ikev1: Log traffic selectors for missing child configs
[strongswan.git] / src / libcharon / bus / bus.h
1 /*
2 * Copyright (C) 2012-2016 Tobias Brunner
3 * Copyright (C) 2006-2009 Martin Willi
4 * HSR Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 /**
18 * @defgroup bus bus
19 * @{ @ingroup libcharon
20 */
21
22 #ifndef BUS_H_
23 #define BUS_H_
24
25 typedef enum alert_t alert_t;
26 typedef enum narrow_hook_t narrow_hook_t;
27 typedef struct bus_t bus_t;
28
29 #include <stdarg.h>
30
31 #include <utils/debug.h>
32 #include <sa/ike_sa.h>
33 #include <sa/child_sa.h>
34 #include <processing/jobs/job.h>
35 #include <bus/listeners/logger.h>
36 #include <bus/listeners/listener.h>
37
38 /* undefine the definitions from libstrongswan */
39 #undef DBG0
40 #undef DBG1
41 #undef DBG2
42 #undef DBG3
43 #undef DBG4
44
45 #ifndef DEBUG_LEVEL
46 # define DEBUG_LEVEL 4
47 #endif /* DEBUG_LEVEL */
48
49 #if DEBUG_LEVEL >= 0
50 #define DBG0(group, format, ...) charon->bus->log(charon->bus, group, 0, format, ##__VA_ARGS__)
51 #endif /* DEBUG_LEVEL >= 0 */
52 #if DEBUG_LEVEL >= 1
53 #define DBG1(group, format, ...) charon->bus->log(charon->bus, group, 1, format, ##__VA_ARGS__)
54 #endif /* DEBUG_LEVEL >= 1 */
55 #if DEBUG_LEVEL >= 2
56 #define DBG2(group, format, ...) charon->bus->log(charon->bus, group, 2, format, ##__VA_ARGS__)
57 #endif /* DEBUG_LEVEL >= 2 */
58 #if DEBUG_LEVEL >= 3
59 #define DBG3(group, format, ...) charon->bus->log(charon->bus, group, 3, format, ##__VA_ARGS__)
60 #endif /* DEBUG_LEVEL >= 3 */
61 #if DEBUG_LEVEL >= 4
62 #define DBG4(group, format, ...) charon->bus->log(charon->bus, group, 4, format, ##__VA_ARGS__)
63 #endif /* DEBUG_LEVEL >= 4 */
64
65 #ifndef DBG0
66 # define DBG0(...) {}
67 #endif /* DBG0 */
68 #ifndef DBG1
69 # define DBG1(...) {}
70 #endif /* DBG1 */
71 #ifndef DBG2
72 # define DBG2(...) {}
73 #endif /* DBG2 */
74 #ifndef DBG3
75 # define DBG3(...) {}
76 #endif /* DBG3 */
77 #ifndef DBG4
78 # define DBG4(...) {}
79 #endif /* DBG4 */
80
81 /**
82 * Kind of alerts to raise.
