![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to ike_sa.h CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / sa|
Return to ike_sa.h CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / sa |
1.1 misho 1: /*
2: * Copyright (C) 2006-2019 Tobias Brunner
3: * Copyright (C) 2006 Daniel Roethlisberger
4: * Copyright (C) 2005-2009 Martin Willi
5: * Copyright (C) 2005 Jan Hutter
6: * HSR Hochschule fuer Technik Rapperswil
7: *
8: * This program is free software; you can redistribute it and/or modify it
9: * under the terms of the GNU General Public License as published by the
10: * Free Software Foundation; either version 2 of the License, or (at your
11: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12: *
13: * This program is distributed in the hope that it will be useful, but
14: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16: * for more details.
17: */
18:
19: /**
20: * @defgroup ike_sa ike_sa
21: * @{ @ingroup sa
22: */
23:
24: #ifndef IKE_SA_H_
25: #define IKE_SA_H_
26:
27: typedef enum ike_extension_t ike_extension_t;
28: typedef enum ike_condition_t ike_condition_t;
29: typedef enum ike_sa_state_t ike_sa_state_t;
30: typedef enum statistic_t statistic_t;
31: typedef struct ike_sa_t ike_sa_t;
32:
33: #include <library.h>
34: #include <attributes/attribute_handler.h>
35: #include <encoding/message.h>
36: #include <encoding/payloads/proposal_substructure.h>
37: #include <encoding/payloads/configuration_attribute.h>
38: #include <sa/ike_sa_id.h>
39: #include <sa/child_sa.h>
40: #include <sa/task.h>
41: #include <sa/task_manager.h>
42: #include <sa/keymat.h>
43: #include <config/peer_cfg.h>
44: #include <config/ike_cfg.h>
45: #include <credentials/auth_cfg.h>
46: #include <networking/packet.h>
47:
48: /**
49: * Timeout in seconds after that a half open IKE_SA gets deleted.
50: */
51: #define HALF_OPEN_IKE_SA_TIMEOUT 30
52:
53: /**
54: * Interval to send keepalives when NATed, in seconds.
55: */
56: #define KEEPALIVE_INTERVAL 20
57:
58: /**
59: * After which time rekeying should be retried if it failed, in seconds.
60: */
61: #define RETRY_INTERVAL 15
62:
63: /**
64: * Jitter to subtract from RETRY_INTERVAL to randomize rekey retry.
65: */
66: #define RETRY_JITTER 10
67:
68: /**
69: * Number of redirects allowed within REDIRECT_LOOP_DETECT_PERIOD.
70: */
71: #define MAX_REDIRECTS 5
72:
73: /**
74: * Time period in seconds in which at most MAX_REDIRECTS are allowed.
75: */
76: #define REDIRECT_LOOP_DETECT_PERIOD 300
77:
78: /**
79: * Extensions (or optional features) the peer supports
80: */
81: enum ike_extension_t {
82:
83: /**
84: * peer supports NAT traversal as specified in RFC4306 or RFC3947
85: * including some RFC3947 drafts
86: */
87: EXT_NATT = (1<<0),
88:
89: /**
90: * peer supports MOBIKE (RFC4555)
91: */
92: EXT_MOBIKE = (1<<1),
93:
94: /**
95: * peer supports HTTP cert lookups as specified in RFC4306
96: */
97: EXT_HASH_AND_URL = (1<<2),
98:
99: /**
100: * peer supports multiple authentication exchanges, RFC4739
101: */
102: EXT_MULTIPLE_AUTH = (1<<3),
103:
104: /**
105: * peer uses strongSwan, accept private use extensions
106: */
107: EXT_STRONGSWAN = (1<<4),
108:
109: /**
110: * peer supports EAP-only authentication, draft-eronen-ipsec-ikev2-eap-auth
111: */
112: EXT_EAP_ONLY_AUTHENTICATION = (1<<5),
113:
114: /**
115: * peer is probably a Windows RAS client
116: */
117: EXT_MS_WINDOWS = (1<<6),
118:
119: /**
120: * peer supports XAuth authentication, draft-ietf-ipsec-isakmp-xauth-06
121: */
122: EXT_XAUTH = (1<<7),
123:
124: /**
125: * peer supports DPD detection, RFC 3706 (or IKEv2)
126: */
127: EXT_DPD = (1<<8),
128:
129: /**
130: * peer supports Cisco Unity configuration attributes
131: */
132: EXT_CISCO_UNITY = (1<<9),
133:
134: /**
135: * peer supports NAT traversal as specified in
136: * draft-ietf-ipsec-nat-t-ike-02 .. -03
137: */
138: EXT_NATT_DRAFT_02_03 = (1<<10),
