updated API doc for socket.h
[strongswan.git] / src / charon / sa / child_sa.h
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2006-2007 Martin Willi
4 * Copyright (C) 2006 Daniel Roethlisberger
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 *
17 * $Id$
18 */
19
20 /**
21 * @defgroup child_sa child_sa
22 * @{ @ingroup sa
23 */
24
25 #ifndef CHILD_SA_H_
26 #define CHILD_SA_H_
27
28 typedef enum child_sa_state_t child_sa_state_t;
29 typedef struct child_sa_t child_sa_t;
30
31 #include <library.h>
32 #include <crypto/prf_plus.h>
33 #include <encoding/payloads/proposal_substructure.h>
34 #include <config/proposal.h>
35 #include <config/child_cfg.h>
36
37 /**
38 * States of a CHILD_SA
39 */
40 enum child_sa_state_t {
41
42 /**
43 * Just created, uninstalled CHILD_SA
44 */
45 CHILD_CREATED,
46
47 /**
48 * Installed SPD, but no SAD entries
49 */
50 CHILD_ROUTED,
51
52 /**
53 * Installing an in-use CHILD_SA
54 */
55 CHILD_INSTALLING,
56
57 /**
58 * Installed an in-use CHILD_SA
59 */
60 CHILD_INSTALLED,
61
62 /**
63 * While updating hosts, in update_hosts()
64 */
65 CHILD_UPDATING,
66
67 /**
68 * CHILD_SA which is rekeying
69 */
70 CHILD_REKEYING,
71
72 /**
73 * CHILD_SA in progress of delete
74 */
75 CHILD_DELETING,
76
77 /**
78 * CHILD_SA object gets destroyed
79 */
80 CHILD_DESTROYING,
81 };
82
83 /**
84 * enum strings for child_sa_state_t.
85 */
86 extern enum_name_t *child_sa_state_names;
87
88 /**
89 * Represents an IPsec SAs between two hosts.
90 *
91 * A child_sa_t contains two SAs. SAs for both
92 * directions are managed in one child_sa_t object. Both
93 * SAs and the policies have the same reqid.
94 *
95 * The procedure for child sa setup is as follows:
96 * - A gets SPIs for a proposal via child_sa_t.alloc
97 * - A send the updated proposal to B
98 * - B selects a suitable proposal
99 * - B calls child_sa_t.add to add and update the selected proposal
100 * - B sends the updated proposal to A
101 * - A calls child_sa_t.update to update the already allocated SPIs with the chosen proposal
102 *
103 * Once SAs are set up, policies can be added using add_policies.
104 */
105 struct child_sa_t {
106
107 /**
108 * Get the name of the config this CHILD_SA uses.
109 *
110 * @return name
111 */
112 char* (*get_name) (child_sa_t *this);
113
114 /**
115 * Get the reqid of the CHILD SA.
116 *
117 * Every CHILD_SA has a reqid. The kernel uses this ID to
118 * identify it.
119 *
120 * @return reqid of the CHILD SA
121 */
122 u_int32_t (*get_reqid)(child_sa_t *this);
123
124 /**
125 * Get the SPI of this CHILD_SA.
126 *
127 * Set the boolean parameter inbound to TRUE to
128 * get the SPI for which we receive packets, use
129 * FALSE to get those we use for sending packets.
130 *
131 * @param inbound TRUE to get inbound SPI, FALSE for outbound.
132 * @return SPI of the CHILD SA
133 */
134 u_int32_t (*get_spi) (child_sa_t *this, bool inbound);
135
136 /**
137 * Get the CPI of this CHILD_SA.
138 *
139 * Set the boolean parameter inbound to TRUE to
140 * get the CPI for which we receive packets, use
141 * FALSE to get those we use for sending packets.
142 *
143 * @param inbound TRUE to get inbound CPI, FALSE for outbound.
144 * @return CPI of the CHILD SA
145 */
146 u_int16_t (*get_cpi) (child_sa_t *this, bool inbound);
147
148 /**
149 * Get the protocol which this CHILD_SA uses to protect traffic.
150 *
151 * @return AH | ESP
152 */
153 protocol_id_t (*get_protocol) (child_sa_t *this);
154
155 /**
156 * Get the IPsec mode of this CHILD_SA.
157 *
158 * @return TUNNEL | TRANSPORT | BEET
159 */
160 ipsec_mode_t (*get_mode)(child_sa_t *this);
161
162 /**
163 * Get the used IPComp algorithm.
164 *
165 * @return IPComp compression algorithm.
166 */
167 ipcomp_transform_t (*get_ipcomp)(child_sa_t *this);
168
169 /**
170 * Check if this CHILD_SA uses UDP encapsulation.
171 *
172 * @return TRUE if SA encapsulates ESP packets
173 */
174 bool (*has_encap)(child_sa_t *this);
175
176 /**
177 * Get the lifetime of the CHILD_SA.
178 *
179 * @param hard TRUE for hard lifetime, FALSE for soft (rekey) lifetime
180 * @return lifetime in seconds
181 */
182 u_int32_t (*get_lifetime)(child_sa_t *this, bool hard);
183
184 /**
185 * Get last use time of the CHILD_SA.
186 *
187 * @param inbound TRUE for inbound traffic, FALSE for outbound
188 * @return time of last use in seconds
189 */
190 u_int32_t (*get_usetime)(child_sa_t *this, bool inbound);
191
192 /**
193 * Allocate SPIs for given proposals.
