added possibility to route CHILD_SAs, without to set them up
[strongswan.git] / src / charon / sa / child_sa.h
1 /**
2 * @file child_sa.h
3 *
4 * @brief Interface of child_sa_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2006 Martin Willi
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24
25 #ifndef CHILD_SA_H_
26 #define CHILD_SA_H_
27
28 #include <types.h>
29 #include <crypto/prf_plus.h>
30 #include <encoding/payloads/proposal_substructure.h>
31 #include <config/proposal.h>
32 #include <utils/logger.h>
33
34 /**
35 * Where we should start with reqid enumeration
36 */
37 #define REQID_START 2000000000
38
39 typedef enum child_sa_state_t child_sa_state_t;
40
41 /**
42 * @brief States of a CHILD_SA
43 */
44 enum child_sa_state_t {
45
46 /**
47 * Just created, uninstalled CHILD_SA
48 */
49 CHILD_CREATED,
50
51 /**
52 * Installed SPD, but no SAD entries
53 */
54 CHILD_ROUTED,
55
56 /**
57 * Installed an in-use CHILD_SA
58 */
59 CHILD_INSTALLED,
60
61 /**
62 * CHILD_SA which is rekeying
63 */
64 CHILD_REKEYING,
65
66 /**
67 * CHILD_SA in progress of delete
68 */
69 CHILD_DELETING,
70 };
71
72 /**
73 * String mappings for child_sa_state_t.
74 */
75 extern mapping_t child_sa_state_m[];
76
77 typedef struct child_sa_t child_sa_t;
78
79 /**
80 * @brief Represents an IPsec SAs between two hosts.
81 *
82 * A child_sa_t contains two SAs. SAs for both
83 * directions are managed in one child_sa_t object. Both
84 * SAs and the policies have the same reqid.
85 *
86 * The procedure for child sa setup is as follows:
87 * - A gets SPIs for a proposal via child_sa_t.alloc
88 * - A send the updated proposal to B
89 * - B selects a suitable proposal
90 * - B calls child_sa_t.add to add and update the selected proposal
91 * - B sends the updated proposal to A
92 * - A calls child_sa_t.update to update the already allocated SPIs with the chosen proposal
93 *
94 * Once SAs are set up, policies can be added using add_policies.
95 *
96 *
97 * @b Constructors:
98 * - child_sa_create()
99 *
100 * @ingroup sa
101 */
102 struct child_sa_t {
103
104 /**
105 * @brief Get the unique reqid of the CHILD SA.
106 *
107 * Every CHILD_SA has a unique reqid, which is also
108 * stored down in the kernel.
109 *
110 * @param this calling object
111 * @return reqid of the CHILD SA
112 */
113 u_int32_t (*get_reqid)(child_sa_t *this);
114
115 /**
116 * @brief Get the SPI of this CHILD_SA.
117 *
118 * Set the boolean parameter inbound to TRUE to
119 * get the SPI for which we receive packets, use
120 * FALSE to get those we use for sending packets.
121 *
122 * @param this calling object
123 * @param inbound TRUE to get inbound SPI, FALSE for outbound.
124 * @return spi of the CHILD SA
125 */
126 u_int32_t (*get_spi) (child_sa_t *this, bool inbound);
127
128 /**
129 * @brief Get the protocol which this CHILD_SA uses to protect traffic.
130 *
131 * @param this calling object
132 * @return AH | ESP
133 */
134 protocol_id_t (*get_protocol) (child_sa_t *this);
135
136 /**
137 * @brief Allocate SPIs for given proposals.
138 *
139 * Since the kernel manages SPIs for us, we need
140 * to allocate them. If a proposal contains more
141 * than one protocol, for each protocol an SPI is
142 * allocated. SPIs are stored internally and written
143 * back to the proposal.
144 *
145 * @param this calling object
146 * @param proposals list of proposals for which SPIs are allocated
147 */
148 status_t (*alloc)(child_sa_t *this, linked_list_t* proposals);
149
150 /**
151 * @brief Install the kernel SAs for a proposal, without previous SPI allocation.
152 *
153 * @param this calling object
154 * @param proposal proposal for which SPIs are allocated
155 * @param prf_plus key material to use for key derivation
156 * @return SUCCESS or FAILED
157 */
158 status_t (*add)(child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus);
159
160 /**
161 * @brief Install the kernel SAs for a proposal, after SPIs have been allocated.
162 *
163 * Updates an SA, for which SPIs are already allocated via alloc().