83 */
84 enum alert_t {
85 /** a RADIUS server did not respond, no additional arguments */
86 ALERT_RADIUS_NOT_RESPONDING,
87 /** a shutdown signal has been received, argument is the signal (int) */
88 ALERT_SHUTDOWN_SIGNAL,
89 /** local peer authentication failed (by us or by peer), no arguments */
90 ALERT_LOCAL_AUTH_FAILED,
91 /** peer authentication failed, no arguments */
92 ALERT_PEER_AUTH_FAILED,
93 /** failed to resolve peer address, no arguments */
94 ALERT_PEER_ADDR_FAILED,
95 /** peer did not respond to initial message, current try (int, 0-based) */
96 ALERT_PEER_INIT_UNREACHABLE,
97 /** received IKE message with invalid SPI, argument is message_t* */
98 ALERT_INVALID_IKE_SPI,
99 /** received IKE message with invalid header, argument is message_t* */
100 ALERT_PARSE_ERROR_HEADER,
101 /** received IKE message with invalid body, argument is message_t*,
102 * followed by a status_t result returned by message_t.parse_body(). */
103 ALERT_PARSE_ERROR_BODY,
104 /** sending a retransmit for a message, arguments are packet_t and number
105 * of the retransmit, if the message got fragmented only the first fragment
106 * is passed */
107 ALERT_RETRANSMIT_SEND,
108 /** received response for retransmitted request, argument is packet_t, if
109 * the message got fragmented only the first fragment is passed */
110 ALERT_RETRANSMIT_SEND_CLEARED,
111 /** sending retransmits timed out, argument is packet_t, if available and if
112 * the message got fragmented only the first fragment is passed */
113 ALERT_RETRANSMIT_SEND_TIMEOUT,
114 /** received a retransmit for a message, argument is message_t */
115 ALERT_RETRANSMIT_RECEIVE,
116 /** received half-open timeout before IKE_SA established, no argument */
117 ALERT_HALF_OPEN_TIMEOUT,
118 /** IKE proposals do not match, argument is linked_list_t of proposal_t */
119 ALERT_PROPOSAL_MISMATCH_IKE,
120 /** CHILD proposals do not match, argument is linked_list_t of proposal_t */
121 ALERT_PROPOSAL_MISMATCH_CHILD,
122 /** traffic selectors do not match, arguments are two linked_list_t
123 * containing traffic_selector_t for initiator and for responder */
124 ALERT_TS_MISMATCH,
125 /** traffic selectors have been narrowed by the peer, arguments are
126 * an int (TRUE for local TS), a linked_list_t* (final TS list), and the
127 * child_cfg_t*. */
128 ALERT_TS_NARROWED,
129 /** Installation of IPsec SAs failed, argument is child_sa_t */
130 ALERT_INSTALL_CHILD_SA_FAILED,
131 /** Installation of IPsec Policy failed, argument is child_sa_t */
132 ALERT_INSTALL_CHILD_POLICY_FAILED,
133 /** IKE_SA deleted because of "replace" unique policy, no argument */
134 ALERT_UNIQUE_REPLACE,
135 /** IKE_SA deleted because of "keep" unique policy, no argument */
136 ALERT_UNIQUE_KEEP,
137 /** IKE_SA kept on failed child SA establishment, argument is an int (!=0 if
138 * first child SA) */
139 ALERT_KEEP_ON_CHILD_SA_FAILURE,
140 /** allocating virtual IP failed, linked_list_t of host_t requested */
141 ALERT_VIP_FAILURE,
142 /** an authorize() hook failed, no argument */
143 ALERT_AUTHORIZATION_FAILED,
144 /** IKE_SA hit the hard lifetime limit before it could be rekeyed */
145 ALERT_IKE_SA_EXPIRED,
146 /** Certificate rejected; it has expired, certificate_t */
147 ALERT_CERT_EXPIRED,
148 /** Certificate rejected; it has been revoked, certificate_t */
149 ALERT_CERT_REVOKED,
150 /** Validating certificate status failed, certificate_t */
151 ALERT_CERT_VALIDATION_FAILED,
152 /** Certificate rejected; no trusted issuer found, certificate_t */
153 ALERT_CERT_NO_ISSUER,
154 /** Certificate rejected; root not trusted, certificate_t */
155 ALERT_CERT_UNTRUSTED_ROOT,
156 /** Certificate rejected; trustchain length exceeds limit, certificate_t */
157 ALERT_CERT_EXCEEDED_PATH_LEN,
158 /** Certificate rejected; other policy violation, certificate_t */
159 ALERT_CERT_POLICY_VIOLATION,
160 };
161
162 /**
163 * Kind of narrow hook.
164 *
165 * There is a non-authenticated (IKE_AUTH) and a authenticated
166 * (CREATE_CHILD_SA) narrowing hook for the initiator. Only one of these
167 * hooks is invoked before the exchange.
168 * To verify the traffic selectors negotiated, each PRE hook has a POST
169 * counterpart that follows. POST hooks are invoked with an authenticated peer.
170 * It is usually not a good idea to narrow in the POST hooks,
171 * as the resulting traffic selector is not negotiated and results
172 * in non-matching policies.
