ike_sa_manager.h

Revision 4811, 7.1 kB (checked in by martin, 3 weeks ago)
updated documentation some minor cleanups calloc does not need an additional memset(0)
Property svn:keywords set to `Id`

Line
1	/*
2	* Copyright (C) 2008 Tobias Brunner
3	* Copyright (C) 2005-2008 Martin Willi
4	* Copyright (C) 2005 Jan Hutter
5	* Hochschule fuer Technik Rapperswil
6	*
7	* This program is free software; you can redistribute it and/or modify it
8	* under the terms of the GNU General Public License as published by the
9	* Free Software Foundation; either version 2 of the License, or (at your
10	* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11	*
12	* This program is distributed in the hope that it will be useful, but
13	* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14	* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15	* for more details.
16	*
17	* $Id$
18	*/
19
20	/**
21	* @defgroup ike_sa_manager ike_sa_manager
22	* @{ @ingroup sa
23	*/
24
25	#ifndef IKE_SA_MANAGER_H_
26	#define IKE_SA_MANAGER_H_
27
28	typedef struct ike_sa_manager_t ike_sa_manager_t;
29
30	#include <library.h>
31	#include <sa/ike_sa.h>
32	#include <encoding/message.h>
33	#include <config/peer_cfg.h>
34
35	/**
36	* Manages and synchronizes access to all IKE_SAs.
37	*
38	* To synchronize access to thread-unsave IKE_SAs, they are checked out for
39	* use and checked in afterwards. A checked out SA is exclusively accessible
40	* by the owning thread.
41	*/
42	struct ike_sa_manager_t {
43
44	/**
45	* Checkout an existing IKE_SA.
46	*
47	* @param ike_sa_id the SA identifier, will be updated
48	* @returns
49	* - checked out IKE_SA if found
50	* - NULL, if specified IKE_SA is not found.
51	*/
52	ike_sa_t* (checkout) (ike_sa_manager_t this, ike_sa_id_t *sa_id);
53
54	/**
55	* Create and check out a new IKE_SA.
56	*
57	* @param initiator TRUE for initiator, FALSE otherwise
58	* @returns created and checked out IKE_SA
59	*/
60	ike_sa_t* (checkout_new) (ike_sa_manager_t this, bool initiator);
61
62	/**
63	* Checkout an IKE_SA by a message.
64	*
65	* In some situations, it is necessary that the manager knows the
66	* message to use for the checkout. This has the following reasons:
67	*
68	* 1. If the targeted IKE_SA is already processing a message, we do not
69	* check it out if the message ID is the same.
70	* 2. If it is an IKE_SA_INIT request, we have to check if it is a
71	* retransmission. If so, we have to drop the message, we would
72	* create another unneeded IKE_SA for each retransmitted packet.
73	*
74	* A call to checkout_by_message() returns a (maybe new created) IKE_SA.
75	* If processing the message does not make sense (for the reasons above),
76	* NULL is returned.
77	*
78	* @param ike_sa_id the SA identifier, will be updated
79	* @returns
80	* - checked out/created IKE_SA
81	* - NULL to not process message further
82	*/
83	ike_sa_t* (checkout_by_message) (ike_sa_manager_t this, message_t *message);
84
85	/**
86	* Checkout an IKE_SA for initiation by a peer_config.
87	*
88	* To initiate, a CHILD_SA may be established within an existing IKE_SA.
89	* This call checks for an existing IKE_SA by comparing the configuration.
90	* If the CHILD_SA can be created in an existing IKE_SA, the matching SA
91	* is returned.
92	* If no IKE_SA is found, a new one is created. This is also the case when
93	* the found IKE_SA is in the DELETING state.
94	*
95	* @param peer_cfg configuration used to find an existing IKE_SA
96	* @return checked out/created IKE_SA
97	*/
98	ike_sa_t* (checkout_by_config) (ike_sa_manager_t this,
99	peer_cfg_t *peer_cfg);
100
101	/**
102	* Check for duplicates of the given IKE_SA.
103	*
104	* Measures are taken according to the uniqueness policy of the IKE_SA.
105	* The return value indicates whether duplicates have been found and if
106	* further measures should be taken (e.g. cancelling an IKE_AUTH exchange).
