Annotation of embedaddon/strongswan/src/libcharon/sa/ike_sa.h, revision 1.1
1.1 ! misho 1: /*
! 2: * Copyright (C) 2006-2019 Tobias Brunner
! 3: * Copyright (C) 2006 Daniel Roethlisberger
! 4: * Copyright (C) 2005-2009 Martin Willi
! 5: * Copyright (C) 2005 Jan Hutter
! 6: * HSR Hochschule fuer Technik Rapperswil
! 7: *
! 8: * This program is free software; you can redistribute it and/or modify it
! 9: * under the terms of the GNU General Public License as published by the
! 10: * Free Software Foundation; either version 2 of the License, or (at your
! 11: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
! 12: *
! 13: * This program is distributed in the hope that it will be useful, but
! 14: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
! 15: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
! 16: * for more details.
! 17: */
! 18:
! 19: /**
! 20: * @defgroup ike_sa ike_sa
! 21: * @{ @ingroup sa
! 22: */
! 23:
! 24: #ifndef IKE_SA_H_
! 25: #define IKE_SA_H_
! 26:
! 27: typedef enum ike_extension_t ike_extension_t;
! 28: typedef enum ike_condition_t ike_condition_t;
! 29: typedef enum ike_sa_state_t ike_sa_state_t;
! 30: typedef enum statistic_t statistic_t;
! 31: typedef struct ike_sa_t ike_sa_t;
! 32:
! 33: #include <library.h>
! 34: #include <attributes/attribute_handler.h>
! 35: #include <encoding/message.h>
! 36: #include <encoding/payloads/proposal_substructure.h>
! 37: #include <encoding/payloads/configuration_attribute.h>
! 38: #include <sa/ike_sa_id.h>
! 39: #include <sa/child_sa.h>
! 40: #include <sa/task.h>
! 41: #include <sa/task_manager.h>
! 42: #include <sa/keymat.h>
! 43: #include <config/peer_cfg.h>
! 44: #include <config/ike_cfg.h>
! 45: #include <credentials/auth_cfg.h>
! 46: #include <networking/packet.h>
! 47:
! 48: /**
! 49: * Timeout in seconds after that a half open IKE_SA gets deleted.
! 50: */
! 51: #define HALF_OPEN_IKE_SA_TIMEOUT 30
! 52:
! 53: /**
! 54: * Interval to send keepalives when NATed, in seconds.
! 55: */
! 56: #define KEEPALIVE_INTERVAL 20
! 57:
! 58: /**
! 59: * After which time rekeying should be retried if it failed, in seconds.
! 60: */
! 61: #define RETRY_INTERVAL 15
! 62:
! 63: /**
! 64: * Jitter to subtract from RETRY_INTERVAL to randomize rekey retry.
! 65: */
! 66: #define RETRY_JITTER 10
! 67:
! 68: /**
! 69: * Number of redirects allowed within REDIRECT_LOOP_DETECT_PERIOD.
! 70: */
! 71: #define MAX_REDIRECTS 5
! 72:
! 73: /**
! 74: * Time period in seconds in which at most MAX_REDIRECTS are allowed.
! 75: */
! 76: #define REDIRECT_LOOP_DETECT_PERIOD 300
! 77:
! 78: /**
! 79: * Extensions (or optional features) the peer supports
! 80: */
! 81: enum ike_extension_t {
! 82:
! 83: /**
! 84: * peer supports NAT traversal as specified in RFC4306 or RFC3947
! 85: * including some RFC3947 drafts
! 86: */
! 87: EXT_NATT = (1<<0),
! 88:
! 89: /**
! 90: * peer supports MOBIKE (RFC4555)
! 91: */
! 92: EXT_MOBIKE = (1<<1),
! 93:
! 94: /**
! 95: * peer supports HTTP cert lookups as specified in RFC4306
! 96: */
! 97: EXT_HASH_AND_URL = (1<<2),
! 98:
! 99: /**
! 100: * peer supports multiple authentication exchanges, RFC4739
! 101: */
! 102: EXT_MULTIPLE_AUTH = (1<<3),
! 103:
! 104: /**
! 105: * peer uses strongSwan, accept private use extensions
! 106: */
! 107: EXT_STRONGSWAN = (1<<4),
! 108:
! 109: /**
! 110: * peer supports EAP-only authentication, draft-eronen-ipsec-ikev2-eap-auth
! 111: */
! 112: EXT_EAP_ONLY_AUTHENTICATION = (1<<5),
! 113:
! 114: /**
! 115: * peer is probably a Windows RAS client
! 116: */
! 117: EXT_MS_WINDOWS = (1<<6),
! 118:
! 119: /**
! 120: * peer supports XAuth authentication, draft-ietf-ipsec-isakmp-xauth-06
! 121: */
! 122: EXT_XAUTH = (1<<7),
! 123:
! 124: /**
! 125: * peer supports DPD detection, RFC 3706 (or IKEv2)
! 126: */
! 127: EXT_DPD = (1<<8),
! 128:
! 129: /**
! 130: * peer supports Cisco Unity configuration attributes
! 131: */
! 132: EXT_CISCO_UNITY = (1<<9),
! 133:
! 134: /**
! 135: * peer supports NAT traversal as specified in
! 136: * draft-ietf-ipsec-nat-t-ike-02 .. -03
! 137: */
! 138: EXT_NATT_DRAFT_02_03 = (1<<10),
! 139:
! 140: /**
