- working policy installation and removal
[strongswan.git] / Source / charon / sa / ike_sa.h
1 /**
2 * @file ike_sa.h
3 *
4 * @brief Interface of ike_sa_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #ifndef IKE_SA_H_
24 #define IKE_SA_H_
25
26 #include <types.h>
27 #include <encoding/message.h>
28 #include <encoding/payloads/proposal_substructure.h>
29 #include <sa/ike_sa_id.h>
30 #include <sa/child_sa.h>
31 #include <sa/states/state.h>
32 #include <config/configuration_manager.h>
33 #include <utils/logger.h>
34 #include <utils/randomizer.h>
35 #include <transforms/prfs/prf.h>
36 #include <transforms/crypters/crypter.h>
37 #include <transforms/signers/signer.h>
38
39 /**
40 * Nonce size in bytes for nonces sending to other peer.
41 *
42 * @warning Nonce size MUST be between 16 and 256 bytes.
43 *
44 * @ingroup sa
45 */
46 #define NONCE_SIZE 16
47
48
49 typedef struct ike_sa_t ike_sa_t;
50
51 /**
52 * @brief Class ike_sa_t representing an IKE_SA.
53 *
54 * An object of this type is managed by an ike_sa_manager_t object
55 * and represents an IKE_SA. Message processing is split up in different states.
56 * They will handle all related things for the state they represent.
57 *
58 * @b Constructors:
59 * - ike_sa_create()
60 *
61 * @ingroup sa
62 */
63 struct ike_sa_t {
64
65 /**
66 * @brief Processes a incoming IKEv2-Message of type message_t.
67 *
68 * @param this ike_sa_t object object
69 * @param[in] message message_t object to process
70 * @return
71 * - SUCCESS
72 * - FAILED
73 * - DELETE_ME if this IKE_SA MUST be deleted
74 */
75 status_t (*process_message) (ike_sa_t *this,message_t *message);
76
77 /**
78 * @brief Initiate a new connection with given configuration name.
79 *
80 * @param this calling object
81 * @param name name of the configuration
82 * @return
83 * - SUCCESS if initialization started
84 * - FAILED if in wrong state
85 * - DELETE_ME if initialization failed and IKE_SA MUST be deleted
86 */
87 status_t (*initialize_connection) (ike_sa_t *this, char *name);
88
89 /**
90 * @brief Retransmits a request.
91 *
92 * @param this calling object
93 * @param message_id ID of the request to retransmit
94 * @return
95 * - SUCCESS
96 * - NOT_FOUND if request doesn't have to be retransmited
97 */
98 status_t (*retransmit_request) (ike_sa_t *this, u_int32_t message_id);
99
100 /**
101 * @brief Sends a request to delete IKE_SA.
102 *
103 * Only supported in state IKE_SA_ESTABLISHED
104 *
105 * @param this calling object
106 */
107 void (*send_delete_ike_sa_request) (ike_sa_t *this);
108
109 /**
110 * @brief Get the id of the SA.
111 *
112 * Returned ike_sa_id_t object is not getting cloned!
113 *
114 * @param this calling object
115 * @return ike_sa's ike_sa_id_t
116 */
117 ike_sa_id_t* (*get_id) (ike_sa_t *this);
118
119 /**
120 * @brief Get the state of type of associated state object.
121 *
122 * @param this calling object
123 * @return state of IKE_SA
124 */
125 ike_sa_state_t (*get_state) (ike_sa_t *this);
126
127 /**
128 * @brief Destroys a ike_sa_t object.
129 *
130 * @param this calling object
131 */
132 void (*destroy) (ike_sa_t *this);
133 };
134
135
136 typedef struct protected_ike_sa_t protected_ike_sa_t;
137
138 /**
139 * @brief Protected functions of an ike_sa_t object.
140 *
141 * This members are only accessed out from
142 * the various state_t implementations.
143 *
144 * @ingroup sa
145 */
146 struct protected_ike_sa_t {
147
148 /**
149 * Public interface of an ike_sa_t object.
150 */
151 ike_sa_t public;
152
153 /**
154 * @brief Build an empty IKEv2-Message and fills in default informations.
155 *
156 * Depending on the type of message (request or response), the message id is
157 * either message_id_out or message_id_in.
158 *
159 * Used in state_t Implementation to build an empty IKEv2-Message.
160 *
161 * @param this calling object
162 * @param type exchange type of new message
163 * @param request TRUE, if message has to be a request
164 * @param message new message is stored at this location
165 */
166 void (*build_message) (protected_ike_sa_t *this, exchange_type_t type, bool request, message_t **message);
167
168 /**
169 * @brief Get the internal stored logger_t object for given ike_sa_t object.