107	* check_uniqueness() must be called before the IKE_SA is complete,
108	* deadlocks occur otherwise.
109	*
110	* @param ike_sa ike_sa to check
111	* @return TRUE, if the given IKE_SA has duplicates and
112	* should be deleted
113	*/
114	bool (check_uniqueness)(ike_sa_manager_t this, ike_sa_t *ike_sa);
115
116	/**
117	* Check out an IKE_SA a unique ID.
118	*
119	* Every IKE_SA and every CHILD_SA is uniquely identified by an ID.
120	* These checkout function uses, depending
121	* on the child parameter, the unique ID of the IKE_SA or the reqid
122	* of one of a IKE_SAs CHILD_SA.
123	*
124	* @param id unique ID of the object
125	* @param child TRUE to use CHILD, FALSE to use IKE_SA
126	* @return
127	* - checked out IKE_SA, if found
128	* - NULL, if not found
129	*/
130	ike_sa_t* (checkout_by_id) (ike_sa_manager_t this, u_int32_t id,
131	bool child);
132
133	/**
134	* Check out an IKE_SA by the policy/connection name.
135	*
136	* Check out the IKE_SA by the configuration name, either from the IKE- or
137	* one of its CHILD_SAs.
138	*
139	* @param name name of the connection/policy
140	* @param child TRUE to use policy name, FALSE to use conn name
141	* @return
142	* - checked out IKE_SA, if found
143	* - NULL, if not found
144	*/
145	ike_sa_t* (checkout_by_name) (ike_sa_manager_t this, char *name,
146	bool child);
147
148	/**
149	* Create an enumerator over all stored IKE_SAs.
150	*
151	* While enumerating an IKE_SA, it is temporarily checked out and
152	* automatically checked in after the current enumeration step.
153	*
154	* @return enumerator over all IKE_SAs.
155	*/
156	enumerator_t (create_enumerator) (ike_sa_manager_t* this);
157
158	/**
159	* Checkin the SA after usage.
160	*
161	* If the IKE_SA is not registered in the manager, a new entry is created.
162	*
163	* @param ike_sa_id the SA identifier, will be updated
164	* @param ike_sa checked out SA
165	*/
166	void (checkin) (ike_sa_manager_t this, ike_sa_t *ike_sa);
167
168	/**
169	* Destroy a checked out SA.
170	*
171	* The IKE SA is destroyed without notification of the remote peer.
172	* Use this only if the other peer doesn't respond or behaves not
173	* as predicted.
174	* Checking in and destruction is an atomic operation (for the IKE_SA),
175	* so this can be called if the SA is in a "unclean" state, without the
176	* risk that another thread can get the SA.
177	*
178	* @param ike_sa SA to delete
179	*/
180	void (checkin_and_destroy) (ike_sa_manager_t this, ike_sa_t *ike_sa);
181
182	/**
183	* Get the number of IKE_SAs which are in the connecting state.
184	*
185	* To prevent the server from resource exhaustion, cookies and other
186	* mechanisms are used. The number of half open IKE_SAs is a good
187	* indicator to see if a peer is flooding the server.
188	* If a host is supplied, only the number of half open IKE_SAs initiated
189	* from this IP are counted.
190	* Only SAs for which we are the responder are counted.
191	*
192	* @param ip NULL for all, IP for half open IKE_SAs with IP
193	* @return number of half open IKE_SAs
194	*/
195	int (get_half_open_count) (ike_sa_manager_t this, host_t *ip);
196
197	/**
198	* Delete all existing IKE_SAs and destroy them immediately.
199	*
200	* Threads will be driven out, so all SAs can be deleted cleanly.
201	*/
202	void (flush)(ike_sa_manager_t this);
203
204	/**
205	* Destroys the manager with all associated SAs.
206	*
207	* A call to flush() is required before calling destroy.
208	*/
209	void (destroy) (ike_sa_manager_t this);
210	};
211
212	/**
213	* Create the IKE_SA manager.
214	*
215	* @returns ike_sa_manager_t object, NULL if initialization fails
216	*/
217	ike_sa_manager_t *ike_sa_manager_create(void);
218
219	#endif /IKE_SA_MANAGER_H_ @} /

Note: See TracBrowser for help on using the browser.

root/trunk/src/charon/sa/ike_sa_manager.h

Download in other formats: