projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
adapted evaltest of ikev1/mode-config-push scenario to resolve plugin
[strongswan.git] / src / pluto / connections.h
1 /* information about connections between hosts and clients
2 * Copyright (C) 1998-2001 D. Hugh Redelmeier
3 * Copyright (C) 2009 Andreas Steffen - Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #ifndef _CONNECTIONS_H
17 #define _CONNECTIONS_H
18
19 #include <sys/queue.h>
20
21 #include <utils/linked_list.h>
22 #include <utils/identification.h>
23 #include <credentials/ietf_attributes/ietf_attributes.h>
24
25 #include "certs.h"
26 #include "smartcard.h"
27 #include "whack.h"
28
29 /* There are two kinds of connections:
30 * - ISAKMP connections, between hosts (for IKE communication)
31 * - IPsec connections, between clients (for secure IP communication)
32 *
33 * An ISAKMP connection looks like:
34 * host<--->host
35 *
36 * An IPsec connection looks like:
37 * client-subnet<-->host<->nexthop<--->nexthop<->host<-->client-subnet
38 *
39 * For the connection to be relevant to this instance of Pluto,
40 * exactly one of the hosts must be a public interface of our machine
41 * known to this instance.
42 *
43 * The client subnet might simply be the host -- this is a
44 * representation of "host mode".
45 *
46 * Each nexthop defaults to the neighbouring host's IP address.
47 * The nexthop is a property of the pair of hosts, not each
48 * individually. It is only needed for IPsec because of the
49 * way IPsec is mixed into the kernel routing logic. Furthermore,
50 * only this end's nexthop is actually used. Eventually, nexthop
51 * will be unnecessary.
52 *
53 * Other information represented:
54 * - each connection has a name: a chunk of uninterpreted text
55 * that is unique for each connection.
56 * - security requirements (currently just the "policy" flags from
57 * the whack command to initiate the connection, but eventually
58 * much more. Different for ISAKMP and IPsec connections.
59 * - rekeying parameters:
60 * + time an SA may live
61 * + time before SA death that a rekeying should be attempted
62 * (only by the initiator)
63 * + number of times to attempt rekeying
64 * - With the current KLIPS, we must route packets for a client
65 * subnet through the ipsec interface (ipsec0). Only one
66 * gateway can get traffic for a specific (client) subnet.
67 * Furthermore, if the routing isn't in place, packets will
68 * be sent in the clear.
69 * "routing" indicates whether the routing has been done for
70 * this connection. Note that several connections may claim
71 * the same routing, as long as they agree about where the
72 * packets are to be sent.
73 * - With the current KLIPS, only one outbound IPsec SA bundle can be
74 * used for a particular client. This is due to a limitation
75 * of using only routing for selection. So only one IPsec state (SA)
76 * may "own" the eroute. "eroute_owner" is the serial number of
77 * this state, SOS_NOBODY if there is none. "routing" indicates
78 * what kind of erouting has been done for this connection, if any.
79 *
80 * Details on routing is in constants.h
81 *
82 * Operations on Connections:
83 *
84 * - add a new connection (with all details) [whack command]
85 * - delete a connection (by name) [whack command]
86 * - initiate a connection (by name) [whack command]
87 * - find a connection (by IP addresses of hosts)
88 * [response to peer request; finding ISAKMP connection for IPsec connection]
89 *
90 * Some connections are templates, missing the address of the peer
91 * (represented by INADDR_ANY). These are always arranged so that the
92 * missing end is "that" (there can only be one missing end). These can
93 * be instantiated (turned into real connections) by Pluto in one of two
94 * different ways: Road Warrior Instantiation or Opportunistic
95 * Instantiation. A template connection is marked for Opportunistic
96 * Instantiation by specifying the peer client as 0.0.0.0/32 (or the IPV6
97 * equivalent). Otherwise, it is suitable for Road Warrior Instantiation.
98 *
99 * Instantiation creates a new temporary connection, with the missing
100 * details filled in. The resulting template lasts only as long as there
101 * is a state that uses it.
102 */
103
104 /* connection policy priority: how important this policy is
105 * - used to implement eroute-like precedence (augmented by a small
106 * bonus for a routed connection).
107 * - a whole number
108 * - larger is more important
109 * - three subcomponents. In order of decreasing significance:
110 * + length of source subnet mask (8 bits)
111 * + length of destination subnet mask (8 bits)
112 * + bias (8 bit)
113 * - a bias of 1 is added to allow prio BOTTOM_PRIO to be less than all
114 * normal priorities
115 * - other bias values are created on the fly to give mild preference
116 * to certaion conditions (eg. routedness)
117 * - priority is inherited -- an instance of a policy has the same priority
118 * as the original policy, even though its subnets might be smaller.