170 *
171 * @warning Returned logger_t object is original one and managed by this object.
172 *
173 * @param this calling object
174 * @return pointer to the internal stored logger_t object
175 */
176 logger_t *(*get_logger) (protected_ike_sa_t *this);
177
178 /**
179 * @brief Get the internal stored init_config_t object.
180 *
181 * @param this calling object
182 * @return pointer to the internal stored init_config_t object
183 */
184 init_config_t *(*get_init_config) (protected_ike_sa_t *this);
185
186 /**
187 * @brief Set the internal init_config_t object.
188 *
189 * @param this calling object
190 * @param init_config object of type init_config_t
191 */
192 void (*set_init_config) (protected_ike_sa_t *this,init_config_t *init_config);
193
194 /**
195 * @brief Get the internal stored sa_config_t object.
196 *
197 * @param this calling object
198 * @return pointer to the internal stored sa_config_t object
199 */
200 sa_config_t *(*get_sa_config) (protected_ike_sa_t *this);
201
202 /**
203 * @brief Set the internal sa_config_t object.
204 *
205 * @param this calling object
206 * @param sa_config object of type sa_config_t
207 */
208 void (*set_sa_config) (protected_ike_sa_t *this,sa_config_t *sa_config);
209
210 /**
211 * @brief Get the internal stored host_t object for my host.
212 *
213 * @param this calling object
214 * @return pointer to the internal stored host_t object
215 */
216 host_t *(*get_my_host) (protected_ike_sa_t *this);
217
218 /**
219 * @brief Get the internal stored host_t object for other host.
220 *
221 * @param this calling object
222 * @return pointer to the internal stored host_t object
223 */
224 host_t *(*get_other_host) (protected_ike_sa_t *this);
225
226 /**
227 * @brief Set the internal stored host_t object for my host.
228 *
229 * Allready existing object gets destroyed. object gets not cloned!
230 *
231 * @param this calling object
232 * @param my_host pointer to the new host_t object
233 */
234 void (*set_my_host) (protected_ike_sa_t *this,host_t * my_host);
235
236 /**
237 * @brief Set the internal stored host_t object for other host.
238 *
239 * Allready existing object gets destroyed. object gets not cloned!
240 *
241 * @param this calling object
242 * @param other_host pointer to the new host_t object
243 */
244 void (*set_other_host) (protected_ike_sa_t *this,host_t *other_host);
245
246 /**
247 * @brief Derive all keys and create the transforms for IKE communication.
248 *
249 * Keys are derived using the diffie hellman secret, nonces and internal
250 * stored SPIs.
251 * Allready existing objects get destroyed.
252 *
253 * @param this calling object
254 * @param proposal proposal which contains algorithms to use
255 * @param dh diffie hellman object with shared secret
256 * @param nonce_i initiators nonce
257 * @param nonce_r responders nonce
258 */
259 status_t (*build_transforms) (protected_ike_sa_t *this, proposal_t* proposal,
260 diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r);
261
262 /**
263 * @brief Send the next request message.
264 *
265 * Also the first retransmit job is created.
266 *
267 * Last stored requested message gets destroyed. Object gets not cloned!
268 *
269 * @param this calling object
270 * @param message pointer to the message which should be sent
271 * @return
272 * - SUCCESS
273 * - FAILED if message id is not next expected one
274 */
275 status_t (*send_request) (protected_ike_sa_t *this,message_t * message);
276
277 /**
278 * @brief Send the next response message.
279 *
280 * Last stored responded message gets destroyed. Object gets not cloned!
281 *
282 * @param this calling object
283 * @param message pointer to the message which should be sent
284 * return
285 * - SUCCESS
286 * - FAILED if message id is not next expected one
287 */
288 status_t (*send_response) (protected_ike_sa_t *this,message_t * message);
289
290 /**
291 * @brief Send a notify reply message.
292 *
293 * @param this calling object
294 * @param exchange_type type of exchange in which the notify should be wrapped
295 * @param type type of the notify message to send
296 * @param data notification data
297 */
298 void (*send_notify) (protected_ike_sa_t *this, exchange_type_t exchange_type, notify_message_type_t type, chunk_t data);
299
300 /**
301 * @brief Get the internal stored randomizer_t object.
302 *
303 * @param this calling object
304 * @return pointer to the internal randomizer_t object
305 */
306 randomizer_t *(*get_randomizer) (protected_ike_sa_t *this);
307
308 /**
309 * @brief Set the new state_t object of the IKE_SA object.