! 141: * peer supports proprietary IKEv1 or standardized IKEv2 fragmentation
! 142: */
! 143: EXT_IKE_FRAGMENTATION = (1<<11),
! 144:
! 145: /**
! 146: * Signature Authentication, RFC 7427
! 147: */
! 148: EXT_SIGNATURE_AUTH = (1<<12),
! 149:
! 150: /**
! 151: * IKEv2 Redirect Mechanism, RFC 5685
! 152: */
! 153: EXT_IKE_REDIRECTION = (1<<13),
! 154:
! 155: /**
! 156: * IKEv2 Message ID sync, RFC 6311
! 157: */
! 158: EXT_IKE_MESSAGE_ID_SYNC = (1<<14),
! 159:
! 160: /**
! 161: * Postquantum Preshared Keys, draft-ietf-ipsecme-qr-ikev2
! 162: */
! 163: EXT_PPK = (1<<15),
! 164:
! 165: /**
! 166: * Responder accepts childless IKE_SAs, RFC 6023
! 167: */
! 168: EXT_IKE_CHILDLESS = (1<<16),
! 169: };
! 170:
! 171: /**
! 172: * Conditions of an IKE_SA, change during its lifetime
! 173: */
! 174: enum ike_condition_t {
! 175:
! 176: /**
! 177: * Connection is natted (or faked) somewhere
! 178: */
! 179: COND_NAT_ANY = (1<<0),
! 180:
! 181: /**
! 182: * we are behind NAT
! 183: */
! 184: COND_NAT_HERE = (1<<1),
! 185:
! 186: /**
! 187: * other is behind NAT
! 188: */
! 189: COND_NAT_THERE = (1<<2),
! 190:
! 191: /**
! 192: * Faking NAT to enforce UDP encapsulation
! 193: */
! 194: COND_NAT_FAKE = (1<<3),
! 195:
! 196: /**
! 197: * peer has been authenticated using EAP at least once
! 198: */
! 199: COND_EAP_AUTHENTICATED = (1<<4),
! 200:
! 201: /**
! 202: * received a certificate request from the peer
! 203: */
! 204: COND_CERTREQ_SEEN = (1<<5),
! 205:
! 206: /**
! 207: * Local peer is the "original" IKE initiator. Unaffected from rekeying.
! 208: */
! 209: COND_ORIGINAL_INITIATOR = (1<<6),
! 210:
! 211: /**
! 212: * IKE_SA is stale, the peer is currently unreachable (MOBIKE)
! 213: */
! 214: COND_STALE = (1<<7),
! 215:
! 216: /**
! 217: * Initial contact received
! 218: */
! 219: COND_INIT_CONTACT_SEEN = (1<<8),
! 220:
! 221: /**
! 222: * Peer has been authenticated using XAuth
! 223: */
! 224: COND_XAUTH_AUTHENTICATED = (1<<9),
! 225:
! 226: /**
! 227: * This IKE_SA is currently being reauthenticated
! 228: */
! 229: COND_REAUTHENTICATING = (1<<10),
! 230:
! 231: /**
! 232: * This IKE_SA has been redirected
! 233: */
! 234: COND_REDIRECTED = (1<<11),
! 235:
! 236: /**
! 237: * Online certificate revocation checking is suspended for this IKE_SA
! 238: */
! 239: COND_ONLINE_VALIDATION_SUSPENDED = (1<<12),
! 240:
! 241: /**
! 242: * A Postquantum Preshared Key was used when this IKE_SA was created
! 243: */
! 244: COND_PPK = (1<<13),
! 245: };
! 246:
! 247: /**
! 248: * Timing information and statistics to query from an SA
! 249: */
! 250: enum statistic_t {
! 251: /** Timestamp of SA establishment */
! 252: STAT_ESTABLISHED = 0,
! 253: /** Timestamp of scheduled rekeying */
! 254: STAT_REKEY,
! 255: /** Timestamp of scheduled reauthentication */
! 256: STAT_REAUTH,
! 257: /** Timestamp of scheduled delete */
! 258: STAT_DELETE,
! 259: /** Timestamp of last inbound IKE packet */
! 260: STAT_INBOUND,
! 261: /** Timestamp of last outbound IKE packet */
! 262: STAT_OUTBOUND,
! 263:
! 264: STAT_MAX
! 265: };
! 266:
! 267: /**
! 268: * State of an IKE_SA.
! 269: *
! 270: * An IKE_SA passes various states in its lifetime. A newly created
! 271: * SA is in the state CREATED.
! 272: * @verbatim
! 273: +----------------+
! 274: ¦ SA_CREATED ¦
! 275: +----------------+
! 276: ¦
! 277: on initiate()---> ¦ <----- on IKE_SA_INIT received
! 278: V
! 279: +----------------+
! 280: ¦ SA_CONNECTING ¦
! 281: +----------------+
! 282: ¦
! 283: ¦ <----- on IKE_AUTH successfully completed
! 284: V
! 285: +----------------+
! 286: ¦ SA_ESTABLISHED ¦-------------------------+ <-- on rekeying
! 287: +----------------+ ¦
! 288: ¦ V
! 289: on delete()---> ¦ <----- on IKE_SA +-------------+
! 290: ¦ delete request ¦ SA_REKEYING ¦
! 291: ¦ received +-------------+
! 292: V ¦
! 293: +----------------+ ¦
! 294: ¦ SA_DELETING ¦<------------------------+ <-- after rekeying
! 295: +----------------+
! 296: ¦
! 297: ¦ <----- after delete() acknowledged
! 298: ¦
! 299: \V/
! 300: X
! 301: / \
! 302: @endverbatim
! 303: */
! 304: enum ike_sa_state_t {
! 305:
! 306: /**
! 307: * IKE_SA just got created, but is not initiating nor responding yet.
