- improved "stroke status" output
[strongswan.git] / Source / charon / sa / ike_sa.h
1 /**
2 * @file ike_sa.h
3 *
4 * @brief Interface of ike_sa_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #ifndef IKE_SA_H_
24 #define IKE_SA_H_
25
26 #include <types.h>
27 #include <encoding/message.h>
28 #include <encoding/payloads/proposal_substructure.h>
29 #include <sa/ike_sa_id.h>
30 #include <sa/child_sa.h>
31 #include <sa/states/state.h>
32 #include <config/configuration.h>
33 #include <utils/logger.h>
34 #include <utils/randomizer.h>
35 #include <crypto/prfs/prf.h>
36 #include <crypto/crypters/crypter.h>
37 #include <crypto/signers/signer.h>
38 #include <config/connections/connection.h>
39 #include <config/policies/policy.h>
40 #include <utils/logger.h>
41
42 /**
43 * Nonce size in bytes for nonces sending to other peer.
44 *
45 * @warning Nonce size MUST be between 16 and 256 bytes.
46 *
47 * @ingroup sa
48 */
49 #define NONCE_SIZE 16
50
51
52 typedef struct ike_sa_t ike_sa_t;
53
54 /**
55 * @brief Class ike_sa_t representing an IKE_SA.
56 *
57 * An object of this type is managed by an ike_sa_manager_t object
58 * and represents an IKE_SA. Message processing is split up in different states.
59 * They will handle all related things for the state they represent.
60 *
61 * @b Constructors:
62 * - ike_sa_create()
63 *
64 * @ingroup sa
65 */
66 struct ike_sa_t {
67
68 /**
69 * @brief Processes a incoming IKEv2-Message of type message_t.
70 *
71 * @param this ike_sa_t object object
72 * @param[in] message message_t object to process
73 * @return
74 * - SUCCESS
75 * - FAILED
76 * - DELETE_ME if this IKE_SA MUST be deleted
77 */
78 status_t (*process_message) (ike_sa_t *this,message_t *message);
79
80 /**
81 * @brief Initiate a new connection with given connection_t object.
82 *
83 * The connection_t object is owned by the IKE_SA after the call, so
84 * do not modify or destroy it.
85 *
86 * @param this calling object
87 * @param connection connection to initiate
88 * @return
89 * - SUCCESS if initialization started
90 * - FAILED if in wrong state
91 * - DELETE_ME if initialization failed and IKE_SA MUST be deleted
92 */
93 status_t (*initiate_connection) (ike_sa_t *this, connection_t *connection);
94
95 /**
96 * @brief Retransmits a request.
97 *
98 * @param this calling object
99 * @param message_id ID of the request to retransmit
100 * @return
101 * - SUCCESS
102 * - NOT_FOUND if request doesn't have to be retransmited
103 */
104 status_t (*retransmit_request) (ike_sa_t *this, u_int32_t message_id);
105
106 /**
107 * @brief Sends a request to delete IKE_SA.
108 *
109 * Only supported in state IKE_SA_ESTABLISHED
110 *
111 * @param this calling object
112 */
113 void (*send_delete_ike_sa_request) (ike_sa_t *this);
114
115 /**
116 * @brief Get the id of the SA.
117 *
118 * Returned ike_sa_id_t object is not getting cloned!
119 *
120 * @param this calling object
121 * @return ike_sa's ike_sa_id_t
122 */
123 ike_sa_id_t* (*get_id) (ike_sa_t *this);
124
125 /**
126 * @brief Get local peer address of the IKE_SA.
127 *
128 * @param this calling object
129 * @return local host_t
130 */
131 host_t* (*get_my_host) (ike_sa_t *this);
132
133 /**
134 * @brief Get remote peer address of the IKE_SA.
135 *
136 * @param this calling object
137 * @return remote host_t
138 */
139 host_t* (*get_other_host) (ike_sa_t *this);
140
141 /**
142 * @brief Get own ID of the IKE_SA.
143 *
144 * @param this calling object
145 * @return local identification_t
146 */
147 identification_t* (*get_my_id) (ike_sa_t *this);
148
149 /**
150 * @brief Get remote ID the IKE_SA.
151 *
152 * @param this calling object
153 * @return remote identification_t
154 */
155 identification_t* (*get_other_id) (ike_sa_t *this);
156
157 /**
158 * @brief Get the state of type of associated state object.