139:
140: /**
141: * peer supports proprietary IKEv1 or standardized IKEv2 fragmentation
142: */
143: EXT_IKE_FRAGMENTATION = (1<<11),
144:
145: /**
146: * Signature Authentication, RFC 7427
147: */
148: EXT_SIGNATURE_AUTH = (1<<12),
149:
150: /**
151: * IKEv2 Redirect Mechanism, RFC 5685
152: */
153: EXT_IKE_REDIRECTION = (1<<13),
154:
155: /**
156: * IKEv2 Message ID sync, RFC 6311
157: */
158: EXT_IKE_MESSAGE_ID_SYNC = (1<<14),
159:
160: /**
161: * Postquantum Preshared Keys, draft-ietf-ipsecme-qr-ikev2
162: */
163: EXT_PPK = (1<<15),
164:
165: /**
166: * Responder accepts childless IKE_SAs, RFC 6023
167: */
168: EXT_IKE_CHILDLESS = (1<<16),
169: };
170:
171: /**
172: * Conditions of an IKE_SA, change during its lifetime
173: */
174: enum ike_condition_t {
175:
176: /**
177: * Connection is natted (or faked) somewhere
178: */
179: COND_NAT_ANY = (1<<0),
180:
181: /**
182: * we are behind NAT
183: */
184: COND_NAT_HERE = (1<<1),
185:
186: /**
187: * other is behind NAT
188: */
189: COND_NAT_THERE = (1<<2),
190:
191: /**
192: * Faking NAT to enforce UDP encapsulation
193: */
194: COND_NAT_FAKE = (1<<3),
195:
196: /**
197: * peer has been authenticated using EAP at least once
198: */
199: COND_EAP_AUTHENTICATED = (1<<4),
200:
201: /**
202: * received a certificate request from the peer
203: */
204: COND_CERTREQ_SEEN = (1<<5),
205:
206: /**
207: * Local peer is the "original" IKE initiator. Unaffected from rekeying.
208: */
209: COND_ORIGINAL_INITIATOR = (1<<6),
210:
211: /**
212: * IKE_SA is stale, the peer is currently unreachable (MOBIKE)
213: */
214: COND_STALE = (1<<7),
215:
216: /**
217: * Initial contact received
218: */
219: COND_INIT_CONTACT_SEEN = (1<<8),
220:
221: /**
222: * Peer has been authenticated using XAuth
223: */
224: COND_XAUTH_AUTHENTICATED = (1<<9),
225:
226: /**
227: * This IKE_SA is currently being reauthenticated
228: */
229: COND_REAUTHENTICATING = (1<<10),
230:
231: /**
232: * This IKE_SA has been redirected
233: */
234: COND_REDIRECTED = (1<<11),
235:
236: /**
237: * Online certificate revocation checking is suspended for this IKE_SA
238: */
239: COND_ONLINE_VALIDATION_SUSPENDED = (1<<12),
240:
241: /**
242: * A Postquantum Preshared Key was used when this IKE_SA was created
243: */
244: COND_PPK = (1<<13),
245: };
246:
247: /**
248: * Timing information and statistics to query from an SA
249: */
250: enum statistic_t {
251: /** Timestamp of SA establishment */
252: STAT_ESTABLISHED = 0,
253: /** Timestamp of scheduled rekeying */
254: STAT_REKEY,
255: /** Timestamp of scheduled reauthentication */
256: STAT_REAUTH,
257: /** Timestamp of scheduled delete */
258: STAT_DELETE,
259: /** Timestamp of last inbound IKE packet */
260: STAT_INBOUND,
261: /** Timestamp of last outbound IKE packet */
262: STAT_OUTBOUND,
263:
264: STAT_MAX
265: };
266:
267: /**
268: * State of an IKE_SA.
269: *
270: * An IKE_SA passes various states in its lifetime. A newly created
271: * SA is in the state CREATED.
272: * @verbatim
273: +----------------+
274: ¦ SA_CREATED ¦
275: +----------------+
276: ¦
277: on initiate()---> ¦ <----- on IKE_SA_INIT received
278: V
279: +----------------+
280: ¦ SA_CONNECTING ¦
281: +----------------+
282: ¦
283: ¦ <----- on IKE_AUTH successfully completed
284: V
285: +----------------+
286: ¦ SA_ESTABLISHED ¦-------------------------+ <-- on rekeying
287: +----------------+ ¦
288: ¦ V
289: on delete()---> ¦ <----- on IKE_SA +-------------+
290: ¦ delete request ¦ SA_REKEYING ¦
291: ¦ received +-------------+
292: V ¦
293: +----------------+ ¦
294: ¦ SA_DELETING ¦<------------------------+ <-- after rekeying
295: +----------------+
296: ¦
297: ¦ <----- after delete() acknowledged
298: ¦
299: \V/
300: X
301: / \
302: @endverbatim
303: */
304: enum ike_sa_state_t {
305:
306: /**
307: * IKE_SA just got created, but is not initiating nor responding yet.
