projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
duplicheck: Include required headers for FreeBSD
[strongswan.git] / src / libcharon / bus / bus.h
1 /*
2 * Copyright (C) 2012-2015 Tobias Brunner
3 * Copyright (C) 2006-2009 Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 /**
18 * @defgroup bus bus
19 * @{ @ingroup libcharon
20 */
21
22 #ifndef BUS_H_
23 #define BUS_H_
24
25 typedef enum alert_t alert_t;
26 typedef enum narrow_hook_t narrow_hook_t;
27 typedef struct bus_t bus_t;
28
29 #include <stdarg.h>
30
31 #include <utils/debug.h>
32 #include <sa/ike_sa.h>
33 #include <sa/child_sa.h>
34 #include <processing/jobs/job.h>
35 #include <bus/listeners/logger.h>
36 #include <bus/listeners/listener.h>
37
38 /* undefine the definitions from libstrongswan */
39 #undef DBG0
40 #undef DBG1
41 #undef DBG2
42 #undef DBG3
43 #undef DBG4
44
45 #ifndef DEBUG_LEVEL
46 # define DEBUG_LEVEL 4
47 #endif /* DEBUG_LEVEL */
48
49 #if DEBUG_LEVEL >= 0
50 #define DBG0(group, format, ...) charon->bus->log(charon->bus, group, 0, format, ##__VA_ARGS__)
51 #endif /* DEBUG_LEVEL >= 0 */
52 #if DEBUG_LEVEL >= 1
53 #define DBG1(group, format, ...) charon->bus->log(charon->bus, group, 1, format, ##__VA_ARGS__)
54 #endif /* DEBUG_LEVEL >= 1 */
55 #if DEBUG_LEVEL >= 2
56 #define DBG2(group, format, ...) charon->bus->log(charon->bus, group, 2, format, ##__VA_ARGS__)
57 #endif /* DEBUG_LEVEL >= 2 */
58 #if DEBUG_LEVEL >= 3
59 #define DBG3(group, format, ...) charon->bus->log(charon->bus, group, 3, format, ##__VA_ARGS__)
60 #endif /* DEBUG_LEVEL >= 3 */
61 #if DEBUG_LEVEL >= 4
62 #define DBG4(group, format, ...) charon->bus->log(charon->bus, group, 4, format, ##__VA_ARGS__)
63 #endif /* DEBUG_LEVEL >= 4 */
64
65 #ifndef DBG0
66 # define DBG0(...) {}
67 #endif /* DBG0 */
68 #ifndef DBG1
69 # define DBG1(...) {}
70 #endif /* DBG1 */
71 #ifndef DBG2
72 # define DBG2(...) {}
73 #endif /* DBG2 */
74 #ifndef DBG3
75 # define DBG3(...) {}
76 #endif /* DBG3 */
77 #ifndef DBG4
78 # define DBG4(...) {}
79 #endif /* DBG4 */
80
81 /**
82 * Kind of alerts to raise.
83 */
84 enum alert_t {
85 /** a RADIUS server did not respond, no additional arguments */
86 ALERT_RADIUS_NOT_RESPONDING,
87 /** a shutdown signal has been received, argument is the signal (int) */
88 ALERT_SHUTDOWN_SIGNAL,
89 /** local peer authentication failed (by us or by peer), no arguments */
90 ALERT_LOCAL_AUTH_FAILED,
91 /** peer authentication failed, no arguments */
92 ALERT_PEER_AUTH_FAILED,
93 /** failed to resolve peer address, no arguments */
94 ALERT_PEER_ADDR_FAILED,
95 /** peer did not respond to initial message, current try (int, 0-based) */
96 ALERT_PEER_INIT_UNREACHABLE,
97 /** received IKE message with invalid SPI, argument is message_t* */
98 ALERT_INVALID_IKE_SPI,
99 /** received IKE message with invalid header, argument is message_t* */
100 ALERT_PARSE_ERROR_HEADER,
101 /** received IKE message with invalid body, argument is message_t*,
102 * followed by a status_t result returned by message_t.parse_body(). */
103 ALERT_PARSE_ERROR_BODY,
104 /** sending a retransmit for a message, argument is packet_t, if the message
105 * got fragmented only the first fragment is passed */
106 ALERT_RETRANSMIT_SEND,
107 /** sending retransmits timed out, argument is packet_t, if available and if
108 * the message got fragmented only the first fragment is passed */
109 ALERT_RETRANSMIT_SEND_TIMEOUT,
110 /** received a retransmit for a message, argument is message_t */
111 ALERT_RETRANSMIT_RECEIVE,
112 /** received half-open timeout before IKE_SA established, no argument */
113 ALERT_HALF_OPEN_TIMEOUT,
114 /** IKE proposals do not match, argument is linked_list_t of proposal_t */
115 ALERT_PROPOSAL_MISMATCH_IKE,
116 /** CHILD proposals do not match, argument is linked_list_t of proposal_t */
117 ALERT_PROPOSAL_MISMATCH_CHILD,
