7ba38761 | 1 | /* |
dec3c184 | 2 | * Copyright (C) 2006-2019 Tobias Brunner |
d5cc1758 | 3 | * Copyright (C) 2006 Daniel Roethlisberger |
a44bb934 | 4 | * Copyright (C) 2005-2009 Martin Willi |
c71d53ba | 5 | * Copyright (C) 2005 Jan Hutter |
208678e6 | 6 | * HSR Hochschule fuer Technik Rapperswil |
7ba38761 JH |
7 | * |
8 | * This program is free software; you can redistribute it and/or modify it | |
9 | * under the terms of the GNU General Public License as published by the | |
10 | * Free Software Foundation; either version 2 of the License, or (at your | |
11 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, but | |
14 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
15 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
16 | * for more details. | |
552cc11b MW |
17 | */ |
18 | ||
19 | /** | |
20 | * @defgroup ike_sa ike_sa | |
21 | * @{ @ingroup sa | |
7ba38761 JH |
22 | */ |
23 | ||
24 | #ifndef IKE_SA_H_ | |
25 | #define IKE_SA_H_ | |
26 | ||
/* Forward typedefs for the types defined further down in this file. They are
 * declared before the includes below so that those headers can refer to the
 * type names (presumably; the include order suggests it). */
typedef enum ike_extension_t ike_extension_t;
typedef enum ike_condition_t ike_condition_t;
typedef enum ike_sa_state_t ike_sa_state_t;
typedef enum statistic_t statistic_t;
typedef struct ike_sa_t ike_sa_t;
32 | ||
db7ef624 | 33 | #include <library.h> |
58f86d0f | 34 | #include <attributes/attribute_handler.h> |
4a962238 | 35 | #include <encoding/message.h> |
b9d9f188 | 36 | #include <encoding/payloads/proposal_substructure.h> |
7f56b494 | 37 | #include <encoding/payloads/configuration_attribute.h> |
96f79ff1 | 38 | #include <sa/ike_sa_id.h> |
30b5b412 | 39 | #include <sa/child_sa.h> |
15a682f4 | 40 | #include <sa/task.h> |
ea340ee8 | 41 | #include <sa/task_manager.h> |
6a4ff35c | 42 | #include <sa/keymat.h> |
e0fe7651 MW |
43 | #include <config/peer_cfg.h> |
44 | #include <config/ike_cfg.h> | |
2ccc02a4 | 45 | #include <credentials/auth_cfg.h> |
fdee6b5f | 46 | #include <networking/packet.h> |
8323a9c1 | 47 | |
/**
 * Timeout in seconds after which a half-open IKE_SA gets deleted.
 *
 * Bounds how long state for an IKE_SA that is not yet established is kept.
 */
#define HALF_OPEN_IKE_SA_TIMEOUT 30

/**
 * Interval to send keepalives when NATed, in seconds.
 */
#define KEEPALIVE_INTERVAL 20

/**
 * After which time rekeying should be retried if it failed, in seconds.
 */
#define RETRY_INTERVAL 15

/**
 * Jitter to subtract from RETRY_INTERVAL to randomize rekey retry.
 */
#define RETRY_JITTER 10

/**
 * Number of redirects allowed within REDIRECT_LOOP_DETECT_PERIOD.
 *
 * More redirects than this within the period are treated as a redirect loop.
 */
#define MAX_REDIRECTS 5

/**
 * Time period in seconds in which at most MAX_REDIRECTS are allowed.
 */
#define REDIRECT_LOOP_DETECT_PERIOD 300
77 | ||
/**
 * Extensions (or optional features) the peer supports.
 *
 * Each value is a distinct bit, so several extensions can be combined in a
 * single bit mask.
 */
enum ike_extension_t {

	/**
	 * peer supports NAT traversal as specified in RFC4306 or RFC3947
	 * including some RFC3947 drafts
	 */
	EXT_NATT = (1<<0),

	/**
	 * peer supports MOBIKE (RFC4555)
	 */
	EXT_MOBIKE = (1<<1),

	/**
	 * peer supports HTTP cert lookups as specified in RFC4306
	 */
	EXT_HASH_AND_URL = (1<<2),

	/**
	 * peer supports multiple authentication exchanges, RFC4739
	 */
	EXT_MULTIPLE_AUTH = (1<<3),

	/**
	 * peer uses strongSwan, accept private use extensions
	 */
	EXT_STRONGSWAN = (1<<4),

	/**
	 * peer supports EAP-only authentication, draft-eronen-ipsec-ikev2-eap-auth
	 */
	EXT_EAP_ONLY_AUTHENTICATION = (1<<5),

	/**
	 * peer is probably a Windows RAS client
	 */
	EXT_MS_WINDOWS = (1<<6),

	/**
	 * peer supports XAuth authentication, draft-ietf-ipsec-isakmp-xauth-06
	 */
	EXT_XAUTH = (1<<7),

	/**
	 * peer supports DPD detection, RFC 3706 (or IKEv2)
	 */
	EXT_DPD = (1<<8),

	/**
	 * peer supports Cisco Unity configuration attributes
	 */
	EXT_CISCO_UNITY = (1<<9),

	/**
	 * peer supports NAT traversal as specified in
	 * draft-ietf-ipsec-nat-t-ike-02 .. -03
	 */
	EXT_NATT_DRAFT_02_03 = (1<<10),

	/**
	 * peer supports proprietary IKEv1 or standardized IKEv2 fragmentation
	 */
	EXT_IKE_FRAGMENTATION = (1<<11),

	/**
	 * peer supports Signature Authentication, RFC 7427
	 */
	EXT_SIGNATURE_AUTH = (1<<12),

	/**
	 * peer supports the IKEv2 Redirect Mechanism, RFC 5685
	 */
	EXT_IKE_REDIRECTION = (1<<13),

	/**
	 * peer supports IKEv2 Message ID sync, RFC 6311
	 */
	EXT_IKE_MESSAGE_ID_SYNC = (1<<14),

	/**
	 * peer supports Postquantum Preshared Keys, draft-ietf-ipsecme-qr-ikev2
	 */
	EXT_PPK = (1<<15),
};
165 | ||
/**
 * Conditions of an IKE_SA, change during its lifetime.
 *
 * Each value is a distinct bit, so several conditions can be combined in a
 * single bit mask.
 */
enum ike_condition_t {

	/**
	 * Connection is natted (or faked) somewhere
	 */
	COND_NAT_ANY = (1<<0),

	/**
	 * we are behind NAT
	 */
	COND_NAT_HERE = (1<<1),

	/**
	 * other is behind NAT
	 */
	COND_NAT_THERE = (1<<2),

	/**
	 * Faking NAT to enforce UDP encapsulation
	 */
	COND_NAT_FAKE = (1<<3),

	/**
	 * peer has been authenticated using EAP at least once
	 */
	COND_EAP_AUTHENTICATED = (1<<4),