! 308: */
! 309: IKE_CREATED,
! 310:
! 311: /**
! 312: * IKE_SA gets initiated actively or passively
! 313: */
! 314: IKE_CONNECTING,
! 315:
! 316: /**
! 317: * IKE_SA is fully established
! 318: */
! 319: IKE_ESTABLISHED,
! 320:
! 321: /**
! 322: * IKE_SA is managed externally and does not process messages
! 323: */
! 324: IKE_PASSIVE,
! 325:
! 326: /**
! 327: * IKE_SA rekeying in progress
! 328: */
! 329: IKE_REKEYING,
! 330:
! 331: /**
! 332: * IKE_SA has been rekeyed (or is redundant)
! 333: */
! 334: IKE_REKEYED,
! 335:
! 336: /**
! 337: * IKE_SA is in progress of deletion
! 338: */
! 339: IKE_DELETING,
! 340:
! 341: /**
! 342: * IKE_SA object gets destroyed
! 343: */
! 344: IKE_DESTROYING,
! 345: };
! 346:
! 347: /**
! 348: * enum names for ike_sa_state_t.
! 349: */
! 350: extern enum_name_t *ike_sa_state_names;
! 351:
! 352: /**
! 353: * Class ike_sa_t representing an IKE_SA.
! 354: *
! 355: * An IKE_SA contains crypto information related to a connection
! 356: * with a peer. It contains multiple IPsec CHILD_SA, for which
! 357: * it is responsible. All traffic is handled by an IKE_SA, using
! 358: * the task manager and its tasks.
! 359: */
! 360: struct ike_sa_t {
! 361:
! 362: /**
! 363: * Get the id of the SA.
! 364: *
! 365: * Returned ike_sa_id_t object is not getting cloned!
! 366: *
! 367: * @return ike_sa's ike_sa_id_t
! 368: */
! 369: ike_sa_id_t* (*get_id) (ike_sa_t *this);
! 370:
! 371: /**
! 372: * Gets the IKE version of the SA
! 373: */
! 374: ike_version_t (*get_version)(ike_sa_t *this);
! 375:
! 376: /**
! 377: * Get the numerical ID uniquely defining this IKE_SA.
! 378: *
! 379: * @return unique ID
! 380: */
! 381: uint32_t (*get_unique_id) (ike_sa_t *this);
! 382:
! 383: /**
! 384: * Get the state of the IKE_SA.
! 385: *
! 386: * @return state of the IKE_SA
! 387: */
! 388: ike_sa_state_t (*get_state) (ike_sa_t *this);
! 389:
! 390: /**
! 391: * Set the state of the IKE_SA.
! 392: *
! 393: * @param state state to set for the IKE_SA
! 394: */
! 395: void (*set_state) (ike_sa_t *this, ike_sa_state_t state);
! 396:
! 397: /**
! 398: * Get the name of the connection this IKE_SA uses.
! 399: *
! 400: * @return name
! 401: */
! 402: char* (*get_name) (ike_sa_t *this);
! 403:
! 404: /**
! 405: * Get statistic values from the IKE_SA.
! 406: *
! 407: * @param kind kind of requested value
! 408: * @return value as integer
! 409: */
! 410: uint32_t (*get_statistic)(ike_sa_t *this, statistic_t kind);
! 411:
! 412: /**
! 413: * Set statistic value of the IKE_SA.
! 414: *
! 415: * @param kind kind of value to update
! 416: * @param value value as integer
! 417: */
! 418: void (*set_statistic)(ike_sa_t *this, statistic_t kind, uint32_t value);
! 419:
! 420: /**
! 421: * Get the own host address.
! 422: *
! 423: * @return host address
! 424: */
! 425: host_t* (*get_my_host) (ike_sa_t *this);
! 426:
! 427: /**
! 428: * Set the own host address.
! 429: *
! 430: * @param me host address
! 431: */
! 432: void (*set_my_host) (ike_sa_t *this, host_t *me);
! 433:
! 434: /**
! 435: * Get the other peers host address.
! 436: *
! 437: * @return host address
! 438: */
! 439: host_t* (*get_other_host) (ike_sa_t *this);
! 440:
! 441: /**
! 442: * Set the others host address.
! 443: *
! 444: * @param other host address
! 445: */
! 446: void (*set_other_host) (ike_sa_t *this, host_t *other);
! 447:
! 448: /**
! 449: * Float to port 4500 (e.g. if a NAT is detected).
! 450: *
! 451: * The port of either endpoint is changed only if it is currently
! 452: * set to the default value of 500.
! 453: */
! 454: void (*float_ports)(ike_sa_t *this);
! 455:
! 456: /**
! 457: * Update the IKE_SAs host.
! 458: *
! 459: * Hosts may be NULL to use current host.
! 460: *
! 461: * @param me new local host address, or NULL
! 462: * @param other new remote host address, or NULL
! 463: * @param force force update
! 464: */
! 465: void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other, bool force);
! 466:
! 467: /**
! 468: * Get the own identification.
! 469: *
! 470: * @return identification
! 471: */
! 472: identification_t* (*get_my_id) (ike_sa_t *this);
! 473:
! 474: /**
! 475: * Set the own identification.
! 476: *
! 477: * @param me identification
! 478: */
! 479: void (*set_my_id) (ike_sa_t *this, identification_t *me);
! 480:
! 481: /**
! 482: * Get the other peer's identification.
! 483: *
! 484: * @return identification
! 485: */
! 486: identification_t* (*get_other_id) (ike_sa_t *this);
! 487:
! 488: /**
! 489: * Get the others peer identity, but prefer an EAP-Identity.
! 490: *
! 491: * @return EAP or IKEv2 identity
! 492: */
! 493: identification_t* (*get_other_eap_id)(ike_sa_t *this);
! 494:
! 495: /**
! 496: * Set the other peer's identification.
! 497: *
! 498: * @param other identification
! 499: */
! 500: void (*set_other_id) (ike_sa_t *this, identification_t *other);
! 501:
! 502: /**
! 503: * Get the config used to setup this IKE_SA.
