Annotation of embedaddon/strongswan/src/libcharon/sa/ike_sa_manager.h, revision 1.1
1.1 ! misho 1: /*
! 2: * Copyright (C) 2008-2017 Tobias Brunner
! 3: * Copyright (C) 2005-2008 Martin Willi
! 4: * Copyright (C) 2005 Jan Hutter
! 5: * HSR Hochschule fuer Technik Rapperswil
! 6: *
! 7: * This program is free software; you can redistribute it and/or modify it
! 8: * under the terms of the GNU General Public License as published by the
! 9: * Free Software Foundation; either version 2 of the License, or (at your
! 10: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
! 11: *
! 12: * This program is distributed in the hope that it will be useful, but
! 13: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
! 14: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
! 15: * for more details.
! 16: */
! 17:
! 18: /**
! 19: * @defgroup ike_sa_manager ike_sa_manager
! 20: * @{ @ingroup sa
! 21: */
! 22:
! 23: #ifndef IKE_SA_MANAGER_H_
! 24: #define IKE_SA_MANAGER_H_
! 25:
! 26: typedef struct ike_sa_manager_t ike_sa_manager_t;
! 27:
! 28: #include <library.h>
! 29: #include <sa/ike_sa.h>
! 30: #include <encoding/message.h>
! 31: #include <config/peer_cfg.h>
! 32:
! 33: /**
! 34: * Callback called to generate an IKE SPI.
! 35: *
! 36: * This may be called from multiple threads concurrently.
! 37: *
! 38: * @param data data supplied during registration of the callback
! 39: * @return allocated SPI, 0 on failure
! 40: */
! 41: typedef uint64_t (*spi_cb_t)(void *data);
! 42:
! 43: /**
! 44: * Manages and synchronizes access to all IKE_SAs.
! 45: *
! 46: * To synchronize access to thread-unsave IKE_SAs, they are checked out for
! 47: * use and checked in afterwards. A checked out SA is exclusively accessible
! 48: * by the owning thread.
! 49: */
! 50: struct ike_sa_manager_t {
! 51:
! 52: /**
! 53: * Checkout an existing IKE_SA.
! 54: *
! 55: * @param ike_sa_id the SA identifier, will be updated
! 56: * @returns
! 57: * - checked out IKE_SA if found
! 58: * - NULL, if specified IKE_SA is not found.
! 59: */
! 60: ike_sa_t* (*checkout) (ike_sa_manager_t* this, ike_sa_id_t *sa_id);
! 61:
! 62: /**
! 63: * Create and check out a new IKE_SA.
! 64: *
! 65: * @param version IKE version of this SA
! 66: * @param initiator TRUE for initiator, FALSE otherwise
! 67: * @returns created and checked out IKE_SA
! 68: */
! 69: ike_sa_t* (*checkout_new) (ike_sa_manager_t* this, ike_version_t version,
! 70: bool initiator);
! 71:
! 72: /**
! 73: * Checkout an IKE_SA by a message.
! 74: *
! 75: * In some situations, it is necessary that the manager knows the
! 76: * message to use for the checkout. This has the following reasons:
! 77: *
! 78: * 1. If the targeted IKE_SA is already processing a message, we do not
! 79: * check it out if the message ID is the same.
! 80: * 2. If it is an IKE_SA_INIT request, we have to check if it is a
! 81: * retransmission. If so, we have to drop the message, we would
! 82: * create another unneeded IKE_SA for each retransmitted packet.
! 83: *
! 84: * A call to checkout_by_message() returns a (maybe new created) IKE_SA.
! 85: * If processing the message does not make sense (for the reasons above),
! 86: * NULL is returned.
! 87: *
! 88: * @param ike_sa_id the SA identifier, will be updated
! 89: * @returns
! 90: * - checked out/created IKE_SA
! 91: * - NULL to not process message further
! 92: */
! 93: ike_sa_t* (*checkout_by_message) (ike_sa_manager_t* this, message_t *message);
! 94:
! 95: /**
! 96: * Checkout an IKE_SA for initiation by a peer_config.