	/**
	 * received a certificate request from the peer
	 */
	COND_CERTREQ_SEEN = (1<<5),

	/**
	 * Local peer is the "original" IKE initiator. Unaffected by rekeying.
	 */
	COND_ORIGINAL_INITIATOR = (1<<6),

	/**
	 * IKE_SA is stale, the peer is currently unreachable (MOBIKE)
	 */
	COND_STALE = (1<<7),

	/**
	 * Initial contact received
	 */
	COND_INIT_CONTACT_SEEN = (1<<8),

	/**
	 * Peer has been authenticated using XAuth
	 */
	COND_XAUTH_AUTHENTICATED = (1<<9),

	/**
	 * This IKE_SA is currently being reauthenticated
	 */
	COND_REAUTHENTICATING = (1<<10),

	/**
	 * This IKE_SA has been redirected
	 */
	COND_REDIRECTED = (1<<11),

	/**
	 * Online certificate revocation checking is suspended for this IKE_SA
	 */
	COND_ONLINE_VALIDATION_SUSPENDED = (1<<12),

	/**
	 * A Postquantum Preshared Key was used when this IKE_SA was created
	 */
	COND_PPK = (1<<13),
};
241 | ||
/**
 * Timing information and statistics to query from an SA.
 *
 * Values are sequential from 0, so STAT_MAX equals the number of kinds.
 */
enum statistic_t {
	/** Timestamp of SA establishment */
	STAT_ESTABLISHED = 0,
	/** Timestamp of scheduled rekeying */
	STAT_REKEY,
	/** Timestamp of scheduled reauthentication */
	STAT_REAUTH,
	/** Timestamp of scheduled delete */
	STAT_DELETE,
	/** Timestamp of last inbound IKE packet */
	STAT_INBOUND,
	/** Timestamp of last outbound IKE packet */
	STAT_OUTBOUND,

	/** Sentinel: number of statistic kinds above, not a valid kind itself */
	STAT_MAX
};
3b138b84 | 261 | |
/**
 * State of an IKE_SA.
 *
 * An IKE_SA passes various states in its lifetime. A newly created
 * SA is in the state CREATED. The diagram below uses SA_* labels for the
 * IKE_* constants that follow; IKE_PASSIVE, IKE_REKEYED and IKE_DESTROYING
 * are not shown in it.
 * @verbatim
                 +----------------+
                 ¦   SA_CREATED   ¦
                 +----------------+
                         ¦
    on initiate()--->    ¦   <----- on IKE_SA_INIT received
                         V
                 +----------------+
                 ¦ SA_CONNECTING  ¦
                 +----------------+
                         ¦
                         ¦   <----- on IKE_AUTH successfully completed
                         V
                 +----------------+
                 ¦ SA_ESTABLISHED ¦-------------------------+ <-- on rekeying
                 +----------------+                         ¦
                         ¦                                  V
    on delete()--->      ¦   <----- on IKE_SA        +-------------+
                         ¦          delete request   ¦ SA_REKEYING ¦
                         ¦          received         +-------------+
                         V                                  ¦
                 +----------------+                         ¦
                 ¦   SA_DELETING  ¦<------------------------+ <-- after rekeying
                 +----------------+
                         ¦
                         ¦   <----- after delete() acknowledged
                         ¦
                        \V/
                         X
                        / \
 * @endverbatim
 */
enum ike_sa_state_t {

	/**
	 * IKE_SA just got created, but is not initiating nor responding yet.
	 */
	IKE_CREATED,

	/**
	 * IKE_SA gets initiated actively or passively
	 */
	IKE_CONNECTING,

	/**
	 * IKE_SA is fully established
	 */
	IKE_ESTABLISHED,

	/**
	 * IKE_SA is managed externally and does not process messages
	 */
	IKE_PASSIVE,

