some improvements in signaling code
[strongswan.git] / src / charon / sa / child_sa.h
1 /**
2 * @file child_sa.h
3 *
4 * @brief Interface of child_sa_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2006 Martin Willi
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24
25 #ifndef CHILD_SA_H_
26 #define CHILD_SA_H_
27
28 #include <types.h>
29 #include <crypto/prf_plus.h>
30 #include <encoding/payloads/proposal_substructure.h>
31 #include <config/proposal.h>
32
33 /**
34 * Where we should start with reqid enumeration
35 */
36 #define REQID_START 2000000000
37
38 /**
39 * Printf() specifier for child_sa_t
40 */
41 #define CHILD_SA_PRINTF_SPEC 'P'
42
43 typedef enum child_sa_state_t child_sa_state_t;
44
45 /**
46 * @brief States of a CHILD_SA
47 */
48 enum child_sa_state_t {
49
50 /**
51 * Just created, uninstalled CHILD_SA
52 */
53 CHILD_CREATED,
54
55 /**
56 * Installed SPD, but no SAD entries
57 */
58 CHILD_ROUTED,
59
60 /**
61 * Installed an in-use CHILD_SA
62 */
63 CHILD_INSTALLED,
64
65 /**
66 * CHILD_SA which is rekeying
67 */
68 CHILD_REKEYING,
69
70 /**
71 * CHILD_SA in progress of delete
72 */
73 CHILD_DELETING,
74 };
75
76 /**
77 * enum strings for child_sa_state_t.
78 */
79 extern enum_name_t *child_sa_state_names;
80
81 typedef struct child_sa_t child_sa_t;
82
83 /**
84 * @brief Represents an IPsec SAs between two hosts.
85 *
86 * A child_sa_t contains two SAs. SAs for both
87 * directions are managed in one child_sa_t object. Both
88 * SAs and the policies have the same reqid.
89 *
90 * The procedure for child sa setup is as follows:
91 * - A gets SPIs for a proposal via child_sa_t.alloc
92 * - A send the updated proposal to B
93 * - B selects a suitable proposal
94 * - B calls child_sa_t.add to add and update the selected proposal
95 * - B sends the updated proposal to A
96 * - A calls child_sa_t.update to update the already allocated SPIs with the chosen proposal
97 *
98 * Once SAs are set up, policies can be added using add_policies.
99 *
100 *
101 * @b Constructors:
102 * - child_sa_create()
103 *
104 * @ingroup sa
105 */
106 struct child_sa_t {
107
108 /**
109 * @brief Get the name of the policy this CHILD_SA uses.
110 *
111 * @param this calling object
112 * @return name
113 */
114 char* (*get_name) (child_sa_t *this);
115
116 /**
117 * @brief Set the name of the policy this IKE_SA uses.
118 *
119 * @param this calling object
120 * @param name name, gets cloned
121 */
122 void (*set_name) (child_sa_t *this, char* name);
123
124 /**
125 * @brief Get the unique reqid of the CHILD SA.
126 *
127 * Every CHILD_SA has a unique reqid, which is also
128 * stored down in the kernel.
129 *
130 * @param this calling object
131 * @return reqid of the CHILD SA
132 */
133 u_int32_t (*get_reqid)(child_sa_t *this);
134
135 /**
136 * @brief Get the SPI of this CHILD_SA.
137 *
138 * Set the boolean parameter inbound to TRUE to
139 * get the SPI for which we receive packets, use
140 * FALSE to get those we use for sending packets.
141 *
142 * @param this calling object
143 * @param inbound TRUE to get inbound SPI, FALSE for outbound.
144 * @return spi of the CHILD SA
145 */
146 u_int32_t (*get_spi) (child_sa_t *this, bool inbound);
147
148 /**
149 * @brief Get the protocol which this CHILD_SA uses to protect traffic.
150 *
151 * @param this calling object
152 * @return AH | ESP
153 */
154 protocol_id_t (*get_protocol) (child_sa_t *this);
155
156 /**
157 * @brief Allocate SPIs for given proposals.
158 *
159 * Since the kernel manages SPIs for us, we need
160 * to allocate them. If a proposal contains more
161 * than one protocol, for each protocol an SPI is
162 * allocated. SPIs are stored internally and written
163 * back to the proposal.
164 *
165 * @param this calling object
166 * @param proposals list of proposals for which SPIs are allocated
167 */
168 status_t (*alloc)(child_sa_t *this, linked_list_t* proposals);
169
170 /**
171 * @brief Install the kernel SAs for a proposal, without previous SPI allocation.
172 *
173 * @param this calling object
174 * @param proposal proposal for which SPIs are allocated
175 * @param prf_plus key material to use for key derivation
176 * @return SUCCESS or FAILED
177 */
178 status_t (*add)(child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus);
179
180 /**
181 * @brief Install the kernel SAs for a proposal, after SPIs have been allocated.
