8b58bfe68d0af5da3bbe7ae0e7c6ceb8100f2451
[strongswan.git] / Source / charon / sa / ike_sa.h
1 /**
2 * @file ike_sa.h
3 *
4 * @brief Interface of ike_sa_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #ifndef IKE_SA_H_
24 #define IKE_SA_H_
25
26 #include <types.h>
27 #include <encoding/message.h>
28 #include <encoding/payloads/proposal_substructure.h>
29 #include <sa/ike_sa_id.h>
30 #include <sa/child_sa.h>
31 #include <sa/states/state.h>
32 #include <config/configuration.h>
33 #include <utils/logger.h>
34 #include <utils/randomizer.h>
35 #include <crypto/prfs/prf.h>
36 #include <crypto/crypters/crypter.h>
37 #include <crypto/signers/signer.h>
38 #include <config/connections/connection.h>
39 #include <config/policies/policy.h>
40
41 /**
42 * Nonce size in bytes for nonces sending to other peer.
43 *
44 * @warning Nonce size MUST be between 16 and 256 bytes.
45 *
46 * @ingroup sa
47 */
48 #define NONCE_SIZE 16
49
50
51 typedef struct ike_sa_t ike_sa_t;
52
53 /**
54 * @brief Class ike_sa_t representing an IKE_SA.
55 *
56 * An object of this type is managed by an ike_sa_manager_t object
57 * and represents an IKE_SA. Message processing is split up in different states.
58 * They will handle all related things for the state they represent.
59 *
60 * @b Constructors:
61 * - ike_sa_create()
62 *
63 * @ingroup sa
64 */
65 struct ike_sa_t {
66
67 /**
68 * @brief Processes a incoming IKEv2-Message of type message_t.
69 *
70 * @param this ike_sa_t object object
71 * @param[in] message message_t object to process
72 * @return
73 * - SUCCESS
74 * - FAILED
75 * - DELETE_ME if this IKE_SA MUST be deleted
76 */
77 status_t (*process_message) (ike_sa_t *this,message_t *message);
78
79 /**
80 * @brief Initiate a new connection with given connection_t object.
81 *
82 * The connection_t object is owned by the IKE_SA after the call, so
83 * do not modify or destroy it.
84 *
85 * @param this calling object
86 * @param connection connection to initiate
87 * @return
88 * - SUCCESS if initialization started
89 * - FAILED if in wrong state
90 * - DELETE_ME if initialization failed and IKE_SA MUST be deleted
91 */
92 status_t (*initiate_connection) (ike_sa_t *this, connection_t *connection);
93
94 /**
95 * @brief Retransmits a request.
96 *
97 * @param this calling object
98 * @param message_id ID of the request to retransmit
99 * @return
100 * - SUCCESS
101 * - NOT_FOUND if request doesn't have to be retransmited
102 */
103 status_t (*retransmit_request) (ike_sa_t *this, u_int32_t message_id);
104
105 /**
106 * @brief Sends a request to delete IKE_SA.
107 *
108 * Only supported in state IKE_SA_ESTABLISHED
109 *
110 * @param this calling object
111 */
112 void (*send_delete_ike_sa_request) (ike_sa_t *this);
113
114 /**
115 * @brief Get the id of the SA.
116 *
117 * Returned ike_sa_id_t object is not getting cloned!
118 *
119 * @param this calling object
120 * @return ike_sa's ike_sa_id_t
121 */
122 ike_sa_id_t* (*get_id) (ike_sa_t *this);
123
124 /**
125 * @brief Get local peer address of the IKE_SA.
126 *
127 * @param this calling object
128 * @return local host_t
129 */
130 host_t* (*get_my_host) (ike_sa_t *this);
131
132 /**
133 * @brief Get remote peer address of the IKE_SA.
134 *
135 * @param this calling object
136 * @return remote host_t
137 */
138 host_t* (*get_other_host) (ike_sa_t *this);
139
140 /**
141 * @brief Get own ID of the IKE_SA.
142 *
143 * @param this calling object
144 * @return local identification_t
145 */
146 identification_t* (*get_my_id) (ike_sa_t *this);
147
148 /**
149 * @brief Get remote ID the IKE_SA.