159 *
160 * @param this calling object
161 * @return state of IKE_SA
162 */
163 ike_sa_state_t (*get_state) (ike_sa_t *this);
164
165 /**
166 * @brief Log the status of a the ike sa to a logger.
167 *
168 * The status of the IKE SA and all child SAs is logged.
169 * Supplying NULL as logger uses the internal child_sa logger
170 * to do the logging.
171 *
172 * @param this calling object
173 * @param logger logger to use for logging
174 */
175 void (*log_status) (ike_sa_t *this, logger_t *logger);
176
177 /**
178 * @brief Destroys a ike_sa_t object.
179 *
180 * @param this calling object
181 */
182 void (*destroy) (ike_sa_t *this);
183 };
184
185
186 typedef struct protected_ike_sa_t protected_ike_sa_t;
187
188 /**
189 * @brief Protected functions of an ike_sa_t object.
190 *
191 * This members are only accessed out from
192 * the various state_t implementations.
193 *
194 * @ingroup sa
195 */
196 struct protected_ike_sa_t {
197
198 /**
199 * Public interface of an ike_sa_t object.
200 */
201 ike_sa_t public;
202
203 /**
204 * @brief Build an empty IKEv2-Message and fills in default informations.
205 *
206 * Depending on the type of message (request or response), the message id is
207 * either message_id_out or message_id_in.
208 *
209 * Used in state_t Implementation to build an empty IKEv2-Message.
210 *
211 * @param this calling object
212 * @param type exchange type of new message
213 * @param request TRUE, if message has to be a request
214 * @param message new message is stored at this location
215 */
216 void (*build_message) (protected_ike_sa_t *this, exchange_type_t type, bool request, message_t **message);
217
218 /**
219 * @brief Get the internal stored connection_t object.
220 *
221 * @param this calling object
222 * @return pointer to the internal stored connection_t object
223 */
224 connection_t *(*get_connection) (protected_ike_sa_t *this);
225
226 /**
227 * @brief Set the internal connection object.
228 *
229 * @param this calling object
230 * @param connection object of type connection_t
231 */
232 void (*set_connection) (protected_ike_sa_t *this, connection_t *connection);
233
234 /**
235 * @brief Get the internal stored policy object.
236 *
237 * @param this calling object
238 * @return pointer to the internal stored policy_t object
239 */
240 policy_t *(*get_policy) (protected_ike_sa_t *this);
241
242 /**
243 * @brief Set the internal policy_t object.
244 *
245 * @param this calling object
246 * @param policy object of type policy_t
247 */
248 void (*set_policy) (protected_ike_sa_t *this,policy_t *policy);
249
250 /**
251 * @brief Derive all keys and create the transforms for IKE communication.
252 *
253 * Keys are derived using the diffie hellman secret, nonces and internal
254 * stored SPIs.
255 * Allready existing objects get destroyed.
256 *
257 * @param this calling object
258 * @param proposal proposal which contains algorithms to use
259 * @param dh diffie hellman object with shared secret
260 * @param nonce_i initiators nonce
261 * @param nonce_r responders nonce
262 */
263 status_t (*build_transforms) (protected_ike_sa_t *this, proposal_t* proposal,
264 diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r);
265
266 /**
267 * @brief Send the next request message.
268 *
269 * Also the first retransmit job is created.
270 *
271 * Last stored requested message gets destroyed. Object gets not cloned!
272 *
273 * @param this calling object
274 * @param message pointer to the message which should be sent
275 * @return
276 * - SUCCESS
277 * - FAILED if message id is not next expected one
278 */
279 status_t (*send_request) (protected_ike_sa_t *this,message_t * message);
280
281 /**
282 * @brief Send the next response message.
283 *
284 * Last stored responded message gets destroyed. Object gets not cloned!
285 *
286 * @param this calling object
287 * @param message pointer to the message which should be sent
288 * return
289 * - SUCCESS
290 * - FAILED if message id is not next expected one
291 */
292 status_t (*send_response) (protected_ike_sa_t *this,message_t * message);
293
294 /**
295 * @brief Send a notify reply message.
296 *
297 * @param this calling object
298 * @param exchange_type type of exchange in which the notify should be wrapped
299 * @param type type of the notify message to send
300 * @param data notification data
301 */
302 void (*send_notify) (protected_ike_sa_t *this, exchange_type_t exchange_type, notify_message_type_t type, chunk_t data);
303
304 /**
305 * @brief Get the internal stored randomizer_t object.