308: */
309: IKE_CREATED,
310:
311: /**
312: * IKE_SA gets initiated actively or passively
313: */
314: IKE_CONNECTING,
315:
316: /**
317: * IKE_SA is fully established
318: */
319: IKE_ESTABLISHED,
320:
321: /**
322: * IKE_SA is managed externally and does not process messages
323: */
324: IKE_PASSIVE,
325:
326: /**
327: * IKE_SA rekeying in progress
328: */
329: IKE_REKEYING,
330:
331: /**
332: * IKE_SA has been rekeyed (or is redundant)
333: */
334: IKE_REKEYED,
335:
336: /**
337: * IKE_SA is in progress of deletion
338: */
339: IKE_DELETING,
340:
341: /**
342: * IKE_SA object gets destroyed
343: */
344: IKE_DESTROYING,
345: };
346:
347: /**
348: * enum names for ike_sa_state_t.
349: */
350: extern enum_name_t *ike_sa_state_names;
351:
352: /**
353: * Class ike_sa_t representing an IKE_SA.
354: *
355: * An IKE_SA contains crypto information related to a connection
356: * with a peer. It contains multiple IPsec CHILD_SA, for which
357: * it is responsible. All traffic is handled by an IKE_SA, using
358: * the task manager and its tasks.
359: */
360: struct ike_sa_t {
361:
362: /**
363: * Get the id of the SA.
364: *
365: * Returned ike_sa_id_t object is not getting cloned!
366: *
367: * @return ike_sa's ike_sa_id_t
368: */
369: ike_sa_id_t* (*get_id) (ike_sa_t *this);
370:
371: /**
372: * Gets the IKE version of the SA
373: */
374: ike_version_t (*get_version)(ike_sa_t *this);
375:
376: /**
377: * Get the numerical ID uniquely defining this IKE_SA.
378: *
379: * @return unique ID
380: */
381: uint32_t (*get_unique_id) (ike_sa_t *this);
382:
383: /**
384: * Get the state of the IKE_SA.
385: *
386: * @return state of the IKE_SA
387: */
388: ike_sa_state_t (*get_state) (ike_sa_t *this);
389:
390: /**
391: * Set the state of the IKE_SA.
392: *
393: * @param state state to set for the IKE_SA
394: */
395: void (*set_state) (ike_sa_t *this, ike_sa_state_t state);
396:
397: /**
398: * Get the name of the connection this IKE_SA uses.
399: *
400: * @return name
401: */
402: char* (*get_name) (ike_sa_t *this);
403:
404: /**
405: * Get statistic values from the IKE_SA.
406: *
407: * @param kind kind of requested value
408: * @return value as integer
409: */
410: uint32_t (*get_statistic)(ike_sa_t *this, statistic_t kind);
411:
412: /**
413: * Set statistic value of the IKE_SA.
414: *
415: * @param kind kind of value to update
416: * @param value value as integer
417: */
418: void (*set_statistic)(ike_sa_t *this, statistic_t kind, uint32_t value);
419:
420: /**
421: * Get the own host address.
422: *
423: * @return host address
424: */
425: host_t* (*get_my_host) (ike_sa_t *this);
426:
427: /**
428: * Set the own host address.
429: *
430: * @param me host address
431: */
432: void (*set_my_host) (ike_sa_t *this, host_t *me);
433:
434: /**
435: * Get the other peers host address.
436: *
437: * @return host address
438: */
439: host_t* (*get_other_host) (ike_sa_t *this);
440:
441: /**
442: * Set the others host address.
443: *
444: * @param other host address
445: */
446: void (*set_other_host) (ike_sa_t *this, host_t *other);
447:
448: /**
449: * Float to port 4500 (e.g. if a NAT is detected).
450: *
451: * The port of either endpoint is changed only if it is currently
452: * set to the default value of 500.
453: */
454: void (*float_ports)(ike_sa_t *this);
455:
456: /**
457: * Update the IKE_SAs host.
458: *
459: * Hosts may be NULL to use current host.
460: *
461: * @param me new local host address, or NULL
462: * @param other new remote host address, or NULL
463: * @param force force update
464: */
465: void (*update_hosts)(ike_sa_t *this, host_t *me, host_t *other, bool force);
466:
467: /**
468: * Get the own identification.
469: *
470: * @return identification
471: */
472: identification_t* (*get_my_id) (ike_sa_t *this);
473:
474: /**
475: * Set the own identification.
476: *
477: * @param me identification
478: */
479: void (*set_my_id) (ike_sa_t *this, identification_t *me);
480:
481: /**
482: * Get the other peer's identification.
483: *
484: * @return identification
485: */
486: identification_t* (*get_other_id) (ike_sa_t *this);
487:
488: /**
489: * Get the others peer identity, but prefer an EAP-Identity.
490: *
491: * @return EAP or IKEv2 identity
492: */
493: identification_t* (*get_other_eap_id)(ike_sa_t *this);
494:
495: /**
496: * Set the other peer's identification.
497: *
498: * @param other identification
499: */
500: void (*set_other_id) (ike_sa_t *this, identification_t *other);
501:
502: /**
503: * Get the config used to setup this IKE_SA.
504: *
505: * @return ike_config
506: */
507: ike_cfg_t* (*get_ike_cfg) (ike_sa_t *this);
508:
509: /**
510: * Set the config to setup this IKE_SA.
511: *
512: * @param config ike_config to use
513: */
514: void (*set_ike_cfg) (ike_sa_t *this, ike_cfg_t* config);
515:
516: /**
517: * Get the peer config used by this IKE_SA.
