate a new connection.
	 *
	 * The configs are owned by the IKE_SA after the call. If the initiate
	 * is triggered by a packet, traffic selectors of the packet can be added
	 * to the CHILD_SA.
	 *
	 * @param child_cfg child config to create CHILD from (ownership passes
	 *                  to the IKE_SA)
	 * @param reqid reqid to use for CHILD_SA, 0 to assign a unique one
	 * @param tsi source of triggering packet
	 * @param tsr destination of triggering packet
	 * @return
	 *               - SUCCESS if initialization started
	 *               - DESTROY_ME if initialization failed
	 */
	status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg,
						  uint32_t reqid, traffic_selector_t *tsi,
						  traffic_selector_t *tsr);
7daf5226 | 779 | |
77e42826 TB |
	/**
	 * Retry initiation of this IKE_SA after it got deferred previously.
	 *
	 * @return
	 *               - SUCCESS if initiation deferred or started
	 *               - DESTROY_ME if initiation failed
	 */
	status_t (*retry_initiate) (ike_sa_t *this);
788 | ||
	/**
	 * Initiates the deletion of an IKE_SA.
	 *
	 * Sends a delete message to the remote peer and waits for
	 * its response. If the response comes in, or a timeout occurs,
	 * the IKE_SA gets destroyed, unless force is TRUE, in which case the
	 * IKE_SA is destroyed immediately without waiting for a response.
	 *
	 * @param force whether to immediately destroy the IKE_SA afterwards
	 *              without waiting for a response
	 * @return
	 *               - SUCCESS if deletion is initialized
	 *               - DESTROY_ME, if destroying is forced, or the IKE_SA
	 *                 is not in an established state and can not be
	 *                 deleted (but destroyed)
	 */
	status_t (*delete) (ike_sa_t *this, bool force);
7daf5226 | 806 | |
	/**
	 * Update IKE_SAs after network interfaces have changed.
	 *
	 * Whenever the network interface configuration changes, the kernel
	 * interface calls roam() on each IKE_SA. The IKE_SA then checks if
	 * the new network config requires changes, and handles them
	 * appropriately. If MOBIKE is supported, addresses are updated; if not,
	 * the tunnel is restarted.
	 *
	 * @param address TRUE if address list changed, FALSE otherwise
	 * @return SUCCESS, FAILED, DESTROY_ME
	 */
	status_t (*roam)(ike_sa_t *this, bool address);
7daf5226 | 820 | |
	/**
	 * Processes an incoming IKE message.
	 *
	 * Message processing may fail. If a critical failure occurs,
	 * process_message() returns DESTROY_ME. Then the caller must
	 * destroy the IKE_SA immediately, as it is unusable.
	 *
	 * @param message message to process
	 * @return
	 *               - SUCCESS
	 *               - FAILED
	 *               - DESTROY_ME if this IKE_SA MUST be deleted
	 */
	status_t (*process_message)(ike_sa_t *this, message_t *message);
7daf5226 | 835 | |
	/**
	 * Generate an IKE message to send it to the peer.
	 *
	 * This method generates all payloads in the message and encrypts/signs
	 * the packet.
	 *
	 * @param message message to generate
	 * @param packet generated output packet
	 * @return
	 *               - SUCCESS
	 *               - FAILED
	 *               - DESTROY_ME if this IKE_SA MUST be deleted
	 */
	status_t (*generate_message)(ike_sa_t *this, message_t *message,
								 packet_t **packet);
851 | ||
	/**
	 * Generate an IKE message to send it to the peer. If enabled and supported
	 * it will be fragmented.
	 *
	 * This method generates all payloads in the message and encrypts/signs
	 * the packet/fragments.
	 *
	 * @param message message to generate
	 * @param packets enumerator of generated packet_t* (the packets are not
	 *                destroyed with the enumerator; the caller owns them)
	 * @return
	 *               - SUCCESS
	 *               - FAILED
	 *               - DESTROY_ME if this IKE_SA MUST be deleted
	 */
	status_t (*generate_message_fragmented)(ike_sa_t *this, message_t *message,
											enumerator_t **packets);
7daf5226 | 869 | |
	/**
	 * Retransmits a request.