118 /** traffic selectors do not match, arguments are two linked_list_t
119 * containing traffic_selector_t for initiator and for responder */
120 ALERT_TS_MISMATCH,
121 /** traffic selectors have been narrowed by the peer, arguments are
122 * an int (TRUE for local TS), a linked_list_t* (final TS list), and the
123 * child_cfg_t*. */
124 ALERT_TS_NARROWED,
125 /** Installation of IPsec SAs failed, argument is child_sa_t */
126 ALERT_INSTALL_CHILD_SA_FAILED,
127 /** Installation of IPsec Policy failed, argument is child_sa_t */
128 ALERT_INSTALL_CHILD_POLICY_FAILED,
129 /** IKE_SA deleted because of "replace" unique policy, no argument */
130 ALERT_UNIQUE_REPLACE,
131 /** IKE_SA deleted because of "keep" unique policy, no argument */
132 ALERT_UNIQUE_KEEP,
133 /** IKE_SA kept on failed child SA establishment, argument is an int (!=0 if
134 * first child SA) */
135 ALERT_KEEP_ON_CHILD_SA_FAILURE,
136 /** allocating virtual IP failed, linked_list_t of host_t requested */
137 ALERT_VIP_FAILURE,
138 /** an authorize() hook failed, no argument */
139 ALERT_AUTHORIZATION_FAILED,
140 /** IKE_SA hit the hard lifetime limit before it could be rekeyed */
141 ALERT_IKE_SA_EXPIRED,
142 /** Certificate rejected; it has expired, certificate_t */
143 ALERT_CERT_EXPIRED,
144 /** Certificate rejected; it has been revoked, certificate_t */
145 ALERT_CERT_REVOKED,
146 /** Validating certificate status failed, certificate_t */
147 ALERT_CERT_VALIDATION_FAILED,
148 /** Certificate rejected; no trusted issuer found, certificate_t */
149 ALERT_CERT_NO_ISSUER,
150 /** Certificate rejected; root not trusted, certificate_t */
151 ALERT_CERT_UNTRUSTED_ROOT,
152 /** Certificate rejected; trustchain length exceeds limit, certificate_t */
153 ALERT_CERT_EXCEEDED_PATH_LEN,
154 /** Certificate rejected; other policy violation, certificate_t */
155 ALERT_CERT_POLICY_VIOLATION,
156 };
157
158 /**
159 * Kind of narrow hook.
160 *
161 * There is a non-authenticated (IKE_AUTH) and a authenticated
162 * (CREATE_CHILD_SA) narrowing hook for the initiator. Only one of these
163 * hooks is invoked before the exchange.
164 * To verify the traffic selectors negotiated, each PRE hook has a POST
165 * counterpart that follows. POST hooks are invoked with an authenticated peer.
166 * It is usually not a good idea to narrow in the POST hooks,
167 * as the resulting traffic selector is not negotiated and results
168 * in non-matching policies.
169 */
170 enum narrow_hook_t {
171 /** invoked as initiator before exchange, peer is not yet authenticated */
172 NARROW_INITIATOR_PRE_NOAUTH,
173 /** invoked as initiator before exchange, peer is authenticated */
174 NARROW_INITIATOR_PRE_AUTH,
175 /** invoked as responder during exchange, peer is authenticated */
176 NARROW_RESPONDER,
177 /** invoked as responder after exchange, peer is authenticated */
178 NARROW_RESPONDER_POST,
179 /** invoked as initiator after exchange, follows a INITIATOR_PRE_NOAUTH */
180 NARROW_INITIATOR_POST_NOAUTH,
181 /** invoked as initiator after exchange, follows a INITIATOR_PRE_AUTH */
182 NARROW_INITIATOR_POST_AUTH,
183 };
184
185 /**
186 * The bus receives events and sends them to all registered listeners.
187 *
188 * Loggers are handled separately.
189 */
190 struct bus_t {
191
192 /**
193 * Register a listener to the bus.
194 *
195 * A registered listener receives all events which are sent to the bus.
196 * The listener is passive; the thread which emitted the event
197 * processes the listener routine.
198 *
199 * @param listener listener to register.
200 */
201 void (*add_listener) (bus_t *this, listener_t *listener);
202
203 /**
204 * Unregister a listener from the bus.
205 *
206 * @param listener listener to unregister.
207 */
208 void (*remove_listener) (bus_t *this, listener_t *listener);
209
210 /**
211 * Register a logger with the bus.