173 */
174 enum narrow_hook_t {
175 /** invoked as initiator before exchange, peer is not yet authenticated */
176 NARROW_INITIATOR_PRE_NOAUTH,
177 /** invoked as initiator before exchange, peer is authenticated */
178 NARROW_INITIATOR_PRE_AUTH,
179 /** invoked as responder during exchange, peer is authenticated */
180 NARROW_RESPONDER,
181 /** invoked as responder after exchange, peer is authenticated */
182 NARROW_RESPONDER_POST,
183 /** invoked as initiator after exchange, follows a INITIATOR_PRE_NOAUTH */
184 NARROW_INITIATOR_POST_NOAUTH,
185 /** invoked as initiator after exchange, follows a INITIATOR_PRE_AUTH */
186 NARROW_INITIATOR_POST_AUTH,
187 };
188
189 /**
190 * The bus receives events and sends them to all registered listeners.
191 *
192 * Loggers are handled separately.
193 */
194 struct bus_t {
195
196 /**
197 * Register a listener to the bus.
198 *
199 * A registered listener receives all events which are sent to the bus.
200 * The listener is passive; the thread which emitted the event
201 * processes the listener routine.
202 *
203 * @param listener listener to register.
204 */
205 void (*add_listener) (bus_t *this, listener_t *listener);
206
207 /**
208 * Unregister a listener from the bus.
209 *
210 * @param listener listener to unregister.
211 */
212 void (*remove_listener) (bus_t *this, listener_t *listener);
213
214 /**
215 * Register a logger with the bus.
216 *
217 * The logger is passive; the thread which emitted the event
218 * processes the logger routine. This routine may be called concurrently
219 * by multiple threads. Recursive calls are not prevented, so logger that
220 * may cause recursive calls are responsible to avoid infinite loops.
221 *
222 * During registration get_level() is called for all log groups and the
223 * logger is registered to receive log messages for groups for which
224 * the requested log level is > LEVEL_SILENT and whose level is lower
225 * or equal than the requested level.
226 *
227 * To update the registered log levels call add_logger again with the
228 * same logger and return the new levels from get_level().
229 *
230 * @param logger logger to register.
231 */
232 void (*add_logger) (bus_t *this, logger_t *logger);
233
234 /**
235 * Unregister a logger from the bus.
236 *
237 * @param logger logger to unregister.
238 */
239 void (*remove_logger) (bus_t *this, logger_t *logger);
240
241 /**
242 * Set the IKE_SA the calling thread is using.
243 *
244 * To associate a received log message with an IKE_SA without passing it as
245 * parameter each time, the thread registers the currently used IKE_SA
246 * during check-out. Before check-in, the thread unregisters the IKE_SA.
247 * This IKE_SA is stored per-thread, so each thread has its own IKE_SA
248 * registered.
249 *
250 * @param ike_sa ike_sa to register, or NULL to unregister
251 */
252 void (*set_sa) (bus_t *this, ike_sa_t *ike_sa);
253
254 /**
255 * Get the IKE_SA the calling thread is currently using.
256 *
257 * If a thread currently does not know what IKE_SA it is processing,
258 * it can call get_sa() to look up the SA set during checkout via set_sa().
259 *
260 * @return registered ike_sa, NULL if none registered
261 */
262 ike_sa_t* (*get_sa)(bus_t *this);
263
264 /**
265 * Send a log message to the bus.
266 *
267 * The format string specifies an additional informational or error
268 * message with a printf() like variable argument list.
269 * Use the DBG() macros.
270 *
271 * @param group debugging group
272 * @param level verbosity level of the signal
273 * @param format printf() style format string
274 * @param ... printf() style argument list
275 */
276 void (*log)(bus_t *this, debug_t group, level_t level, char* format, ...);
277
278 /**
279 * Send a log message to the bus using va_list arguments.
280 *
281 * Same as bus_t.log(), but uses va_list argument list.
282 *
283 * @param group kind of the signal (up, down, rekeyed, ...)