	 *
	 * @param message_id	ID of the request to retransmit
	 * @return
	 *						- SUCCESS
	 *						- NOT_FOUND if the request doesn't have to be
	 *						  retransmitted (e.g. no such outstanding request)
	 */
	status_t (*retransmit) (ike_sa_t *this, uint32_t message_id);
7daf5226 | 879 | |
	/**
	 * Sends a DPD (dead peer detection) request to the peer.
	 *
	 * To check if a peer is still alive, periodic empty INFORMATIONAL
	 * messages are sent if no other traffic was received.
	 *
	 * @return
	 *						- SUCCESS
	 *						- DESTROY_ME, if peer did not respond
	 */
	status_t (*send_dpd) (ike_sa_t *this);
7daf5226 | 892 | |
	/**
	 * Sends a keep alive packet.
	 *
	 * To refresh NAT tables in a NAT router between the peers, periodic empty
	 * UDP packets are sent if no other traffic was sent. These packets carry
	 * no IKE payload and are not a liveness check (see send_dpd()).
	 *
	 * @param scheduled		TRUE if this is a scheduled keepalive, FALSE if
	 *						triggered by other means
	 */
	void (*send_keepalive) (ike_sa_t *this, bool scheduled);
7daf5226 | 902 | |
	/**
	 * Redirect an active IKE_SA to another gateway.
	 *
	 * @param gateway		gateway ID (IP or FQDN) of the target
	 * @return				state, including DESTROY_ME, if this IKE_SA MUST be
	 *						destroyed
	 */
	status_t (*redirect)(ike_sa_t *this, identification_t *gateway);
911 | ||
	/**
	 * Handle a redirect request received from the peer.
	 *
	 * The behavior is different depending on the state of the IKE_SA.
	 *
	 * NOTE(review): a redirect is a peer-controlled instruction to move the
	 * connection to another gateway. This header does not specify in which
	 * states the request is honored or how the target is validated — confirm
	 * in the implementation that unauthenticated peers cannot steer the SA.
	 *
	 * @param gateway		gateway ID (IP or FQDN) of the target
	 * @return				FALSE if redirect not possible, TRUE otherwise
	 */
	bool (*handle_redirect)(ike_sa_t *this, identification_t *gateway);
921 | ||
	/**
	 * Get the address of the gateway that redirected us.
	 *
	 * @return				original gateway address. NOTE(review): the value
	 *						when this IKE_SA was never redirected is not
	 *						documented here — presumably NULL; callers should
	 *						check before dereferencing.
	 */
	host_t *(*get_redirected_from)(ike_sa_t *this);
928 | ||
	/**
	 * Get the keying material of this IKE_SA.
	 *
	 * The returned object holds the SA's secret key material; avoid logging
	 * or copying it beyond what the crypto path requires.
	 *
	 * @return				per IKE_SA keymat instance (not a copy; presumably
	 *						owned by the IKE_SA — do not destroy it)
	 */
	keymat_t* (*get_keymat)(ike_sa_t *this);
7daf5226 | 935 | |
	/**
	 * Associates a child SA to this IKE SA.
	 *
	 * @param child_sa		child_sa to add. NOTE(review): ownership transfer
	 *						is not documented here; the CHILD_SA is presumably
	 *						owned by the IKE_SA from now on — confirm.
	 */
	void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa);
7daf5226 | 942 | |
	/**
	 * Get a CHILD_SA identified by protocol and SPI.
	 *
	 * @param protocol		protocol of the SA
	 * @param spi			SPI of the CHILD_SA
	 * @param inbound		TRUE if SPI is inbound, FALSE if outbound
	 * @return				child_sa, or NULL if none found (not a copy)
	 */
	child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol,
								 uint32_t spi, bool inbound);
7daf5226 | 953 | |
	/**
	 * Get the number of CHILD_SAs associated with this IKE_SA.