	/**
	 * IKE_SA rekeying in progress
	 */
	IKE_REKEYING,

	/**
	 * IKE_SA has been rekeyed (or is redundant)
	 */
	IKE_REKEYED,

	/**
	 * IKE_SA is in progress of deletion
	 */
	IKE_DELETING,

	/**
	 * IKE_SA object gets destroyed
	 */
	IKE_DESTROYING,
};
341 | ||
/**
 * Enum name lookup table for ike_sa_state_t (defined elsewhere).
 */
extern enum_name_t *ike_sa_state_names;
7ba38761 JH |
346 | |
347 | /** | |
552cc11b | 348 | * Class ike_sa_t representing an IKE_SA. |
3dd3c5f3 MW |
349 | * |
350 | * An IKE_SA contains crypto information related to a connection | |
351 | * with a peer. It contains multiple IPsec CHILD_SA, for which | |
352 | * it is responsible. All traffic is handled by an IKE_SA, using | |
c60c7694 | 353 | * the task manager and its tasks. |
7ba38761 | 354 | */ |
5796aa16 | 355 | struct ike_sa_t { |
7ba38761 JH |
356 | |
357 | /** | |
552cc11b | 358 | * Get the id of the SA. |
484a06bc | 359 | * |
3dd3c5f3 | 360 | * Returned ike_sa_id_t object is not getting cloned! |
c3dc6f1a | 361 | * |
4bbce1ef | 362 | * @return ike_sa's ike_sa_id_t |
7ba38761 | 363 | */ |
3dd3c5f3 | 364 | ike_sa_id_t* (*get_id) (ike_sa_t *this); |
7daf5226 | 365 | |
0b611540 TB |
366 | /** |
367 | * Gets the IKE version of the SA. | |
| * | |
| * @return IKE version | |
368 | */ | |
369 | ike_version_t (*get_version)(ike_sa_t *this); | |
370 | ||
c60c7694 | 371 | /** |
552cc11b | 372 | * Get the numerical ID uniquely defining this IKE_SA. |
c60c7694 | 373 | * |
4bbce1ef | 374 | * @return unique ID |
c60c7694 | 375 | */ |
b12c53ce | 376 | uint32_t (*get_unique_id) (ike_sa_t *this); |
7daf5226 | 377 | |
3dd3c5f3 | 378 | /** |
552cc11b | 379 | * Get the state of the IKE_SA. |
3dd3c5f3 | 380 | * |
3dd3c5f3 MW |
381 | * @return state of the IKE_SA |
382 | */ | |
383 | ike_sa_state_t (*get_state) (ike_sa_t *this); | |
7daf5226 | 384 | |
3dd3c5f3 | 385 | /** |
552cc11b | 386 | * Set the state of the IKE_SA. |
3dd3c5f3 | 387 | * |
3dd3c5f3 MW |
388 | * @param state state to set for the IKE_SA |
389 | */ | |
0b611540 | 390 | void (*set_state) (ike_sa_t *this, ike_sa_state_t state); |
7daf5226 | 391 | |
8dfbe71b | 392 | /** |
552cc11b | 393 | * Get the name of the connection this IKE_SA uses. |
8dfbe71b | 394 | * |
8dfbe71b MW |
395 | * @return name |
396 | */ | |
397 | char* (*get_name) (ike_sa_t *this); | |
7daf5226 | 398 | |
ee614711 | 399 | /** |
552cc11b | 400 | * Get statistic values from the IKE_SA. |
ee614711 | 401 | * |
ee614711 MW |
402 | * @param kind kind of requested value |
403 | * @return value as integer | |
404 | */ | |
b12c53ce | 405 | uint32_t (*get_statistic)(ike_sa_t *this, statistic_t kind); |
7daf5226 | 406 | |
44ff1153 TB |
407 | /** |
408 | * Set statistic value of the IKE_SA. | |
409 | * | |
410 | * @param kind kind of value to update | |
411 | * @param value value as integer | |
412 | */ | |
b12c53ce | 413 | void (*set_statistic)(ike_sa_t *this, statistic_t kind, uint32_t value); |
44ff1153 | 414 | |
8dfbe71b | 415 | /** |
552cc11b | 416 | * Get the own host address. |
484a06bc | 417 | * |
8dfbe71b MW |
418 | * @return host address |
419 | */ | |
420 | host_t* (*get_my_host) (ike_sa_t *this); | |
7daf5226 | 421 | |
fe04e93a | 422 | /** |
552cc11b | 423 | * Set the own host address. |
484a06bc | 424 | * |
fe04e93a MW |
425 | * @param me host address |
426 | */ | |
427 | void (*set_my_host) (ike_sa_t *this, host_t *me); | |
7daf5226 | 428 | |
8dfbe71b | 429 | /** |
552cc11b | 430 | * Get the other peer's host address. |
484a06bc | 431 | * |
8dfbe71b MW |
432 | * @return host address |
433 | */ | |
434 | host_t* (*get_other_host) (ike_sa_t *this); | |
7daf5226 | 435 | |
fe04e93a | 436 | /** |
552cc11b | 437 | * Set the other peer's host address. |
484a06bc | 438 | * |
fe04e93a MW |
439 | * @param other host address |
440 | */ | |
441 | void (*set_other_host) (ike_sa_t *this, host_t *other); | |
7daf5226 | 442 | |
277f02ce TB |
443 | /** |
444 | * Float to port 4500 (e.g. if a NAT is detected). | |
445 | * | |
446 | * The port of either endpoint is changed only if it is currently | |
447 | * set to the default value of 500. | |
448 | */ | |
449 | void (*float_ports)(ike_sa_t *this); | |
450 | ||
2b3100b5 | 451 | /** |
552cc11b | 452 | * Update the IKE_SA's host addresses. |
2b3100b5 MW |
453 | * |
454 | * Hosts may be NULL to use current host. | |
455 | * | |
2b3100b5 MW |
456 | * @param me new local host address, or NULL |
457 | * @param other new remote host address, or NULL | |
2082417d | 458 | * @param force force update |
2b3100b5 | 459 | */ |
2082417d | 460 | void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other, bool force); |
7daf5226 | 461 | |
8dfbe71b | 462 | /** |
552cc11b | 463 | * Get the own identification. |
484a06bc | 464 | * |
8dfbe71b MW |
465 | * @return identification |
466 | */ | |
467 | identification_t* (*get_my_id) (ike_sa_t *this); | |
7daf5226 | 468 | |
8dfbe71b | 469 | /** |
552cc11b | 470 | * Set the own identification. |
484a06bc | 471 | * |
8dfbe71b MW |
472 | * @param me identification |
473 | */ | |
474 | void (*set_my_id) (ike_sa_t *this, identification_t *me); | |
7daf5226 | 475 | |
8dfbe71b | 476 | /** |
552cc11b | 477 | * Get the other peer's identification. |
484a06bc | 478 | * |
8dfbe71b MW |
479 | * @return identification |
480 | */ | |
481 | identification_t* (*get_other_id) (ike_sa_t *this); | |
7daf5226 | 482 | |
045833c7 MW |
483 | /** |
484 | * Get the other peer's identity, preferring the EAP-Identity if there is one. | |
485 | * | |
486 | * @return EAP or IKEv2 identity | |
487 | */ | |
488 | identification_t* (*get_other_eap_id)(ike_sa_t *this); | |
489 | ||
8dfbe71b | 490 | /** |
552cc11b | 491 | * Set the other peer's identification. |
484a06bc | 492 | * |
8dfbe71b MW |
493 | * @param other identification |
494 | */ | |
495 | void (*set_other_id) (ike_sa_t *this, identification_t *other); | |
7daf5226 | 496 | |
7d26a0ee | 497 | /** |
552cc11b | 498 | * Get the config used to setup this IKE_SA. |
