cache keys for in and outbound ESP SAs
[strongswan.git] / src / charon / sa / child_sa.h
1 /*
2 * Copyright (C) 2006-2008 Tobias Brunner
3 * Copyright (C) 2006-2007 Martin Willi
4 * Copyright (C) 2006 Daniel Roethlisberger
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 *
17 * $Id$
18 */
19
20 /**
21 * @defgroup child_sa child_sa
22 * @{ @ingroup sa
23 */
24
25 #ifndef CHILD_SA_H_
26 #define CHILD_SA_H_
27
28 typedef enum child_sa_state_t child_sa_state_t;
29 typedef struct child_sa_t child_sa_t;
30
31 #include <library.h>
32 #include <crypto/prf_plus.h>
33 #include <encoding/payloads/proposal_substructure.h>
34 #include <config/proposal.h>
35 #include <config/child_cfg.h>
36
37 /**
38 * States of a CHILD_SA
39 */
40 enum child_sa_state_t {
41
42 /**
43 * Just created, uninstalled CHILD_SA
44 */
45 CHILD_CREATED,
46
47 /**
48 * Installed SPD, but no SAD entries
49 */
50 CHILD_ROUTED,
51
52 /**
53 * Installed an in-use CHILD_SA
54 */
55 CHILD_INSTALLED,
56
57 /**
58 * CHILD_SA which is rekeying
59 */
60 CHILD_REKEYING,
61
62 /**
63 * CHILD_SA in progress of delete
64 */
65 CHILD_DELETING,
66
67 /**
68 * CHILD_SA object gets destroyed
69 */
70 CHILD_DESTROYING,
71 };
72
73 /**
74 * enum strings for child_sa_state_t.
75 */
76 extern enum_name_t *child_sa_state_names;
77
78 /**
79 * Represents an IPsec SAs between two hosts.
80 *
81 * A child_sa_t contains two SAs. SAs for both
82 * directions are managed in one child_sa_t object. Both
83 * SAs and the policies have the same reqid.
84 *
85 * The procedure for child sa setup is as follows:
86 * - A gets SPIs for a proposal via child_sa_t.alloc
87 * - A send the updated proposal to B
88 * - B selects a suitable proposal
89 * - B calls child_sa_t.add to add and update the selected proposal
90 * - B sends the updated proposal to A
91 * - A calls child_sa_t.update to update the already allocated SPIs with the chosen proposal
92 *
93 * Once SAs are set up, policies can be added using add_policies.
94 */
95 struct child_sa_t {
96
97 /**
98 * Get the name of the config this CHILD_SA uses.
99 *
100 * @return name
101 */
102 char* (*get_name) (child_sa_t *this);
103
104 /**
105 * Get the reqid of the CHILD SA.
106 *
107 * Every CHILD_SA has a reqid. The kernel uses this ID to
108 * identify it.
109 *
110 * @return reqid of the CHILD SA
111 */
112 u_int32_t (*get_reqid)(child_sa_t *this);
113
114 /**
115 * Get the SPI of this CHILD_SA.
116 *
117 * Set the boolean parameter inbound to TRUE to
118 * get the SPI for which we receive packets, use
119 * FALSE to get those we use for sending packets.
120 *
121 * @param inbound TRUE to get inbound SPI, FALSE for outbound.
122 * @return SPI of the CHILD SA
123 */
124 u_int32_t (*get_spi) (child_sa_t *this, bool inbound);
125
126 /**
127 * Get the CPI of this CHILD_SA.
128 *
129 * Set the boolean parameter inbound to TRUE to
130 * get the CPI for which we receive packets, use
131 * FALSE to get those we use for sending packets.
132 *
133 * @param inbound TRUE to get inbound CPI, FALSE for outbound.
134 * @return CPI of the CHILD SA
135 */
136 u_int16_t (*get_cpi) (child_sa_t *this, bool inbound);
137
138 /**
139 * Get the protocol which this CHILD_SA uses to protect traffic.
140 *
141 * @return AH | ESP
142 */
143 protocol_id_t (*get_protocol) (child_sa_t *this);
144
145 /**
146 * Get info and statistics about this CHILD_SA.
147 *
148 * @param mode mode this IKE_SA uses
149 * @param encr_algo encryption algorithm used by this CHILD_SA.
150 * @param encr_key encryption key
151 * @param int_algo integrity algorithm used by this CHILD_SA
152 * @param int_key integrity key
153 * @param rekey time when rekeying is scheduled
154 * @param use_in time when last traffic was seen coming in
155 * @param use_out time when last traffic was seen going out
156 * @param use_fwd time when last traffic was getting forwarded
157 */
158 void (*get_stats)(child_sa_t *this, ipsec_mode_t *mode,
159 encryption_algorithm_t *encr,
160 chunk_t *encr_key_in, chunk_t *encr_key_out,
161 integrity_algorithm_t *int_algo,
162 chunk_t *int_key_in, chunk_t *int_key_out,
163 u_int32_t *rekey, u_int32_t *use_in, u_int32_t *use_out,
164 u_int32_t *use_fwd);
165
166 /**
167 * Allocate SPIs for given proposals.
168 *
169 * Since the kernel manages SPIs for us, we need
170 * to allocate them. If a proposal contains more
171 * than one protocol, for each protocol an SPI is
172 * allocated. SPIs are stored internally and written
173 * back to the proposal.
