b67f0b56280faa6e6d761b0232355c5609bd9c9f
[strongswan.git] / src / pluto / connections.h
1 /* information about connections between hosts and clients
2 * Copyright (C) 1998-2001 D. Hugh Redelmeier
3 * Copyright (C) 2009-2010 Andreas Steffen - Hochschule fuer Technik Rapperswil
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #ifndef _CONNECTIONS_H
17 #define _CONNECTIONS_H
18
19 #include <sys/queue.h>
20
21 #include <utils/host.h>
22 #include <utils/linked_list.h>
23 #include <utils/identification.h>
24 #include <credentials/ietf_attributes/ietf_attributes.h>
25
26 #include "certs.h"
27 #include "smartcard.h"
28 #include "whack.h"
29
30 /* There are two kinds of connections:
31 * - ISAKMP connections, between hosts (for IKE communication)
32 * - IPsec connections, between clients (for secure IP communication)
33 *
34 * An ISAKMP connection looks like:
35 * host<--->host
36 *
37 * An IPsec connection looks like:
38 * client-subnet<-->host<->nexthop<--->nexthop<->host<-->client-subnet
39 *
40 * For the connection to be relevant to this instance of Pluto,
41 * exactly one of the hosts must be a public interface of our machine
42 * known to this instance.
43 *
44 * The client subnet might simply be the host -- this is a
45 * representation of "host mode".
46 *
47 * Each nexthop defaults to the neighbouring host's IP address.
48 * The nexthop is a property of the pair of hosts, not each
49 * individually. It is only needed for IPsec because of the
50 * way IPsec is mixed into the kernel routing logic. Furthermore,
51 * only this end's nexthop is actually used. Eventually, nexthop
52 * will be unnecessary.
53 *
54 * Other information represented:
55 * - each connection has a name: a chunk of uninterpreted text
56 * that is unique for each connection.
57 * - security requirements (currently just the "policy" flags from
58 * the whack command to initiate the connection, but eventually
59 * much more. Different for ISAKMP and IPsec connections.
60 * - rekeying parameters:
61 * + time an SA may live
62 * + time before SA death that a rekeying should be attempted
63 * (only by the initiator)
64 * + number of times to attempt rekeying
65 * - With the current KLIPS, we must route packets for a client
66 * subnet through the ipsec interface (ipsec0). Only one
67 * gateway can get traffic for a specific (client) subnet.
68 * Furthermore, if the routing isn't in place, packets will
69 * be sent in the clear.
70 * "routing" indicates whether the routing has been done for
71 * this connection. Note that several connections may claim
72 * the same routing, as long as they agree about where the
73 * packets are to be sent.
74 * - With the current KLIPS, only one outbound IPsec SA bundle can be
75 * used for a particular client. This is due to a limitation
76 * of using only routing for selection. So only one IPsec state (SA)
77 * may "own" the eroute. "eroute_owner" is the serial number of
78 * this state, SOS_NOBODY if there is none. "routing" indicates
79 * what kind of erouting has been done for this connection, if any.
80 *
81 * Details on routing is in constants.h
82 *
83 * Operations on Connections:
84 *
85 * - add a new connection (with all details) [whack command]
86 * - delete a connection (by name) [whack command]
87 * - initiate a connection (by name) [whack command]
88 * - find a connection (by IP addresses of hosts)
89 * [response to peer request; finding ISAKMP connection for IPsec connection]
90 *
91 * Some connections are templates, missing the address of the peer
92 * (represented by INADDR_ANY). These are always arranged so that the
93 * missing end is "that" (there can only be one missing end). These can
94 * be instantiated (turned into real connections) by Pluto in one of two
95 * different ways: Road Warrior Instantiation or Opportunistic
96 * Instantiation. A template connection is marked for Opportunistic
97 * Instantiation by specifying the peer client as 0.0.0.0/32 (or the IPV6
98 * equivalent). Otherwise, it is suitable for Road Warrior Instantiation.
99 *
100 * Instantiation creates a new temporary connection, with the missing
101 * details filled in. The resulting template lasts only as long as there
102 * is a state that uses it.
103 */
104
105 /* connection policy priority: how important this policy is
106 * - used to implement eroute-like precedence (augmented by a small
107 * bonus for a routed connection).
108 * - a whole number
109 * - larger is more important
110 * - three subcomponents. In order of decreasing significance:
111 * + length of source subnet mask (8 bits)
112 * + length of destination subnet mask (8 bits)
113 * + bias (8 bit)
114 * - a bias of 1 is added to allow prio BOTTOM_PRIO to be less than all
115 * normal priorities
116 * - other bias values are created on the fly to give mild preference
117 * to certaion conditions (eg. routedness)
118 * - priority is inherited -- an instance of a policy has the same priority
119 * as the original policy, even though its subnets might be smaller.