484a06bc | 499 | * |
e0fe7651 | 500 | * @return ike_config |
c60c7694 | 501 | */ |
e0fe7651 | 502 | ike_cfg_t* (*get_ike_cfg) (ike_sa_t *this); |
7daf5226 | 503 | |
c60c7694 | 504 | /** |
552cc11b | 505 | * Set the config to setup this IKE_SA. |
484a06bc | 506 | * |
e0fe7651 | 507 | * @param config ike_config to use |
c60c7694 | 508 | */ |
e0fe7651 | 509 | void (*set_ike_cfg) (ike_sa_t *this, ike_cfg_t* config); |
c60c7694 MW |
510 | |
511 | /** | |
552cc11b | 512 | * Get the peer config used by this IKE_SA. |
484a06bc | 513 | * |
e0fe7651 | 514 | * @return peer_config |
c60c7694 | 515 | */ |
e0fe7651 | 516 | peer_cfg_t* (*get_peer_cfg) (ike_sa_t *this); |
7daf5226 | 517 | |
c60c7694 | 518 | /** |
552cc11b | 519 | * Set the peer config to use with this IKE_SA. |
484a06bc | 520 | * |
e0fe7651 | 521 | * @param config peer_config to use |
c60c7694 | 522 | */ |
e0fe7651 | 523 | void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config); |
7daf5226 | 524 | |
3b04350a | 525 | /** |
a44bb934 | 526 | * Get the authentication config with rules of the current auth round. |
552cc11b | 527 | * |
a44bb934 MW |
528 | * @param local TRUE for local rules, FALSE for remote constraints |
529 | * @return current cfg | |
552cc11b | 530 | */ |
a44bb934 | 531 | auth_cfg_t* (*get_auth_cfg)(ike_sa_t *this, bool local); |
7daf5226 | 532 | |
44ce7493 MW |
533 | /** |
534 | * Insert a completed authentication round. | |
535 | * | |
536 | * @param local TRUE for own rules, FALSE for others constraints | |
537 | * @param cfg auth config to append | |
538 | */ | |
539 | void (*add_auth_cfg)(ike_sa_t *this, bool local, auth_cfg_t *cfg); | |
540 | ||
541 | /** | |
542 | * Create an enumerator over added authentication rounds. | |
543 | * | |
544 | * @param local TRUE for own rules, FALSE for others constraints | |
545 | * @return enumerator over auth_cfg_t | |
546 | */ | |
547 | enumerator_t* (*create_auth_cfg_enumerator)(ike_sa_t *this, bool local); | |
548 | ||
1b9c1ae0 TB |
549 | /** |
550 | * Verify the trustchains (validity, revocation) in completed public key | |
551 | * auth rounds. | |
552 | * | |
553 | * @return TRUE if certificates were valid, FALSE otherwise | |
554 | */ | |
555 | bool (*verify_peer_certificate)(ike_sa_t *this); | |
556 | ||
5dffdea1 MW |
557 | /** |
558 | * Get the selected proposal of this IKE_SA. | |
559 | * | |
560 | * @return selected proposal | |
561 | */ | |
562 | proposal_t* (*get_proposal)(ike_sa_t *this); | |
7daf5226 | 563 | |
5dffdea1 MW |
564 | /** |
565 | * Set the proposal selected for this IKE_SA. | |
566 | * | |
567 | * @param proposal selected proposal | |
568 | */ | |
569 | void (*set_proposal)(ike_sa_t *this, proposal_t *proposal); | |
7daf5226 | 570 | |
b09ca747 | 571 | /** |
347c403c | 572 | * Set the message ID of the IKE_SA. |
b09ca747 MW |
573 | * |
574 | * The IKE_SA stores two message IDs, one for initiating exchanges (send) | |
575 | * and one to respond to exchanges (expect). | |
576 | * | |
577 | * @param initiate TRUE to set message ID for initiating | |
578 | * @param mid message id to set | |
579 | */ | |
b12c53ce | 580 | void (*set_message_id)(ike_sa_t *this, bool initiate, uint32_t mid); |
7daf5226 | 581 | |
347c403c TB |
582 | /** |
583 | * Get the message ID of the IKE_SA. | |
584 | * | |
585 | * The IKE_SA stores two message IDs, one for initiating exchanges (send) | |
586 | * and one to respond to exchanges (expect). | |
587 | * | |
588 | * @param initiate TRUE to get message ID for initiating | |
589 | * @return current message ID | |
590 | */ | |
591 | uint32_t (*get_message_id)(ike_sa_t *this, bool initiate); | |
592 | ||
552cc11b MW |
593 | /** |
594 | * Add an additional address for the peer. | |
17d92e97 MW |
595 | * |
596 | * In MOBIKE, a peer may transmit additional addresses where it is | |
597 | * reachable. These are stored in the IKE_SA. | |
598 | * The own list of addresses is not stored, they are queried from | |
599 | * the kernel when required. | |
3b04350a | 600 | * |
17d92e97 | 601 | * @param host host to add to list |
3b04350a | 602 | */ |
94bbc602 | 603 | void (*add_peer_address)(ike_sa_t *this, host_t *host); |
7daf5226 | 604 | |
17d92e97 | 605 | /** |
94bbc602 | 606 | * Create an enumerator over all known addresses of the peer. |
17d92e97 | 607 | * |
572abc6c | 608 | * @return enumerator over addresses |
17d92e97 | 609 | */ |
94bbc602 | 610 | enumerator_t* (*create_peer_address_enumerator)(ike_sa_t *this); |
572abc6c TB |
611 | |
612 | /** | |
94bbc602 | 613 | * Remove all known addresses of the peer. |
572abc6c | 614 | */ |
94bbc602 | 615 | void (*clear_peer_addresses)(ike_sa_t *this); |
7daf5226 | 616 | |
9d9a772e MW |
617 | /** |
618 | * Check if mappings have changed on a NAT for our source address. | |
619 | * | |
620 | * @param hash received DESTINATION_IP hash | |
621 | * @return TRUE if mappings have changed | |
622 | */ | |
623 | bool (*has_mapping_changed)(ike_sa_t *this, chunk_t hash); | |
7daf5226 | 624 | |
3b04350a | 625 | /** |
552cc11b | 626 | * Enable an extension the peer supports. |
3b04350a MW |
627 | * |
628 | * If support for an IKE extension is detected, this method is called | |
629 | * to enable that extension and behave accordingly. | |
630 | * | |
3b04350a MW |
631 | * @param extension extension to enable |
632 | */ | |
633 | void (*enable_extension)(ike_sa_t *this, ike_extension_t extension); | |
7daf5226 | 634 | |
17d92e97 | 635 | /** |
552cc11b | 636 | * Check if the peer supports an extension. |
17d92e97 | 637 | * |
17d92e97 MW |
638 | * @param extension extension to check for support |
639 | * @return TRUE if peer supports it, FALSE otherwise | |
640 | */ | |
641 | bool (*supports_extension)(ike_sa_t *this, ike_extension_t extension); | |
7daf5226 | 642 | |
17d92e97 | 643 | /** |
552cc11b | 644 | * Enable/disable a condition flag for this IKE_SA. |
17d92e97 | 645 | * |
17d92e97 MW |
646 | * @param condition condition to enable/disable |