119 * - display format: n,m
120 */
121 typedef unsigned long policy_prio_t;
122 #define BOTTOM_PRIO ((policy_prio_t)0) /* smaller than any real prio */
123 #define set_policy_prio(c) { (c)->prio = \
124 ((policy_prio_t)(c)->spd.this.client.maskbits << 16) \
125 | ((policy_prio_t)(c)->spd.that.client.maskbits << 8) \
126 | (policy_prio_t)1; }
127 #define POLICY_PRIO_BUF (3+1+3+1)
128 extern void fmt_policy_prio(policy_prio_t pp, char buf[POLICY_PRIO_BUF]);
129
130 struct virtual_t;
131
132 struct end {
133 identification_t *id;
134 ip_address
135 host_addr,
136 host_nexthop,
137 host_srcip;
138 ip_subnet client;
139
140 bool is_left;
141 bool key_from_DNS_on_demand;
142 bool has_client;
143 bool has_client_wildcard;
144 bool has_port_wildcard;
145 bool has_id_wildcards;
146 bool has_natip;
147 char *updown;
148 u_int16_t host_port; /* host order */
149 u_int16_t port; /* host order */
150 u_int8_t protocol;
151 cert_t *cert; /* end certificate */
152 identification_t *ca; /* CA distinguished name */
153 ietf_attributes_t *groups; /* access control groups */
154 smartcard_t *sc; /* smartcard reader and key info */
155 struct virtual_t *virt;
156 bool modecfg; /* this end: request local address from server */
157 /* that end: give local addresses to clients */
158 char *pool; /* name of an associated virtual IP address pool */
159 bool hostaccess; /* allow access to host via iptables INPUT/OUTPUT */
160 /* rules if client behind host is a subnet */
161 bool allow_any; /* IP address is subject to change */
162 certpolicy_t sendcert; /* whether or not to send the certificate */
163 };
164
165 struct spd_route {
166 struct spd_route *next;
167 struct end this;
168 struct end that;
169 so_serial_t eroute_owner;
170 enum routing_t routing; /* level of routing in place */
171 uint32_t reqid;
172 };
173
174 typedef struct connection connection_t;
175
176 struct connection {
177 char *name;
178 bool ikev1;
179
180 lset_t policy;
181 time_t sa_ike_life_seconds;
182 time_t sa_ipsec_life_seconds;
183 time_t sa_rekey_margin;
184 unsigned long sa_rekey_fuzz;
185 unsigned long sa_keying_tries;
186
187 /* RFC 3706 DPD */
188 time_t dpd_delay;
189 time_t dpd_timeout;
190 dpd_action_t dpd_action;
191
192 char *log_file_name; /* name of log file */
193 FILE *log_file; /* possibly open FILE */
194 TAILQ_ENTRY(connection) log_link; /* linked list of open conns */
195 bool log_file_err; /* only bitch once */
196
197 struct spd_route spd;
198
199 /* internal fields: */
200
201 unsigned long instance_serial;
202 policy_prio_t prio;
203 bool instance_initiation_ok; /* this is an instance of a policy that mandates initiate */
204 enum connection_kind kind;
205 const struct iface *interface; /* filled in iff oriented */
206
207 so_serial_t /* state object serial number */
208 newest_isakmp_sa,
209 newest_ipsec_sa;
210
211
212 #ifdef DEBUG
213 lset_t extra_debugging;
214 #endif
215
216 /* note: if the client is the gateway, the following must be equal */
217 sa_family_t addr_family; /* between gateways */
218 sa_family_t tunnel_addr_family; /* between clients */
219
220 connection_t *policy_next; /* if multiple policies,
221 next one to apply */
222 struct gw_info *gw_info;
223 struct alg_info_esp *alg_info_esp;
224 struct alg_info_ike *alg_info_ike;
225 struct host_pair *host_pair;
226 connection_t *hp_next; /* host pair list link */
227 connection_t *ac_next; /* all connections list link */
228 linked_list_t *requested_ca; /* collected certificate requests */
229 linked_list_t *requested; /* requested attributes with handlers */
230 linked_list_t *attributes; /* configuration attributes with handlers */
231 bool got_certrequest;
232 };
233
234 #define oriented(c) ((c).interface != NULL)
235 extern bool orient(connection_t *c);
236
237 extern bool same_peer_ids(const connection_t *c, const connection_t *d,
238 identification_t *his_id);
239
240 /* Format the topology of a connection end, leaving out defaults.