182 *
183 * Updates an SA, for which SPIs are already allocated via alloc().
184 *
185 * @param this calling object
186 * @param proposal proposal for which SPIs are allocated
187 * @param prf_plus key material to use for key derivation
188 * @return SUCCESS or FAILED
189 */
190 status_t (*update)(child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus);
191
192 /**
193 * @brief Update the hosts in the kernel SAs and policies
194 *
195 * @warning only call this after update() has been called.
196 *
197 * @param this calling object
198 * @param new_me the new local host
199 * @param new_other the new remote host
200 * @param my_diff differences to apply for me
201 * @param other_diff differences to apply for other
202 * @return SUCCESS or FAILED
203 */
204 status_t (*update_hosts)(child_sa_t *this, host_t *new_me, host_t *new_other,
205 host_diff_t my_diff, host_diff_t other_diff);
206
207 /**
208 * @brief Install the policies using some traffic selectors.
209 *
210 * Supplied lists of traffic_selector_t's specify the policies
211 * to use for this child sa.
212 *
213 * @param this calling object
214 * @param my_ts traffic selectors for local site
215 * @param other_ts traffic selectors for remote site
216 * @return SUCCESS or FAILED
217 */
218 status_t (*add_policies)(child_sa_t *this,
219 linked_list_t *my_ts_list,
220 linked_list_t *other_ts_list);
221
222 /**
223 * @brief Get the traffic selectors of added policies of local host.
224 *
225 * @param this calling object
226 * @return list of traffic selectors
227 */
228 linked_list_t* (*get_my_traffic_selectors) (child_sa_t *this);
229
230 /**
231 * @brief Get the traffic selectors of added policies of remote host.
232 *
233 * @param this calling object
234 * @return list of traffic selectors
235 */
236 linked_list_t* (*get_other_traffic_selectors) (child_sa_t *this);
237
238 /**
239 * @brief Get the time of this child_sa_t's last use (i.e. last use of any of its policies)
240 *
241 * @param this calling object
242 * @param inbound query for in- or outbound usage
243 * @param use_time the time
244 * @return SUCCESS or FAILED
245 */
246 status_t (*get_use_time) (child_sa_t *this, bool inbound, time_t *use_time);
247
248 /**
249 * @brief Get the state of the CHILD_SA.
250 *
251 * @param this calling object
252 */
253 child_sa_state_t (*get_state) (child_sa_t *this);
254
255 /**
256 * @brief Set the state of the CHILD_SA.
257 *
258 * @param this calling object
259 */
260 void (*set_state) (child_sa_t *this, child_sa_state_t state);
261
262 /**
263 * @brief Set the transaction which rekeys this CHILD_SA.
264 *
265 * Since either end may initiate CHILD_SA rekeying, we must detect
266 * such situations to handle them cleanly. A rekeying transaction
267 * registers itself to the CHILD_SA, and checks later if another
268 * transaction is in progress of a rekey.
269 *
270 * @todo Fix include problematics to allow inclusion of
271 * the create_child_sa_t transaction.
272 *
273 * @param this calling object
274 */
275 void (*set_rekeying_transaction) (child_sa_t *this, void *transaction);
276
277 /**
278 * @brief Get the transaction which rekeys this CHILD_SA.
279 *
280 * @see set_rekeying_transactoin().
281 *
282 * @param this calling object
283 */
284 void* (*get_rekeying_transaction) (child_sa_t *this);
285
286 /**
287 * @brief Destroys a child_sa.
288 *
289 * @param this calling object
290 */
291 void (*destroy) (child_sa_t *this);
292 };
293
294 /**
295 * @brief Constructor to create a new child_sa_t.
296 *
297 * @param rekey_reqid reqid of old CHILD_SA when rekeying, 0 otherwise
298 * @param me own address
299 * @param other remote address
300 * @param my_id id of own peer
301 * @param other_id id of remote peer
302 * @param soft_lifetime time before rekeying
303 * @param hard_lifteime time before delete
304 * @param script updown script to use when calling child_sa_t.script()
305 * @param hostaccess allow host access (needed by updown script)
306 * @param use_natt TRUE if NAT traversal is used
307 * @return child_sa_t object
308 *
309 * @ingroup sa
310 */
311 child_sa_t * child_sa_create(u_int32_t rekey_reqid, host_t *me, host_t *other,
312 identification_t *my_id, identification_t* other_id,
313 u_int32_t soft_lifetime, u_int32_t hard_lifetime,
314 char *script, bool hostaccess, bool use_natt);
315
316 #endif /*CHILD_SA_H_*/