518: *
519: * @return peer_config
520: */
521: peer_cfg_t* (*get_peer_cfg) (ike_sa_t *this);
522:
523: /**
524: * Set the peer config to use with this IKE_SA.
525: *
526: * @param config peer_config to use
527: */
528: void (*set_peer_cfg) (ike_sa_t *this, peer_cfg_t *config);
529:
530: /**
531: * Get the authentication config with rules of the current auth round.
532: *
533: * @param local TRUE for local rules, FALSE for remote constraints
534: * @return current cfg
535: */
536: auth_cfg_t* (*get_auth_cfg)(ike_sa_t *this, bool local);
537:
538: /**
539: * Insert a completed authentication round.
540: *
541: * @param local TRUE for own rules, FALSE for others constraints
542: * @param cfg auth config to append
543: */
544: void (*add_auth_cfg)(ike_sa_t *this, bool local, auth_cfg_t *cfg);
545:
546: /**
547: * Create an enumerator over added authentication rounds.
548: *
549: * @param local TRUE for own rules, FALSE for others constraints
550: * @return enumerator over auth_cfg_t
551: */
552: enumerator_t* (*create_auth_cfg_enumerator)(ike_sa_t *this, bool local);
553:
554: /**
555: * Verify the trustchains (validity, revocation) in completed public key
556: * auth rounds.
557: *
558: * @return TRUE if certificates were valid, FALSE otherwise
559: */
560: bool (*verify_peer_certificate)(ike_sa_t *this);
561:
562: /**
563: * Get the selected proposal of this IKE_SA.
564: *
565: * @return selected proposal
566: */
567: proposal_t* (*get_proposal)(ike_sa_t *this);
568:
569: /**
570: * Set the proposal selected for this IKE_SA.
571: *
572: * @param selected proposal
573: */
574: void (*set_proposal)(ike_sa_t *this, proposal_t *proposal);
575:
576: /**
577: * Set the message ID of the IKE_SA.
578: *
579: * The IKE_SA stores two message IDs, one for initiating exchanges (send)
580: * and one to respond to exchanges (expect).
581: *
582: * @param initiate TRUE to set message ID for initiating
583: * @param mid message id to set
584: */
585: void (*set_message_id)(ike_sa_t *this, bool initiate, uint32_t mid);
586:
587: /**
588: * Get the message ID of the IKE_SA.
589: *
590: * The IKE_SA stores two message IDs, one for initiating exchanges (send)
591: * and one to respond to exchanges (expect).
592: *
593: * @param initiate TRUE to get message ID for initiating
594: * @return current message
595: */
596: uint32_t (*get_message_id)(ike_sa_t *this, bool initiate);
597:
598: /**
599: * Add an additional address for the peer.
600: *
601: * In MOBIKE, a peer may transmit additional addresses where it is
602: * reachable. These are stored in the IKE_SA.
603: * The own list of addresses is not stored, they are queried from
604: * the kernel when required.
605: *
606: * @param host host to add to list
607: */
608: void (*add_peer_address)(ike_sa_t *this, host_t *host);
609:
610: /**
611: * Create an enumerator over all known addresses of the peer.
612: *
613: * @return enumerator over addresses
614: */
615: enumerator_t* (*create_peer_address_enumerator)(ike_sa_t *this);
616:
617: /**
618: * Remove all known addresses of the peer.
619: */
620: void (*clear_peer_addresses)(ike_sa_t *this);
621:
622: /**
623: * Check if mappings have changed on a NAT for our source address.
624: *
625: * @param hash received DESTINATION_IP hash
626: * @return TRUE if mappings have changed
627: */
628: bool (*has_mapping_changed)(ike_sa_t *this, chunk_t hash);
629:
630: /**
631: * Enable an extension the peer supports.
632: *
633: * If support for an IKE extension is detected, this method is called
634: * to enable that extension and behave accordingly.
635: *
636: * @param extension extension to enable
637: */
638: void (*enable_extension)(ike_sa_t *this, ike_extension_t extension);
639:
640: /**
641: * Check if the peer supports an extension.
642: *
643: * @param extension extension to check for support
644: * @return TRUE if peer supports it, FALSE otherwise
645: */
646: bool (*supports_extension)(ike_sa_t *this, ike_extension_t extension);
647:
648: /**
649: * Enable/disable a condition flag for this IKE_SA.
650: *
651: * @param condition condition to enable/disable
652: * @param enable TRUE to enable condition, FALSE to disable
653: */
654: void (*set_condition) (ike_sa_t *this, ike_condition_t condition, bool enable);
655:
656: /**
657: * Check if a condition flag is set.
658: *
659: * @param condition condition to check
660: * @return TRUE if condition flag set, FALSE otherwise
661: */
662: bool (*has_condition) (ike_sa_t *this, ike_condition_t condition);
663:
664: #ifdef ME
665: /**
666: * Activate mediation server functionality for this IKE_SA.
667: */
668: void (*act_as_mediation_server) (ike_sa_t *this);
669:
670: /**
671: * Get the server reflexive host.