	 *
	 * @return				number of CHILD_SAs
	 */
	int (*get_child_count) (ike_sa_t *this);
960 | ||
	/**
	 * Create an enumerator over all CHILD_SAs.
	 *
	 * @return				enumerator over child_sa_t*; the caller destroys
	 *						the enumerator
	 */
	enumerator_t* (*create_child_sa_enumerator) (ike_sa_t *this);
967 | ||
	/**
	 * Remove the CHILD_SA the given enumerator points to from this IKE_SA.
	 *
	 * NOTE(review): whether the removed CHILD_SA is destroyed or handed back
	 * to the caller is not documented here — confirm in the implementation.
	 *
	 * @param enumerator	enumerator pointing to CHILD_SA, created with
	 *						create_child_sa_enumerator()
	 */
	void (*remove_child_sa) (ike_sa_t *this, enumerator_t *enumerator);
7daf5226 | 974 | |
	/**
	 * Rekey the CHILD SA with the specified protocol/SPI.
	 *
	 * Looks for a CHILD SA owned by this IKE_SA, and starts the rekeying.
	 *
	 * @param protocol		protocol of the SA
	 * @param spi			inbound SPI of the CHILD_SA
	 * @return
	 *						- NOT_FOUND, if IKE_SA has no such CHILD_SA
	 *						- SUCCESS, if rekeying initiated
	 */
	status_t (*rekey_child_sa) (ike_sa_t *this, protocol_id_t protocol, uint32_t spi);
698d7749 | 987 | |
	/**
	 * Close the CHILD SA with the specified protocol/SPI.
	 *
	 * Looks for a CHILD SA owned by this IKE_SA, deletes it and notifies the
	 * remote peer about the delete. The associated states and policies in the
	 * kernel get deleted, if they exist.
	 *
	 * @param protocol		protocol of the SA
	 * @param spi			inbound SPI of the CHILD_SA
	 * @param expired		TRUE if CHILD_SA is expired
	 * @return
	 *						- NOT_FOUND, if IKE_SA has no such CHILD_SA
	 *						- SUCCESS, if delete message sent
	 */
	status_t (*delete_child_sa)(ike_sa_t *this, protocol_id_t protocol,
								uint32_t spi, bool expired);
698d7749 | 1004 | |
	/**
	 * Destroy a CHILD SA with the specified protocol/SPI.
	 *
	 * Looks for a CHILD SA owned by this IKE_SA and destroys it. Unlike
	 * delete_child_sa(), no notification to the peer is documented here.
	 *
	 * @param protocol		protocol of the SA
	 * @param spi			inbound SPI of the CHILD_SA
	 * @return
	 *						- NOT_FOUND, if IKE_SA has no such CHILD_SA
	 *						- SUCCESS
	 */
	status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, uint32_t spi);
fe04e93a | 1017 | |
	/**
	 * Rekey the IKE_SA.
	 *
	 * Sets up a new IKE_SA, moves all CHILD_SAs to it and deletes this IKE_SA.
	 *
	 * @return				- SUCCESS, if IKE_SA rekeying initiated
	 */
	status_t (*rekey) (ike_sa_t *this);
1026 | ||
	/**
	 * Reauthenticate the IKE_SA.
	 *
	 * Triggers a new IKE_SA that replaces this one. IKEv1 implicitly inherits
	 * all Quick Modes, while IKEv2 recreates all active and queued CHILD_SAs
	 * in the new IKE_SA. In contrast to rekey(), the peers authenticate again
	 * rather than only deriving fresh keys.
	 *
	 * @return				DESTROY_ME to destroy the IKE_SA
	 */
	status_t (*reauth) (ike_sa_t *this);
1037 | ||
	/**
	 * Reestablish the IKE_SA.
	 *
	 * Reestablish an IKE_SA after it has been closed.
