merged the modularization branch (credentials) back to trunk
[strongswan.git] / src / charon / sa / child_sa.h
1 /*
2 * Copyright (C) 2006-2007 Martin Willi
3 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 *
16 * $Id$
17 */
18
19 /**
20 * @defgroup child_sa child_sa
21 * @{ @ingroup sa
22 */
23
24 #ifndef CHILD_SA_H_
25 #define CHILD_SA_H_
26
27 typedef enum child_sa_state_t child_sa_state_t;
28 typedef struct child_sa_t child_sa_t;
29
30 #include <library.h>
31 #include <crypto/prf_plus.h>
32 #include <encoding/payloads/proposal_substructure.h>
33 #include <config/proposal.h>
34 #include <config/child_cfg.h>
35
36 /**
37 * States of a CHILD_SA
38 */
39 enum child_sa_state_t {
40
41 /**
42 * Just created, uninstalled CHILD_SA
43 */
44 CHILD_CREATED,
45
46 /**
47 * Installed SPD, but no SAD entries
48 */
49 CHILD_ROUTED,
50
51 /**
52 * Installed an in-use CHILD_SA
53 */
54 CHILD_INSTALLED,
55
56 /**
57 * CHILD_SA which is rekeying
58 */
59 CHILD_REKEYING,
60
61 /**
62 * CHILD_SA in progress of delete
63 */
64 CHILD_DELETING,
65 };
66
67 /**
68 * enum strings for child_sa_state_t.
69 */
70 extern enum_name_t *child_sa_state_names;
71
72 /**
73 * Represents an IPsec SAs between two hosts.
74 *
75 * A child_sa_t contains two SAs. SAs for both
76 * directions are managed in one child_sa_t object. Both
77 * SAs and the policies have the same reqid.
78 *
79 * The procedure for child sa setup is as follows:
80 * - A gets SPIs for a proposal via child_sa_t.alloc
81 * - A send the updated proposal to B
82 * - B selects a suitable proposal
83 * - B calls child_sa_t.add to add and update the selected proposal
84 * - B sends the updated proposal to A
85 * - A calls child_sa_t.update to update the already allocated SPIs with the chosen proposal
86 *
87 * Once SAs are set up, policies can be added using add_policies.
88 */
89 struct child_sa_t {
90
91 /**
92 * Get the name of the config this CHILD_SA uses.
93 *
94 * @return name
95 */
96 char* (*get_name) (child_sa_t *this);
97
98 /**
99 * Get the reqid of the CHILD SA.
100 *
101 * Every CHILD_SA has a reqid. The kernel uses this ID to
102 * identify it.
103 *
104 * @return reqid of the CHILD SA
105 */
106 u_int32_t (*get_reqid)(child_sa_t *this);
107
108 /**
109 * Get the SPI of this CHILD_SA.
110 *
111 * Set the boolean parameter inbound to TRUE to
112 * get the SPI for which we receive packets, use
113 * FALSE to get those we use for sending packets.
114 *
115 * @param inbound TRUE to get inbound SPI, FALSE for outbound.
116 * @return spi of the CHILD SA
117 */
118 u_int32_t (*get_spi) (child_sa_t *this, bool inbound);
119
120 /**
121 * Get the protocol which this CHILD_SA uses to protect traffic.
122 *
123 * @return AH | ESP
124 */
125 protocol_id_t (*get_protocol) (child_sa_t *this);
126
127 /**
128 * Get info and statistics about this CHILD_SA.
129 *
130 * @param mode mode this IKE_SA uses
131 * @param encr_algo encryption algorithm used by this CHILD_SA.
132 * @param encr_len key length of the algorithm, if any
133 * @param int_algo integrity algorithm used by this CHILD_SA
134 * @param int_len key length of the algorithm, if any
135 * @param rekey time when rekeying is scheduled
136 * @param use_in time when last traffic was seen coming in
137 * @param use_out time when last traffic was seen going out
138 * @param use_fwd time when last traffic was getting forwarded
139 */
140 void (*get_stats)(child_sa_t *this, mode_t *mode,
141 encryption_algorithm_t *encr, size_t *encr_len,
142 integrity_algorithm_t *int_algo, size_t *int_len,
143 u_int32_t *rekey, u_int32_t *use_in, u_int32_t *use_out,
144 u_int32_t *use_fwd);
145
146 /**
147 * Allocate SPIs for given proposals.