647 | * @param enable TRUE to enable condition, FALSE to disable | |
648 | */ | |
649 | void (*set_condition) (ike_sa_t *this, ike_condition_t condition, bool enable); | |
650 | ||
651 | /** | |
552cc11b | 652 | * Check if a condition flag is set. |
17d92e97 | 653 | * |
17d92e97 MW |
654 | * @param condition condition to check |
655 | * @return TRUE if condition flag set, FALSE otherwise | |
656 | */ | |
657 | bool (*has_condition) (ike_sa_t *this, ike_condition_t condition); | |
7daf5226 | 658 | |
dc04b7c7 | 659 | #ifdef ME |
22452f70 TB |
660 | /** |
661 | * Activate mediation server functionality for this IKE_SA. | |
662 | */ | |
663 | void (*act_as_mediation_server) (ike_sa_t *this); | |
7daf5226 | 664 | |
d5cc1758 | 665 | /** |
552cc11b | 666 | * Get the server reflexive host. |
484a06bc | 667 | * |
d5cc1758 TB |
668 | * @return server reflexive host |
669 | */ | |
670 | host_t* (*get_server_reflexive_host) (ike_sa_t *this); | |
7daf5226 | 671 | |
d5cc1758 | 672 | /** |
552cc11b | 673 | * Set the server reflexive host. |
484a06bc | 674 | * |
d5cc1758 TB |
675 | * @param host server reflexive host |
676 | */ | |
677 | void (*set_server_reflexive_host) (ike_sa_t *this, host_t *host); | |
7daf5226 | 678 | |
9c2a905d TB |
679 | /** |
680 | * Get the connect ID. | |
484a06bc | 681 | * |
9c2a905d TB |
682 | * @return connect ID |
683 | */ | |
684 | chunk_t (*get_connect_id) (ike_sa_t *this); | |
7daf5226 | 685 | |
d5cc1758 | 686 | /** |
552cc11b | 687 | * Initiate the mediation of a mediated connection (i.e. initiate a |
484a06bc TB |
688 | * ME_CONNECT exchange to a mediation server). |
689 | * | |
690 | * @param mediated_cfg peer_cfg of the mediated connection | |
691 | * @return | |
4bbce1ef TB |
692 | * - SUCCESS if initialization started |
693 | * - DESTROY_ME if initialization failed | |
d5cc1758 TB |
694 | */ |
695 | status_t (*initiate_mediation) (ike_sa_t *this, peer_cfg_t *mediated_cfg); | |
7daf5226 | 696 | |
d5cc1758 | 697 | /** |
552cc11b | 698 | * Initiate the mediated connection |
484a06bc TB |
699 | * |
700 | * @param me local endpoint (gets cloned) | |
701 | * @param other remote endpoint (gets cloned) | |
702 | * @param connect_id connect ID (gets cloned) | |
703 | * @return | |
4bbce1ef TB |
704 | * - SUCCESS if initialization started |
705 | * - DESTROY_ME if initialization failed | |
d5cc1758 TB |
706 | */ |
707 | status_t (*initiate_mediated) (ike_sa_t *this, host_t *me, host_t *other, | |
484a06bc | 708 | chunk_t connect_id); |
7daf5226 | 709 | |
d5cc1758 | 710 | /** |
484a06bc TB |
711 | * Relay data from one peer to another (i.e. initiate a ME_CONNECT exchange |
712 | * to a peer). | |
d5cc1758 TB |
713 | * |
714 | * Data is cloned. | |
484a06bc TB |
715 | * |
716 | * @param requester ID of the requesting peer | |
717 | * @param connect_id data of the ME_CONNECTID payload | |
718 | * @param connect_key data of the ME_CONNECTKEY payload | |
719 | * @param endpoints endpoints | |
720 | * @param response TRUE if this is a response | |
721 | * @return | |
4bbce1ef TB |
722 | * - SUCCESS if relay started |
723 | * - DESTROY_ME if relay failed | |
d5cc1758 | 724 | */ |
484a06bc TB |
725 | status_t (*relay) (ike_sa_t *this, identification_t *requester, |
726 | chunk_t connect_id, chunk_t connect_key, | |
727 | linked_list_t *endpoints, bool response); | |
7daf5226 | 728 | |
d5cc1758 | 729 | /** |
552cc11b | 730 | * Send a callback to a peer. |
484a06bc | 731 | * |
d5cc1758 | 732 | * Data is cloned. |
484a06bc TB |
733 | * |
734 | * @param peer_id ID of the other peer | |
d5cc1758 | 735 | * @return |
4bbce1ef TB |
736 | * - SUCCESS if response started |
737 | * - DESTROY_ME if response failed | |
d5cc1758 TB |
738 | */ |
739 | status_t (*callback) (ike_sa_t *this, identification_t *peer_id); | |
7daf5226 | 740 | |
d5cc1758 | 741 | /** |
dc04b7c7 | 742 | * Respond to a ME_CONNECT request. |
484a06bc | 743 | * |
d5cc1758 | 744 | * Data is cloned. |
484a06bc TB |
745 | * |
746 | * @param peer_id ID of the other peer | |
747 | * @param connect_id the connect ID supplied by the initiator | |
d5cc1758 | 748 | * @return |
4bbce1ef TB |
749 | * - SUCCESS if response started |
750 | * - DESTROY_ME if response failed | |
d5cc1758 | 751 | */ |
484a06bc TB |
752 | status_t (*respond) (ike_sa_t *this, identification_t *peer_id, |
753 | chunk_t connect_id); | |
dc04b7c7 | 754 | #endif /* ME */ |
7daf5226 | 755 | |
2c220249 | 756 | /** |
552cc11b | 757 | * Initiate a new connection. |
3dd3c5f3 | 758 | * |
a13c013b MW |
759 | * The configs are owned by the IKE_SA after the call. If the initiate |
760 | * is triggered by a packet, traffic selectors of the packet can be added | |
761 | * to the CHILD_SA. | |
484a06bc | 762 | * |
e0fe7651 | 763 | * @param child_cfg child config to create CHILD from |
c3626c2c | 764 | * @param reqid reqid to use for CHILD_SA, 0 to assign one uniquely |
a13c013b MW |
765 | * @param tsi source of triggering packet |
766 | * @param tsr destination of triggering packet. | |
484a06bc | 767 | * @return |
4bbce1ef TB |
768 | * - SUCCESS if initialization started |
769 | * - DESTROY_ME if initialization failed | |
8dfbe71b | 770 | */ |
c3626c2c | 771 | status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg, |
b12c53ce | 772 | uint32_t reqid, traffic_selector_t *tsi, |
a13c013b | 773 | traffic_selector_t *tsr); |
7daf5226 | 774 | |
77e42826 TB |
775 | /** |
776 | * Retry initiation of this IKE_SA after it got deferred previously. | |
777 | * | |
778 | * @return | |
779 | * - SUCCESS if initiation deferred or started | |
780 | * - DESTROY_ME if initiation failed | |
781 | */ | |
782 | status_t (*retry_initiate) (ike_sa_t *this); | |
783 | ||
1396815a | 784 | /** |
552cc11b | 785 | * Initiates the deletion of an IKE_SA. |
484a06bc | 786 | * |
3dd3c5f3 MW |
787 | * Sends a delete message to the remote peer and waits for |
788 | * its response. If the response comes in, or a timeout occurs, | |