	 *
	 * @return				DESTROY_ME to destroy the IKE_SA
	 */
	status_t (*reestablish) (ike_sa_t *this);
7daf5226 | 1046 | |
	/**
	 * Set the lifetime limit received/to send in a AUTH_LIFETIME notify.
	 *
	 * If the IKE_SA is already ESTABLISHED, an INFORMATIONAL is sent with
	 * an AUTH_LIFETIME notify. The call never fails on unestablished SAs.
	 *
	 * NOTE(review): when the value was received from the peer it is
	 * peer-controlled; whether lower/upper bounds are enforced before it is
	 * applied is not visible here — confirm in the implementation.
	 *
	 * @param lifetime		lifetime in seconds
	 * @return				DESTROY_ME to destroy the IKE_SA
	 */
	status_t (*set_auth_lifetime)(ike_sa_t *this, uint32_t lifetime);
7daf5226 | 1057 | |
	/**
	 * Add a virtual IP to use for this IKE_SA and its children.
	 *
	 * The virtual IP is assigned per IKE_SA, not per CHILD_SA. It has the same
	 * lifetime as the IKE_SA.
	 *
	 * @param local			TRUE to set local address, FALSE for remote
	 * @param ip			IP to set as virtual IP (NOTE(review): whether the
	 *						host_t is cloned or adopted is not documented here)
	 */
	void (*add_virtual_ip) (ike_sa_t *this, bool local, host_t *ip);
7daf5226 | 1068 | |
	/**
	 * Clear all virtual IPs stored on this IKE_SA.
	 *
	 * @param local			TRUE to clear local addresses, FALSE for remote
	 */
	void (*clear_virtual_ips) (ike_sa_t *this, bool local);
1075 | ||
	/**
	 * Get interface ID to use as default for children of this IKE_SA.
	 *
	 * @param inbound		TRUE for inbound interface ID, FALSE for outbound
	 * @return				interface ID
	 */
	uint32_t (*get_if_id)(ike_sa_t *this, bool inbound);
1083 | ||
	/**
	 * Create an enumerator over virtual IPs.
	 *
	 * @param local			TRUE to get local virtual IPs, FALSE for remote
	 * @return				enumerator over host_t*; the caller destroys the
	 *						enumerator
	 */
	enumerator_t* (*create_virtual_ip_enumerator) (ike_sa_t *this, bool local);
7daf5226 | 1091 | |
	/**
	 * Register a configuration attribute to the IKE_SA.
	 *
	 * If an IRAS sends a configuration attribute it is installed and
	 * registered at the IKE_SA. Attributes are inherit()ed and get released
	 * when the IKE_SA is closed.
	 *
	 * Unhandled attributes are passed as well, but with a NULL handler. They
	 * do not get released.
	 *
	 * Attribute data comes from the remote IRAS and is untrusted; handlers
	 * are expected to validate type/length before acting on it
	 * (NOTE(review): not enforced by this interface).
	 *
	 * @param handler		handler that installed the attribute, used for
	 *						release(); NULL for unhandled attributes
	 * @param type			configuration attribute type
	 * @param data			associated attribute data
	 */
	void (*add_configuration_attribute)(ike_sa_t *this,
							attribute_handler_t *handler,
							configuration_attribute_type_t type, chunk_t data);
7daf5226 | 1109 | |
	/**
	 * Create an enumerator over received configuration attributes.
	 *
	 * The resulting enumerator is over the configuration_attribute_type_t type,
	 * a value chunk_t followed by a bool flag. The boolean flag indicates if
	 * the attribute has been handled by an attribute handler (i.e. whether it
	 * was registered with a non-NULL handler).
	 *
	 * @return				enumerator over type, value and the "handled" flag;
	 *						the caller destroys the enumerator
	 */
	enumerator_t* (*create_attribute_enumerator)(ike_sa_t *this);
1120 | ||
	/**
	 * Set local and remote host addresses to be used for IKE.