150 *
151 * @param this calling object
152 * @return remote identification_t
153 */
154 identification_t* (*get_other_id) (ike_sa_t *this);
155
156 /**
157 * @brief Get the state of type of associated state object.
158 *
159 * @param this calling object
160 * @return state of IKE_SA
161 */
162 ike_sa_state_t (*get_state) (ike_sa_t *this);
163
164 /**
165 * @brief Destroys a ike_sa_t object.
166 *
167 * @param this calling object
168 */
169 void (*destroy) (ike_sa_t *this);
170 };
171
172
173 typedef struct protected_ike_sa_t protected_ike_sa_t;
174
175 /**
176 * @brief Protected functions of an ike_sa_t object.
177 *
178 * This members are only accessed out from
179 * the various state_t implementations.
180 *
181 * @ingroup sa
182 */
183 struct protected_ike_sa_t {
184
185 /**
186 * Public interface of an ike_sa_t object.
187 */
188 ike_sa_t public;
189
190 /**
191 * @brief Build an empty IKEv2-Message and fills in default informations.
192 *
193 * Depending on the type of message (request or response), the message id is
194 * either message_id_out or message_id_in.
195 *
196 * Used in state_t Implementation to build an empty IKEv2-Message.
197 *
198 * @param this calling object
199 * @param type exchange type of new message
200 * @param request TRUE, if message has to be a request
201 * @param message new message is stored at this location
202 */
203 void (*build_message) (protected_ike_sa_t *this, exchange_type_t type, bool request, message_t **message);
204
205 /**
206 * @brief Get the internal stored connection_t object.
207 *
208 * @param this calling object
209 * @return pointer to the internal stored connection_t object
210 */
211 connection_t *(*get_connection) (protected_ike_sa_t *this);
212
213 /**
214 * @brief Set the internal connection object.
215 *
216 * @param this calling object
217 * @param connection object of type connection_t
218 */
219 void (*set_connection) (protected_ike_sa_t *this, connection_t *connection);
220
221 /**
222 * @brief Get the internal stored policy object.
223 *
224 * @param this calling object
225 * @return pointer to the internal stored policy_t object
226 */
227 policy_t *(*get_policy) (protected_ike_sa_t *this);
228
229 /**
230 * @brief Set the internal policy_t object.
231 *
232 * @param this calling object
233 * @param policy object of type policy_t
234 */
235 void (*set_policy) (protected_ike_sa_t *this,policy_t *policy);
236
237 /**
238 * @brief Derive all keys and create the transforms for IKE communication.
239 *
240 * Keys are derived using the diffie hellman secret, nonces and internal
241 * stored SPIs.
242 * Allready existing objects get destroyed.
243 *
244 * @param this calling object
245 * @param proposal proposal which contains algorithms to use
246 * @param dh diffie hellman object with shared secret
247 * @param nonce_i initiators nonce
248 * @param nonce_r responders nonce
249 */
250 status_t (*build_transforms) (protected_ike_sa_t *this, proposal_t* proposal,
251 diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r);
252
253 /**
254 * @brief Send the next request message.
255 *
256 * Also the first retransmit job is created.
257 *
258 * Last stored requested message gets destroyed. Object gets not cloned!
259 *
260 * @param this calling object
261 * @param message pointer to the message which should be sent
262 * @return
263 * - SUCCESS
264 * - FAILED if message id is not next expected one
265 */
266 status_t (*send_request) (protected_ike_sa_t *this,message_t * message);
267
268 /**
269 * @brief Send the next response message.
270 *
271 * Last stored responded message gets destroyed. Object gets not cloned!
272 *
273 * @param this calling object
274 * @param message pointer to the message which should be sent
275 * return
276 * - SUCCESS
277 * - FAILED if message id is not next expected one
278 */
279 status_t (*send_response) (protected_ike_sa_t *this,message_t * message);
280
281 /**
282 * @brief Send a notify reply message.
283 *
284 * @param this calling object
285 * @param exchange_type type of exchange in which the notify should be wrapped
286 * @param type type of the notify message to send
287 * @param data notification data
288 */
289 void (*send_notify) (protected_ike_sa_t *this, exchange_type_t exchange_type, notify_message_type_t type, chunk_t data);
290
291 /**
292 * @brief Get the internal stored randomizer_t object.
