7e180b7eeef6886c109276cb06149479e20fa004
[strongswan.git] / src / charon / sa / child_sa.h
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2006-2008 Martin Willi
4 * Copyright (C) 2006 Daniel Roethlisberger
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 *
17 * $Id$
18 */
19
20 /**
21 * @defgroup child_sa child_sa
22 * @{ @ingroup sa
23 */
24
25 #ifndef CHILD_SA_H_
26 #define CHILD_SA_H_
27
28 typedef enum child_sa_state_t child_sa_state_t;
29 typedef struct child_sa_t child_sa_t;
30
31 #include <library.h>
32 #include <crypto/prf_plus.h>
33 #include <encoding/payloads/proposal_substructure.h>
34 #include <config/proposal.h>
35 #include <config/child_cfg.h>
36
37 /**
38 * States of a CHILD_SA
39 */
40 enum child_sa_state_t {
41
42 /**
43 * Just created, uninstalled CHILD_SA
44 */
45 CHILD_CREATED,
46
47 /**
48 * Installed SPD, but no SAD entries
49 */
50 CHILD_ROUTED,
51
52 /**
53 * Installing an in-use CHILD_SA
54 */
55 CHILD_INSTALLING,
56
57 /**
58 * Installed an in-use CHILD_SA
59 */
60 CHILD_INSTALLED,
61
62 /**
63 * While updating hosts, in update_hosts()
64 */
65 CHILD_UPDATING,
66
67 /**
68 * CHILD_SA which is rekeying
69 */
70 CHILD_REKEYING,
71
72 /**
73 * CHILD_SA in progress of delete
74 */
75 CHILD_DELETING,
76
77 /**
78 * CHILD_SA object gets destroyed
79 */
80 CHILD_DESTROYING,
81 };
82
83 /**
84 * enum strings for child_sa_state_t.
85 */
86 extern enum_name_t *child_sa_state_names;
87
88 /**
89 * Represents an IPsec SAs between two hosts.
90 *
91 * A child_sa_t contains two SAs. SAs for both
92 * directions are managed in one child_sa_t object. Both
93 * SAs and the policies have the same reqid.
94 *
95 * The procedure for child sa setup is as follows:
96 * - A gets SPIs for a all protocols in its proposals via child_sa_t.alloc
97 * - A send the proposals with the allocated SPIs to B
98 * - B selects a suitable proposal
99 * - B allocates an SPI for the selected protocol
100 * - B calls child_sa_t.install for both, the allocated and received SPI
101 * - B sends the proposal with the allocated SPI to A
102 * - A calls child_sa_t.install for both, the allocated and recevied SPI
103 *
104 * Once SAs are set up, policies can be added using add_policies.
105 */
106 struct child_sa_t {
107
108 /**
109 * Get the name of the config this CHILD_SA uses.
110 *
111 * @return name
112 */
113 char* (*get_name) (child_sa_t *this);
114
115 /**
116 * Get the reqid of the CHILD SA.
117 *
118 * Every CHILD_SA has a reqid. The kernel uses this ID to
119 * identify it.
120 *
121 * @return reqid of the CHILD SA
122 */
123 u_int32_t (*get_reqid)(child_sa_t *this);
124
125 /**
126 * Get the config used to set up this child sa.
127 *
128 * @return child_cfg
129 */
130 child_cfg_t* (*get_config) (child_sa_t *this);
131
132 /**
133 * Get the state of the CHILD_SA.
134 *
135 * @return CHILD_SA state
136 */
137 child_sa_state_t (*get_state) (child_sa_t *this);
138
139 /**
140 * Set the state of the CHILD_SA.
141 *
142 * @param state state to set on CHILD_SA
143 */
144 void (*set_state) (child_sa_t *this, child_sa_state_t state);
145
146 /**
147 * Get the SPI of this CHILD_SA.
148 *
149 * Set the boolean parameter inbound to TRUE to
150 * get the SPI for which we receive packets, use
151 * FALSE to get those we use for sending packets.
152 *
153 * @param inbound TRUE to get inbound SPI, FALSE for outbound.
154 * @return SPI of the CHILD SA
155 */
156 u_int32_t (*get_spi) (child_sa_t *this, bool inbound);
157
158 /**
159 * Get the CPI of this CHILD_SA.
160 *
161 * Set the boolean parameter inbound to TRUE to
162 * get the CPI for which we receive packets, use
163 * FALSE to get those we use for sending packets.
164 *
165 * @param inbound TRUE to get inbound CPI, FALSE for outbound.
166 * @return CPI of the CHILD SA
167 */
168 u_int16_t (*get_cpi) (child_sa_t *this, bool inbound);
169
170 /**
171 * Get the protocol which this CHILD_SA uses to protect traffic.
172 *
173 * @return AH | ESP
174 */
175 protocol_id_t (*get_protocol) (child_sa_t *this);
176
177 /**
178 * Set the negotiated protocol to use for this CHILD_SA.
179 *
180 * @param protocol AH | ESP
181 */
182 void (*set_protocol)(child_sa_t *this, protocol_id_t protocol);
183
184 /**
185 * Get the IPsec mode of this CHILD_SA.