120 * - display format: n,m
121 */
122 typedef unsigned long policy_prio_t;
123 #define BOTTOM_PRIO ((policy_prio_t)0) /* smaller than any real prio */
124 #define set_policy_prio(c) { (c)->prio = \
125 ((policy_prio_t)(c)->spd.this.client.maskbits << 16) \
126 | ((policy_prio_t)(c)->spd.that.client.maskbits << 8) \
127 | (policy_prio_t)1; }
128 #define POLICY_PRIO_BUF (3+1+3+1)
129 extern void fmt_policy_prio(policy_prio_t pp, char buf[POLICY_PRIO_BUF]);
130
131 struct virtual_t;
132
133 struct end {
134 identification_t *id;
135 ip_address host_addr, host_nexthop;
136 host_t *host_srcip;
137 ip_subnet client;
138
139 bool is_left;
140 bool key_from_DNS_on_demand;
141 bool has_client;
142 bool has_client_wildcard;
143 bool has_port_wildcard;
144 bool has_id_wildcards;
145 bool has_natip;
146 char *updown;
147 u_int16_t host_port; /* host order */
148 u_int16_t port; /* host order */
149 u_int8_t protocol;
150 cert_t *cert; /* end certificate */
151 identification_t *ca; /* CA distinguished name */
152 ietf_attributes_t *groups; /* access control groups */
153 smartcard_t *sc; /* smartcard reader and key info */
154 struct virtual_t *virt;
155 bool modecfg; /* this end: request local address from server */
156 /* that end: give local addresses to clients */
157 char *pool; /* name of an associated virtual IP address pool */
158 bool hostaccess; /* allow access to host via iptables INPUT/OUTPUT */
159 /* rules if client behind host is a subnet */
160 bool allow_any; /* IP address is subject to change */
161 certpolicy_t sendcert; /* whether or not to send the certificate */
162 };
163
164 struct spd_route {
165 struct spd_route *next;
166 struct end this;
167 struct end that;
168 so_serial_t eroute_owner;
169 enum routing_t routing; /* level of routing in place */
170 uint32_t reqid;
171 };
172
173 typedef struct connection connection_t;
174
175 struct connection {
176 char *name;
177 bool ikev1;
178
179 lset_t policy;
180 time_t sa_ike_life_seconds;
181 time_t sa_ipsec_life_seconds;
182 time_t sa_rekey_margin;
183 unsigned long sa_rekey_fuzz;
184 unsigned long sa_keying_tries;
185
186 identification_t *xauth_identity; /* XAUTH identity */
187
188 /* RFC 3706 DPD */
189 time_t dpd_delay;
190 time_t dpd_timeout;
191 dpd_action_t dpd_action;
192
193 char *log_file_name; /* name of log file */
194 FILE *log_file; /* possibly open FILE */
195 TAILQ_ENTRY(connection) log_link; /* linked list of open conns */
196 bool log_file_err; /* only bitch once */
197
198 struct spd_route spd;
199
200 /* internal fields: */
201
202 unsigned long instance_serial;
203 policy_prio_t prio;
204 bool instance_initiation_ok; /* this is an instance of a policy that mandates initiate */
205 enum connection_kind kind;
206 const struct iface *interface; /* filled in iff oriented */
207
208 so_serial_t /* state object serial number */
209 newest_isakmp_sa,
210 newest_ipsec_sa;
211
212
213 #ifdef DEBUG
214 lset_t extra_debugging;
215 #endif
216
217 /* note: if the client is the gateway, the following must be equal */
218 sa_family_t addr_family; /* between gateways */
219 sa_family_t tunnel_addr_family; /* between clients */
220
221 connection_t *policy_next; /* if multiple policies,
222 next one to apply */
223 struct gw_info *gw_info;
224 struct alg_info_esp *alg_info_esp;
225 struct alg_info_ike *alg_info_ike;
226 struct host_pair *host_pair;
227 connection_t *hp_next; /* host pair list link */
228 connection_t *ac_next; /* all connections list link */
229 linked_list_t *requested_ca; /* collected certificate requests */
230 linked_list_t *requested; /* requested attributes with handlers */
231 linked_list_t *attributes; /* configuration attributes with handlers */
232 bool got_certrequest;
233 };
234
235 #define oriented(c) ((c).interface != NULL)
236 extern bool orient(connection_t *c);
237
238 extern bool same_peer_ids(const connection_t *c, const connection_t *d,
239 identification_t *his_id);
240
241 /* Format the topology of a connection end, leaving out defaults.