! 504: *
! 505: * @return ike_config
! 506: */
! 507: ike_cfg_t* (*get_ike_cfg) (ike_sa_t *this);
! 508:
! 509: /**
! 510: * Set the config to setup this IKE_SA.
! 511: *
! 512: * @param config ike_config to use
! 513: */
! 514: void (*set_ike_cfg) (ike_sa_t *this, ike_cfg_t* config);
! 515:
! 516: /**
! 517: * Get the peer config used by this IKE_SA.
! 518: *
! 519: * @return peer_config
! 520: */
! 521: peer_cfg_t* (*get_peer_cfg) (ike_sa_t *this);
! 522:
! 523: /**
! 524: * Set the peer config to use with this IKE_SA.
! 525: *
! 526: * @param config peer_config to use
! 527: */
! 528: void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config);
! 529:
! 530: /**
! 531: * Get the authentication config with rules of the current auth round.
! 532: *
! 533: * @param local TRUE for local rules, FALSE for remote constraints
! 534: * @return current cfg
! 535: */
! 536: auth_cfg_t* (*get_auth_cfg)(ike_sa_t *this, bool local);
! 537:
! 538: /**
! 539: * Insert a completed authentication round.
! 540: *
! 541: * @param local TRUE for own rules, FALSE for others constraints
! 542: * @param cfg auth config to append
! 543: */
! 544: void (*add_auth_cfg)(ike_sa_t *this, bool local, auth_cfg_t *cfg);
! 545:
! 546: /**
! 547: * Create an enumerator over added authentication rounds.
! 548: *
! 549: * @param local TRUE for own rules, FALSE for others constraints
! 550: * @return enumerator over auth_cfg_t
! 551: */
! 552: enumerator_t* (*create_auth_cfg_enumerator)(ike_sa_t *this, bool local);
! 553:
! 554: /**
! 555: * Verify the trustchains (validity, revocation) in completed public key
! 556: * auth rounds.
! 557: *
! 558: * @return TRUE if certificates were valid, FALSE otherwise
! 559: */
! 560: bool (*verify_peer_certificate)(ike_sa_t *this);
! 561:
! 562: /**
! 563: * Get the selected proposal of this IKE_SA.
! 564: *
! 565: * @return selected proposal
! 566: */
! 567: proposal_t* (*get_proposal)(ike_sa_t *this);
! 568:
! 569: /**
! 570: * Set the proposal selected for this IKE_SA.
! 571: *
! 572: * @param selected proposal
! 573: */
! 574: void (*set_proposal)(ike_sa_t *this, proposal_t *proposal);
! 575:
! 576: /**
! 577: * Set the message ID of the IKE_SA.
! 578: *
! 579: * The IKE_SA stores two message IDs, one for initiating exchanges (send)
! 580: * and one to respond to exchanges (expect).
! 581: *
! 582: * @param initiate TRUE to set message ID for initiating
! 583: * @param mid message id to set
! 584: */
! 585: void (*set_message_id)(ike_sa_t *this, bool initiate, uint32_t mid);
! 586:
! 587: /**
! 588: * Get the message ID of the IKE_SA.
! 589: *
! 590: * The IKE_SA stores two message IDs, one for initiating exchanges (send)
! 591: * and one to respond to exchanges (expect).
! 592: *
! 593: * @param initiate TRUE to get message ID for initiating
! 594: * @return current message
! 595: */
! 596: uint32_t (*get_message_id)(ike_sa_t *this, bool initiate);
! 597:
! 598: /**
! 599: * Add an additional address for the peer.
! 600: *
! 601: * In MOBIKE, a peer may transmit additional addresses where it is
! 602: * reachable. These are stored in the IKE_SA.
! 603: * The own list of addresses is not stored, they are queried from
! 604: * the kernel when required.
! 605: *
! 606: * @param host host to add to list
! 607: */
! 608: void (*add_peer_address)(ike_sa_t *this, host_t *host);
! 609:
! 610: /**
! 611: * Create an enumerator over all known addresses of the peer.
! 612: *
! 613: * @return enumerator over addresses
! 614: */
! 615: enumerator_t* (*create_peer_address_enumerator)(ike_sa_t *this);
! 616:
! 617: /**
! 618: * Remove all known addresses of the peer.
! 619: */
! 620: void (*clear_peer_addresses)(ike_sa_t *this);
! 621:
! 622: /**
! 623: * Check if mappings have changed on a NAT for our source address.
! 624: *
! 625: * @param hash received DESTINATION_IP hash
! 626: * @return TRUE if mappings have changed
! 627: */
! 628: bool (*has_mapping_changed)(ike_sa_t *this, chunk_t hash);
! 629:
! 630: /**
! 631: * Enable an extension the peer supports.
! 632: *
! 633: * If support for an IKE extension is detected, this method is called
! 634: * to enable that extension and behave accordingly.
! 635: *
! 636: * @param extension extension to enable
! 637: */
! 638: void (*enable_extension)(ike_sa_t *this, ike_extension_t extension);
! 639:
! 640: /**
! 641: * Check if the peer supports an extension.
! 642: *
! 643: * @param extension extension to check for support
! 644: * @return TRUE if peer supports it, FALSE otherwise
! 645: */
! 646: bool (*supports_extension)(ike_sa_t *this, ike_extension_t extension);
! 647:
! 648: /**
! 649: * Enable/disable a condition flag for this IKE_SA.
! 650: *
! 651: * @param condition condition to enable/disable
! 652: * @param enable TRUE to enable condition, FALSE to disable
! 653: */
! 654: void (*set_condition) (ike_sa_t *this, ike_condition_t condition, bool enable);
! 655:
! 656: /**
! 657: * Check if a condition flag is set.