	 *
	 * These addresses are communicated via the KMADDRESS field of a MIGRATE
	 * message sent via the NETLINK or PF_KEY kernel socket interface.
	 *
	 * @param local			local kmaddress
	 * @param remote		remote kmaddress
	 */
	void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote);
7daf5226 | 1131 | |
	/**
	 * Create enumerator over a task queue of this IKE_SA.
	 *
	 * @param queue			type of queue to enumerate
	 * @return				enumerator over task_t*; the caller destroys the
	 *						enumerator
	 */
	enumerator_t* (*create_task_enumerator)(ike_sa_t *this, task_queue_t queue);
1139 | ||
	/**
	 * Remove the task the given enumerator points to.
	 *
	 * @note This should be used with caution, in particular for tasks in the
	 * active and passive queues, which may be in the middle of an exchange.
	 *
	 * @param enumerator	enumerator created with create_task_enumerator()
	 */
	void (*remove_task)(ike_sa_t *this, enumerator_t *enumerator);
1149 | ||
	/**
	 * Flush a task queue, cancelling all tasks in it.
	 *
	 * @param queue			queue type to flush
	 */
	void (*flush_queue)(ike_sa_t *this, task_queue_t queue);
1156 | ||
	/**
	 * Queue a task for initiation to the task manager.
	 *
	 * @param task			task to queue (presumably adopted by the task
	 *						manager — ownership is not documented here)
	 */
	void (*queue_task)(ike_sa_t *this, task_t *task);
1163 | ||
	/**
	 * Queue a task in the manager, but delay its initiation for at least the
	 * given number of seconds.
	 *
	 * @param task			task to queue
	 * @param delay			minimum delay in seconds before initiating the task
	 */
	void (*queue_task_delayed)(ike_sa_t *this, task_t *task, uint32_t delay);
1172 | ||
	/**
	 * Adopt child-creating tasks from the given IKE_SA.
	 *
	 * @param other			other IKE_SA to adopt tasks from
	 */
	void (*adopt_child_tasks)(ike_sa_t *this, ike_sa_t *other);
1179 | ||
	/**
	 * Inherit required attributes to new SA before rekeying.
	 *
	 * Some properties of the SA must be applied before starting IKE_SA
	 * rekeying, such as the configuration or supported extensions. The
	 * remaining state is moved with inherit_post() once rekeying completed.
	 *
	 * @param other			other IKE_SA to inherit from
	 */
	void (*inherit_pre)(ike_sa_t *this, ike_sa_t *other);
1189 | ||
	/**
	 * Inherit all attributes of other to this after rekeying.
	 *
	 * When rekeying is completed, all CHILD_SAs, the virtual IPs and all
	 * outstanding tasks are moved from other to this.
	 *
	 * @param other			other IKE SA to inherit from
	 */
	void (*inherit_post) (ike_sa_t *this, ike_sa_t *other);
7daf5226 | 1199 | |
	/**
	 * Reset the IKE_SA, usable when initiating fails.
	 *
	 * @param new_spi		TRUE to allocate a new initiator SPI, FALSE to
	 *						keep the current one
	 */
	void (*reset) (ike_sa_t *this, bool new_spi);
7daf5226 | 1206 | |
	/**
	 * Destroys a ike_sa_t object and releases the resources it owns.
	 */
	void (*destroy) (ike_sa_t *this);
8323a9c1 JH |
1211 | }; |
1212 | ||
/**
 * Creates an ike_sa_t object with a specific ID and IKE version.
 *
 * @param ike_sa_id		ike_sa_id_t to associate with new IKE_SA/ISAKMP_SA
 * @param initiator		TRUE to create this IKE_SA as initiator
 * @param version		IKE version of this SA
 * @return				ike_sa_t object. NOTE(review): whether NULL can be
 *						returned on failure is not documented here — confirm.
 */
ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
						ike_version_t version);
7ba38761 | 1223 | |
1490ff4d | 1224 | #endif /** IKE_SA_H_ @}*/ |