186 *
187 * @return TUNNEL | TRANSPORT | BEET
188 */
189 ipsec_mode_t (*get_mode)(child_sa_t *this);
190
191 /**
192 * Set the negotiated IPsec mode to use.
193 *
194 * @param mode TUNNEL | TRANPORT | BEET
195 */
196 void (*set_mode)(child_sa_t *this, ipsec_mode_t mode);
197
198 /**
199 * Get the used IPComp algorithm.
200 *
201 * @return IPComp compression algorithm.
202 */
203 ipcomp_transform_t (*get_ipcomp)(child_sa_t *this);
204
205 /**
206 * Set the IPComp algorithm to use.
207 *
208 * @param ipcomp the IPComp transform to use
209 */
210 void (*set_ipcomp)(child_sa_t *this, ipcomp_transform_t ipcomp);
211
212 /**
213 * Get the selected proposal.
214 *
215 * @return selected proposal
216 */
217 proposal_t* (*get_proposal)(child_sa_t *this);
218
219 /**
220 * Set the negotiated proposal.
221 *
222 * @param proposal selected proposal
223 */
224 void (*set_proposal)(child_sa_t *this, proposal_t *proposal);
225
226 /**
227 * Check if this CHILD_SA uses UDP encapsulation.
228 *
229 * @return TRUE if SA encapsulates ESP packets
230 */
231 bool (*has_encap)(child_sa_t *this);
232
233 /**
234 * Get the lifetime of the CHILD_SA.
235 *
236 * @param hard TRUE for hard lifetime, FALSE for soft (rekey) lifetime
237 * @return lifetime in seconds
238 */
239 u_int32_t (*get_lifetime)(child_sa_t *this, bool hard);
240
241 /**
242 * Get last use time of the CHILD_SA.
243 *
244 * @param inbound TRUE for inbound traffic, FALSE for outbound
245 * @return time of last use in seconds
246 */
247 u_int32_t (*get_usetime)(child_sa_t *this, bool inbound);
248
249 /**
250 * Get the traffic selectors list added for one side.
251 *
252 * @param local TRUE for own traffic selectors, FALSE for remote
253 * @return list of traffic selectors
254 */
255 linked_list_t* (*get_traffic_selectors) (child_sa_t *this, bool local);
256
257 /**
258 * Create an enumerator over installed policies.
259 *
260 * @return enumerator over pairs of traffic selectors.
261 */
262 enumerator_t* (*create_policy_enumerator)(child_sa_t *this);
263
264 /**
265 * Allocate an SPI to include in a proposal.
266 *
267 * @param protocol protocol to allocate SPI for (ESP|AH)
268 * @param spi SPI output pointer
269 * @return SPI, 0 on failure
270 */
271 u_int32_t (*alloc_spi)(child_sa_t *this, protocol_id_t protocol);
272
273 /**
274 * Allocate a CPI to use for IPComp.
275 *
276 * @return CPI, 0 on failure
277 */
278 u_int16_t (*alloc_cpi)(child_sa_t *this);
279
280 /**
281 * Install an IPsec SA for one direction.
282 *
283 * @param encr encryption key, if any
284 * @param integ integrity key
285 * @param spi SPI to use, allocated for inbound
286 * @param cpi CPI to use, allocated for outbound
287 * @param inbound TRUE to install an inbound SA, FALSE for outbound
288 * @return SUCCESS or FAILED
289 */
290 status_t (*install)(child_sa_t *this, chunk_t encr, chunk_t integ,
291 u_int32_t spi, u_int16_t cpi, bool inbound);
292 /**
293 * Install the policies using some traffic selectors.
294 *
295 * Supplied lists of traffic_selector_t's specify the policies
296 * to use for this child sa.
297 *
298 * @param my_ts traffic selectors for local site
299 * @param other_ts traffic selectors for remote site
300 * @return SUCCESS or FAILED
301 */
302 status_t (*add_policies)(child_sa_t *this, linked_list_t *my_ts_list,
303 linked_list_t *other_ts_list);
304 /**
305 * Update hosts and ecapulation mode in the kernel SAs and policies.
306 *
307 * @param me the new local host
308 * @param other the new remote host
309 * @param vip virtual IP, if any
310 * @param TRUE to use UDP encapsulation for NAT traversal
311 * @return SUCCESS or FAILED
312 */
313 status_t (*update)(child_sa_t *this, host_t *me, host_t *other,
314 host_t *vip, bool encap);
315 /**
316 * Destroys a child_sa.
317 */
318 void (*destroy) (child_sa_t *this);
319 };
320
321 /**
322 * Constructor to create a new child_sa_t.
323 *
324 * @param me own address
325 * @param other remote address
326 * @param my_id id of own peer
327 * @param other_id id of remote peer
328 * @param config config to use for this CHILD_SA
329 * @param reqid reqid of old CHILD_SA when rekeying, 0 otherwise
330 * @param encap TRUE to enable UDP encapsulation (NAT traversal)
331 * @return child_sa_t object
332 */
333 child_sa_t * child_sa_create(host_t *me, host_t *other, child_cfg_t *config,
334 u_int32_t reqid, bool encap);
335
336 #endif /*CHILD_SA_H_ @} */