293 *
294 * @param this calling object
295 * @return pointer to the internal randomizer_t object
296 */
297 randomizer_t *(*get_randomizer) (protected_ike_sa_t *this);
298
299 /**
300 * @brief Set the new state_t object of the IKE_SA object.
301 *
302 * The old state_t object gets not destroyed. It's the callers duty to
303 * make sure old state is destroyed (Normally the old state is the caller).
304 *
305 * @param this calling object
306 * @param state pointer to the new state_t object
307 */
308 void (*set_new_state) (protected_ike_sa_t *this,state_t *state);
309
310 /**
311 * @brief Set the last replied message id.
312 *
313 * @param this calling object
314 * @param message_id message id
315 */
316 void (*set_last_replied_message_id) (protected_ike_sa_t *this,u_int32_t message_id);
317
318 /**
319 * @brief Get the internal stored initiator crypter_t object.
320 *
321 * @param this calling object
322 * @return pointer to crypter_t object
323 */
324 crypter_t *(*get_crypter_initiator) (protected_ike_sa_t *this);
325
326 /**
327 * @brief Get the internal stored initiator signer_t object.
328 *
329 * @param this calling object
330 * @return pointer to signer_t object
331 */
332 signer_t *(*get_signer_initiator) (protected_ike_sa_t *this);
333
334 /**
335 * @brief Get the internal stored responder crypter_t object.
336 *
337 * @param this calling object
338 * @return pointer to crypter_t object
339 */
340 crypter_t *(*get_crypter_responder) (protected_ike_sa_t *this);
341
342 /**
343 * @brief Get the internal stored responder signer object.
344 *
345 * @param this calling object
346 * @return pointer to signer_t object
347 */
348 signer_t *(*get_signer_responder) (protected_ike_sa_t *this);
349
350 /**
351 * @brief Get the multi purpose prf.
352 *
353 * @param this calling object
354 * @return pointer to prf_t object
355 */
356 prf_t *(*get_prf) (protected_ike_sa_t *this);
357
358 /**
359 * @brief Get the prf-object, which is used to derive keys for child SAs.
360 *
361 * @param this calling object
362 * @return pointer to prf_t object
363 */
364 prf_t *(*get_child_prf) (protected_ike_sa_t *this);
365
366 /**
367 * @brief Get the prf used for authentication of initiator.
368 *
369 * @param this calling object
370 * @return pointer to prf_t object
371 */
372 prf_t *(*get_prf_auth_i) (protected_ike_sa_t *this);
373
374 /**
375 * @brief Get the prf used for authentication of responder.
376 *
377 * @param this calling object
378 * @return pointer to prf_t object
379 */
380 prf_t *(*get_prf_auth_r) (protected_ike_sa_t *this);
381
382 /**
383 * @brief Associates a child SA to this IKE SA
384 *
385 * @param this calling object
386 * @param child_sa child_sa to add
387 */
388 void (*add_child_sa) (protected_ike_sa_t *this, child_sa_t *child_sa);
389
390 /**
391 * @brief Get the last responded message.
392 *
393 * @param this calling object
394 * @return
395 * - last received as message_t object
396 * - NULL if no last request available
397 */
398 message_t *(*get_last_responded_message) (protected_ike_sa_t *this);
399
400 /**
401 * @brief Get the last requested message.
402 *
403 * @param this calling object
404 * @return
405 * - last sent as message_t object
406 * - NULL if no last request available
407 */
408 message_t *(*get_last_requested_message) (protected_ike_sa_t *this);
409
410 /**
411 * @brief Resets message counters and does destroy stored received and sent messages.
412 *
413 * @param this calling object
414 */
415 void (*reset_message_buffers) (protected_ike_sa_t *this);
416 };
417
418
419 /**
420 * @brief Creates an ike_sa_t object with a specific ID.
421 *
422 * @warning the Content of internal ike_sa_id_t object can change over time
423 * e.g. when a IKE_SA_INIT has been finished.
424 *
425 * @param[in] ike_sa_id ike_sa_id_t object to associate with new IKE_SA.
426 * The object is internal getting cloned
427 * and so has to be destroyed by the caller.
428 * @return ike_sa_t object
429 *
430 * @ingroup sa
431 */
432 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id);
433
434 #endif /*IKE_SA_H_*/