1 /* information about connections between hosts and clients
2 * Copyright (C) 1998-2001 D. Hugh Redelmeier
3 *
4 * This program is free software; you can redistribute it and/or modify it
5 * under the terms of the GNU General Public License as published by the
6 * Free Software Foundation; either version 2 of the License, or (at your
7 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
8 *
9 * This program is distributed in the hope that it will be useful, but
10 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
11 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
12 * for more details.
13 *
14 * RCSID $Id: connections.h,v 1.18 2006/04/22 21:59:20 as Exp $
15 */
16
17 #ifndef _CONNECTIONS_H
18 #define _CONNECTIONS_H
19
20 #include <sys/queue.h>
21
22 #include "id.h"
23 #include "certs.h"
24 #include "ac.h"
25 #include "smartcard.h"
26 #include "whack.h"
27
28 /* There are two kinds of connections:
29 * - ISAKMP connections, between hosts (for IKE communication)
30 * - IPsec connections, between clients (for secure IP communication)
31 *
32 * An ISAKMP connection looks like:
33 * host<--->host
34 *
35 * An IPsec connection looks like:
36 * client-subnet<-->host<->nexthop<--->nexthop<->host<-->client-subnet
37 *
38 * For the connection to be relevant to this instance of Pluto,
39 * exactly one of the hosts must be a public interface of our machine
40 * known to this instance.
41 *
42 * The client subnet might simply be the host -- this is a
43 * representation of "host mode".
44 *
45 * Each nexthop defaults to the neighbouring host's IP address.
46 * The nexthop is a property of the pair of hosts, not each
47 * individually. It is only needed for IPsec because of the
48 * way IPsec is mixed into the kernel routing logic. Furthermore,
49 * only this end's nexthop is actually used. Eventually, nexthop
50 * will be unnecessary.
51 *
52 * Other information represented:
53 * - each connection has a name: a chunk of uninterpreted text
54 * that is unique for each connection.
55 * - security requirements (currently just the "policy" flags from
56 * the whack command to initiate the connection, but eventually
57 * much more. Different for ISAKMP and IPsec connections.
58 * - rekeying parameters:
59 * + time an SA may live
60 * + time before SA death that a rekeying should be attempted
61 * (only by the initiator)
62 * + number of times to attempt rekeying
63 * - With the current KLIPS, we must route packets for a client
64 * subnet through the ipsec interface (ipsec0). Only one
65 * gateway can get traffic for a specific (client) subnet.
66 * Furthermore, if the routing isn't in place, packets will
67 * be sent in the clear.
68 * "routing" indicates whether the routing has been done for
69 * this connection. Note that several connections may claim
70 * the same routing, as long as they agree about where the
71 * packets are to be sent.
72 * - With the current KLIPS, only one outbound IPsec SA bundle can be
73 * used for a particular client. This is due to a limitation
74 * of using only routing for selection. So only one IPsec state (SA)
75 * may "own" the eroute. "eroute_owner" is the serial number of
76 * this state, SOS_NOBODY if there is none. "routing" indicates
77 * what kind of erouting has been done for this connection, if any.
78 *
* Details on routing are in constants.h
80 *
81 * Operations on Connections:
82 *
83 * - add a new connection (with all details) [whack command]
84 * - delete a connection (by name) [whack command]
85 * - initiate a connection (by name) [whack command]
86 * - find a connection (by IP addresses of hosts)
87 * [response to peer request; finding ISAKMP connection for IPsec connection]
88 *
89 * Some connections are templates, missing the address of the peer
90 * (represented by INADDR_ANY). These are always arranged so that the
91 * missing end is "that" (there can only be one missing end). These can
92 * be instantiated (turned into real connections) by Pluto in one of two
93 * different ways: Road Warrior Instantiation or Opportunistic
94 * Instantiation. A template connection is marked for Opportunistic
95 * Instantiation by specifying the peer client as 0.0.0.0/32 (or the IPV6
96 * equivalent). Otherwise, it is suitable for Road Warrior Instantiation.
97 *
98 * Instantiation creates a new temporary connection, with the missing
* details filled in. The resulting instance lasts only as long as there
* is a state that uses it.
101 */
102
103 /* connection policy priority: how important this policy is
104 * - used to implement eroute-like precedence (augmented by a small
105 * bonus for a routed connection).
106 * - a whole number
107 * - larger is more important
108 * - three subcomponents. In order of decreasing significance:
109 * + length of source subnet mask (8 bits)
110 * + length of destination subnet mask (8 bits)
111 * + bias (8 bit)
112 * - a bias of 1 is added to allow prio BOTTOM_PRIO to be less than all
113 * normal priorities
114 * - other bias values are created on the fly to give mild preference
* to certain conditions (eg. routedness)
116 * - priority is inherited -- an instance of a policy has the same priority
117 * as the original policy, even though its subnets might be smaller.
118 * - display format: n,m
119 */
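/* Connection policy priority (encoding described in the comment above):
 * bits 16..23 hold the source (this.client) mask length, bits 8..15 the
 * destination (that.client) mask length, bits 0..7 a bias that is at least 1
 * so that every real priority compares greater than BOTTOM_PRIO.
 * Mask lengths are at most 128, so each field fits its 8 bits.
 */
typedef unsigned long policy_prio_t;
#define BOTTOM_PRIO ((policy_prio_t)0) /* smaller than any real prio */

/* Recompute c->prio from the client masks of c's first spd_route.
 * Wrapped in do { ... } while (0) so the macro behaves as one statement:
 * the previous bare { ... } form turned "if (x) set_policy_prio(c); else ..."
 * into a syntax error (the ';' after '}' ended the if).
 */
#define set_policy_prio(c) do { (c)->prio = \
        ((policy_prio_t)(c)->spd.this.client.maskbits << 16) \
        | ((policy_prio_t)(c)->spd.that.client.maskbits << 8) \
        | (policy_prio_t)1; } while (0)

/* display format "n,m": up to three digits each, a comma and a NUL */
#define POLICY_PRIO_BUF (3+1+3+1)
extern void fmt_policy_prio(policy_prio_t pp, char buf[POLICY_PRIO_BUF]);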
128
#ifdef VIRTUAL_IP
struct virtual_t;   /* opaque here: struct end only holds a pointer to it; defined elsewhere */
#endif
132
/* One end of a connection: a host, the client subnet (if any) behind it,
 * and the identity / credential material for that end. A connection holds
 * two of these in its spd_route ("this" and "that"); orient() decides which
 * is the public interface of our machine (see the file comment).
 */
struct end {
    struct id id;                   /* identity this end asserts / is expected to present */
    ip_address
        host_addr,                  /* address of the host itself */
        host_nexthop,               /* next hop towards the peer; per the file
                                     * comment only this end's value is used */
        host_srcip;                 /* NOTE(review): presumably the source address
                                     * for traffic originating here -- confirm */
    ip_subnet client;               /* client subnet; may be just the host ("host mode") */

    bool key_from_DNS_on_demand;    /* NOTE(review): presumably fetch this end's
                                     * public key from DNS when needed -- confirm */
    bool has_client;                /* a client subnet was specified */
    bool has_client_wildcard;       /* client subnet left open (template) -- presumably */
    bool has_port_wildcard;         /* port left open -- presumably */
    bool has_id_wildcards;          /* id contains wildcards, so it can match more
                                     * than one peer identity; such ends bind
                                     * authentication more loosely -- review where
                                     * it interacts with uniqueIDs / refine_host_connection */
    char *updown;                   /* updown script name (presumably; see routing_t) */
    u_int16_t host_port;            /* host order */
    u_int16_t port;                 /* host order */
    u_int8_t protocol;              /* IP protocol of the client selector (0 = any, presumably) */
    cert_t cert;                    /* end certificate */
    chunk_t ca;                     /* CA distinguished name; for "that" this is the
                                     * CA the peer's certificate must chain to
                                     * (see refine_host_connection's peer_ca) -- confirm */
    struct ietfAttrList *groups;    /* access control groups */
    smartcard_t *sc;                /* smartcard reader and key info */
#ifdef VIRTUAL_IP
    struct virtual_t *virt;         /* allowed virtual client subnets (presumably) */
#endif
    bool modecfg;                   /* this end: request local address from server */
                                    /* that end: give local addresses to clients */
    bool hostaccess;                /* allow access to host via iptables INPUT/OUTPUT */
                                    /* rules if client behind host is a subnet */
    certpolicy_t sendcert;          /* whether or not to send the certificate */
};
163
/* One security policy (pair of ends plus its routing/eroute state).
 * A connection owns a list of these, headed by connection.spd.
 */
struct spd_route {
    struct spd_route *next;         /* next policy of the same connection */
    struct end this;                /* our end */
    struct end that;                /* the peer's end */
    so_serial_t eroute_owner;       /* serial of the IPsec state owning the eroute,
                                     * SOS_NOBODY if none (see file comment) */
    enum routing_t routing;         /* level of routing in place */
    uint32_t reqid;                 /* kernel request id linking policy to SAs
                                     * (see find_connection_by_reqid) */
};
172
/* A connection as configured by whack (see the file comment for the model)
 * plus the run-time bookkeeping Pluto keeps for it.
 */
struct connection {
    char *name;                     /* unique, uninterpreted connection name */
    bool ikev1;                     /* NOTE(review): IKE version selector -- presumably
                                     * TRUE when this connection is handled by pluto
                                     * (IKEv1); confirm in add_connection() */

    lset_t policy;                  /* POLICY_* flags from the whack command */
    time_t sa_ike_life_seconds;     /* how long the ISAKMP SA may live */
    time_t sa_ipsec_life_seconds;   /* how long the IPsec SA may live */
    time_t sa_rekey_margin;         /* time before SA death to attempt rekeying (initiator only) */
    unsigned long sa_rekey_fuzz;    /* NOTE(review): presumably randomises the margin
                                     * (percentage) -- confirm */
    unsigned long sa_keying_tries;  /* number of times to attempt (re)keying */

    /* RFC 3706 DPD */
    time_t dpd_delay;               /* interval between DPD probes */
    time_t dpd_timeout;             /* silence after which the peer is considered dead */
    dpd_action_t dpd_action;        /* what to do once the peer is declared dead */

    char *log_file_name;            /* name of log file */
    FILE *log_file;                 /* possibly open FILE */
    CIRCLEQ_ENTRY(connection) log_link; /* linked list of open conns */
    bool log_file_err;              /* only bitch once */

    struct spd_route spd;           /* first policy; further ones via spd.next */

    /* internal fields: */

    unsigned long instance_serial;  /* serial of an instantiated connection
                                     * (printed by fmt_conn_instance) */
    policy_prio_t prio;             /* computed by set_policy_prio() */
    bool instance_initiation_ok;    /* this is an instance of a policy that mandates initiate */
    enum connection_kind kind;      /* template / instance / ... (CK_INSTANCE is used below) */
    const struct iface *interface;  /* filled in iff oriented */

    so_serial_t                     /* state object serial number */
        newest_isakmp_sa,           /* most recent ISAKMP SA of this connection */
        newest_ipsec_sa;            /* most recent IPsec SA of this connection */

#ifdef DEBUG
    lset_t extra_debugging;         /* per-connection debugging flags */
#endif

    /* note: if the client is the gateway, the following must be equal */
    sa_family_t addr_family;        /* between gateways */
    sa_family_t tunnel_addr_family; /* between clients */

    struct connection *policy_next; /* if multiple policies, next one to apply */

    struct gw_info *gw_info;        /* opportunistic gateway info (dnskey.h) */
    struct alg_info_esp *alg_info_esp;  /* ESP algorithm proposals (alg_info.h) */
    struct alg_info_ike *alg_info_ike;  /* IKE algorithm proposals (alg_info.h) */

    struct host_pair *host_pair;    /* group of connections sharing the same host
                                     * addresses (presumably; see update_host_pair) */
    struct connection *hp_next;     /* host pair list link */

    struct connection *ac_next;     /* all connections list link */

    generalName_t *requested_ca;    /* collected certificate requests */
    bool got_certrequest;           /* at least one certificate request received (presumably) */
};
232
/* A connection is "oriented" once orient() has worked out which of its ends
 * is an interface of this host; `interface` is filled in iff that succeeded.
 * oriented() takes the struct itself, not a pointer.
 */
#define oriented(c) ((c).interface != NULL)
extern bool orient(struct connection *c);

/* Do connections c and d refer to the same peer identity, the peer's
 * presented id being his_id? Wildcard handling lives in connections.c. */
extern bool same_peer_ids(const struct connection *c, const struct connection *d,
                          const struct id *his_id);
238
/* Format the topology of one connection end, leaving out defaults.
 * Largest left end looks like: client === host : port [ host_id ] --- hop
 * Note: if that==NULL, skip nexthop.
 * END_BUF is the documented worst case; the "+ 10" is meant to cover the
 * separators. NOTE(review): callers should always pass the real buffer size
 * as buf_len rather than assume END_BUF is exact, and treat the size_t result
 * as the length produced (presumably snprintf-style -- confirm in connections.c).
 */
#define END_BUF (SUBNETTOT_BUF + ADDRTOT_BUF + IDTOA_BUF + ADDRTOT_BUF + 10)
extern size_t format_end(char *buf, size_t buf_len,
                         const struct end *this, const struct end *that,
                         bool is_left, lset_t policy);
247
/* Whack-driven lifecycle operations (add / delete / initiate, see the file
 * comment) and the routing / eroute ownership queries. */
extern void add_connection(const whack_message_t *wm);
extern void initiate_connection(const char *name, int whackfd);

/* Opportunistic initiation for traffic between our_client and peer_client;
 * `held` presumably reports that a %hold eroute is already in place. */
extern void initiate_opportunistic(const ip_address *our_client,
                                   const ip_address *peer_client,
                                   int transport_proto, bool held, int whackfd);

extern void terminate_connection(const char *nm);
/* `relations`: also act on connections related to c (instances, presumably) */
extern void release_connection(struct connection *c, bool relations);
extern void delete_connection(struct connection *c, bool relations);
/* `strict`: name matching mode, see con_by_name */
extern void delete_connections_by_name(const char *name, bool strict);
extern void delete_every_connection(void);

/* Group connections: create / remove an instance covering `target`.
 * add_group_instance returns the instance's name (ownership as per connections.c). */
extern char *add_group_instance(struct connection *group, const ip_subnet *target);
extern void remove_group_instance(const struct connection *group, const char *name);

extern void release_dead_interfaces(void);
extern void check_orientations(void);

/* Which connection currently owns the route for c's client pair? Optional
 * out-params return the spd_route and, separately, the eroute owner. */
extern struct connection *route_owner(struct connection *c,
                                      struct spd_route **srp,
                                      struct connection **erop,
                                      struct spd_route **esrp);
/* Owner of the shunt (e.g. %hold / %pass) covering the given client pair, if any. */
extern struct connection *shunt_owner(const ip_subnet *ours,
                                      const ip_subnet *his);
267
/* --uniqueids: NOTE(review): presumably makes a freshly authenticated peer ID
 * displace older SAs using the same ID (see ISAKMP_SA_established in
 * connections.c). This is security-relevant behaviour -- confirm before relying on it. */
extern bool uniqueIDs;   /* --uniqueids? */
/* Called once the ISAKMP SA with state serial `serial` for c is established. */
extern void ISAKMP_SA_established(struct connection *c, so_serial_t serial);
270
/* TRUE iff c is an instance whose peer id was filled in by instantiation:
 * the peer id is either not an IP address at all, or it is the IP address
 * equal to the peer's host address.
 */
#define his_id_was_instantiated(c) \
    ((c)->kind == CK_INSTANCE \
     && (!id_is_ipaddr(&(c)->spd.that.id) \
         || sameaddr(&(c)->spd.that.id.ip_addr, &(c)->spd.that.host_addr)))
274
struct state;   /* forward declaration of tag (defined in state.h) */

/* Look up a connection by name. `strict` presumably controls whether an
 * instance name may match -- confirm in connections.c. */
extern struct connection *con_by_name(const char *nm, bool strict);

/* Responder-side lookup: the connection between (me:my_port) and
 * (him:his_port) whose policy is compatible with `policy`. */
extern struct connection *find_host_connection(const ip_address *me, u_int16_t my_port,
                                               const ip_address *him, u_int16_t his_port,
                                               lset_t policy);

/* Once the peer has authenticated as `id` under CA `peer_ca`, pick the
 * best-matching connection for the state (may differ from the initial one). */
extern struct connection *refine_host_connection(const struct state *st,
                                                 const struct id *id,
                                                 chunk_t peer_ca);

/* Find the IPsec (client) connection for the given selectors, starting from
 * the host connection c. NOTE(review): `out_port` presumably means "our port"
 * (it pairs with our_protocol). */
extern struct connection *find_client_connection(struct connection *c,
                                                 const ip_subnet *our_net,
                                                 const ip_subnet *peer_net,
                                                 const u_int8_t our_protocol,
                                                 const u_int16_t out_port,
                                                 const u_int8_t peer_protocol,
                                                 const u_int16_t peer_port);

/* Find the connection whose spd_route carries kernel request id `reqid`. */
extern struct connection *find_connection_by_reqid(uint32_t reqid);
290
/* Find the connection (and, via srp, the spd_route) covering traffic between
 * our_client and peer_client for transport_proto; used for opportunism and
 * for deciding who owns a client pair. */
extern struct connection *find_connection_for_clients(struct spd_route **srp,
                                                      const ip_address *our_client,
                                                      const ip_address *peer_client,
                                                      int transport_proto);

/* Return the peer's CA distinguished name for c and, via peer_list, the
 * access-control groups that apply to the peer (see struct end.groups). */
extern chunk_t get_peer_ca_and_groups(struct connection *c,
                                      const ietfAttrList_t **peer_list);
299
/* Instantiating routines (see "templates" in the file comment).
 * Note: connection_discard() does its work by looking through state objects;
 * its prototype is nevertheless declared further down in this header, so the
 * older remark that it lives in state.h looks stale -- verify against state.h.
 */
struct gw_info;     /* forward declaration of tag (defined in dnskey.h) */
struct alg_info;    /* forward declaration of tag (defined in alg_info.h) */

/* Road Warrior instantiation: fill in the peer address (and, when built with
 * NAT_TRAVERSAL / VIRTUAL_IP, port and claimed client subnet) of template c.
 * Because the parameter list depends on build options, every caller must be
 * compiled with the same configuration as connections.c. */
extern struct connection *rw_instantiate(struct connection *c,
                                         const ip_address *him
#ifdef NAT_TRAVERSAL
                                         , u_int16_t his_port
#endif
#ifdef VIRTUAL_IP
                                         , const ip_subnet *his_net
#endif
                                         , const struct id *his_id);

/* Opportunistic instantiation of template c for the given gateway and client pair. */
extern struct connection *oppo_instantiate(struct connection *c,
                                           const ip_address *him,
                                           const struct id *his_id,
                                           struct gw_info *gw,
                                           const ip_address *our_client,
                                           const ip_address *peer_client);

/* Build the connection used to initiate opportunistically towards gw. */
extern struct connection *build_outgoing_opportunistic_connection(struct gw_info *gw,
                                                                  const ip_address *our_client,
                                                                  const ip_address *peer_client);
327
/* worst case: "[" serial "] " myclient "=== ..." peer "===" hisclient '\0'
 * NOTE(review): the "10" budgets ten digits for instance_serial, which is an
 * unsigned long; on LP64 hosts larger values are representable, so the
 * formatter must be bounded by the buffer (snprintf-style) rather than rely
 * on this constant alone -- confirm in connections.c. */
#define CONN_INST_BUF \
    (2 + 10 + 1 + SUBNETTOT_BUF + 7 + ADDRTOT_BUF + 3 + SUBNETTOT_BUF + 1)

/* Format the instance-specific part of c's description into buf. */
extern void fmt_conn_instance(const struct connection *c
    , char buf[CONN_INST_BUF]);
334
/* Operations on "pending": Quick Mode negotiations delayed until a Keying
 * Channel (ISAKMP SA) has been negotiated.
 */
struct pending;     /* opaque outside connections.c */

/* Queue a Phase 2 for connection c behind isakmp_sa. whack_sock receives the
 * outcome, `try` is the keying attempt count and `replacing` the serial of
 * the IPsec SA being replaced (presumably SOS_NOBODY when none). */
extern void add_pending(int whack_sock, struct state *isakmp_sa, struct connection *c,
                        lset_t policy, unsigned long try, so_serial_t replacing);

/* Tell the whack clients waiting on st why nothing more will happen. */
extern void release_pending_whacks(struct state *st, err_t story);
/* Start the Phase 2 negotiations queued behind the now-established st. */
extern void unpend(struct state *st);
/* Re-home pending entries from old state os to its replacement ns. */
extern void update_pending(struct state *os, struct state *ns);
extern void flush_pending_by_state(struct state *st);
extern void show_pending_phase2(const struct host_pair *hp, const struct state *st);

/* Declared here although its implementation walks state objects
 * (see the instantiating-routines comment above). */
extern void connection_discard(struct connection *c);
355
/* A template connection's eroute can be eclipsed by
 * either a %hold or an eroute for an instance iff
 * the template is a /32 -> /32, i.e. both client selectors are single hosts
 * (subnetishost() presumably also treats an IPv6 /128 as a host).
 * This requires some special casing.
 */
#define eclipsable(sr) (subnetishost(&(sr)->this.client) && subnetishost(&(sr)->that.client))
extern long eclipse_count;          /* number of eclipsed template eroutes (presumably) */
/* The template connection eclipsed by c, if any; its spd_route via the out-param. */
extern struct connection *eclipsed(struct connection *c, struct spd_route **);
363
364
/* Print connection status: all connections, or only the one named `name`. */
extern void show_connections_status(bool all, const char *name);

/* Ordering used when listing connections (presumably by name; see connections.c). */
extern int connection_compare(const struct connection *ca,
                              const struct connection *cb);

#ifdef NAT_TRAVERSAL
/* Move c to the host pair for the given addresses/ports after NAT traversal
 * changed them; `why` is presumably a reason string for logging. */
extern void update_host_pair(const char *why, struct connection *c,
                             const ip_address *myaddr, u_int16_t myport,
                             const ip_address *hisaddr, u_int16_t hisport);
#endif /* NAT_TRAVERSAL */
376
377 #endif /* _CONNECTIONS_H */