fba0c73a5b418b43c2eb77ca654e6f6a961f8fa3
[strongswan.git] / src / charon / sa / child_sa.h
1 /**
2 * @file child_sa.h
3 *
4 * @brief Interface of child_sa_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2006 Martin Willi
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24
25 #ifndef CHILD_SA_H_
26 #define CHILD_SA_H_
27
28 #include <types.h>
29 #include <crypto/prf_plus.h>
30 #include <encoding/payloads/proposal_substructure.h>
31 #include <config/proposal.h>
32 #include <utils/logger.h>
33
34 /**
35 * Where we should start with reqid enumeration
36 */
37 #define REQID_START 2000000000
38
39 typedef struct child_sa_t child_sa_t;
40
41 /**
42 * @brief Represents an IPsec SAs between two hosts.
43 *
44 * A child_sa_t contains two SAs. SAs for both
45 * directions are managed in one child_sa_t object. Both
46 * SAs and the policies have the same reqid.
47 *
48 * The procedure for child sa setup is as follows:
49 * - A gets SPIs for a proposal via child_sa_t.alloc
50 * - A send the updated proposal to B
51 * - B selects a suitable proposal
52 * - B calls child_sa_t.add to add and update the selected proposal
53 * - B sends the updated proposal to A
54 * - A calls child_sa_t.update to update the already allocated SPIs with the chosen proposal
55 *
56 * Once SAs are set up, policies can be added using add_policies.
57 *
58 *
59 * @b Constructors:
60 * - child_sa_create()
61 *
62 * @ingroup sa
63 */
64 struct child_sa_t {
65
66 /**
67 * @brief Get the unique reqid of the CHILD SA.
68 *
69 * Every CHILD_SA has a unique reqid, which is also
70 * stored down in the kernel.
71 *
72 * @param this calling object
73 * @return reqid of the CHILD SA
74 */
75 u_int32_t (*get_reqid)(child_sa_t *this);
76
77 /**
78 * @brief Get the SPI of this CHILD_SA.
79 *
80 * Set the boolean parameter inbound to TRUE to
81 * get the SPI for which we receive packets, use
82 * FALSE to get those we use for sending packets.
83 *
84 * @param this calling object
85 * @param inbound TRUE to get inbound SPI, FALSE for outbound.
86 * @return spi of the CHILD SA
87 */
88 u_int32_t (*get_spi) (child_sa_t *this, bool inbound);
89
90 /**
91 * @brief Get the protocol which this CHILD_SA uses to protect traffic.
92 *
93 * @param this calling object
94 * @return AH | ESP
95 */
96 protocol_id_t (*get_protocol) (child_sa_t *this);
97
98 /**
99 * @brief Allocate SPIs for given proposals.
100 *
101 * Since the kernel manages SPIs for us, we need
102 * to allocate them. If a proposal contains more
103 * than one protocol, for each protocol an SPI is
104 * allocated. SPIs are stored internally and written
105 * back to the proposal.
106 *
107 * @param this calling object
108 * @param proposals list of proposals for which SPIs are allocated
109 */
110 status_t (*alloc)(child_sa_t *this, linked_list_t* proposals);
111
112 /**
113 * @brief Install the kernel SAs for a proposal, without previous SPI allocation.
114 *
115 * @param this calling object
116 * @param proposal proposal for which SPIs are allocated
117 * @param prf_plus key material to use for key derivation
118 * @return SUCCESS or FAILED
119 */
120 status_t (*add)(child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus);
121
122 /**
123 * @brief Install the kernel SAs for a proposal, after SPIs have been allocated.
124 *
125 * Updates an SA, for which SPIs are already allocated via alloc().
126 *
127 * @param this calling object
128 * @param proposal proposal for which SPIs are allocated
129 * @param prf_plus key material to use for key derivation
130 * @return SUCCESS or FAILED
131 */
132 status_t (*update)(child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus);
133
134 /**
135 * @brief Update the hosts in the kernel SAs and policies
136 *
137 * @warning only call this after update() has been called.
138 *
139 * @param this calling object
140 * @param new_me the new local host
141 * @param new_other the new remote host
142 * @return SUCCESS or FAILED
143 */
144 status_t (*update_hosts) (child_sa_t *this, host_t *new_me, host_t *new_other,
145 int my_changes, int other_changes);
146
147 /**
148 * @brief Install the policies using some traffic selectors.
149 *
150 * Supplied lists of traffic_selector_t's specify the policies
151 * to use for this child sa.
152 *
153 * @param this calling object
154 * @param my_ts traffic selectors for local site
155 * @param other_ts traffic selectors for remote site
156 * @return SUCCESS or FAILED
157 */
158 status_t (*add_policies) (child_sa_t *this, linked_list_t *my_ts_list, linked_list_t *other_ts_list);
159
160 /**
161 * @brief Get the time of this child_sa_t's last use (i.e. last use of any of its policies)
162 *
163 * @param this calling object
164 * @param inbound query for in- or outbound usage
165 * @param use_time the time
166 * @return SUCCESS or FAILED
167 */
168 status_t (*get_use_time) (child_sa_t *this, bool inbound, time_t *use_time);
169
170 /**
171 * @brief Set the transaction which rekeys this CHILD_SA.
172 *
173 * Since either end may initiate CHILD_SA rekeying, we must detect
174 * such situations to handle them cleanly. A rekeying transaction
175 * registers itself to the CHILD_SA, and checks later if another
176 * transaction is in progress of a rekey.
177 *
178 * @param this calling object
179 */
180 void (*set_rekeying_transaction) (child_sa_t *this, void *transaction);
181
182 /**
183 * @brief Get the transaction which rekeys this CHILD_SA.
184 *
185 * See set_rekeying_transactoin
186 *
187 * @param this calling object
188 */
189 void* (*get_rekeying_transaction) (child_sa_t *this);
190
191 /**
192 * @brief Is the CHILD SA rekeying/in progress of rekeying?
193 *
194 * This is a readonly parameter. It is set whenever the
195 * set_rekeying_transaction() method is called.
196 *
197 * @param this calling object
198 */
199 bool (*is_rekeying) (child_sa_t *this);
200
201 /**
202 * @brief Log the status of a child_sa to a logger.
203 *
204 * The status of ESP/AH SAs is logged with the supplied logger in
205 * a human readable form.
206 * Supplying NULL as logger uses the internal child_sa logger
207 * to do the logging. The name is only a log-prefix without further
208 * meaning.
209 *
210 * @param this calling object
211 * @param logger logger to use for logging
212 * @param name connection name
213 */
214 void (*log_status) (child_sa_t *this, logger_t *logger, char *name);
215
216 /**
217 * @brief Destroys a child_sa.
218 *
219 * @param this calling object
220 */
221 void (*destroy) (child_sa_t *this);
222 };
223
224 /**
225 * @brief Constructor to create a new child_sa_t.
226 *
227 * @param rekey_reqid reqid of old CHILD_SA when rekeying, 0 otherwise
228 * @param me own address
229 * @param other remote address
230 * @param soft_lifetime time before rekeying
231 * @param hard_lifteime time before delete
232 * @param use_natt TRUE if NAT traversal is used
233 * @return child_sa_t object
234 *
235 * @ingroup sa
236 */
237 child_sa_t * child_sa_create(u_int32_t rekey_reqid, host_t *me, host_t *other,
238 u_int32_t soft_lifetime, u_int32_t hard_lifetime,
239 bool use_natt);
240
241 #endif /*CHILD_SA_H_*/