306 *
307 * @param this calling object
308 * @return pointer to the internal randomizer_t object
309 */
310 randomizer_t *(*get_randomizer) (protected_ike_sa_t *this);
311
312 /**
313 * @brief Set the new state_t object of the IKE_SA object.
314 *
315 * The old state_t object gets not destroyed. It's the callers duty to
316 * make sure old state is destroyed (Normally the old state is the caller).
317 *
318 * @param this calling object
319 * @param state pointer to the new state_t object
320 */
321 void (*set_new_state) (protected_ike_sa_t *this,state_t *state);
322
323 /**
324 * @brief Set the last replied message id.
325 *
326 * @param this calling object
327 * @param message_id message id
328 */
329 void (*set_last_replied_message_id) (protected_ike_sa_t *this,u_int32_t message_id);
330
331 /**
332 * @brief Get the internal stored initiator crypter_t object.
333 *
334 * @param this calling object
335 * @return pointer to crypter_t object
336 */
337 crypter_t *(*get_crypter_initiator) (protected_ike_sa_t *this);
338
339 /**
340 * @brief Get the internal stored initiator signer_t object.
341 *
342 * @param this calling object
343 * @return pointer to signer_t object
344 */
345 signer_t *(*get_signer_initiator) (protected_ike_sa_t *this);
346
347 /**
348 * @brief Get the internal stored responder crypter_t object.
349 *
350 * @param this calling object
351 * @return pointer to crypter_t object
352 */
353 crypter_t *(*get_crypter_responder) (protected_ike_sa_t *this);
354
355 /**
356 * @brief Get the internal stored responder signer object.
357 *
358 * @param this calling object
359 * @return pointer to signer_t object
360 */
361 signer_t *(*get_signer_responder) (protected_ike_sa_t *this);
362
363 /**
364 * @brief Get the multi purpose prf.
365 *
366 * @param this calling object
367 * @return pointer to prf_t object
368 */
369 prf_t *(*get_prf) (protected_ike_sa_t *this);
370
371 /**
372 * @brief Get the prf-object, which is used to derive keys for child SAs.
373 *
374 * @param this calling object
375 * @return pointer to prf_t object
376 */
377 prf_t *(*get_child_prf) (protected_ike_sa_t *this);
378
379 /**
380 * @brief Get the prf used for authentication of initiator.
381 *
382 * @param this calling object
383 * @return pointer to prf_t object
384 */
385 prf_t *(*get_prf_auth_i) (protected_ike_sa_t *this);
386
387 /**
388 * @brief Get the prf used for authentication of responder.
389 *
390 * @param this calling object
391 * @return pointer to prf_t object
392 */
393 prf_t *(*get_prf_auth_r) (protected_ike_sa_t *this);
394
395 /**
396 * @brief Associates a child SA to this IKE SA
397 *
398 * @param this calling object
399 * @param child_sa child_sa to add
400 */
401 void (*add_child_sa) (protected_ike_sa_t *this, child_sa_t *child_sa);
402
403 /**
404 * @brief Get the last responded message.
405 *
406 * @param this calling object
407 * @return
408 * - last received as message_t object
409 * - NULL if no last request available
410 */
411 message_t *(*get_last_responded_message) (protected_ike_sa_t *this);
412
413 /**
414 * @brief Get the last requested message.
415 *
416 * @param this calling object
417 * @return
418 * - last sent as message_t object
419 * - NULL if no last request available
420 */
421 message_t *(*get_last_requested_message) (protected_ike_sa_t *this);
422
423 /**
424 * @brief Resets message counters and does destroy stored received and sent messages.
425 *
426 * @param this calling object
427 */
428 void (*reset_message_buffers) (protected_ike_sa_t *this);
429 };
430
431
432 /**
433 * @brief Creates an ike_sa_t object with a specific ID.
434 *
435 * @warning the Content of internal ike_sa_id_t object can change over time
436 * e.g. when a IKE_SA_INIT has been finished.
437 *
438 * @param[in] ike_sa_id ike_sa_id_t object to associate with new IKE_SA.
439 * The object is internal getting cloned
440 * and so has to be destroyed by the caller.
441 * @return ike_sa_t object
442 *
443 * @ingroup sa
444 */
445 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id);
446
447 #endif /*IKE_SA_H_*/