! 97: *
! 98: * To initiate, a CHILD_SA may be established within an existing IKE_SA.
! 99: * This call checks for an existing IKE_SA by comparing the configuration.
! 100: * If the CHILD_SA can be created in an existing IKE_SA, the matching SA
! 101: * is returned.
! 102: * If no IKE_SA is found, a new one is created. This is also the case when
! 103: * the found IKE_SA is in the DELETING state.
! 104: *
! 105: * @param peer_cfg configuration used to find an existing IKE_SA
! 106: * @return checked out/created IKE_SA
! 107: */
! 108: ike_sa_t* (*checkout_by_config) (ike_sa_manager_t* this,
! 109: peer_cfg_t *peer_cfg);
! 110:
! 111: /**
! 112: * Reset initiator SPI.
! 113: *
! 114: * Allocate a new initiator SPI for the given IKE_SA in state IKE_CONNECTING
! 115: * and update internal data.
! 116: *
! 117: * @param ike_sa IKE_SA to update
! 118: * @return TRUE if SPI successfully changed
! 119: */
! 120: bool (*new_initiator_spi)(ike_sa_manager_t* this, ike_sa_t *ike_sa);
! 121:
! 122: /**
! 123: * Check for duplicates of the given IKE_SA.
! 124: *
! 125: * Measures are taken according to the uniqueness policy of the IKE_SA.
! 126: * The return value indicates whether duplicates have been found and if
! 127: * further measures should be taken (e.g. cancelling an IKE_AUTH exchange).
! 128: * check_uniqueness() must be called before the IKE_SA is complete,
! 129: * deadlocks occur otherwise.
! 130: *
! 131: * @param ike_sa ike_sa to check
! 132: * @param force_replace replace existing SAs, regardless of unique policy
! 133: * @return TRUE, if the given IKE_SA has duplicates and
! 134: * should be deleted
! 135: */
! 136: bool (*check_uniqueness)(ike_sa_manager_t *this, ike_sa_t *ike_sa,
! 137: bool force_replace);
! 138:
! 139: /**
! 140: * Check if we already have a connected IKE_SA between two identities.
! 141: *
! 142: * @param me own identity
! 143: * @param other remote identity
! 144: * @param family address family to include in uniqueness check
! 145: * @return TRUE if we have a connected IKE_SA
! 146: */
! 147: bool (*has_contact)(ike_sa_manager_t *this, identification_t *me,
! 148: identification_t *other, int family);
! 149:
! 150: /**
! 151: * Check out an IKE_SA a unique ID.
! 152: *
! 153: * Every IKE_SA is uniquely identified by a numerical ID. This checkout
! 154: * function uses the unique ID of the IKE_SA to check it out.
! 155: *
! 156: * @param id unique ID of the object
! 157: * @return
! 158: * - checked out IKE_SA, if found
! 159: * - NULL, if not found
! 160: */
! 161: ike_sa_t* (*checkout_by_id) (ike_sa_manager_t* this, uint32_t id);
! 162:
! 163: /**
! 164: * Check out an IKE_SA by the policy/connection name.
! 165: *
! 166: * Check out the IKE_SA by the configuration name, either from the IKE- or
! 167: * one of its CHILD_SAs.
! 168: *
! 169: * @param name name of the connection/policy
! 170: * @param child TRUE to use policy name, FALSE to use conn name
! 171: * @return
! 172: * - checked out IKE_SA, if found
! 173: * - NULL, if not found
! 174: */
! 175: ike_sa_t* (*checkout_by_name) (ike_sa_manager_t* this, char *name,
! 176: bool child);
! 177:
! 178: /**
! 179: * Create an enumerator over all stored IKE_SAs.
! 180: *
! 181: * While enumerating an IKE_SA, it is temporarily checked out and
! 182: * automatically checked in after the current enumeration step.
! 183: *
! 184: * @param wait TRUE to wait for checked out SAs, FALSE to skip
! 185: * @return enumerator over all IKE_SAs.