164 *
165 * @param this calling object
166 * @param proposal proposal for which SPIs are allocated
167 * @param prf_plus key material to use for key derivation
168 * @return SUCCESS or FAILED
169 */
170 status_t (*update)(child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus);
171
172 /**
173 * @brief Update the hosts in the kernel SAs and policies
174 *
175 * @warning only call this after update() has been called.
176 *
177 * @param this calling object
178 * @param new_me the new local host
179 * @param new_other the new remote host
180 * @param my_diff differences to apply for me
181 * @param other_diff differences to apply for other
182 * @return SUCCESS or FAILED
183 */
184 status_t (*update_hosts) (child_sa_t *this, host_t *new_me, host_t *new_other,
185 host_diff_t my_diff, host_diff_t other_diff);
186
187 /**
188 * @brief Install the policies using some traffic selectors.
189 *
190 * Supplied lists of traffic_selector_t's specify the policies
191 * to use for this child sa.
192 *
193 * @param this calling object
194 * @param my_ts traffic selectors for local site
195 * @param other_ts traffic selectors for remote site
196 * @return SUCCESS or FAILED
197 */
198 status_t (*add_policies) (child_sa_t *this, linked_list_t *my_ts_list, linked_list_t *other_ts_list);
199
200 /**
201 * @brief Get the traffic selectors of added policies of local host.
202 *
203 * @param this calling object
204 * @return list of traffic selectors
205 */
206 linked_list_t* (*get_my_traffic_selectors) (child_sa_t *this);
207
208 /**
209 * @brief Get the traffic selectors of added policies of remote host.
210 *
211 * @param this calling object
212 * @return list of traffic selectors
213 */
214 linked_list_t* (*get_other_traffic_selectors) (child_sa_t *this);
215
216 /**
217 * @brief Get the time of this child_sa_t's last use (i.e. last use of any of its policies)
218 *
219 * @param this calling object
220 * @param inbound query for in- or outbound usage
221 * @param use_time the time
222 * @return SUCCESS or FAILED
223 */
224 status_t (*get_use_time) (child_sa_t *this, bool inbound, time_t *use_time);
225
226 /**
227 * @brief Get the state of the CHILD_SA.
228 *
229 * @param this calling object
230 */
231 child_sa_state_t (*get_state) (child_sa_t *this);
232
233 /**
234 * @brief Set the state of the CHILD_SA.
235 *
236 * @param this calling object
237 */
238 void (*set_state) (child_sa_t *this, child_sa_state_t state);
239
240 /**
241 * @brief Set the transaction which rekeys this CHILD_SA.
242 *
243 * Since either end may initiate CHILD_SA rekeying, we must detect
244 * such situations to handle them cleanly. A rekeying transaction
245 * registers itself to the CHILD_SA, and checks later if another
246 * transaction is in progress of a rekey.
247 *
248 * @todo Fix include problematics to allow inclusion of
249 * the create_child_sa_t transaction.
250 *
251 * @param this calling object
252 */
253 void (*set_rekeying_transaction) (child_sa_t *this, void *transaction);
254
255 /**
256 * @brief Get the transaction which rekeys this CHILD_SA.
257 *
258 * @see set_rekeying_transactoin().
259 *
260 * @param this calling object
261 */
262 void* (*get_rekeying_transaction) (child_sa_t *this);
263
264 /**
265 * @brief Log the status of a child_sa to a logger.
266 *
267 * The status of ESP/AH SAs is logged with the supplied logger in
268 * a human readable form.
269 * Supplying NULL as logger uses the internal child_sa logger
270 * to do the logging. The name is only a log-prefix without further
271 * meaning.
272 *
273 * @param this calling object
274 * @param logger logger to use for logging
275 * @param name connection name
276 */
277 void (*log_status) (child_sa_t *this, logger_t *logger, char *name);
278
279 /**
280 * @brief Destroys a child_sa.
281 *
282 * @param this calling object
283 */
284 void (*destroy) (child_sa_t *this);
285 };
286
287 /**
288 * @brief Constructor to create a new child_sa_t.
289 *
290 * @param rekey_reqid reqid of old CHILD_SA when rekeying, 0 otherwise
291 * @param me own address
292 * @param other remote address
293 * @param soft_lifetime time before rekeying
294 * @param hard_lifteime time before delete
295 * @param use_natt TRUE if NAT traversal is used
296 * @return child_sa_t object
297 *
298 * @ingroup sa
299 */
300 child_sa_t * child_sa_create(u_int32_t rekey_reqid, host_t *me, host_t *other,
301 u_int32_t soft_lifetime, u_int32_t hard_lifetime,
302 bool use_natt);
303
304 #endif /*CHILD_SA_H_*/