284 * @param level verbosity level of the signal
285 * @param format printf() style format string
286 * @param args va_list arguments
287 */
288 void (*vlog)(bus_t *this, debug_t group, level_t level,
289 char* format, va_list args);
290
291 /**
292 * Raise an alert over the bus.
293 *
294 * @param alert kind of alert
295 * @param ... alert specific arguments
296 */
297 void (*alert)(bus_t *this, alert_t alert, ...);
298
299 /**
300 * Send a IKE_SA state change event to the bus.
301 *
302 * @param ike_sa IKE_SA which changes its state
303 * @param state new state IKE_SA changes to
304 */
305 void (*ike_state_change)(bus_t *this, ike_sa_t *ike_sa,
306 ike_sa_state_t state);
307 /**
308 * Send a CHILD_SA state change event to the bus.
309 *
310 * @param child_sa CHILD_SA which changes its state
311 * @param state new state CHILD_SA changes to
312 */
313 void (*child_state_change)(bus_t *this, child_sa_t *child_sa,
314 child_sa_state_t state);
315 /**
316 * Message send/receive hook.
317 *
318 * The hook is invoked twice for each message: Once with plain, parsed data
319 * and once encoded and encrypted.
320 *
321 * @param message message to send/receive
322 * @param incoming TRUE for incoming messages, FALSE for outgoing
323 * @param plain TRUE if message is parsed and decrypted, FALSE it not
324 */
325 void (*message)(bus_t *this, message_t *message, bool incoming, bool plain);
326
327 /**
328 * IKE_SA authorization hook.
329 *
330 * @param final TRUE if this is the final invocation
331 * @return TRUE to establish IKE_SA, FALSE to send AUTH_FAILED
332 */
333 bool (*authorize)(bus_t *this, bool final);
334
335 /**
336 * CHILD_SA traffic selector narrowing hook.
337 *
338 * @param child_sa CHILD_SA set up with these traffic selectors
339 * @param type type of hook getting invoked
340 * @param local list of local traffic selectors to narrow
341 * @param remote list of remote traffic selectors to narrow
342 */
343 void (*narrow)(bus_t *this, child_sa_t *child_sa, narrow_hook_t type,
344 linked_list_t *local, linked_list_t *remote);
345
346 /**
347 * IKE_SA keymat hook.
348 *
349 * @param ike_sa IKE_SA this keymat belongs to
350 * @param dh diffie hellman shared secret
351 * @param dh_other others DH public value (IKEv1 only)
352 * @param nonce_i initiator's nonce
353 * @param nonce_r responder's nonce
354 * @param rekey IKE_SA we are rekeying, if any (IKEv2 only)
355 * @param shared shared key used for key derivation (IKEv1-PSK only)
356 */
357 void (*ike_keys)(bus_t *this, ike_sa_t *ike_sa, diffie_hellman_t *dh,
358 chunk_t dh_other, chunk_t nonce_i, chunk_t nonce_r,
359 ike_sa_t *rekey, shared_key_t *shared);
360
361 /**
362 * IKE_SA derived keys hook.
363 *
364 * @param sk_ei SK_ei, or Ka for IKEv1
365 * @param sk_er SK_er
366 * @param sk_ai SK_ai, or SKEYID_a for IKEv1
367 * @param sk_ar SK_ar
368 */
369 void (*ike_derived_keys)(bus_t *this, chunk_t sk_ei, chunk_t sk_er,
370 chunk_t sk_ai, chunk_t sk_ar);
371
372 /**
373 * CHILD_SA keymat hook.
374 *
375 * @param child_sa CHILD_SA this keymat is used for
376 * @param initiator initiator of the CREATE_CHILD_SA exchange
377 * @param dh diffie hellman shared secret
378 * @param nonce_i initiator's nonce
379 * @param nonce_r responder's nonce
380 */
381 void (*child_keys)(bus_t *this, child_sa_t *child_sa, bool initiator,
382 diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r);
383
384 /**
385 * CHILD_SA derived keys hook.