212 *
213 * The logger is passive; the thread which emitted the event
214 * processes the logger routine. This routine may be called concurrently
215 * by multiple threads. Recursive calls are not prevented, so logger that
216 * may cause recursive calls are responsible to avoid infinite loops.
217 *
218 * During registration get_level() is called for all log groups and the
219 * logger is registered to receive log messages for groups for which
220 * the requested log level is > LEVEL_SILENT and whose level is lower
221 * or equal than the requested level.
222 *
223 * To update the registered log levels call add_logger again with the
224 * same logger and return the new levels from get_level().
225 *
226 * @param logger logger to register.
227 */
228 void (*add_logger) (bus_t *this, logger_t *logger);
229
230 /**
231 * Unregister a logger from the bus.
232 *
233 * @param logger logger to unregister.
234 */
235 void (*remove_logger) (bus_t *this, logger_t *logger);
236
237 /**
238 * Set the IKE_SA the calling thread is using.
239 *
240 * To associate a received log message with an IKE_SA without passing it as
241 * parameter each time, the thread registers the currently used IKE_SA
242 * during check-out. Before check-in, the thread unregisters the IKE_SA.
243 * This IKE_SA is stored per-thread, so each thread has its own IKE_SA
244 * registered.
245 *
246 * @param ike_sa ike_sa to register, or NULL to unregister
247 */
248 void (*set_sa) (bus_t *this, ike_sa_t *ike_sa);
249
250 /**
251 * Get the IKE_SA the calling thread is currently using.
252 *
253 * If a thread currently does not know what IKE_SA it is processing,
254 * it can call get_sa() to look up the SA set during checkout via set_sa().
255 *
256 * @return registered ike_sa, NULL if none registered
257 */
258 ike_sa_t* (*get_sa)(bus_t *this);
259
260 /**
261 * Send a log message to the bus.
262 *
263 * The format string specifies an additional informational or error
264 * message with a printf() like variable argument list.
265 * Use the DBG() macros.
266 *
267 * @param group debugging group
268 * @param level verbosity level of the signal
269 * @param format printf() style format string
270 * @param ... printf() style argument list
271 */
272 void (*log)(bus_t *this, debug_t group, level_t level, char* format, ...);
273
274 /**
275 * Send a log message to the bus using va_list arguments.
276 *
277 * Same as bus_t.log(), but uses va_list argument list.
278 *
279 * @param group kind of the signal (up, down, rekeyed, ...)
280 * @param level verbosity level of the signal
281 * @param format printf() style format string
282 * @param args va_list arguments
283 */
284 void (*vlog)(bus_t *this, debug_t group, level_t level,
285 char* format, va_list args);
286
287 /**
288 * Raise an alert over the bus.
289 *
290 * @param alert kind of alert
291 * @param ... alert specific arguments
292 */
293 void (*alert)(bus_t *this, alert_t alert, ...);
294
295 /**
296 * Send a IKE_SA state change event to the bus.
297 *
298 * @param ike_sa IKE_SA which changes its state
299 * @param state new state IKE_SA changes to
300 */
301 void (*ike_state_change)(bus_t *this, ike_sa_t *ike_sa,
302 ike_sa_state_t state);
303 /**
304 * Send a CHILD_SA state change event to the bus.
305 *
306 * @param child_sa CHILD_SA which changes its state
307 * @param state new state CHILD_SA changes to
308 */
309 void (*child_state_change)(bus_t *this, child_sa_t *child_sa,
310 child_sa_state_t state);
311 /**
312 * Message send/receive hook.
313 *
314 * The hook is invoked twice for each message: Once with plain, parsed data
315 * and once encoded and encrypted.
316 *
317 * @param message message to send/receive
318 * @param incoming TRUE for incoming messages, FALSE for outgoing
319 * @param plain TRUE if message is parsed and decrypted, FALSE it not
320 */
321 void (*message)(bus_t *this, message_t *message, bool incoming, bool plain);
322
323 /**
324 * IKE_SA authorization hook.
325 *
326 * @param final TRUE if this is the final invocation
327 * @return TRUE to establish IKE_SA, FALSE to send AUTH_FAILED
328 */
329 bool (*authorize)(bus_t *this, bool final);
330
331 /**
332 * CHILD_SA traffic selector narrowing hook.
333 *
334 * @param child_sa CHILD_SA set up with these traffic selectors
335 * @param type type of hook getting invoked
336 * @param local list of local traffic selectors to narrow
337 * @param remote list of remote traffic selectors to narrow
338 */
339 void (*narrow)(bus_t *this, child_sa_t *child_sa, narrow_hook_t type,
340 linked_list_t *local, linked_list_t *remote);
341
342 /**
343 * IKE_SA keymat hook.
