Diffstat (limited to 'src/libcharon/sa/ike_sa.h')
-rw-r--r--src/libcharon/sa/ike_sa.h65
1 files changed, 63 insertions, 2 deletions
diff --git a/src/libcharon/sa/ike_sa.h b/src/libcharon/sa/ike_sa.h
index 9dbc805c9..836360e3c 100644
--- a/src/libcharon/sa/ike_sa.h
+++ b/src/libcharon/sa/ike_sa.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2006-2014 Tobias Brunner
+ * Copyright (C) 2006-2015 Tobias Brunner
* Copyright (C) 2006 Daniel Roethlisberger
* Copyright (C) 2005-2009 Martin Willi
* Copyright (C) 2005 Jan Hutter
@@ -66,6 +66,16 @@ typedef struct ike_sa_t ike_sa_t;
#define RETRY_JITTER 20
/**
+ * Number of redirects allowed within REDIRECT_LOOP_DETECT_PERIOD.
+ */
+#define MAX_REDIRECTS 5
+
+/**
+ * Time period in seconds in which at most MAX_REDIRECTS are allowed.
+ */
+#define REDIRECT_LOOP_DETECT_PERIOD 300
+
+/**
* Extensions (or optional features) the peer supports
*/
enum ike_extension_t {
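Review bot: The comments on MAX_REDIRECTS and REDIRECT_LOOP_DETECT_PERIOD say what is "allowed" but not what the limit triggers, so a reader cannot tell from this header whether exceeding it aborts the redirect, tears the IKE_SA down, or is merely logged. I would extend the first comment to `Number of redirects allowed within REDIRECT_LOOP_DETECT_PERIOD; exceeding it is treated as a redirect loop and the further redirect is refused` (adjusting the consequence to what the implementation actually does) so the loop-protection contract is visible where the constants are defined. Both remain plain #defines like RETRY_JITTER above, which matches the file's convention, but it may be worth noting in the comment whether they are meant to become strongswan.conf options later or are intentionally fixed.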
@@ -136,6 +146,11 @@ enum ike_extension_t {
* Signature Authentication, RFC 7427
*/
EXT_SIGNATURE_AUTH = (1<<12),
+
+ /**
+ * IKEv2 Redirect Mechanism, RFC 5685
+ */
+ EXT_IKE_REDIRECTION = (1<<13),
};
/**
@@ -197,6 +212,16 @@ enum ike_condition_t {
* This IKE_SA is currently being reauthenticated
*/
COND_REAUTHENTICATING = (1<<10),
+
+ /**
+ * This IKE_SA has been redirected
+ */
+ COND_REDIRECTED = (1<<11),
+
+ /**
+ * Online certificate revocation checking is suspended for this IKE_SA
+ */
+ COND_ONLINE_VALIDATION_SUSPENDED = (1<<12),
};
/**
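Review bot: COND_ONLINE_VALIDATION_SUSPENDED is a security-relevant flag, yet its comment says neither who sets it nor what later clears it, so a caller testing the condition cannot tell whether the peer's certificate has ever been revocation-checked. I would expand the comment to state the lifecycle, for example `Online certificate revocation checking (OCSP/CRL) is suspended for this IKE_SA; the trustchain is not fully validated until the deferred check succeeds`, naming the method that performs the deferred check if there is one. COND_REDIRECTED likewise does not say whether it is set on the IKE_SA that was sent away or on the one established afterwards at the new gateway; one clause on that would remove the ambiguity.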
@@ -502,6 +527,14 @@ struct ike_sa_t {
enumerator_t* (*create_auth_cfg_enumerator)(ike_sa_t *this, bool local);
/**
+ * Verify the trustchains (validity, revocation) in completed public key
+ * auth rounds.
+ *
+ * @return TRUE if certificates were valid, FALSE otherwise
+ */
+ bool (*verify_peer_certificate)(ike_sa_t *this);
+
+ /**
* Get the selected proposal of this IKE_SA.
*
* @return selected proposal
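Review bot: verify_peer_certificate documents only a TRUE/FALSE result, leaving open what it returns when no public key authentication round has completed (no trustchain to verify) and whether a TRUE result clears a suspended-validation state on the IKE_SA. Because callers will likely gate further use of the SA on this result, the header should pin both, e.g. `@return TRUE if all trustchains of completed public key auth rounds are valid (also TRUE if there were none), FALSE otherwise`, adjusted to the implementation's actual behaviour, plus a sentence on any condition flag it sets or clears. It would also help to say whether a FALSE result means the caller is expected to delete the IKE_SA or whether the method does so itself.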
@@ -837,8 +870,36 @@ struct ike_sa_t {
*
* To refresh NAT tables in a NAT router between the peers, periodic empty
* UDP packets are sent if no other traffic was sent.
+ *
+ * @param scheduled if this is a scheduled keepalive
+ */
+ void (*send_keepalive) (ike_sa_t *this, bool scheduled);
+
+ /**
+ * Redirect an active IKE_SA.
+ *
+ * @param gateway gateway ID (IP or FQDN) of the target
+ * @return state, including DESTROY_ME, if this IKE_SA MUST be
+ * destroyed
+ */
+ status_t (*redirect)(ike_sa_t *this, identification_t *gateway);
+
+ /**
+ * Handle a redirect request.
+ *
+ * The behavior is different depending on the state of the IKE_SA.
+ *
+ * @param gateway gateway ID (IP or FQDN) of the target
+ * @return FALSE if redirect not possible, TRUE otherwise
+ */
+ bool (*handle_redirect)(ike_sa_t *this, identification_t *gateway);
+
+ /**
+ * Get the address of the gateway that redirected us.
+ *
+ * @return original gateway address
*/
- void (*send_keepalive) (ike_sa_t *this);
+ host_t *(*get_redirected_from)(ike_sa_t *this);
/**
* Get the keying material of this IKE_SA.
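Review bot: The new redirect() and handle_redirect() prototypes do not document ownership of the `gateway` argument (whether the IKE_SA clones it or takes it over), and get_redirected_from() does not say whether it may return NULL or who owns the returned host_t; both are routinely misread in this codebase's `*_t` interfaces. I would add `@param gateway gateway ID (IP or FQDN) of the target (not taken over)` and `@return original gateway address, or NULL if this IKE_SA was not redirected (not to be freed)`, corrected to what the implementation does. The handle_redirect() comment says behaviour depends on the IKE_SA state but does not list the states in which a redirect is honoured; since a redirect received before the peer is authenticated is not protected, naming those states here is what lets a reader judge the exposure. The `scheduled` parameter of send_keepalive() should likewise say what a scheduled keepalive does differently from an unscheduled one.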