4 * @brief Interface of child_sa_t.
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2006 Martin Willi
11 * Hochschule fuer Technik Rapperswil
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
29 #include <crypto/prf_plus.h>
30 #include <encoding/payloads/proposal_substructure.h>
31 #include <config/proposal.h>
32 #include <utils/logger.h>
35 * Where we should start with reqid enumeration
37 #define REQID_START 2000000000
39 typedef enum child_sa_state_t child_sa_state_t
;
42 * @brief States of a CHILD_SA
44 enum child_sa_state_t
{
47 * Just created, uninstalled CHILD_SA
52 * Installed SPD, but no SAD entries
57 * Installed an in-use CHILD_SA
62 * CHILD_SA which is rekeying
67 * CHILD_SA in progress of delete
73 * String mappings for child_sa_state_t.
75 extern mapping_t child_sa_state_m
[];
77 typedef struct child_sa_t child_sa_t
;
80 * @brief Represents an IPsec SAs between two hosts.
82 * A child_sa_t contains two SAs. SAs for both
83 * directions are managed in one child_sa_t object. Both
84 * SAs and the policies have the same reqid.
86 * The procedure for child sa setup is as follows:
87 * - A gets SPIs for a proposal via child_sa_t.alloc
88 * - A send the updated proposal to B
89 * - B selects a suitable proposal
90 * - B calls child_sa_t.add to add and update the selected proposal
91 * - B sends the updated proposal to A
92 * - A calls child_sa_t.update to update the already allocated SPIs with the chosen proposal
94 * Once SAs are set up, policies can be added using add_policies.
105 * @brief Get the name of the policy this CHILD_SA uses.
107 * @param this calling object
110 char* (*get_name
) (child_sa_t
*this);
113 * @brief Set the name of the policy this IKE_SA uses.
115 * @param this calling object
116 * @param name name, gets cloned
118 void (*set_name
) (child_sa_t
*this, char* name
);
121 * @brief Get the unique reqid of the CHILD SA.
123 * Every CHILD_SA has a unique reqid, which is also
124 * stored down in the kernel.
126 * @param this calling object
127 * @return reqid of the CHILD SA
129 u_int32_t (*get_reqid
)(child_sa_t
*this);
132 * @brief Get the SPI of this CHILD_SA.
134 * Set the boolean parameter inbound to TRUE to
135 * get the SPI for which we receive packets, use
136 * FALSE to get those we use for sending packets.
138 * @param this calling object
139 * @param inbound TRUE to get inbound SPI, FALSE for outbound.
140 * @return spi of the CHILD SA
142 u_int32_t (*get_spi
) (child_sa_t
*this, bool inbound
);
145 * @brief Get the protocol which this CHILD_SA uses to protect traffic.
147 * @param this calling object
150 protocol_id_t (*get_protocol
) (child_sa_t
*this);
153 * @brief Allocate SPIs for given proposals.
155 * Since the kernel manages SPIs for us, we need
156 * to allocate them. If a proposal contains more
157 * than one protocol, for each protocol an SPI is
158 * allocated. SPIs are stored internally and written
159 * back to the proposal.
161 * @param this calling object
162 * @param proposals list of proposals for which SPIs are allocated
164 status_t (*alloc
)(child_sa_t
*this, linked_list_t
* proposals
);
167 * @brief Install the kernel SAs for a proposal, without previous SPI allocation.
169 * @param this calling object
170 * @param proposal proposal for which SPIs are allocated
171 * @param prf_plus key material to use for key derivation
172 * @return SUCCESS or FAILED
174 status_t (*add
)(child_sa_t
*this, proposal_t
*proposal
, prf_plus_t
*prf_plus
);
177 * @brief Install the kernel SAs for a proposal, after SPIs have been allocated.
179 * Updates an SA, for which SPIs are already allocated via alloc().
181 * @param this calling object
182 * @param proposal proposal for which SPIs are allocated
183 * @param prf_plus key material to use for key derivation
184 * @return SUCCESS or FAILED
186 status_t (*update
)(child_sa_t
*this, proposal_t
*proposal
, prf_plus_t
*prf_plus
);
189 * @brief Update the hosts in the kernel SAs and policies
191 * @warning only call this after update() has been called.