242 * Largest left end looks like: client === host : port [ host_id ] --- hop
243 * Note: if that==NULL, skip nexthop
244 */
245 #define END_BUF (SUBNETTOT_BUF + ADDRTOT_BUF + IDTOA_BUF + ADDRTOT_BUF + 10)
246 extern size_t format_end(char *buf, size_t buf_len, const struct end *this,
247 const struct end *that, bool is_left, lset_t policy);
248
249 extern void add_connection(const whack_message_t *wm);
250 extern void initiate_connection(const char *name, int whackfd);
251 extern void initiate_opportunistic(const ip_address *our_client,
252 const ip_address *peer_client,
253 int transport_proto, bool held, int whackfd);
254 extern void terminate_connection(const char *nm);
255 extern void release_connection(connection_t *c, bool relations);
256 extern void delete_connection(connection_t *c, bool relations);
257 extern void delete_connections_by_name(const char *name, bool strict);
258 extern void delete_every_connection(void);
259 extern char *add_group_instance(connection_t *group, const ip_subnet *target);
260 extern void remove_group_instance(const connection_t *group, const char *name);
261 extern void release_dead_interfaces(void);
262 extern void check_orientations(void);
263 extern connection_t *route_owner(connection_t *c, struct spd_route **srp,
264 connection_t **erop, struct spd_route **esrp);
265 extern connection_t *shunt_owner(const ip_subnet *ours, const ip_subnet *his);
266
267 extern bool uniqueIDs; /* --uniqueids? */
268 extern void ISAKMP_SA_established(connection_t *c, so_serial_t serial);
269
270 #define id_is_ipaddr(id) ((id)->get_type(id) == ID_IPV4_ADDR || \
271 (id)->get_type(id) == ID_IPV6_ADDR)
272 extern bool his_id_was_instantiated(const connection_t *c);
273
274 struct state; /* forward declaration of tag (defined in state.h) */
275
276 extern connection_t* con_by_name(const char *nm, bool strict);
277 extern connection_t* find_host_connection(const ip_address *me,
278 u_int16_t my_port,
279 const ip_address *him,
280 u_int16_t his_port, lset_t policy);
281 extern connection_t* refine_host_connection(const struct state *st,
282 identification_t *id,
283 identification_t *peer_ca);
284 extern connection_t* find_client_connection(connection_t *c,
285 const ip_subnet *our_net,
286 const ip_subnet *peer_net,
287 const u_int8_t our_protocol,
288 const u_int16_t out_port,
289 const u_int8_t peer_protocol,
290 const u_int16_t peer_port);
291 extern connection_t* find_connection_by_reqid(uint32_t reqid);
292 extern connection_t* find_connection_for_clients(struct spd_route **srp,
293 const ip_address *our_client,
294 const ip_address *peer_client,
295 int transport_proto);
296 extern void get_peer_ca_and_groups(connection_t *c,
297 identification_t **peer_ca,
298 ietf_attributes_t **peer_attributes);
299
300 /* instantiating routines
301 * Note: connection_discard() is in state.h because all its work
302 * is looking through state objects.
303 */
304 struct gw_info; /* forward declaration of tag (defined in dnskey.h) */
305 struct alg_info; /* forward declaration of tag (defined in alg_info.h) */
306 extern connection_t *rw_instantiate(connection_t *c,
307 const ip_address *him,
308 u_int16_t his_port,
309 const ip_subnet *his_net,
310 identification_t *his_id);
311
312 extern connection_t *oppo_instantiate(connection_t *c,
313 const ip_address *him,
314 identification_t *his_id,
315 struct gw_info *gw,
316 const ip_address *our_client,
317 const ip_address *peer_client);
318
319 extern connection_t
320 *build_outgoing_opportunistic_connection(struct gw_info *gw,
321 const ip_address *our_client,
322 const ip_address *peer_client);
323
324 #define CONN_INST_BUF BUF_LEN
325
326 extern void fmt_conn_instance(const connection_t *c, char buf[CONN_INST_BUF]);
327
328 /* operations on "pending", the structure representing Quick Mode
329 * negotiations delayed until a Keying Channel has been negotiated.
330 */
331
332 struct pending; /* forward declaration (opaque outside connections.c) */
333
334 extern void add_pending(int whack_sock, struct state *isakmp_sa,
335 connection_t *c, lset_t policy, unsigned long try,
336 so_serial_t replacing);
337
338 extern void release_pending_whacks(struct state *st, err_t story);
339 extern void unpend(struct state *st);
340 extern void update_pending(struct state *os, struct state *ns);
341 extern void flush_pending_by_state(struct state *st);
342 extern void show_pending_phase2(const struct host_pair *hp, const struct state *st);
343
344 extern void connection_discard(connection_t *c);
345
346 /* A template connection's eroute can be eclipsed by
347 * either a %hold or an eroute for an instance iff
348 * the template is a /32 -> /32. This requires some special casing.
349 */
350 #define eclipsable(sr) (subnetishost(&(sr)->this.client) && subnetishost(&(sr)->that.client))
351 extern long eclipse_count;
352 extern connection_t *eclipsed(connection_t *c, struct spd_route **);
353
354
355 /* print connection status */
356
357 extern void show_connections_status(bool all, const char *name);
358 extern int connection_compare(const connection_t *ca
359 , const connection_t *cb);
360 extern void update_host_pair(const char *why, connection_t *c
361 , const ip_address *myaddr, u_int16_t myport
362 , const ip_address *hisaddr, u_int16_t hisport);
363
364 #endif /* _CONNECTIONS_H */