344 *
345 * @param ike_sa IKE_SA this keymat belongs to
346 * @param dh diffie hellman shared secret
347 * @param dh_other others DH public value (IKEv1 only)
348 * @param nonce_i initiators nonce
349 * @param nonce_r responders nonce
350 * @param rekey IKE_SA we are rekeying, if any (IKEv2 only)
351 * @param shared shared key used for key derivation (IKEv1-PSK only)
352 */
353 void (*ike_keys)(bus_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
354 chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r,
355 ike_sa_t *rekey, shared_key_t *shared);
356
357 /**
358 * CHILD_SA keymat hook.
359 *
360 * @param child_sa CHILD_SA this keymat is used for
361 * @param initiator initiator of the CREATE_CHILD_SA exchange
362 * @param dh diffie hellman shared secret
363 * @param nonce_i initiators nonce
364 * @param nonce_r responders nonce
365 */
366 void (*child_keys)(bus_t *this, child_sa_t *child_sa, bool initiator,
367 diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r);
368
369 /**
370 * IKE_SA up/down hook.
371 *
372 * @param ike_sa IKE_SA coming up/going down
373 * @param up TRUE for an up event, FALSE for a down event
374 */
375 void (*ike_updown)(bus_t *this, ike_sa_t *ike_sa, bool up);
376
377 /**
378 * IKE_SA rekeying hook.
379 *
380 * @param old rekeyed and obsolete IKE_SA
381 * @param new new IKE_SA replacing old
382 */
383 void (*ike_rekey)(bus_t *this, ike_sa_t *old, ike_sa_t *new);
384
385 /**
386 * IKE_SA peer endpoint update hook.
387 *
388 * @param ike_sa updated IKE_SA, having old endpoints set
389 * @param local TRUE if local endpoint gets updated, FALSE for remote
390 * @param new new endpoint address and port
391 */
392 void (*ike_update)(bus_t *this, ike_sa_t *ike_sa, bool local, host_t *new);
393
394 /**
395 * IKE_SA reestablishing hook (before resolving hosts).
396 *
397 * @param old reestablished and obsolete IKE_SA
398 * @param new new IKE_SA replacing old
399 */
400 void (*ike_reestablish_pre)(bus_t *this, ike_sa_t *old, ike_sa_t *new);
401
402 /**
403 * IKE_SA reestablishing hook (after configuring and initiating the new
404 * IKE_SA).
405 *
406 * @param old reestablished and obsolete IKE_SA
407 * @param new new IKE_SA replacing old
408 * @param initiated TRUE if initiated successfully, FALSE otherwise
409 */
410 void (*ike_reestablish_post)(bus_t *this, ike_sa_t *old, ike_sa_t *new,
411 bool initiated);
412
413 /**
414 * CHILD_SA up/down hook.
415 *
416 * @param child_sa CHILD_SA coming up/going down
417 * @param up TRUE for an up event, FALSE for a down event
418 */
419 void (*child_updown)(bus_t *this, child_sa_t *child_sa, bool up);
420
421 /**
422 * CHILD_SA rekeying hook.
423 *
424 * @param old rekeyed and obsolete CHILD_SA
425 * @param new new CHILD_SA replacing old
426 */
427 void (*child_rekey)(bus_t *this, child_sa_t *old, child_sa_t *new);
428
429 /**
430 * CHILD_SA migration hook.
431 *
432 * @param new ID of new SA when called for the old, NULL otherwise
433 * @param uniue unique ID of new SA when called for the old, 0 otherwise
434 */
435 void (*children_migrate)(bus_t *this, ike_sa_id_t *new, u_int32_t unique);
436
437 /**
438 * Virtual IP assignment hook.
439 *
440 * @param ike_sa IKE_SA the VIPs are assigned to
441 * @param assign TRUE if assigned to IKE_SA, FALSE if released
442 */
443 void (*assign_vips)(bus_t *this, ike_sa_t *ike_sa, bool assign);
444
445 /**
446 * Virtual IP handler hook.
447 *
448 * @param ike_sa IKE_SA the VIPs/attributes got handled on
449 * @param assign TRUE after installing attributes, FALSE on release
450 */
451 void (*handle_vips)(bus_t *this, ike_sa_t *ike_sa, bool handle);
452
453 /**
454 * Destroy the event bus.
455 */
456 void (*destroy) (bus_t *this);
457 };
458
459 /**
460 * Create the event bus which forwards events to its listeners.
461 *
462 * @return event bus instance
463 */
464 bus_t *bus_create();
465
466 #endif /** BUS_H_ @}*/
strongSwan - IPsec VPN