174 *
175 * @param proposals list of proposals for which SPIs are allocated
176 */
177 status_t (*alloc)(child_sa_t *this, linked_list_t* proposals);
178
179 /**
180 * Install the kernel SAs for a proposal, without previous SPI allocation.
181 *
182 * @param proposal proposal for which SPIs are allocated
183 * @param mode mode for the CHILD_SA
184 * @param prf_plus key material to use for key derivation
185 * @return SUCCESS or FAILED
186 */
187 status_t (*add)(child_sa_t *this, proposal_t *proposal, ipsec_mode_t mode,
188 prf_plus_t *prf_plus);
189
190 /**
191 * Install the kernel SAs for a proposal, after SPIs have been allocated.
192 *
193 * Updates an SA, for which SPIs are already allocated via alloc().
194 *
195 * @param proposal proposal for which SPIs are allocated
196 * @param mode mode for the CHILD_SA
197 * @param prf_plus key material to use for key derivation
198 * @return SUCCESS or FAILED
199 */
200 status_t (*update)(child_sa_t *this, proposal_t *proposal, ipsec_mode_t mode,
201 prf_plus_t *prf_plus);
202
203 /**
204 * Update the hosts in the kernel SAs and policies.
205 *
206 * The CHILD must be INSTALLED to do this update.
207 *
208 * @param me the new local host
209 * @param other the new remote host
210 * @param TRUE to use UDP encapsulation for NAT traversal
211 * @return SUCCESS or FAILED
212 */
213 status_t (*update_hosts)(child_sa_t *this, host_t *me, host_t *other,
214 bool encap);
215
216 /**
217 * Install the policies using some traffic selectors.
218 *
219 * Supplied lists of traffic_selector_t's specify the policies
220 * to use for this child sa.
221 *
222 * @param my_ts traffic selectors for local site
223 * @param other_ts traffic selectors for remote site
224 * @param mode mode for the SA: tunnel/transport
225 * @param proto protocol for policy, ESP/AH
226 * @return SUCCESS or FAILED
227 */
228 status_t (*add_policies)(child_sa_t *this, linked_list_t *my_ts_list,
229 linked_list_t *other_ts_list, ipsec_mode_t mode,
230 protocol_id_t proto);
231
232 /**
233 * Get the traffic selectors of added policies of local host.
234 *
235 * @param local TRUE for own traffic selectors, FALSE for remote
236 * @return list of traffic selectors
237 */
238 linked_list_t* (*get_traffic_selectors) (child_sa_t *this, bool local);
239
240 /**
241 * Create an enumerator over installed policies.
242 *
243 * @return enumerator over pairs of traffic selectors.
244 */
245 enumerator_t* (*create_policy_enumerator)(child_sa_t *this);
246
247 /**
248 * Get the time of this child_sa_t's last use (i.e. last use of any of its policies)
249 *
250 * @param inbound query for in- or outbound usage
251 * @param use_time the time
252 * @return SUCCESS or FAILED
253 */
254 status_t (*get_use_time) (child_sa_t *this, bool inbound, time_t *use_time);
255
256 /**
257 * Get the state of the CHILD_SA.
258 */
259 child_sa_state_t (*get_state) (child_sa_t *this);
260
261 /**
262 * Set the state of the CHILD_SA.
263 *
264 * @param state state to set on CHILD_SA
265 */
266 void (*set_state) (child_sa_t *this, child_sa_state_t state);
267
268 /**
269 * Get the config used to set up this child sa.
270 *
271 * @return child_cfg
272 */
273 child_cfg_t* (*get_config) (child_sa_t *this);
274
275 /**
276 * Set the virtual IP used received from IRAS.
277 *
278 * To allow proper setup of firewall rules, the virtual IP is required
279 * for filtering.
280 *
281 * @param ip own virtual IP
282 */
283 void (*set_virtual_ip) (child_sa_t *this, host_t *ip);
284
285 /**
286 * Activate IPComp by setting the transform ID and CPI values.
287 *
288 * @param ipcomp the IPComp transform to use
289 * @param other_cpi other Compression Parameter Index
290 */
291 void (*activate_ipcomp) (child_sa_t *this, ipcomp_transform_t ipcomp,
292 u_int16_t other_cpi);
293
294 /**
295 * Returns the Compression Parameter Index (CPI) allocated from the kernel.
296 *
297 * @return allocated CPI
298 */
299 u_int16_t (*allocate_cpi) (child_sa_t *this);
300
301 /**
302 * Destroys a child_sa.
303 */
304 void (*destroy) (child_sa_t *this);
305 };
306
307 /**
308 * Constructor to create a new child_sa_t.
309 *
310 * @param me own address
311 * @param other remote address
312 * @param my_id id of own peer
313 * @param other_id id of remote peer
314 * @param config config to use for this CHILD_SA
315 * @param reqid reqid of old CHILD_SA when rekeying, 0 otherwise
316 * @param encap TRUE to enable UDP encapsulation (NAT traversal)
317 * @return child_sa_t object
318 */
319 child_sa_t * child_sa_create(host_t *me, host_t *other,
320 identification_t *my_id, identification_t* other_id,
321 child_cfg_t *config, u_int32_t reqid, bool encap);
322
323 #endif /*CHILD_SA_H_ @} */