! 186: */
! 187: enumerator_t *(*create_enumerator) (ike_sa_manager_t* this, bool wait);
! 188:
! 189: /**
! 190: * Create an enumerator over ike_sa_id_t*, matching peer identities.
! 191: *
! 192: * The remote peer is identified by its XAuth or EAP identity, if available.
! 193: *
! 194: * @param me local peer identity to match
! 195: * @param other remote peer identity to match
! 196: * @param family address family to match, 0 for any
! 197: * @return enumerator over ike_sa_id_t*
! 198: */
! 199: enumerator_t* (*create_id_enumerator)(ike_sa_manager_t *this,
! 200: identification_t *me, identification_t *other,
! 201: int family);
! 202:
! 203: /**
! 204: * Checkin the SA after usage.
! 205: *
! 206: * If the IKE_SA is not registered in the manager, a new entry is created.
! 207: *
! 208: * @param ike_sa_id the SA identifier, will be updated
! 209: * @param ike_sa checked out SA
! 210: */
! 211: void (*checkin) (ike_sa_manager_t* this, ike_sa_t *ike_sa);
! 212:
! 213: /**
! 214: * Destroy a checked out SA.
! 215: *
! 216: * The IKE SA is destroyed without notification of the remote peer.
! 217: * Use this only if the other peer doesn't respond or behaves not
! 218: * as predicted.
! 219: * Checking in and destruction is an atomic operation (for the IKE_SA),
! 220: * so this can be called if the SA is in a "unclean" state, without the
! 221: * risk that another thread can get the SA.
! 222: *
! 223: * @param ike_sa SA to delete
! 224: */
! 225: void (*checkin_and_destroy) (ike_sa_manager_t* this, ike_sa_t *ike_sa);
! 226:
! 227: /**
! 228: * Get the number of IKE_SAs currently registered.
! 229: *
! 230: * @return number of registered IKE_SAs
! 231: */
! 232: u_int (*get_count)(ike_sa_manager_t *this);
! 233:
! 234: /**
! 235: * Get the number of IKE_SAs which are in the connecting state.
! 236: *
! 237: * To prevent the server from resource exhaustion, cookies and other
! 238: * mechanisms are used. The number of half open IKE_SAs is a good
! 239: * indicator to see if a peer is flooding the server.
! 240: * If a host is supplied, only the number of half open IKE_SAs with this IP
! 241: * are counted.
! 242: *
! 243: * @param ip NULL for all, IP for half open IKE_SAs with IP
! 244: * @param responder_only TRUE to return only the number of responding SAs
! 245: * @return number of half open IKE_SAs
! 246: */
! 247: u_int (*get_half_open_count)(ike_sa_manager_t *this, host_t *ip,
! 248: bool responder_only);
! 249:
! 250: /**
! 251: * Set the callback to generate IKE SPIs
! 252: *
! 253: * @param callback callback to register
! 254: * @param data data provided to callback
! 255: */
! 256: void (*set_spi_cb)(ike_sa_manager_t *this, spi_cb_t callback,
! 257: void *data);
! 258:
! 259: /**
! 260: * Delete all existing IKE_SAs and destroy them immediately.
! 261: *
! 262: * Threads will be driven out, so all SAs can be deleted cleanly.
! 263: * To a flush(), an immediate call to destroy() is mandatory; no other
! 264: * method may be used.
! 265: */
! 266: void (*flush)(ike_sa_manager_t *this);
! 267:
! 268: /**
! 269: * Destroys the manager with all associated SAs.
! 270: *
! 271: * A call to flush() is required before calling destroy.
! 272: */
! 273: void (*destroy) (ike_sa_manager_t *this);
! 274: };
! 275:
! 276: /**
! 277: * Create the IKE_SA manager.
! 278: *
! 279: * @returns ike_sa_manager_t object, NULL if initialization fails
! 280: */
! 281: ike_sa_manager_t *ike_sa_manager_create(void);
! 282:
! 283: #endif /** IKE_SA_MANAGER_H_ @}*/
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>
![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to ike_sa_manager.h CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / libcharon / sa