a79d5103 TB |
789 | * the IKE SA gets destroyed, unless force is TRUE then the IKE_SA is |
790 | * destroyed immediately without waiting for a response. | |
484a06bc | 791 | * |
a79d5103 TB |
792 | * @param force whether to immediately destroy the IKE_SA afterwards |
793 | * without waiting for a response | |
1396815a | 794 | * @return |
4bbce1ef | 795 | * - SUCCESS if deletion is initialized |
a79d5103 TB |
796 | * - DESTROY_ME, if destroying is forced, or the IKE_SA |
797 | * is not in an established state and can not be | |
798 | * deleted (but destroyed) | |
1396815a | 799 | */ |
a79d5103 | 800 | status_t (*delete) (ike_sa_t *this, bool force); |
7daf5226 | 801 | |
17d92e97 | 802 | /** |
552cc11b | 803 | * Update IKE_SAs after network interfaces have changed. |
17d92e97 MW |
804 | * |
805 | * Whenever the network interface configuration changes, the kernel | |
806 | * interface calls roam() on each IKE_SA. The IKE_SA then checks if | |
807 | * the new network config requires changes, and handles them appropriately. | |
808 | * If MOBIKE is supported, addresses are updated; If not, the tunnel is | |
809 | * restarted. | |
810 | * | |
3bc62fe7 MW |
811 | * @param address TRUE if address list changed, FALSE otherwise |
812 | * @return SUCCESS, FAILED, DESTROY_ME | |
17d92e97 | 813 | */ |
3bc62fe7 | 814 | status_t (*roam)(ike_sa_t *this, bool address); |
7daf5226 | 815 | |
13e4a62f | 816 | /** |
40bab9a1 | 817 | * Processes an incoming IKE message. |
13e4a62f | 818 | * |
484a06bc TB |
819 | * Message processing may fail. If a critical failure occurs, |
820 | * process_message() returns DESTROY_ME. Then the caller must | |
f3bb1bd0 | 821 | * destroy the IKE_SA immediately, as it is unusable. |
484a06bc | 822 | * |
4bbce1ef | 823 | * @param message message to process |
484a06bc | 824 | * @return |
4bbce1ef TB |
825 | * - SUCCESS |
826 | * - FAILED | |
827 | * - DESTROY_ME if this IKE_SA MUST be deleted | |
e168ee17 | 828 | */ |
40bab9a1 | 829 | status_t (*process_message)(ike_sa_t *this, message_t *message); |
7daf5226 | 830 | |
bcb95ced | 831 | /** |
40bab9a1 | 832 | * Generate an IKE message to send it to the peer. |
484a06bc | 833 | * |
c60c7694 MW |
834 | * This method generates all payloads in the message and encrypts/signs |
835 | * the packet. | |
484a06bc | 836 | * |
4bbce1ef | 837 | * @param message message to generate |
c60c7694 | 838 | * @param packet generated output packet |
484a06bc | 839 | * @return |
4bbce1ef TB |
840 | * - SUCCESS |
841 | * - FAILED | |
842 | * - DESTROY_ME if this IKE_SA MUST be deleted | |
bcb95ced | 843 | */ |
40bab9a1 TB |
844 | status_t (*generate_message)(ike_sa_t *this, message_t *message, |
845 | packet_t **packet); | |
846 | ||
847 | /** | |
848 | * Generate an IKE message to send it to the peer. If enabled and supported | |
849 | * it will be fragmented. | |
850 | * | |
851 | * This method generates all payloads in the message and encrypts/signs | |
852 | * the packet/fragments. | |
853 | * | |
854 | * @param message message to generate | |
855 | * @param packets enumerator of generated packet_t* (are not destroyed | |
856 | * with the enumerator) | |
857 | * @return | |
858 | * - SUCCESS | |
859 | * - FAILED | |
860 | * - DESTROY_ME if this IKE_SA MUST be deleted | |
861 | */ | |
862 | status_t (*generate_message_fragmented)(ike_sa_t *this, message_t *message, | |
863 | enumerator_t **packets); | |
7daf5226 | 864 | |
1396815a | 865 | /** |
552cc11b | 866 | * Retransmits a request. |
484a06bc | 867 | * |
868 | * @param message_id ID of the request to retransmit |
869 | * @return | |
4bbce1ef | 870 | * - SUCCESS |
2db6d5b8 | 871 | * - NOT_FOUND if request doesn't have to be retransmitted |
397f3448 | 872 | */ |
b12c53ce | 873 | status_t (*retransmit) (ike_sa_t *this, uint32_t message_id); |
7daf5226 | 874 | |
1396815a | 875 | /** |
552cc11b | 876 | * Sends a DPD request to the peer. |
1396815a | 877 | * |
878 | * To check if a peer is still alive, periodic |
879 | * empty INFORMATIONAL messages are sent if no | |
880 | * other traffic was received. | |
484a06bc | 881 | * |
3dd3c5f3 | 882 | * @return |
883 | * - SUCCESS |
884 | * - DESTROY_ME, if peer did not respond | |
2f89902d | 885 | */ |
3dd3c5f3 | 886 | status_t (*send_dpd) (ike_sa_t *this); |
7daf5226 | 887 | |
2f89902d | 888 | /** |
552cc11b | 889 | * Sends a keep alive packet. |
2f89902d | 890 | * |
891 | * To refresh NAT tables in a NAT router between the peers, periodic empty |
892 | * UDP packets are sent if no other traffic was sent. | |
893 | * |
894 | * @param scheduled if this is a scheduled keepalive | |
1396815a | 895 | */ |
efd7fa7b | 896 | void (*send_keepalive) (ike_sa_t *this, bool scheduled); |
7daf5226 | 897 | |
898 | /** |
899 | * Redirect an active IKE_SA. | |
900 | * | |
901 | * @param gateway gateway ID (IP or FQDN) of the target | |
902 | * @return state, including DESTROY_ME, if this IKE_SA MUST be | |
903 | * destroyed | |
904 | */ | |
905 | status_t (*redirect)(ike_sa_t *this, identification_t *gateway); | |
906 | ||
907 | /** |
908 | * Handle a redirect request. | |
909 | * | |
910 | * The behavior is different depending on the state of the IKE_SA. | |
911 | * | |
912 | * @param gateway gateway ID (IP or FQDN) of the target | |
913 | * @return FALSE if redirect not possible, TRUE otherwise | |
914 | */ | |
915 | bool (*handle_redirect)(ike_sa_t *this, identification_t *gateway); | |
916 | ||
917 | /** |
918 | * Get the address of the gateway that redirected us. | |
919 | * | |
920 | * @return original gateway address | |
921 | */ | |
922 | host_t *(*get_redirected_from)(ike_sa_t *this); | |
923 | ||
bc997f65 | 924 | /** |
6a4ff35c | 925 | * Get the keying material of this IKE_SA. |
bc997f65 | 926 | * |
6a4ff35c | 927 | * @return per IKE_SA keymat instance |
695723d4 | 928 | */ |
6a4ff35c | 929 | keymat_t* (*get_keymat)(ike_sa_t *this); |
7daf5226 | 930 | |
695723d4 | 931 | /** |
552cc11b | 932 | * Associates a CHILD_SA with this IKE_SA |