672: *
673: * @return server reflexive host
674: */
675: host_t* (*get_server_reflexive_host) (ike_sa_t *this);
676:
677: /**
678: * Set the server reflexive host.
679: *
680: * @param host server reflexive host
681: */
682: void (*set_server_reflexive_host) (ike_sa_t *this, host_t *host);
683:
684: /**
685: * Get the connect ID.
686: *
687: * @return connect ID
688: */
689: chunk_t (*get_connect_id) (ike_sa_t *this);
690:
691: /**
692: * Initiate the mediation of a mediated connection (i.e. initiate a
693: * ME_CONNECT exchange to a mediation server).
694: *
695: * @param mediated_cfg peer_cfg of the mediated connection
696: * @return
697: * - SUCCESS if initialization started
698: * - DESTROY_ME if initialization failed
699: */
700: status_t (*initiate_mediation) (ike_sa_t *this, peer_cfg_t *mediated_cfg);
701:
702: /**
703: * Initiate the mediated connection
704: *
705: * @param me local endpoint (gets cloned)
706: * @param other remote endpoint (gets cloned)
707: * @param connect_id connect ID (gets cloned)
708: * @return
709: * - SUCCESS if initialization started
710: * - DESTROY_ME if initialization failed
711: */
712: status_t (*initiate_mediated) (ike_sa_t *this, host_t *me, host_t *other,
713: chunk_t connect_id);
714:
715: /**
716: * Relay data from one peer to another (i.e. initiate a ME_CONNECT exchange
717: * to a peer).
718: *
719: * Data is cloned.
720: *
721: * @param requester ID of the requesting peer
722: * @param connect_id data of the ME_CONNECTID payload
723: * @param connect_key data of the ME_CONNECTKEY payload
724: * @param endpoints endpoints
725: * @param response TRUE if this is a response
726: * @return
727: * - SUCCESS if relay started
728: * - DESTROY_ME if relay failed
729: */
730: status_t (*relay) (ike_sa_t *this, identification_t *requester,
731: chunk_t connect_id, chunk_t connect_key,
732: linked_list_t *endpoints, bool response);
733:
734: /**
735: * Send a callback to a peer.
736: *
737: * Data is cloned.
738: *
739: * @param peer_id ID of the other peer
740: * @return
741: * - SUCCESS if response started
742: * - DESTROY_ME if response failed
743: */
744: status_t (*callback) (ike_sa_t *this, identification_t *peer_id);
745:
746: /**
747: * Respond to a ME_CONNECT request.
748: *
749: * Data is cloned.
750: *
751: * @param peer_id ID of the other peer
752: * @param connect_id the connect ID supplied by the initiator
753: * @return
754: * - SUCCESS if response started
755: * - DESTROY_ME if response failed
756: */
757: status_t (*respond) (ike_sa_t *this, identification_t *peer_id,
758: chunk_t connect_id);
759: #endif /* ME */
760:
761: /**
762: * Initiate a new connection.
763: *
764: * The configs are owned by the IKE_SA after the call. If the initiate
765: * is triggered by a packet, traffic selectors of the packet can be added
766: * to the CHILD_SA.
767: *
768: * @param child_cfg child config to create CHILD from
769: * @param reqid reqid to use for CHILD_SA, 0 assign uniquely
770: * @param tsi source of triggering packet
771: * @param tsr destination of triggering packet.
772: * @return
773: * - SUCCESS if initialization started
774: * - DESTROY_ME if initialization failed
775: */
776: status_t (*initiate) (ike_sa_t *this, child_cfg_t *child_cfg,
777: uint32_t reqid, traffic_selector_t *tsi,
778: traffic_selector_t *tsr);
779:
780: /**
781: * Retry initiation of this IKE_SA after it got deferred previously.
782: *
783: * @return
784: * - SUCCESS if initiation deferred or started
785: * - DESTROY_ME if initiation failed
786: */
787: status_t (*retry_initiate) (ike_sa_t *this);
788:
789: /**
790: * Initiates the deletion of an IKE_SA.
791: *
792: * Sends a delete message to the remote peer and waits for
793: * its response. If the response comes in, or a timeout occurs,
794: * the IKE SA gets destroyed, unless force is TRUE then the IKE_SA is
795: * destroyed immediately without waiting for a response.
796: *
797: * @param force whether to immediately destroy the IKE_SA afterwards
798: * without waiting for a response
799: * @return
800: * - SUCCESS if deletion is initialized
801: * - DESTROY_ME, if destroying is forced, or the IKE_SA
802: * is not in an established state and can not be
803: * deleted (but destroyed)
804: */
805: status_t (*delete) (ike_sa_t *this, bool force);
806:
807: /**
808: * Update IKE_SAs after network interfaces have changed.
809: *
810: * Whenever the network interface configuration changes, the kernel
811: * interface calls roam() on each IKE_SA. The IKE_SA then checks if
812: * the new network config requires changes, and handles appropriate.
813: * If MOBIKE is supported, addresses are updated; If not, the tunnel is
814: * restarted.