193 * @param this calling object
194 * @param new_me the new local host
195 * @param new_other the new remote host
196 * @param my_diff differences to apply for me
197 * @param other_diff differences to apply for other
198 * @return SUCCESS or FAILED
200 status_t (*update_hosts
) (child_sa_t
*this, host_t
*new_me
, host_t
*new_other
,
201 host_diff_t my_diff
, host_diff_t other_diff
);
204 * @brief Install the policies using some traffic selectors.
206 * Supplied lists of traffic_selector_t's specify the policies
207 * to use for this child sa.
209 * @param this calling object
210 * @param my_ts traffic selectors for local site
211 * @param other_ts traffic selectors for remote site
212 * @return SUCCESS or FAILED
214 status_t (*add_policies
) (child_sa_t
*this, linked_list_t
*my_ts_list
, linked_list_t
*other_ts_list
);
217 * @brief Get the traffic selectors of added policies of local host.
219 * @param this calling object
220 * @return list of traffic selectors
222 linked_list_t
* (*get_my_traffic_selectors
) (child_sa_t
*this);
225 * @brief Get the traffic selectors of added policies of remote host.
227 * @param this calling object
228 * @return list of traffic selectors
230 linked_list_t
* (*get_other_traffic_selectors
) (child_sa_t
*this);
233 * @brief Get the time of this child_sa_t's last use (i.e. last use of any of its policies)
235 * @param this calling object
236 * @param inbound query for in- or outbound usage
237 * @param use_time the time
238 * @return SUCCESS or FAILED
240 status_t (*get_use_time
) (child_sa_t
*this, bool inbound
, time_t *use_time
);
243 * @brief Get the state of the CHILD_SA.
245 * @param this calling object
247 child_sa_state_t (*get_state
) (child_sa_t
*this);
250 * @brief Set the state of the CHILD_SA.
252 * @param this calling object
254 void (*set_state
) (child_sa_t
*this, child_sa_state_t state
);
257 * @brief Set the transaction which rekeys this CHILD_SA.
259 * Since either end may initiate CHILD_SA rekeying, we must detect
260 * such situations to handle them cleanly. A rekeying transaction
261 * registers itself to the CHILD_SA, and checks later if another
262 * transaction is in progress of a rekey.
264 * @todo Fix include problematics to allow inclusion of
265 * the create_child_sa_t transaction.
267 * @param this calling object
269 void (*set_rekeying_transaction
) (child_sa_t
*this, void *transaction
);
272 * @brief Get the transaction which rekeys this CHILD_SA.
274 * @see set_rekeying_transactoin().
276 * @param this calling object
278 void* (*get_rekeying_transaction
) (child_sa_t
*this);
281 * @brief Log the status of a child_sa to a logger.
283 * The status of ESP/AH SAs is logged with the supplied logger in
284 * a human readable form.
285 * Supplying NULL as logger uses the internal child_sa logger
288 * @param this calling object
289 * @param logger logger to use for logging
291 void (*log_status
) (child_sa_t
*this, logger_t
*logger
);
294 * @brief Destroys a child_sa.
296 * @param this calling object
298 void (*destroy
) (child_sa_t
*this);
302 * @brief Constructor to create a new child_sa_t.
304 * @param rekey_reqid reqid of old CHILD_SA when rekeying, 0 otherwise
305 * @param me own address
306 * @param other remote address
307 * @param soft_lifetime time before rekeying
308 * @param hard_lifteime time before delete
309 * @param use_natt TRUE if NAT traversal is used
310 * @return child_sa_t object
314 child_sa_t
* child_sa_create(u_int32_t rekey_reqid
, host_t
*me
, host_t
*other
,
315 u_int32_t soft_lifetime
, u_int32_t hard_lifetime
,
318 #endif /*CHILD_SA_H_*/
projects / strongswan.git / blob