484a06bc | 933 | * |
698d7749 | 934 | * @param child_sa child_sa to add |
695723d4 | 935 | */ |
698d7749 | 936 | void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa); |
7daf5226 | 937 | |
971218c3 | 938 | /** |
552cc11b | 939 | * Get a CHILD_SA identified by protocol and SPI. |
484a06bc | 940 | * |
941 | * @param protocol protocol of the SA |
942 | * @param spi SPI of the CHILD_SA | |
943 | * @param inbound TRUE if SPI is inbound, FALSE if outbound | |
944 | * @return child_sa, or NULL if none found | |
3dd3c5f3 | 945 | */ |
484a06bc | 946 | child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol, |
b12c53ce | 947 | uint32_t spi, bool inbound); |
7daf5226 | 948 | |
3183006d | 949 | /** |
4bbce1ef | 950 | * Get the number of CHILD_SAs. |
484a06bc | 951 | * |
4bbce1ef | 952 | * @return number of CHILD_SAs |
3183006d | 953 | */ |
954 | int (*get_child_count) (ike_sa_t *this); |
955 | ||
956 | /** | |
957 | * Create an enumerator over all CHILD_SAs. | |
958 | * | |
959 | * @return enumerator | |
960 | */ | |
961 | enumerator_t* (*create_child_sa_enumerator) (ike_sa_t *this); | |
962 | ||
963 | /** | |
964 | * Remove the CHILD_SA the given enumerator points to from this IKE_SA. | |
965 | * | |
966 | * @param enumerator enumerator pointing to CHILD_SA | |
967 | */ | |
968 | void (*remove_child_sa) (ike_sa_t *this, enumerator_t *enumerator); | |
7daf5226 | 969 | |
1396815a | 970 | /** |
552cc11b | 971 | * Rekey the CHILD SA with the specified reqid. |
1396815a | 972 | * |
3dd3c5f3 | 973 | * Looks for a CHILD_SA owned by this IKE_SA and starts the rekeying. |
1396815a | 974 | * |
975 | * @param protocol protocol of the SA |
976 | * @param spi inbound SPI of the CHILD_SA | |
3dd3c5f3 | 977 | * @return |
978 | * - NOT_FOUND, if IKE_SA has no such CHILD_SA |
979 | * - SUCCESS, if rekeying initiated | |
1396815a | 980 | */ |
b12c53ce | 981 | status_t (*rekey_child_sa) (ike_sa_t *this, protocol_id_t protocol, uint32_t spi); |
698d7749 | 982 | |
1396815a | 983 | /** |
552cc11b | 984 | * Close the CHILD SA with the specified protocol/SPI. |
985 | * |
986 | * Looks for a CHILD_SA owned by this IKE_SA, deletes it and | |
987 | * notifies the remote peer about the deletion. The associated | |
988 | * states and policies in the kernel get deleted, if they exist. | |
989 | * | |
990 | * @param protocol protocol of the SA |
991 | * @param spi inbound SPI of the CHILD_SA | |
3a925f74 | 992 | * @param expired TRUE if CHILD_SA is expired |
698d7749 | 993 | * @return |
994 | * - NOT_FOUND, if IKE_SA has no such CHILD_SA |
995 | * - SUCCESS, if delete message sent | |
1396815a | 996 | */ |
3a925f74 | 997 | status_t (*delete_child_sa)(ike_sa_t *this, protocol_id_t protocol, |
b12c53ce | 998 | uint32_t spi, bool expired); |
698d7749 | 999 | |
1396815a | 1000 | /** |
552cc11b | 1001 | * Destroy a CHILD SA with the specified protocol/SPI. |
1002 | * |
1003 | * Looks for a CHILD SA owned by this IKE_SA and destroys it. | |
1004 | * | |
1005 | * @param protocol protocol of the SA |
1006 | * @param spi inbound SPI of the CHILD_SA | |
1007 | * @return | |
1008 | * - NOT_FOUND, if IKE_SA has no such CHILD_SA |
1009 | * - SUCCESS | |
1396815a | 1010 | */ |
b12c53ce | 1011 | status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, uint32_t spi); |
fe04e93a | 1012 | |
fe04e93a | 1013 | /** |
552cc11b | 1014 | * Rekey the IKE_SA. |
fe04e93a | 1015 | * |
527b3f0c | 1016 | * Sets up a new IKE_SA, moves all CHILD_SAs to it and deletes this IKE_SA. |
fe04e93a | 1017 | * |
1018 | * @return - SUCCESS, if IKE_SA rekeying initiated |
1019 | */ | |
1020 | status_t (*rekey) (ike_sa_t *this); | |
1021 | ||
6fe03b0a | 1022 | /** |
96926b00 | 1023 | * Reauthenticate the IKE_SA. |
6fe03b0a | 1024 | * |
1025 | * Triggers a new IKE_SA that replaces this one. IKEv1 implicitly inherits |
1026 | * all Quick Modes, while IKEv2 recreates all active and queued CHILD_SAs | |
1027 | * in the new IKE_SA. | |
6fe03b0a | 1028 | * |
26424f03 | 1029 | * @return DESTROY_ME to destroy the IKE_SA |
6fe03b0a | 1030 | */ |
1031 | status_t (*reauth) (ike_sa_t *this); |
1032 | ||
1033 | /** | |
1034 | * Reestablish the IKE_SA. | |
1035 | * | |
1036 | * Reestablish an IKE_SA after it has been closed. | |
1037 | * | |
1038 | * @return DESTROY_ME to destroy the IKE_SA | |
1039 | */ | |
26424f03 | 1040 | status_t (*reestablish) (ike_sa_t *this); |
7daf5226 | 1041 | |
ee614711 | 1042 | /** |
1043 | * Set the lifetime limit received/to send in an AUTH_LIFETIME notify. |
1044 | * | |
1045 | * If the IKE_SA is already ESTABLISHED, an INFORMATIONAL is sent with | |
1046 | * an AUTH_LIFETIME notify. The call never fails on unestablished SAs. | |
ee614711 | 1047 | * |
ee614711 | 1048 | * @param lifetime lifetime in seconds |
a07b6973 | 1049 | * @return DESTROY_ME to destroy the IKE_SA |
ee614711 | 1050 | */ |
b12c53ce | 1051 | status_t (*set_auth_lifetime)(ike_sa_t *this, uint32_t lifetime); |
7daf5226 | 1052 | |
3183006d | 1053 | /** |
101d26ba | 1054 | * Add a virtual IP to use for this IKE_SA and its children. |
1055 | * |
1056 | * The virtual IP is assigned per IKE_SA, not per CHILD_SA. It has the same | |
1057 | * lifetime as the IKE_SA. | |
3183006d | 1058 | * |
1059 | * @param local TRUE to set local address, FALSE for remote |
1060 | * @param ip IP to set as virtual IP | |
3183006d | 1061 | */ |
101d26ba | 1062 | void (*add_virtual_ip) (ike_sa_t *this, bool local, host_t *ip); |
7daf5226 | 1063 | |
1064 | /** |
1065 | * Clear all virtual IPs stored on this IKE_SA. | |
1066 | * | |
1067 | * @param local TRUE to clear local addresses, FALSE for remote | |
1068 | */ | |
1069 | void (*clear_virtual_ips) (ike_sa_t *this, bool local); | |
1070 | ||
1071 | /** |
1072 | * Get interface ID to use as default for children of this IKE_SA. | |
1073 | * | |
1074 | * @param inbound TRUE for inbound interface ID | |
1075 | * @return interface ID | |
1076 | */ | |