815: *
816: * @param address TRUE if address list changed, FALSE otherwise
817: * @return SUCCESS, FAILED, DESTROY_ME
818: */
819: status_t (*roam)(ike_sa_t *this, bool address);
820:
821: /**
822: * Processes an incoming IKE message.
823: *
824: * Message processing may fail. If a critical failure occurs,
825: * process_message() return DESTROY_ME. Then the caller must
826: * destroy the IKE_SA immediately, as it is unusable.
827: *
828: * @param message message to process
829: * @return
830: * - SUCCESS
831: * - FAILED
832: * - DESTROY_ME if this IKE_SA MUST be deleted
833: */
834: status_t (*process_message)(ike_sa_t *this, message_t *message);
835:
836: /**
837: * Generate an IKE message to send it to the peer.
838: *
839: * This method generates all payloads in the message and encrypts/signs
840: * the packet.
841: *
842: * @param message message to generate
843: * @param packet generated output packet
844: * @return
845: * - SUCCESS
846: * - FAILED
847: * - DESTROY_ME if this IKE_SA MUST be deleted
848: */
849: status_t (*generate_message)(ike_sa_t *this, message_t *message,
850: packet_t **packet);
851:
852: /**
853: * Generate an IKE message to send it to the peer. If enabled and supported
854: * it will be fragmented.
855: *
856: * This method generates all payloads in the message and encrypts/signs
857: * the packet/fragments.
858: *
859: * @param message message to generate
860: * @param packets enumerator of generated packet_t* (are not destroyed
861: * with the enumerator)
862: * @return
863: * - SUCCESS
864: * - FAILED
865: * - DESTROY_ME if this IKE_SA MUST be deleted
866: */
867: status_t (*generate_message_fragmented)(ike_sa_t *this, message_t *message,
868: enumerator_t **packets);
869:
870: /**
871: * Retransmits a request.
872: *
873: * @param message_id ID of the request to retransmit
874: * @return
875: * - SUCCESS
876: * - NOT_FOUND if request doesn't have to be retransmitted
877: */
878: status_t (*retransmit) (ike_sa_t *this, uint32_t message_id);
879:
880: /**
881: * Sends a DPD request to the peer.
882: *
883: * To check if a peer is still alive, periodic
884: * empty INFORMATIONAL messages are sent if no
885: * other traffic was received.
886: *
887: * @return
888: * - SUCCESS
889: * - DESTROY_ME, if peer did not respond
890: */
891: status_t (*send_dpd) (ike_sa_t *this);
892:
893: /**
894: * Sends a keep alive packet.
895: *
896: * To refresh NAT tables in a NAT router between the peers, periodic empty
897: * UDP packets are sent if no other traffic was sent.
898: *
899: * @param scheduled if this is a scheduled keepalive
900: */
901: void (*send_keepalive) (ike_sa_t *this, bool scheduled);
902:
903: /**
904: * Redirect an active IKE_SA.
905: *
906: * @param gateway gateway ID (IP or FQDN) of the target
907: * @return state, including DESTROY_ME, if this IKE_SA MUST be
908: * destroyed
909: */
910: status_t (*redirect)(ike_sa_t *this, identification_t *gateway);
911:
912: /**
913: * Handle a redirect request.
914: *
915: * The behavior is different depending on the state of the IKE_SA.
916: *
917: * @param gateway gateway ID (IP or FQDN) of the target
918: * @return FALSE if redirect not possible, TRUE otherwise
919: */
920: bool (*handle_redirect)(ike_sa_t *this, identification_t *gateway);
921:
922: /**
923: * Get the address of the gateway that redirected us.
924: *
925: * @return original gateway address
926: */
927: host_t *(*get_redirected_from)(ike_sa_t *this);
928:
929: /**
930: * Get the keying material of this IKE_SA.
931: *
932: * @return per IKE_SA keymat instance
933: */
934: keymat_t* (*get_keymat)(ike_sa_t *this);
935:
936: /**
937: * Associates a child SA to this IKE SA
938: *
939: * @param child_sa child_sa to add
940: */
941: void (*add_child_sa) (ike_sa_t *this, child_sa_t *child_sa);
942:
943: /**
944: * Get a CHILD_SA identified by protocol and SPI.
945: *
946: * @param protocol protocol of the SA
947: * @param spi SPI of the CHILD_SA
948: * @param inbound TRUE if SPI is inbound, FALSE if outbound
949: * @return child_sa, or NULL if none found
950: */
951: child_sa_t* (*get_child_sa) (ike_sa_t *this, protocol_id_t protocol,
952: uint32_t spi, bool inbound);
953:
954: /**
955: * Get the number of CHILD_SAs.
956: *
957: * @return number of CHILD_SAs
958: */
959: int (*get_child_count) (ike_sa_t *this);
960:
961: /**
962: * Create an enumerator over all CHILD_SAs.
963: *
964: * @return enumerator
965: */
966: enumerator_t* (*create_child_sa_enumerator) (ike_sa_t *this);
967:
968: /**
969: * Remove the CHILD_SA the given enumerator points to from this IKE_SA.