148 *
149 * Since the kernel manages SPIs for us, we need
150 * to allocate them. If a proposal contains more
151 * than one protocol, for each protocol an SPI is
152 * allocated. SPIs are stored internally and written
153 * back to the proposal.
154 *
155 * @param proposals list of proposals for which SPIs are allocated
156 */
157 status_t (*alloc)(child_sa_t *this, linked_list_t* proposals);
158
159 /**
160 * Install the kernel SAs for a proposal, without previous SPI allocation.
161 *
162 * @param proposal proposal for which SPIs are allocated
163 * @param mode mode for the CHILD_SA
164 * @param prf_plus key material to use for key derivation
165 * @return SUCCESS or FAILED
166 */
167 status_t (*add)(child_sa_t *this, proposal_t *proposal, mode_t mode,
168 prf_plus_t *prf_plus);
169
170 /**
171 * Install the kernel SAs for a proposal, after SPIs have been allocated.
172 *
173 * Updates an SA, for which SPIs are already allocated via alloc().
174 *
175 * @param proposal proposal for which SPIs are allocated
176 * @param mode mode for the CHILD_SA
177 * @param prf_plus key material to use for key derivation
178 * @return SUCCESS or FAILED
179 */
180 status_t (*update)(child_sa_t *this, proposal_t *proposal, mode_t mode,
181 prf_plus_t *prf_plus);
182
183 /**
184 * Update the hosts in the kernel SAs and policies.
185 *
186 * The CHILD must be INSTALLED to do this update.
187 *
188 * @param me the new local host
189 * @param other the new remote host
190 * @param TRUE to use UDP encapsulation for NAT traversal
191 * @return SUCCESS or FAILED
192 */
193 status_t (*update_hosts)(child_sa_t *this, host_t *me, host_t *other,
194 bool encap);
195
196 /**
197 * Install the policies using some traffic selectors.
198 *
199 * Supplied lists of traffic_selector_t's specify the policies
200 * to use for this child sa.
201 *
202 * @param my_ts traffic selectors for local site
203 * @param other_ts traffic selectors for remote site
204 * @param mode mode for the SA: tunnel/transport
205 * @return SUCCESS or FAILED
206 */
207 status_t (*add_policies)(child_sa_t *this, linked_list_t *my_ts_list,
208 linked_list_t *other_ts_list, mode_t mode);
209
210 /**
211 * Get the traffic selectors of added policies of local host.
212 *
213 * @param local TRUE for own traffic selectors, FALSE for remote
214 * @return list of traffic selectors
215 */
216 linked_list_t* (*get_traffic_selectors) (child_sa_t *this, bool local);
217
218 /**
219 * Get the time of this child_sa_t's last use (i.e. last use of any of its policies)
220 *
221 * @param inbound query for in- or outbound usage
222 * @param use_time the time
223 * @return SUCCESS or FAILED
224 */
225 status_t (*get_use_time) (child_sa_t *this, bool inbound, time_t *use_time);
226
227 /**
228 * Get the state of the CHILD_SA.
229 */
230 child_sa_state_t (*get_state) (child_sa_t *this);
231
232 /**
233 * Set the state of the CHILD_SA.
234 *
235 * @param state state to set on CHILD_SA
236 */
237 void (*set_state) (child_sa_t *this, child_sa_state_t state);
238
239 /**
240 * Get the config used to set up this child sa.
241 *
242 * @return child_cfg
243 */
244 child_cfg_t* (*get_config) (child_sa_t *this);
245
246 /**
247 * Set the virtual IP used received from IRAS.
248 *
249 * To allow proper setup of firewall rules, the virtual IP is required
250 * for filtering.
251 *
252 * @param ip own virtual IP
253 */
254 void (*set_virtual_ip) (child_sa_t *this, host_t *ip);
255
256 /**
257 * Destroys a child_sa.
258 */
259 void (*destroy) (child_sa_t *this);
260 };
261
262 /**
263 * Constructor to create a new child_sa_t.
264 *
265 * @param me own address
266 * @param other remote address
267 * @param my_id id of own peer
268 * @param other_id id of remote peer
269 * @param config config to use for this CHILD_SA
270 * @param reqid reqid of old CHILD_SA when rekeying, 0 otherwise
271 * @param encap TRUE to enable UDP encapsulation (NAT traversal)
272 * @return child_sa_t object
273 */
274 child_sa_t * child_sa_create(host_t *me, host_t *other,
275 identification_t *my_id, identification_t* other_id,
276 child_cfg_t *config, u_int32_t reqid, bool encap);
277
278 #endif /*CHILD_SA_H_ @} */