1077 | uint32_t (*get_if_id)(ike_sa_t *this, bool inbound); | |
1078 | ||
3183006d | 1079 | /** |
101d26ba | 1080 | * Create an enumerator over virtual IPs. |
3183006d | 1081 | * |
c60c7694 | 1082 | * @param local TRUE to get local virtual IP, FALSE for remote |
101d26ba | 1083 | * @return enumerator over host_t* |
3183006d | 1084 | */ |
101d26ba | 1085 | enumerator_t* (*create_virtual_ip_enumerator) (ike_sa_t *this, bool local); |
7daf5226 | 1086 | |
c60c7694 | 1087 | /** |
7f56b494 | 1088 | * Register a configuration attribute to the IKE_SA. |
c60c7694 | 1089 | * |
1090 | * If an IRAS sends a configuration attribute it is installed and |
1091 | * registered at the IKE_SA. Attributes are inherit()ed and get released | |
1092 | * when the IKE_SA is closed. | |
c60c7694 | 1093 | * |
1094 | * Unhandled attributes are passed as well, but with a NULL handler. They |
1095 | * do not get released. | |
1096 | * | |
1097 | * @param handler handler installed the attribute, use for release() |
1098 | * @param type configuration attribute type | |
1099 | * @param data associated attribute data | |
c60c7694 | 1100 | */ |
7f56b494 | 1101 | void (*add_configuration_attribute)(ike_sa_t *this, |
b5a2055f | 1102 | attribute_handler_t *handler, |
7f56b494 | 1103 | configuration_attribute_type_t type, chunk_t data); |
7daf5226 | 1104 | |
1105 | /** |
1106 | * Create an enumerator over received configuration attributes. | |
1107 | * | |
1108 | * The resulting enumerator is over the configuration_attribute_type_t type, | |
1109 | * a value chunk_t followed by a bool flag. The boolean flag indicates if | |
1110 | * the attribute has been handled by an attribute handler. | |
1111 | * | |
1112 | * @return enumerator over type, value and the "handled" flag. | |
1113 | */ | |
1114 | enumerator_t* (*create_attribute_enumerator)(ike_sa_t *this); | |
1115 | ||
1116 | /** |
1117 | * Set local and remote host addresses to be used for IKE. | |
1118 | * | |
1119 | * These addresses are communicated via the KMADDRESS field of a MIGRATE | |
1120 | * message sent via the NETLINK or PF_KEY kernel socket interface. | |
1121 | * | |
1122 | * @param local local kmaddress | |
1123 | * @param remote remote kmaddress | |
1124 | */ | |
1125 | void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote); | |
7daf5226 | 1126 | |
1127 | /** |
1128 | * Create enumerator over a task queue of this IKE_SA. | |
1129 | * | |
1130 | * @param queue type to enumerate | |
1131 | * @return enumerator over task_t | |
1132 | */ | |
1133 | enumerator_t* (*create_task_enumerator)(ike_sa_t *this, task_queue_t queue); | |
1134 | ||
1135 | /** |
1136 | * Remove the task the given enumerator points to. | |
1137 | * | |
1138 | * @note This should be used with caution, in particular, for tasks in the | |
1139 | * active and passive queues. | |
1140 | * | |
1141 | * @param enumerator enumerator created with the method above | |
1142 | */ | |
1143 | void (*remove_task)(ike_sa_t *this, enumerator_t *enumerator); | |
1144 | ||
1145 | /** |
1146 | * Flush a task queue, cancelling all tasks in it. | |
1147 | * | |
1148 | * @param queue queue type to flush | |
1149 | */ | |
1150 | void (*flush_queue)(ike_sa_t *this, task_queue_t queue); | |
1151 | ||
1152 | /** |
1153 | * Queue a task for initiation to the task manager. | |
1154 | * | |
1155 | * @param task task to queue | |
1156 | */ | |
1157 | void (*queue_task)(ike_sa_t *this, task_t *task); | |
1158 | ||
1159 | /** |
1160 | * Queue a task in the manager, but delay its initiation for at least the | |
1161 | * given number of seconds. | |
1162 | * | |
1163 | * @param task task to queue | |
1164 | * @param delay minimum delay in s before initiating the task | |
1165 | */ | |
1166 | void (*queue_task_delayed)(ike_sa_t *this, task_t *task, uint32_t delay); | |
1167 | ||
1168 | /** |
1169 | * Adopt child creating tasks from the given IKE_SA. | |
1170 | * | |
1171 | * @param other other IKE_SA to adopt tasks from | |
1172 | */ | |
1173 | void (*adopt_child_tasks)(ike_sa_t *this, ike_sa_t *other); | |
1174 | ||
1175 | /** |
1176 | * Inherit required attributes to new SA before rekeying. | |
1177 | * | |
1178 | * Some properties of the SA must be applied before starting IKE_SA | |
1179 | * rekeying, such as the configuration or supported extensions. | |
1180 | * | |
1181 | * @param other other IKE_SA to inherit from | |
1182 | */ | |
1183 | void (*inherit_pre)(ike_sa_t *this, ike_sa_t *other); | |
1184 | ||
fe04e93a | 1185 | /** |
552cc11b | 1186 | * Inherit all attributes of other to this after rekeying. |
fe04e93a | 1187 | * |
1188 | * When rekeying is completed, all CHILD_SAs, the virtual IP and all |
1189 | * outstanding tasks are moved from other to this. | |
1190 | * | |
cf3c72c4 | 1191 | * @param other other IKE SA to inherit from |
c60c7694 | 1192 | */ |
713a1122 | 1193 | void (*inherit_post) (ike_sa_t *this, ike_sa_t *other); |
7daf5226 | 1194 | |
c60c7694 | 1195 | /** |
2db6d5b8 | 1196 | * Reset the IKE_SA, usable when initiating fails. |
1197 | * |
1198 | * @param new_spi TRUE to allocate a new initiator SPI | |
fe04e93a | 1199 | */ |
c3539961 | 1200 | void (*reset) (ike_sa_t *this, bool new_spi); |
7daf5226 | 1201 | |
1396815a | 1202 | /** |
552cc11b | 1203 | * Destroys a ike_sa_t object. |
1396815a | 1204 | */ |
3dd3c5f3 | 1205 | void (*destroy) (ike_sa_t *this); |
1206 | }; |
1207 | ||
7ba38761 | 1208 | /** |
0b611540 | 1209 | * Creates an ike_sa_t object with a specific ID and IKE version. |
c3dc6f1a | 1210 | * |
0b611540 | 1211 | * @param ike_sa_id ike_sa_id_t to associate with new IKE_SA/ISAKMP_SA |
17ec1c74 | 1212 | * @param initiator TRUE to create this IKE_SA as initiator |
0b611540 | 1213 | * @param version IKE version of this SA |
4bbce1ef | 1214 | * @return ike_sa_t object |
7ba38761 | 1215 | */ |
1216 | ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator, |
1217 | ike_version_t version); | |
7ba38761 | 1218 | |
1490ff4d | 1219 | #endif /** IKE_SA_H_ @}*/ |