970: *
971: * @param enumerator enumerator pointing to CHILD_SA
972: */
973: void (*remove_child_sa) (ike_sa_t *this, enumerator_t *enumerator);
974:
975: /**
976: * Rekey the CHILD SA with the specified reqid.
977: *
978: * Looks for a CHILD SA owned by this IKE_SA, and start the rekeing.
979: *
980: * @param protocol protocol of the SA
981: * @param spi inbound SPI of the CHILD_SA
982: * @return
983: * - NOT_FOUND, if IKE_SA has no such CHILD_SA
984: * - SUCCESS, if rekeying initiated
985: */
986: status_t (*rekey_child_sa) (ike_sa_t *this, protocol_id_t protocol, uint32_t spi);
987:
988: /**
989: * Close the CHILD SA with the specified protocol/SPI.
990: *
991: * Looks for a CHILD SA owned by this IKE_SA, deletes it and
992: * notify's the remote peer about the delete. The associated
993: * states and policies in the kernel get deleted, if they exist.
994: *
995: * @param protocol protocol of the SA
996: * @param spi inbound SPI of the CHILD_SA
997: * @param expired TRUE if CHILD_SA is expired
998: * @return
999: * - NOT_FOUND, if IKE_SA has no such CHILD_SA
1000: * - SUCCESS, if delete message sent
1001: */
1002: status_t (*delete_child_sa)(ike_sa_t *this, protocol_id_t protocol,
1003: uint32_t spi, bool expired);
1004:
1005: /**
1006: * Destroy a CHILD SA with the specified protocol/SPI.
1007: *
1008: * Looks for a CHILD SA owned by this IKE_SA and destroys it.
1009: *
1010: * @param protocol protocol of the SA
1011: * @param spi inbound SPI of the CHILD_SA
1012: * @return
1013: * - NOT_FOUND, if IKE_SA has no such CHILD_SA
1014: * - SUCCESS
1015: */
1016: status_t (*destroy_child_sa) (ike_sa_t *this, protocol_id_t protocol, uint32_t spi);
1017:
1018: /**
1019: * Rekey the IKE_SA.
1020: *
1021: * Sets up a new IKE_SA, moves all CHILD_SAs to it and deletes this IKE_SA.
1022: *
1023: * @return - SUCCESS, if IKE_SA rekeying initiated
1024: */
1025: status_t (*rekey) (ike_sa_t *this);
1026:
1027: /**
1028: * Reauthenticate the IKE_SA.
1029: *
1030: * Triggers a new IKE_SA that replaces this one. IKEv1 implicitly inherits
1031: * all Quick Modes, while IKEv2 recreates all active and queued CHILD_SAs
1032: * in the new IKE_SA.
1033: *
1034: * @return DESTROY_ME to destroy the IKE_SA
1035: */
1036: status_t (*reauth) (ike_sa_t *this);
1037:
1038: /**
1039: * Reestablish the IKE_SA.
1040: *
1041: * Reestablish an IKE_SA after it has been closed.
1042: *
1043: * @return DESTROY_ME to destroy the IKE_SA
1044: */
1045: status_t (*reestablish) (ike_sa_t *this);
1046:
1047: /**
1048: * Set the lifetime limit received/to send in a AUTH_LIFETIME notify.
1049: *
1050: * If the IKE_SA is already ESTABLISHED, an INFORMATIONAL is sent with
1051: * an AUTH_LIFETIME notify. The call never fails on unestablished SAs.
1052: *
1053: * @param lifetime lifetime in seconds
1054: * @return DESTROY_ME to destroy the IKE_SA
1055: */
1056: status_t (*set_auth_lifetime)(ike_sa_t *this, uint32_t lifetime);
1057:
1058: /**
1059: * Add a virtual IP to use for this IKE_SA and its children.
1060: *
1061: * The virtual IP is assigned per IKE_SA, not per CHILD_SA. It has the same
1062: * lifetime as the IKE_SA.
1063: *
1064: * @param local TRUE to set local address, FALSE for remote
1065: * @param ip IP to set as virtual IP
1066: */
1067: void (*add_virtual_ip) (ike_sa_t *this, bool local, host_t *ip);
1068:
1069: /**
1070: * Clear all virtual IPs stored on this IKE_SA.
1071: *
1072: * @param local TRUE to clear local addresses, FALSE for remote
1073: */
1074: void (*clear_virtual_ips) (ike_sa_t *this, bool local);
1075:
1076: /**
1077: * Get interface ID to use as default for children of this IKE_SA.
1078: *
1079: * @param inbound TRUE for inbound interface ID
1080: * @return interface ID
1081: */
1082: uint32_t (*get_if_id)(ike_sa_t *this, bool inbound);
1083:
1084: /**
1085: * Create an enumerator over virtual IPs.
1086: *
1087: * @param local TRUE to get local virtual IP, FALSE for remote
1088: * @return enumerator over host_t*
1089: */
1090: enumerator_t* (*create_virtual_ip_enumerator) (ike_sa_t *this, bool local);
1091:
1092: /**
1093: * Register a configuration attribute to the IKE_SA.
