summaryrefslogtreecommitdiff
path: root/src/libcharon/sa/task.h
blob: 1a0a1acfa1759d830462ef6e08513ed480be1ddc (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
/*
 * Copyright (C) 2007-2015 Tobias Brunner
 * Copyright (C) 2006 Martin Willi
 * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

/**
 * @defgroup task task
 * @{ @ingroup sa
 */

#ifndef TASK_H_
#define TASK_H_

#include <utils/utils.h>

typedef enum task_type_t task_type_t;
typedef struct task_t task_t;

#include <library.h>
#include <sa/ike_sa.h>
#include <encoding/message.h>

/**
 * Different kinds of tasks.
 */
enum task_type_t {
	/** establish an unauthenticated IKE_SA */
	TASK_IKE_INIT,
	/** detect NAT situation */
	TASK_IKE_NATD,
	/** handle MOBIKE stuff */
	TASK_IKE_MOBIKE,
	/** authenticate the initiated IKE_SA */
	TASK_IKE_AUTH,
	/** AUTH_LIFETIME negotiation, RFC4478 */
	TASK_IKE_AUTH_LIFETIME,
	/** certificate processing before authentication (certreqs, cert parsing) */
	TASK_IKE_CERT_PRE,
	/** certificate processing after authentication (certs payload generation) */
	TASK_IKE_CERT_POST,
	/** Configuration payloads, virtual IP and such */
	TASK_IKE_CONFIG,
	/** rekey an IKE_SA */
	TASK_IKE_REKEY,
	/** reestablish a complete IKE_SA, break-before-make */
	TASK_IKE_REAUTH,
	/** completion task for make-before-break IKE_SA re-authentication */
	TASK_IKE_REAUTH_COMPLETE,
	/** redirect an active IKE_SA */
	TASK_IKE_REDIRECT,
	/** verify a peer's certificate */
	TASK_IKE_VERIFY_PEER_CERT,
	/** synchronize message IDs, RFC6311 */
	TASK_IKE_MID_SYNC,
	/** delete an IKE_SA */
	TASK_IKE_DELETE,
	/** liveness check */
	TASK_IKE_DPD,
	/** Vendor ID processing */
	TASK_IKE_VENDOR,
#ifdef ME
	/** handle ME stuff */
	TASK_IKE_ME,
#endif /* ME */
	/** establish a CHILD_SA within an IKE_SA */
	TASK_CHILD_CREATE,
	/** delete an established CHILD_SA */
	TASK_CHILD_DELETE,
	/** rekey a CHILD_SA */
	TASK_CHILD_REKEY,
	/** IKEv1 main mode */
	TASK_MAIN_MODE,
	/** IKEv1 aggressive mode */
	TASK_AGGRESSIVE_MODE,
	/** IKEv1 informational exchange */
	TASK_INFORMATIONAL,
	/** IKEv1 delete using an informational */
	TASK_ISAKMP_DELETE,
	/** IKEv1 XAUTH authentication */
	TASK_XAUTH,
	/** IKEv1 Mode Config */
	TASK_MODE_CONFIG,
	/** IKEv1 quick mode */
	TASK_QUICK_MODE,
	/** IKEv1 delete of a quick mode SA */
	TASK_QUICK_DELETE,
	/** IKEv1 vendor ID payload handling */
	TASK_ISAKMP_VENDOR,
	/** IKEv1 NAT detection */
	TASK_ISAKMP_NATD,
	/** IKEv1 DPD */
	TASK_ISAKMP_DPD,
	/** IKEv1 pre-authentication certificate handling */
	TASK_ISAKMP_CERT_PRE,
	/** IKEv1 post-authentication certificate handling */
	TASK_ISAKMP_CERT_POST,
};

/**
 * enum names for task_type_t.
 */
extern enum_name_t *task_type_names;

/**
 * Interface for a task, an operation handled within exchanges.
 *
 * A task is an elemantary operation. It may be handled by a single or by
 * multiple exchanges. An exchange may even complete multiple tasks.
 * A task has a build() and an process() operation. The build() operation
 * creates payloads and adds it to the message. The process() operation
 * inspects a message and handles its payloads. An initiator of an exchange
 * first calls build() to build the request, and processes the response message
 * with the process() method.
 * A responder does the opposite; it calls process() first to handle an incoming
 * request and secondly calls build() to build an appropriate response.
 * Both methods return either SUCCESS, NEED_MORE or FAILED. A SUCCESS indicates
 * that the task completed, even when the task completed unsuccessfully. The
 * manager then removes the task from the list. A NEED_MORE is returned when
 * the task needs further build()/process() calls to complete, the manager
 * leaves the taks in the queue. A returned FAILED indicates a critical failure.
 * The manager closes the IKE_SA whenever a task returns FAILED.
 */
struct task_t {

	/**
	 * Build a request or response message for this task.
	 *
	 * @param message		message to add payloads to
	 * @return
	 *						- FAILED if a critical error occurred
	 *						- DESTROY_ME if IKE_SA has been properly deleted
	 *						- NEED_MORE if another call to build/process needed
	 *						- ALREADY_DONE to cancel task processing
	 *						- SUCCESS if task completed
	 */
	status_t (*build) (task_t *this, message_t *message);

	/**
	 * Process a request or response message for this task.
	 *
	 * @param message		message to read payloads from
	 * @return
	 *						- FAILED if a critical error occurred
	 *						- DESTROY_ME if IKE_SA has been properly deleted
	 *						- NEED_MORE if another call to build/process needed
	 *						- ALREADY_DONE to cancel task processing
	 *						- SUCCESS if task completed
	 */
	status_t (*process) (task_t *this, message_t *message);

	/**
	 * Verify a message before processing it (optional to implement by tasks).
	 *
	 * @param message		message to verify
	 * @return
	 *						- FAILED if verification is not successful, the
	 *						  message will be silently discarded
	 *						- DESTROY_ME if IKE_SA has to be destroyed
	 *						- SUCCESS if verification is successful
	 */
	status_t (*pre_process) (task_t *this, message_t *message);

	/**
	 * Get the type of the task implementation.
	 */
	task_type_t (*get_type) (task_t *this);

	/**
	 * Migrate a task to a new IKE_SA.
	 *
	 * After migrating a task, it goes back to a state where it can be
	 * used again to initate an exchange. This is useful when a task
	 * has to get migrated to a new IKE_SA.
	 * A special usage is when a INVALID_KE_PAYLOAD is received. A call
	 * to reset resets the task, but uses another DH group for the next
	 * try.
	 * The ike_sa is the new IKE_SA this task belongs to and operates on.
	 *
	 * @param ike_sa		new IKE_SA this task works for
	 */
	void (*migrate) (task_t *this, ike_sa_t *ike_sa);

	/**
	 * Destroys a task_t object.
	 */
	void (*destroy) (task_t *this);
};

#endif /** TASK_H_ @}*/