241 * Largest left end looks like: client === host : port [ host_id ] --- hop
242 * Note: if that==NULL, skip nexthop
243 */
244 #define END_BUF (SUBNETTOT_BUF + ADDRTOT_BUF + IDTOA_BUF + ADDRTOT_BUF + 10)
245 extern size_t format_end(char *buf, size_t buf_len, const struct end *this,
246 const struct end *that, bool is_left, lset_t policy);
247
248 extern void add_connection(const whack_message_t *wm);
249 extern void initiate_connection(const char *name, int whackfd);
250 extern void initiate_opportunistic(const ip_address *our_client,
251 const ip_address *peer_client,
252 int transport_proto, bool held, int whackfd);
253 extern void terminate_connection(const char *nm);
254 extern void release_connection(connection_t *c, bool relations);
255 extern void delete_connection(connection_t *c, bool relations);
256 extern void delete_connections_by_name(const char *name, bool strict);
257 extern void delete_every_connection(void);
258 extern char *add_group_instance(connection_t *group, const ip_subnet *target);
259 extern void remove_group_instance(const connection_t *group, const char *name);
260 extern void release_dead_interfaces(void);
261 extern void check_orientations(void);
262 extern connection_t *route_owner(connection_t *c, struct spd_route **srp,
263 connection_t **erop, struct spd_route **esrp);
264 extern connection_t *shunt_owner(const ip_subnet *ours, const ip_subnet *his);
265
266 extern bool uniqueIDs; /* --uniqueids? */
267 extern void ISAKMP_SA_established(connection_t *c, so_serial_t serial);
268
269 #define id_is_ipaddr(id) ((id)->get_type(id) == ID_IPV4_ADDR || \
270 (id)->get_type(id) == ID_IPV6_ADDR)
271 extern bool his_id_was_instantiated(const connection_t *c);
272
273 struct state; /* forward declaration of tag (defined in state.h) */
274
275 extern connection_t* con_by_name(const char *nm, bool strict);
276 extern connection_t* find_host_connection(const ip_address *me,
277 u_int16_t my_port,
278 const ip_address *him,
279 u_int16_t his_port, lset_t policy);
280 extern connection_t* refine_host_connection(const struct state *st,
281 identification_t *id,
282 identification_t *peer_ca);
283 extern connection_t* find_client_connection(connection_t *c,
284 const ip_subnet *our_net,
285 const ip_subnet *peer_net,
286 const u_int8_t our_protocol,
287 const u_int16_t out_port,
288 const u_int8_t peer_protocol,
289 const u_int16_t peer_port);
290 extern connection_t* find_connection_by_reqid(uint32_t reqid);
291 extern connection_t* find_connection_for_clients(struct spd_route **srp,
292 const ip_address *our_client,
293 const ip_address *peer_client,
294 int transport_proto);
295 extern void get_peer_ca_and_groups(connection_t *c,
296 identification_t **peer_ca,
297 ietf_attributes_t **peer_attributes);
298
299 /* instantiating routines
300 * Note: connection_discard() is in state.h because all its work
301 * is looking through state objects.
302 */
303 struct gw_info; /* forward declaration of tag (defined in dnskey.h) */
304 struct alg_info; /* forward declaration of tag (defined in alg_info.h) */
305 extern connection_t *rw_instantiate(connection_t *c,
306 const ip_address *him,
307 u_int16_t his_port,
308 const ip_subnet *his_net,
309 identification_t *his_id);
310
311 extern connection_t *oppo_instantiate(connection_t *c,
312 const ip_address *him,
313 identification_t *his_id,
314 struct gw_info *gw,
315 const ip_address *our_client,
316 const ip_address *peer_client);
317
318 extern connection_t
319 *build_outgoing_opportunistic_connection(struct gw_info *gw,
320 const ip_address *our_client,
321 const ip_address *peer_client);
322
323 #define CONN_INST_BUF BUF_LEN
324
325 extern void fmt_conn_instance(const connection_t *c, char buf[CONN_INST_BUF]);
326
327 /* operations on "pending", the structure representing Quick Mode
328 * negotiations delayed until a Keying Channel has been negotiated.
329 */
330
331 struct pending; /* forward declaration (opaque outside connections.c) */
332
333 extern void add_pending(int whack_sock, struct state *isakmp_sa,
334 connection_t *c, lset_t policy, unsigned long try,
335 so_serial_t replacing);
336
337 extern void release_pending_whacks(struct state *st, err_t story);
338 extern void unpend(struct state *st);
339 extern void update_pending(struct state *os, struct state *ns);
340 extern void flush_pending_by_state(struct state *st);
341 extern void show_pending_phase2(const struct host_pair *hp, const struct state *st);
342
343 extern void connection_discard(connection_t *c);
344
345 /* A template connection's eroute can be eclipsed by
346 * either a %hold or an eroute for an instance iff
347 * the template is a /32 -> /32. This requires some special casing.
348 */
349 #define eclipsable(sr) (subnetishost(&(sr)->this.client) && subnetishost(&(sr)->that.client))
350 extern long eclipse_count;
351 extern connection_t *eclipsed(connection_t *c, struct spd_route **);
352
353
354 /* print connection status */
355
356 extern void show_connections_status(bool all, const char *name);
357 extern int connection_compare(const connection_t *ca
358 , const connection_t *cb);
359 extern void update_host_pair(const char *why, connection_t *c
360 , const ip_address *myaddr, u_int16_t myport
361 , const ip_address *hisaddr, u_int16_t hisport);
362
363 #endif /* _CONNECTIONS_H */
strongSwan - IPsec VPN