310 *
311 * The old state_t object gets not destroyed. It's the callers duty to
312 * make sure old state is destroyed (Normally the old state is the caller).
313 *
314 * @param this calling object
315 * @param state pointer to the new state_t object
316 */
317 void (*set_new_state) (protected_ike_sa_t *this,state_t *state);
318
319 /**
320 * @brief Set the last replied message id.
321 *
322 * @param this calling object
323 * @param message_id message id
324 */
325 void (*set_last_replied_message_id) (protected_ike_sa_t *this,u_int32_t message_id);
326
327 /**
328 * @brief Get the internal stored initiator crypter_t object.
329 *
330 * @param this calling object
331 * @return pointer to crypter_t object
332 */
333 crypter_t *(*get_crypter_initiator) (protected_ike_sa_t *this);
334
335 /**
336 * @brief Get the internal stored initiator signer_t object.
337 *
338 * @param this calling object
339 * @return pointer to signer_t object
340 */
341 signer_t *(*get_signer_initiator) (protected_ike_sa_t *this);
342
343 /**
344 * @brief Get the internal stored responder crypter_t object.
345 *
346 * @param this calling object
347 * @return pointer to crypter_t object
348 */
349 crypter_t *(*get_crypter_responder) (protected_ike_sa_t *this);
350
351 /**
352 * @brief Get the internal stored responder signer object.
353 *
354 * @param this calling object
355 * @return pointer to signer_t object
356 */
357 signer_t *(*get_signer_responder) (protected_ike_sa_t *this);
358
359 /**
360 * @brief Get the multi purpose prf.
361 *
362 * @param this calling object
363 * @return pointer to prf_t object
364 */
365 prf_t *(*get_prf) (protected_ike_sa_t *this);
366
367 /**
368 * @brief Get the prf-object, which is used to derive keys for child SAs.
369 *
370 * @param this calling object
371 * @return pointer to prf_t object
372 */
373 prf_t *(*get_child_prf) (protected_ike_sa_t *this);
374
375 /**
376 * @brief Get the prf used for authentication of initiator.
377 *
378 * @param this calling object
379 * @return pointer to prf_t object
380 */
381 prf_t *(*get_prf_auth_i) (protected_ike_sa_t *this);
382
383 /**
384 * @brief Get the prf used for authentication of responder.
385 *
386 * @param this calling object
387 * @return pointer to prf_t object
388 */
389 prf_t *(*get_prf_auth_r) (protected_ike_sa_t *this);
390
391 /**
392 * @brief Associates a child SA to this IKE SA
393 *
394 * @param this calling object
395 * @param child_sa child_sa to add
396 */
397 void (*add_child_sa) (protected_ike_sa_t *this, child_sa_t *child_sa);
398
399 /**
400 * @brief Get the last responded message.
401 *
402 * @param this calling object
403 * @return
404 * - last received as message_t object
405 * - NULL if no last request available
406 */
407 message_t *(*get_last_responded_message) (protected_ike_sa_t *this);
408
409 /**
410 * @brief Get the last requested message.
411 *
412 * @param this calling object
413 * @return
414 * - last sent as message_t object
415 * - NULL if no last request available
416 */
417 message_t *(*get_last_requested_message) (protected_ike_sa_t *this);
418
419 /**
420 * @brief Resets message counters and does destroy stored received and sent messages.
421 *
422 * @param this calling object
423 */
424 void (*reset_message_buffers) (protected_ike_sa_t *this);
425
426 /**
427 * @brief Creates a job of type DELETE_ESTABLISHED_IKE_SA for the current IKE_SA.
428 *
429 * @param this calling object
430 * @param timeout timeout after the IKE_SA gets deleted
431 *
432 */
433 void (*create_delete_established_ike_sa_job) (protected_ike_sa_t *this,u_int32_t timeout);
434 };
435
436
437 /**
438 * @brief Creates an ike_sa_t object with a specific ID.
439 *
440 * @warning the Content of internal ike_sa_id_t object can change over time
441 * e.g. when a IKE_SA_INIT has been finished.
442 *
443 * @param[in] ike_sa_id ike_sa_id_t object to associate with new IKE_SA.
444 * The object is internal getting cloned
445 * and so has to be destroyed by the caller.
446 * @return ike_sa_t object
447 *
448 * @ingroup sa
449 */
450 ike_sa_t * ike_sa_create(ike_sa_id_t *ike_sa_id);
451
452 #endif /*IKE_SA_H_*/