! 658: *
! 659: * @param condition condition to check
! 660: * @return TRUE if condition flag set, FALSE otherwise
! 661: */
! 662: bool (*has_condition) (ike_sa_t *this, ike_condition_t condition);
! 663:
! 664: #ifdef ME
! 665: /**
! 666: * Activate mediation server functionality for this IKE_SA.
! 667: */
! 668: void (*act_as_mediation_server) (ike_sa_t *this);
! 669:
! 670: /**
! 671: * Get the server reflexive host.
! 672: *
! 673: * @return server reflexive host
! 674: */
! 675: host_t* (*get_server_reflexive_host) (ike_sa_t *this);
! 676:
! 677: /**
! 678: * Set the server reflexive host.
! 679: *
! 680: * @param host server reflexive host
! 681: */
! 682: void (*set_server_reflexive_host) (ike_sa_t *this, host_t *host);
! 683:
! 684: /**
! 685: * Get the connect ID.
! 686: *
! 687: * @return connect ID
! 688: */
! 689: chunk_t (*get_connect_id) (ike_sa_t *this);
! 690:
! 691: /**
! 692: * Initiate the mediation of a mediated connection (i.e. initiate a
! 693: * ME_CONNECT exchange to a mediation server).
! 694: *
! 695: * @param mediated_cfg peer_cfg of the mediated connection
! 696: * @return
! 697: * - SUCCESS if initialization started
! 698: * - DESTROY_ME if initialization failed
! 699: */
! 700: status_t (*initiate_mediation) (ike_sa_t *this, peer_cfg_t *mediated_cfg);
! 701:
! 702: /**
! 703: * Initiate the mediated connection
! 704: *
! 705: * @param me local endpoint (gets cloned)
! 706: * @param other remote endpoint (gets cloned)
! 707: * @param connect_id connect ID (gets cloned)
! 708: * @return
! 709: * - SUCCESS if initialization started
! 710: * - DESTROY_ME if initialization failed
! 711: */
! 712: status_t (*initiate_mediated) (ike_sa_t *this, host_t *me, host_t *other,
! 713: chunk_t connect_id);
! 714:
! 715: /**
! 716: * Relay data from one peer to another (i.e. initiate a ME_CONNECT exchange
! 717: * to a peer).
! 718: *
! 719: * Data is cloned.
! 720: *
! 721: * @param requester ID of the requesting peer
! 722: * @param connect_id data of the ME_CONNECTID payload
! 723: * @param connect_key data of the ME_CONNECTKEY payload
! 724: * @param endpoints endpoints
! 725: * @param response TRUE if this is a response
! 726: * @return
! 727: * - SUCCESS if relay started
! 728: * - DESTROY_ME if relay failed
! 729: */
! 730: status_t (*relay) (ike_sa_t *this, identification_t *requester,
! 731: chunk_t connect_id, chunk_t connect_key,
! 732: linked_list_t *endpoints, bool response);
! 733:
! 734: /**
! 735: * Send a callback to a peer.
! 736: *
! 737: * Data is cloned.
! 738: *
! 739: * @param peer_id ID of the other peer
! 740: * @return
! 741: * - SUCCESS if response started
! 742: * - DESTROY_ME if response failed
! 743: */
! 744: status_t (*callback) (ike_sa_t *this, identification_t *peer_id);
! 745:
! 746: /**
! 747: * Respond to a ME_CONNECT request.
! 748: *
! 749: * Data is cloned.
! 750: *
! 751: * @param peer_id ID of the other peer
! 752: * @param connect_id the connect ID supplied by the initiator
! 753: * @return
! 754: * - SUCCESS if response started
! 755: * - DESTROY_ME if response failed
! 756: */
! 757: status_t (*respond) (ike_sa_t *this, identification_t *peer_id,
! 758: chunk_t connect_id);
! 759: #endif /* ME */
! 760:
! 761: /**
! 762: * Initiate a new connection.
! 763: *
! 764: * The configs are owned by the IKE_SA after the call. If the initiate
! 765: * is triggered by a packet, traffic selectors of the packet can be added
! 766: * to the CHILD_SA.
! 767: *
! 768: * @param child_cfg child config to create CHILD from
! 769: * @param reqid reqid to use for CHILD_SA, 0 assign uniquely
! 770: * @param tsi source of triggering packet
! 771: * @param tsr destination of triggering packet.
! 772: * @return
! 773: * - SUCCESS if initialization started
! 774: * - DESTROY_ME if initialization failed
! 775: */
! 776: status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg,
! 777: uint32_t reqid, traffic_selector_t *tsi,
! 778: traffic_selector_t *tsr);
! 779:
! 780: /**
! 781: * Retry initiation of this IKE_SA after it got deferred previously.
! 782: *
! 783: * @return
! 784: * - SUCCESS if initiation deferred or started
! 785: * - DESTROY_ME if initiation failed
! 786: */
! 787: status_t (*retry_initiate) (ike_sa_t *this);
! 788:
! 789: /**
! 790: * Initiates the deletion of an IKE_SA.
! 791: *
! 792: * Sends a delete message to the remote peer and waits for
! 793: * its response. If the response comes in, or a timeout occurs,
! 794: * the IKE SA gets destroyed, unless force is TRUE then the IKE_SA is
! 795: * destroyed immediately without waiting for a response.
! 796: *
! 797: * @param force whether to immediately destroy the IKE_SA afterwards
! 798: * without waiting for a response
! 799: * @return
! 800: * - SUCCESS if deletion is initialized
! 801: * - DESTROY_ME, if destroying is forced, or the IKE_SA
! 802: * is not in an established state and can not be
! 803: * deleted (but destroyed)
! 804: */
! 805: status_t (*delete) (ike_sa_t *this, bool force);
! 806:
! 807: /**
! 808: * Update IKE_SAs after network interfaces have changed.