1094: *
1095: * If an IRAS sends a configuration attribute it is installed and
1096: * registered at the IKE_SA. Attributes are inherit()ed and get released
1097: * when the IKE_SA is closed.
1098: *
1099: * Unhandled attributes are passed as well, but with a NULL handler. They
1100: * do not get released.
1101: *
1102: * @param handler handler installed the attribute, use for release()
1103: * @param type configuration attribute type
1104: * @param data associated attribute data
1105: */
1106: void (*add_configuration_attribute)(ike_sa_t *this,
1107: attribute_handler_t *handler,
1108: configuration_attribute_type_t type, chunk_t data);
1109:
1110: /**
1111: * Create an enumerator over received configuration attributes.
1112: *
1113: * The resulting enumerator is over the configuration_attribute_type_t type,
1114: * a value chunk_t followed by a bool flag. The boolean flag indicates if
1115: * the attribute has been handled by an attribute handler.
1116: *
1117: * @return enumerator over type, value and the "handled" flag.
1118: */
1119: enumerator_t* (*create_attribute_enumerator)(ike_sa_t *this);
1120:
1121: /**
1122: * Set local and remote host addresses to be used for IKE.
1123: *
1124: * These addresses are communicated via the KMADDRESS field of a MIGRATE
1125: * message sent via the NETLINK or PF _KEY kernel socket interface.
1126: *
1127: * @param local local kmaddress
1128: * @param remote remote kmaddress
1129: */
1130: void (*set_kmaddress) (ike_sa_t *this, host_t *local, host_t *remote);
1131:
1132: /**
1133: * Create enumerator over a task queue of this IKE_SA.
1134: *
1135: * @param queue type to enumerate
1136: * @return enumerator over task_t
1137: */
1138: enumerator_t* (*create_task_enumerator)(ike_sa_t *this, task_queue_t queue);
1139:
1140: /**
1141: * Remove the task the given enumerator points to.
1142: *
1143: * @note This should be used with caution, in particular, for tasks in the
1144: * active and passive queues.
1145: *
1146: * @param enumerator enumerator created with the method above
1147: */
1148: void (*remove_task)(ike_sa_t *this, enumerator_t *enumerator);
1149:
1150: /**
1151: * Flush a task queue, cancelling all tasks in it.
1152: *
1153: * @param queue queue type to flush
1154: */
1155: void (*flush_queue)(ike_sa_t *this, task_queue_t queue);
1156:
1157: /**
1158: * Queue a task for initiation to the task manager.
1159: *
1160: * @param task task to queue
1161: */
1162: void (*queue_task)(ike_sa_t *this, task_t *task);
1163:
1164: /**
1165: * Queue a task in the manager, but delay its initiation for at least the
1166: * given number of seconds.
1167: *
1168: * @param task task to queue
1169: * @param delay minimum delay in s before initiating the task
1170: */
1171: void (*queue_task_delayed)(ike_sa_t *this, task_t *task, uint32_t delay);
1172:
1173: /**
1174: * Adopt child creating tasks from the given IKE_SA.
1175: *
1176: * @param other other IKE_SA to adopt tasks from
1177: */
1178: void (*adopt_child_tasks)(ike_sa_t *this, ike_sa_t *other);
1179:
1180: /**
1181: * Inherit required attributes to new SA before rekeying.
1182: *
1183: * Some properties of the SA must be applied before starting IKE_SA
1184: * rekeying, such as the configuration or support extensions.
1185: *
1186: * @param other other IKE_SA to inherit from
1187: */
1188: void (*inherit_pre)(ike_sa_t *this, ike_sa_t *other);
1189:
1190: /**
1191: * Inherit all attributes of other to this after rekeying.
1192: *
1193: * When rekeying is completed, all CHILD_SAs, the virtual IP and all
1194: * outstanding tasks are moved from other to this.
1195: *
1196: * @param other other IKE SA to inherit from
1197: */
1198: void (*inherit_post) (ike_sa_t *this, ike_sa_t *other);
1199:
1200: /**
1201: * Reset the IKE_SA, usable when initiating fails.
1202: *
1203: * @param new_spi TRUE to allocate a new initiator SPI
1204: */
1205: void (*reset) (ike_sa_t *this, bool new_spi);
1206:
1207: /**
1208: * Destroys a ike_sa_t object.
1209: */
1210: void (*destroy) (ike_sa_t *this);
1211: };
1212:
1213: /**
1214: * Creates an ike_sa_t object with a specific ID and IKE version.
1215: *
1216: * @param ike_sa_id ike_sa_id_t to associate with new IKE_SA/ISAKMP_SA
1217: * @param initiator TRUE to create this IKE_SA as initiator
1218: * @param version IKE version of this SA
1219: * @return ike_sa_t object
1220: */
1221: ike_sa_t *ike_sa_create(ike_sa_id_t *ike_sa_id, bool initiator,
1222: ike_version_t version);
1223:
1224: #endif /** IKE_SA_H_ @}*/