194 *
195 * Since the kernel manages SPIs for us, we need
196 * to allocate them. If a proposal contains more
197 * than one protocol, for each protocol an SPI is
198 * allocated. SPIs are stored internally and written
199 * back to the proposal.
200 *
201 * @param proposals list of proposals for which SPIs are allocated
202 */
203 status_t (*alloc)(child_sa_t *this, linked_list_t* proposals);
204
205 /**
206 * Install the kernel SAs for a proposal, without previous SPI allocation.
207 *
208 * @param proposal proposal for which SPIs are allocated
209 * @param mode mode for the CHILD_SA
210 * @param integ_in integrity key for inbound traffic
211 * @param integ_out integrity key for outbound traffic
212 * @param encr_in encryption key for inbound traffic
213 * @param enc_out encryption key for outbound traffic
214 * @return SUCCESS or FAILED
215 */
216 status_t (*add)(child_sa_t *this, proposal_t *proposal, ipsec_mode_t mode,
217 chunk_t integ_in, chunk_t integ_out,
218 chunk_t encr_in, chunk_t encr_out);
219 /**
220 * Install the kernel SAs for a proposal, after SPIs have been allocated.
221 *
222 * Updates an SA, for which SPIs are already allocated via alloc().
223 *
224 * @param proposal proposal for which SPIs are allocated
225 * @param mode mode for the CHILD_SA
226 * @param integ_in integrity key for inbound traffic
227 * @param integ_out integrity key for outbound traffic
228 * @param encr_in encryption key for inbound traffic
229 * @param enc_out encryption key for outbound traffic
230 * @return SUCCESS or FAILED
231 */
232 status_t (*update)(child_sa_t *this, proposal_t *proposal, ipsec_mode_t mode,
233 chunk_t integ_in, chunk_t integ_out,
234 chunk_t encr_in, chunk_t encr_out);
235 /**
236 * Get the selected proposal passed to add()/update().
237 *
238 * @return selected proposal
239 */
240 proposal_t* (*get_proposal)(child_sa_t *this);
241
242 /**
243 * Update the hosts in the kernel SAs and policies.
244 *
245 * The CHILD must be INSTALLED to do this update.
246 *
247 * @param me the new local host
248 * @param other the new remote host
249 * @param vip virtual IP, if any
250 * @param TRUE to use UDP encapsulation for NAT traversal
251 * @return SUCCESS or FAILED
252 */
253 status_t (*update_hosts)(child_sa_t *this, host_t *me, host_t *other,
254 host_t *vip, bool encap);
255
256 /**
257 * Install the policies using some traffic selectors.
258 *
259 * Supplied lists of traffic_selector_t's specify the policies
260 * to use for this child sa.
261 *
262 * @param my_ts traffic selectors for local site
263 * @param other_ts traffic selectors for remote site
264 * @param mode mode for the SA: tunnel/transport
265 * @param proto protocol for policy, ESP/AH
266 * @return SUCCESS or FAILED
267 */
268 status_t (*add_policies)(child_sa_t *this, linked_list_t *my_ts_list,
269 linked_list_t *other_ts_list, ipsec_mode_t mode,
270 protocol_id_t proto);
271
272 /**
273 * Get the traffic selectors of added policies of local host.
274 *
275 * @param local TRUE for own traffic selectors, FALSE for remote
276 * @return list of traffic selectors
277 */
278 linked_list_t* (*get_traffic_selectors) (child_sa_t *this, bool local);
279
280 /**
281 * Create an enumerator over installed policies.
282 *
283 * @return enumerator over pairs of traffic selectors.
284 */
285 enumerator_t* (*create_policy_enumerator)(child_sa_t *this);
286
287 /**
288 * Get the state of the CHILD_SA.
289 */
290 child_sa_state_t (*get_state) (child_sa_t *this);
291
292 /**
293 * Set the state of the CHILD_SA.
294 *
295 * @param state state to set on CHILD_SA
296 */
297 void (*set_state) (child_sa_t *this, child_sa_state_t state);
298
299 /**
300 * Get the config used to set up this child sa.
301 *
302 * @return child_cfg
303 */
304 child_cfg_t* (*get_config) (child_sa_t *this);
305
306 /**
307 * Activate IPComp by setting the transform ID and CPI values.
308 *
309 * @param ipcomp the IPComp transform to use
310 * @param other_cpi other Compression Parameter Index
311 */
312 void (*activate_ipcomp) (child_sa_t *this, ipcomp_transform_t ipcomp,
313 u_int16_t other_cpi);
314
315 /**
316 * Returns the Compression Parameter Index (CPI) allocated from the kernel.
317 *
318 * @return allocated CPI
319 */
320 u_int16_t (*allocate_cpi) (child_sa_t *this);
321
322 /**
323 * Destroys a child_sa.
324 */
325 void (*destroy) (child_sa_t *this);
326 };
327
328 /**
329 * Constructor to create a new child_sa_t.
330 *
331 * @param me own address
332 * @param other remote address
333 * @param my_id id of own peer
334 * @param other_id id of remote peer
335 * @param config config to use for this CHILD_SA
336 * @param reqid reqid of old CHILD_SA when rekeying, 0 otherwise
337 * @param encap TRUE to enable UDP encapsulation (NAT traversal)
338 * @return child_sa_t object
339 */
340 child_sa_t * child_sa_create(host_t *me, host_t *other, child_cfg_t *config,
341 u_int32_t reqid, bool encap);
342
343 #endif /*CHILD_SA_H_ @} */