! 809: *
! 810: * Whenever the network interface configuration changes, the kernel
! 811: * interface calls roam() on each IKE_SA. The IKE_SA then checks if
! 812: * the new network config requires changes, and handles appropriate.
! 813: * If MOBIKE is supported, addresses are updated; If not, the tunnel is
! 814: * restarted.
! 815: *
! 816: * @param address TRUE if address list changed, FALSE otherwise
! 817: * @return SUCCESS, FAILED, DESTROY_ME
! 818: */
! 819: status_t (*roam)(ike_sa_t *this, bool address);
! 820:
! 821: /**
! 822: * Processes an incoming IKE message.
! 823: *
! 824: * Message processing may fail. If a critical failure occurs,
! 825: * process_message() return DESTROY_ME. Then the caller must
! 826: * destroy the IKE_SA immediately, as it is unusable.
! 827: *
! 828: * @param message message to process
! 829: * @return
! 830: * - SUCCESS
! 831: * - FAILED
! 832: * - DESTROY_ME if this IKE_SA MUST be deleted
! 833: */
! 834: status_t (*process_message)(ike_sa_t *this, message_t *message);
! 835:
! 836: /**
! 837: * Generate an IKE message to send it to the peer.
! 838: *
! 839: * This method generates all payloads in the message and encrypts/signs
! 840: * the packet.
! 841: *
! 842: * @param message message to generate
! 843: * @param packet generated output packet
! 844: * @return
! 845: * - SUCCESS
! 846: * - FAILED
! 847: * - DESTROY_ME if this IKE_SA MUST be deleted
! 848: */
! 849: status_t (*generate_message)(ike_sa_t *this, message_t *message,
! 850: packet_t **packet);
! 851:
! 852: /**
! 853: * Generate an IKE message to send it to the peer. If enabled and supported
! 854: * it will be fragmented.
! 855: *
! 856: * This method generates all payloads in the message and encrypts/signs
! 857: * the packet/fragments.
! 858: *
! 859: * @param message message to generate
! 860: * @param packets enumerator of generated packet_t* (are not destroyed
! 861: * with the enumerator)
! 862: * @return
! 863: * - SUCCESS
! 864: * - FAILED
! 865: * - DESTROY_ME if this IKE_SA MUST be deleted
! 866: */
! 867: status_t (*generate_message_fragmented)(ike_sa_t *this, message_t *message,
! 868: enumerator_t **packets);
! 869:
! 870: /**
! 871: * Retransmits a request.
! 872: *
! 873: * @param message_id ID of the request to retransmit
! 874: * @return
! 875: * - SUCCESS
! 876: * - NOT_FOUND if request doesn't have to be retransmitted
! 877: */
! 878: status_t (*retransmit) (ike_sa_t *this, uint32_t message_id);
! 879:
! 880: /**
! 881: * Sends a DPD request to the peer.
! 882: *
! 883: * To check if a peer is still alive, periodic
! 884: * empty INFORMATIONAL messages are sent if no
! 885: * other traffic was received.
! 886: *
! 887: * @return
! 888: * - SUCCESS
! 889: * - DESTROY_ME, if peer did not respond
! 890: */
! 891: status_t (*send_dpd) (ike_sa_t *this);
! 892:
! 893: /**
! 894: * Sends a keep alive packet.
! 895: *
! 896: * To refresh NAT tables in a NAT router between the peers, periodic empty
! 897: * UDP packets are sent if no other traffic was sent.
! 898: *
! 899: * @param scheduled if this is a scheduled keepalive
! 900: */
! 901: void (*send_keepalive) (ike_sa_t *this, bool scheduled);
! 902:
! 903: /**
! 904: * Redirect an active IKE_SA.
! 905: *
! 906: * @param gateway gateway ID (IP or FQDN) of the target
! 907: * @return state, including DESTROY_ME, if this IKE_SA MUST be
! 908: * destroyed
! 909: */
! 910: status_t (*redirect)(ike_sa_t *this, identification_t *gateway);
! 911:
! 912: /**
! 913: * Handle a redirect request.
! 914: *
! 915: * The behavior is different depending on the state of the IKE_SA.
! 916: *
! 917: * @param gateway gateway ID (IP or FQDN) of the target
! 918: * @return FALSE if redirect not possible, TRUE otherwise
! 919: */
! 920: bool (*handle_redirect)(ike_sa_t *this, identification_t *gateway);
! 921:
! 922: /**
! 923: * Get the address of the gateway that redirected us.
! 924: *
! 925: * @return original gateway address
! 926: */
! 927: host_t *(*get_redirected_from)(ike_sa_t *this);
! 928:
! 929: /**
! 930: * Get the keying material of this IKE_SA.
! 931: *
! 932: * @return per IKE_SA keymat instance
! 933: */
! 934: keymat_t* (*get_keymat)(ike_sa_t *this);
! 935:
! 936: /**
! 937: * Associates a child SA to this IKE SA
! 938: *
! 939: * @param child_sa child_sa to add
! 940: */
! 941: void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa);
! 942:
! 943: /**
! 944: * Get a CHILD_SA identified by protocol and SPI.
! 945: *
! 946: * @param protocol protocol of the SA
! 947: * @param spi SPI of the CHILD_SA
! 948: * @param inbound TRUE if SPI is inbound, FALSE if outbound
! 949: * @return child_sa, or NULL if none found
! 950: */
! 951: child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol,
! 952: uint32_t spi, bool inbound);
! 953:
! 954: /**
! 955: * Get the number of CHILD_SAs.
! 956: *
! 957: * @return number of CHILD_SAs
! 958: */
! 959: int (*get_child_count) (ike_sa_t *this);
! 960:
! 961: /**
! 962: * Create an enumerator over all CHILD_SAs.
! 963: *
! 964: * @return enumerator
! 965: */
! 966: enumerator_t* (*create_child_sa_enumerator) (ike_sa_t *this);
! 967:
! 968: /**
! 969: * Remove the CHILD_SA the given enumerator points to from this IKE_SA.
! 970: *
! 971: * @param enumerator enumerator pointing to CHILD_SA
! 972: */
! 973: void (*remove_child_sa) (ike_sa_t *this, enumerator_t *enumerator);
! 974:
! 975: /**
! 976: * Rekey the CHILD SA with the specified reqid.
! 977: *
! 978: * Looks for a CHILD SA owned by this IKE_SA, and start the rekeing.
! 979: *
! 980: * @param protocol protocol of the SA
! 981: * @param spi inbound SPI of the CHILD_SA
! 982: * @return
! 983: * - NOT_FOUND, if IKE_SA has no such CHILD_SA
! 984: * - SUCCESS, if rekeying initiated
! 985: */
! 986: status_t (*rekey_child_sa) (ike_sa_t *this, protocol_id_t protocol, uint32_t spi);
! 987:
! 988: /**
! 989: * Close the CHILD SA with the specified protocol/SPI.
! 990: *
! 991: * Looks for a CHILD SA owned by this IKE_SA, deletes it and
! 992: * notify's the remote peer about the delete. The associated
! 993: * states and policies in the kernel get deleted, if they exist.
! 994: *
! 995: * @param protocol protocol of the SA
! 996: * @param spi inbound SPI of the CHILD_SA
! 997: * @param expired TRUE if CHILD_SA is expired
! 998: * @return
! 999: * - NOT_FOUND, if IKE_SA has no such CHILD_SA
! 1000: * - SUCCESS, if delete message sent
! 1001: */
! 1002: status_t (*delete_child_sa)(ike_sa_t *this, protocol_id_t protocol,
! 1003: uint32_t spi, bool expired);
! 1004:
! 1005: /**
! 1006: * Destroy a CHILD SA with the specified protocol/SPI.
! 1007: *
! 1008: * Looks for a CHILD SA owned by this IKE_SA and destroys it.
! 1009: *
! 1010: * @param protocol protocol of the SA
! 1011: * @param spi inbound SPI of the CHILD_SA
! 1012: * @return
! 1013: * - NOT_FOUND, if IKE_SA has no such CHILD_SA
! 1014: * - SUCCESS
! 1015: */
! 1016: status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, uint32_t spi);
! 1017:
! 1018: /**
! 1019: * Rekey the IKE_SA.
! 1020: *
! 1021: * Sets up a new IKE_SA, moves all CHILD_SAs to it and deletes this IKE_SA.
! 1022: *
! 1023: * @return - SUCCESS, if IKE_SA rekeying initiated
! 1024: */
! 1025: status_t (*rekey) (ike_sa_t *this);
! 1026:
! 1027: /**
! 1028: * Reauthenticate the IKE_SA.
! 1029: *
! 1030: * Triggers a new IKE_SA that replaces this one. IKEv1 implicitly inherits
! 1031: * all Quick Modes, while IKEv2 recreates all active and queued CHILD_SAs
! 1032: * in the new IKE_SA.
! 1033: *
! 1034: * @return DESTROY_ME to destroy the IKE_SA
! 1035: */
! 1036: status_t (*reauth) (ike_sa_t *this);
! 1037:
! 1038: /**
! 1039: * Reestablish the IKE_SA.
! 1040: *
! 1041: * Reestablish an IKE_SA after it has been closed.
! 1042: *
! 1043: * @return DESTROY_ME to destroy the IKE_SA
! 1044: */
! 1045: status_t (*reestablish) (ike_sa_t *this);
! 1046:
! 1047: /**
! 1048: * Set the lifetime limit received/to send in a AUTH_LIFETIME notify.
! 1049: *
! 1050: * If the IKE_SA is already ESTABLISHED, an INFORMATIONAL is sent with
! 1051: * an AUTH_LIFETIME notify. The call never fails on unestablished SAs.
! 1052: *
! 1053: * @param lifetime lifetime in seconds
! 1054: * @return DESTROY_ME to destroy the IKE_SA
! 1055: */
! 1056: status_t (*set_auth_lifetime)(ike_sa_t *this, uint32_t lifetime);
! 1057:
! 1058: /**
! 1059: * Add a virtual IP to use for this IKE_SA and its children.
! 1060: *
! 1061: * The virtual IP is assigned per IKE_SA, not per CHILD_SA. It has the same
! 1062: * lifetime as the IKE_SA.
! 1063: *
! 1064: * @param local TRUE to set local address, FALSE for remote
! 1065: * @param ip IP to set as virtual IP
! 1066: */
! 1067: void (*add_virtual_ip) (ike_sa_t *this, bool local, host_t *ip);
! 1068:
! 1069: /**
! 1070: * Clear all virtual IPs stored on this IKE_SA.
! 1071: *
! 1072: * @param local TRUE to clear local addresses, FALSE for remote
! 1073: */
! 1074: void (*clear_virtual_ips) (ike_sa_t *this, bool local);
! 1075:
! 1076: /**
! 1077: * Get interface ID to use as default for children of this IKE_SA.
! 1078: *
! 1079: * @param inbound TRUE for inbound interface ID
! 1080: * @return interface ID
! 1081: */
! 1082: uint32_t (*get_if_id)(ike_sa_t *this, bool inbound);
! 1083:
! 1084: /**
! 1085: * Create an enumerator over virtual IPs.
! 1086: *
! 1087: * @param local TRUE to get local virtual IP, FALSE for remote
! 1088: * @return enumerator over host_t*
! 1089: */
! 1090: enumerator_t* (*create_virtual_ip_enumerator) (ike_sa_t *this, bool local);
! 1091:
! 1092: /**
! 1093: * Register a configuration attribute to the IKE_SA.
! 1094: *
! 1095: * If an IRAS sends a configuration attribute it is installed and
! 1096: * registered at the IKE_SA. Attributes are inherit()ed and get released
! 1097: * when the IKE_SA is closed.
! 1098: *
! 1099: * Unhandled attributes are passed as well, but with a NULL handler. They
! 1100: * do not get released.
! 1101: *
! 1102: * @param handler handler installed the attribute, use for release()
! 1103: * @param type configuration attribute type
! 1104: * @param data associated attribute data
! 1105: */
! 1106: void (*add_configuration_attribute)(ike_sa_t *this,
! 1107: attribute_handler_t *handler,
! 1108: configuration_attribute_type_t type, chunk_t data);
! 1109:
! 1110: /**
! 1111: * Create an enumerator over received configuration attributes.
! 1112: *
! 1113: * The resulting enumerator is over the configuration_attribute_type_t type,
! 1114: * a value chunk_t followed by a bool flag. The boolean flag indicates if
! 1115: * the attribute has been handled by an attribute handler.
! 1116: *
! 1117: * @return enumerator over type, value and the "handled" flag.
! 1118: */
! 1119: enumerator_t* (*create_attribute_enumerator)(ike_sa_t *this);
! 1120:
! 1121: /**
! 1122: * Set local and remote host addresses to be used for IKE.
! 1123: *
! 1124: * These addresses are communicated via the KMADDRESS field of a MIGRATE
! 1125: * message sent via the NETLINK or PF _KEY kernel socket interface.
! 1126: *
! 1127: * @param local local kmaddress
! 1128: * @param remote remote kmaddress
! 1129: */
! 1130: void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote);
! 1131:
! 1132: /**
! 1133: * Create enumerator over a task queue of this IKE_SA.
! 1134: *
! 1135: * @param queue type to enumerate
! 1136: * @return enumerator over task_t
! 1137: */
! 1138: enumerator_t* (*create_task_enumerator)(ike_sa_t *this, task_queue_t queue);
! 1139:
! 1140: /**
! 1141: * Remove the task the given enumerator points to.
! 1142: *
! 1143: * @note This should be used with caution, in particular, for tasks in the
! 1144: * active and passive queues.
! 1145: *
! 1146: * @param enumerator enumerator created with the method above
! 1147: */
! 1148: void (*remove_task)(ike_sa_t *this, enumerator_t *enumerator);
! 1149:
! 1150: /**
! 1151: * Flush a task queue, cancelling all tasks in it.
! 1152: *
! 1153: * @param queue queue type to flush
! 1154: */
! 1155: void (*flush_queue)(ike_sa_t *this, task_queue_t queue);
! 1156:
! 1157: /**
! 1158: * Queue a task for initiation to the task manager.
! 1159: *
! 1160: * @param task task to queue
! 1161: */
! 1162: void (*queue_task)(ike_sa_t *this, task_t *task);
! 1163:
! 1164: /**
! 1165: * Queue a task in the manager, but delay its initiation for at least the
! 1166: * given number of seconds.
! 1167: *
! 1168: * @param task task to queue
! 1169: * @param delay minimum delay in s before initiating the task
! 1170: */
! 1171: void (*queue_task_delayed)(ike_sa_t *this, task_t *task, uint32_t delay);
! 1172:
! 1173: /**
! 1174: * Adopt child creating tasks from the given IKE_SA.
! 1175: *
! 1176: * @param other other IKE_SA to adopt tasks from
! 1177: */
! 1178: void (*adopt_child_tasks)(ike_sa_t *this, ike_sa_t *other);
! 1179:
! 1180: /**
! 1181: * Inherit required attributes to new SA before rekeying.
! 1182: *
! 1183: * Some properties of the SA must be applied before starting IKE_SA
! 1184: * rekeying, such as the configuration or support extensions.
! 1185: *
! 1186: * @param other other IKE_SA to inherit from
! 1187: */
! 1188: void (*inherit_pre)(ike_sa_t *this, ike_sa_t *other);
! 1189:
! 1190: /**
! 1191: * Inherit all attributes of other to this after rekeying.
! 1192: *
! 1193: * When rekeying is completed, all CHILD_SAs, the virtual IP and all
! 1194: * outstanding tasks are moved from other to this.
! 1195: *
! 1196: * @param other other IKE SA to inherit from
! 1197: */
! 1198: void (*inherit_post) (ike_sa_t *this, ike_sa_t *other);
! 1199:
! 1200: /**
! 1201: * Reset the IKE_SA, usable when initiating fails.
! 1202: *
! 1203: * @param new_spi TRUE to allocate a new initiator SPI
! 1204: */
! 1205: void (*reset) (ike_sa_t *this, bool new_spi);
! 1206:
! 1207: /**
! 1208: * Destroys a ike_sa_t object.
! 1209: */
! 1210: void (*destroy) (ike_sa_t *this);
! 1211: };
! 1212:
! 1213: /**
! 1214: * Creates an ike_sa_t object with a specific ID and IKE version.
! 1215: *
! 1216: * @param ike_sa_id ike_sa_id_t to associate with new IKE_SA/ISAKMP_SA
! 1217: * @param initiator TRUE to create this IKE_SA as initiator
! 1218: * @param version IKE version of this SA
! 1219: * @return ike_sa_t object
! 1220: */
! 1221: ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
! 1222: ike_version_t version);
! 1223:
! 1224: #endif /** IKE_SA_H_ @}*/
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>