2bbe95fe078c74840327da87a4f3aa256f5a4eb3
[strongswan.git] / src / charon / sa / child_sa.h
1 /**
2 * @file child_sa.h
3 *
4 * @brief Interface of child_sa_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23
24 #ifndef CHILD_SA_H_
25 #define CHILD_SA_H_
26
27 #include <types.h>
28 #include <crypto/prf_plus.h>
29 #include <encoding/payloads/proposal_substructure.h>
30 #include <config/proposal.h>
31 #include <utils/logger.h>
32
33 typedef struct child_sa_t child_sa_t;
34
35 /**
36 * @brief Represents multiple IPsec SAs between two hosts.
37 *
38 * A child_sa_t contains multiple SAs. SAs for both
39 * directions are managed in one child_sa_t object, and
40 * if both AH and ESP is set up, both protocols are managed
41 * by one child_sa_t. This means we can have two or
42 * in the AH+ESP case four IPsec-SAs in one child_sa_t.
43 *
44 * The procedure for child sa setup is as follows:
45 * - A gets SPIs for a proposal via child_sa_t.alloc
46 * - A send the updated proposal to B
47 * - B selects a suitable proposal
48 * - B calls child_sa_t.add to add and update the selected proposal
49 * - B sends the updated proposal to A
50 * - A calls child_sa_t.update to update the already allocated SPIs with the chosen proposal
51 *
52 * Once SAs are set up, policies can be added using add_policies.
53 *
54 *
55 * @b Constructors:
56 * - child_sa_create()
57 *
58 * @ingroup sa
59 */
60 struct child_sa_t {
61
62 /**
63 * @brief Get the unique reqid of the CHILD SA.
64 *
65 * Every CHILD_SA has a unique reqid, which is also
66 * stored down in the kernel.
67 *
68 * @param this calling object
69 * @return reqid of the CHILD SA
70 */
71 u_int32_t (*get_reqid)(child_sa_t *this);
72
73 /**
74 * @brief Get the SPI of this CHILD_SA.
75 *
76 * Set the boolean parameter inbound to TRUE to
77 * get the SPI for which we receive packets, use
78 * FALSE to get those we use for sending packets.
79 *
80 * @param this calling object
81 * @param inbound TRUE to get inbound SPI, FALSE for outbound.
82 * @return spi of the CHILD SA
83 */
84 u_int32_t (*get_spi) (child_sa_t *this, bool inbound);
85
86 /**
87 * @brief Get the protocol which this CHILD_SA uses to protect traffic.
88 *
89 * @param this calling object
90 * @return AH | ESP
91 */
92 protocol_id_t (*get_protocol) (child_sa_t *this);
93
94 /**
95 * @brief Allocate SPIs for a given proposals.
96 *
97 * Since the kernel manages SPIs for us, we need
98 * to allocate them. If the proposal contains more
99 * than one protocol, for each protocol an SPI is
100 * allocated. SPIs are stored internally and written
101 * back to the proposal.
102 *
103 * @param this calling object
104 * @param proposal proposal for which SPIs are allocated
105 */
106 status_t (*alloc)(child_sa_t *this, linked_list_t* proposals);
107
108 /**
109 * @brief Install the kernel SAs for a proposal.
110 *
111 * Since the kernel manages SPIs for us, we need
112 * to allocate them. If the proposal contains more
113 * than one protocol, for each protocol an SPI is
114 * allocated. SPIs are stored internally and written
115 * back to the proposal.
116 *
117 * @param this calling object
118 * @param proposal proposal for which SPIs are allocated
119 * @param prf_plus key material to use for key derivation
120 */
121 status_t (*add)(child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus);
122
123 /**
124 * @brief Install the kernel SAs for a proposal, if SPIs already allocated.
125 *
126 * This one updates the SAs in the kernel, which are
127 * allocated via alloc, with a selected proposals.
128 *
129 * @param this calling object
130 * @param proposal proposal for which SPIs are allocated
131 * @param prf_plus key material to use for key derivation
132 */
133 status_t (*update)(child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus);
134
135 /**
136 * @brief Install the policies using some traffic selectors.
137 *
138 * Supplied lists of traffic_selector_t's specify the policies
139 * to use for this child sa.
140 *
141 * @param this calling object
142 * @param my_ts traffic selectors for local site
143 * @param other_ts traffic selectors for remote site
144 * @return SUCCESS or FAILED
145 */
146 status_t (*add_policies) (child_sa_t *this, linked_list_t *my_ts_list, linked_list_t *other_ts_list);
147
148 /**
149 * @brief Mark this child_sa as rekeyed.
150 *
151 * Since an SA which rekeys a old SA shares the same policy,
152 * we must mark a child_sa as rekeyed. A so marked SA does
153 * not remove its policy, as the new SA uses it.
154 *
155 * @param this calling object
156 * @param reqid reqid of the SA which replaces this one.
157 */
158 void (*set_rekeyed) (child_sa_t *this, u_int32_t reqid);
159
160 /**
161 * @brief Log the status of a child_sa to a logger.
162 *
163 * The status of ESP/AH SAs is logged with the supplied logger in
164 * a human readable form.
165 * Supplying NULL as logger uses the internal child_sa logger
166 * to do the logging. The name is only a log-prefix without further
167 * meaning.
168 *
169 * @param this calling object
170 * @param logger logger to use for logging
171 * @param name connection name
172 */
173 void (*log_status) (child_sa_t *this, logger_t *logger, char *name);
174
175 /**
176 * @brief Destroys a child_sa.
177 *
178 * @param this calling object
179 */
180 void (*destroy) (child_sa_t *this);
181 };
182
183 /**
184 * @brief Constructor to create a new child_sa_t.
185 *
186 * @param me own address
187 * @param other remote address
188 * @param soft_lifetime time before rekeying
189 * @param hard_lifteime time before delete
190 * @return child_sa_t object
191 *
192 * @ingroup sa
193 */
194 child_sa_t * child_sa_create(host_t *me, host_t *other, u_int32_t soft_lifetime, u_int32_t hard_lifetime);
195
196 #endif /*CHILD_SA_H_*/