386 *
387 * @param child_sa CHILD_SA these keys are used for
388 * @param initiator initiator of the CREATE_CHILD_SA exchange
389 * @param encr_i initiator's encryption key
390 * @param encr_o responder's encryption key
391 * @param integ_i initiator's integrity key
392 * @param integ_r responder's integrity key
393 */
394 void (*child_derived_keys)(bus_t *this, child_sa_t *child_sa,
395 bool initiator, chunk_t encr_i, chunk_t encr_r,
396 chunk_t integ_i, chunk_t integ_r);
397
398 /**
399 * IKE_SA up/down hook.
400 *
401 * @param ike_sa IKE_SA coming up/going down
402 * @param up TRUE for an up event, FALSE for a down event
403 */
404 void (*ike_updown)(bus_t *this, ike_sa_t *ike_sa, bool up);
405
406 /**
407 * IKE_SA rekeying hook.
408 *
409 * @param old rekeyed and obsolete IKE_SA
410 * @param new new IKE_SA replacing old
411 */
412 void (*ike_rekey)(bus_t *this, ike_sa_t *old, ike_sa_t *new);
413
414 /**
415 * IKE_SA peer endpoint update hook.
416 *
417 * @param ike_sa updated IKE_SA, having old endpoints set
418 * @param local TRUE if local endpoint gets updated, FALSE for remote
419 * @param new new endpoint address and port
420 */
421 void (*ike_update)(bus_t *this, ike_sa_t *ike_sa, bool local, host_t *new);
422
423 /**
424 * IKE_SA reestablishing hook (before resolving hosts).
425 *
426 * @param old reestablished and obsolete IKE_SA
427 * @param new new IKE_SA replacing old
428 */
429 void (*ike_reestablish_pre)(bus_t *this, ike_sa_t *old, ike_sa_t *new);
430
431 /**
432 * IKE_SA reestablishing hook (after configuring and initiating the new
433 * IKE_SA).
434 *
435 * @param old reestablished and obsolete IKE_SA
436 * @param new new IKE_SA replacing old
437 * @param initiated TRUE if initiated successfully, FALSE otherwise
438 */
439 void (*ike_reestablish_post)(bus_t *this, ike_sa_t *old, ike_sa_t *new,
440 bool initiated);
441
442 /**
443 * CHILD_SA up/down hook.
444 *
445 * @param child_sa CHILD_SA coming up/going down
446 * @param up TRUE for an up event, FALSE for a down event
447 */
448 void (*child_updown)(bus_t *this, child_sa_t *child_sa, bool up);
449
450 /**
451 * CHILD_SA rekeying hook.
452 *
453 * @param old rekeyed and obsolete CHILD_SA
454 * @param new new CHILD_SA replacing old
455 */
456 void (*child_rekey)(bus_t *this, child_sa_t *old, child_sa_t *new);
457
458 /**
459 * CHILD_SA migration hook.
460 *
461 * @param new ID of new SA when called for the old, NULL otherwise
462 * @param uniue unique ID of new SA when called for the old, 0 otherwise
463 */
464 void (*children_migrate)(bus_t *this, ike_sa_id_t *new, uint32_t unique);
465
466 /**
467 * Virtual IP assignment hook.
468 *
469 * @param ike_sa IKE_SA the VIPs are assigned to
470 * @param assign TRUE if assigned to IKE_SA, FALSE if released
471 */
472 void (*assign_vips)(bus_t *this, ike_sa_t *ike_sa, bool assign);
473
474 /**
475 * Virtual IP handler hook.
476 *
477 * @param ike_sa IKE_SA the VIPs/attributes got handled on
478 * @param assign TRUE after installing attributes, FALSE on release
479 */
480 void (*handle_vips)(bus_t *this, ike_sa_t *ike_sa, bool handle);
481
482 /**
483 * Destroy the event bus.
484 */
485 void (*destroy) (bus_t *this);
486 };
487
488 /**
489 * Create the event bus which forwards events to its listeners.
490 *
491 * @return event bus instance
492 */
493 bus_t *bus_create();
494
495 #endif /** BUS_H_ @}*/