cleanups in kernel interface code
[strongswan.git] / src / charon / sa / child_sa.h
1 /**
2 * @file child_sa.h
3 *
4 * @brief Interface of child_sa_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2006 Martin Willi
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24
25 #ifndef CHILD_SA_H_
26 #define CHILD_SA_H_
27
28 #include <types.h>
29 #include <crypto/prf_plus.h>
30 #include <encoding/payloads/proposal_substructure.h>
31 #include <config/proposal.h>
32 #include <utils/logger.h>
33
34 /**
35 * Where we should start with reqid enumeration
36 */
37 #define REQID_START 2000000000
38
39 typedef enum child_sa_state_t child_sa_state_t;
40
41 /**
42 * @brief States of a CHILD_SA
43 */
44 enum child_sa_state_t {
45
46 /**
47 * Just created, uninstalled CHILD_SA
48 */
49 CHILD_CREATED,
50
51 /**
52 * Installed an in-use CHILD_SA
53 */
54 CHILD_INSTALLED,
55
56 /**
57 * CHILD_SA which is rekeying
58 */
59 CHILD_REKEYING,
60
61 /**
62 * CHILD_SA in progress of delete
63 */
64 CHILD_DELETING,
65 };
66
67 /**
68 * String mappings for child_sa_state_t.
69 */
70 extern mapping_t child_sa_state_m[];
71
72 typedef struct child_sa_t child_sa_t;
73
74 /**
75 * @brief Represents an IPsec SAs between two hosts.
76 *
77 * A child_sa_t contains two SAs. SAs for both
78 * directions are managed in one child_sa_t object. Both
79 * SAs and the policies have the same reqid.
80 *
81 * The procedure for child sa setup is as follows:
82 * - A gets SPIs for a proposal via child_sa_t.alloc
83 * - A send the updated proposal to B
84 * - B selects a suitable proposal
85 * - B calls child_sa_t.add to add and update the selected proposal
86 * - B sends the updated proposal to A
87 * - A calls child_sa_t.update to update the already allocated SPIs with the chosen proposal
88 *
89 * Once SAs are set up, policies can be added using add_policies.
90 *
91 *
92 * @b Constructors:
93 * - child_sa_create()
94 *
95 * @ingroup sa
96 */
97 struct child_sa_t {
98
99 /**
100 * @brief Get the unique reqid of the CHILD SA.
101 *
102 * Every CHILD_SA has a unique reqid, which is also
103 * stored down in the kernel.
104 *
105 * @param this calling object
106 * @return reqid of the CHILD SA
107 */
108 u_int32_t (*get_reqid)(child_sa_t *this);
109
110 /**
111 * @brief Get the SPI of this CHILD_SA.
112 *
113 * Set the boolean parameter inbound to TRUE to
114 * get the SPI for which we receive packets, use
115 * FALSE to get those we use for sending packets.
116 *
117 * @param this calling object
118 * @param inbound TRUE to get inbound SPI, FALSE for outbound.
119 * @return spi of the CHILD SA
120 */
121 u_int32_t (*get_spi) (child_sa_t *this, bool inbound);
122
123 /**
124 * @brief Get the protocol which this CHILD_SA uses to protect traffic.
125 *
126 * @param this calling object
127 * @return AH | ESP
128 */
129 protocol_id_t (*get_protocol) (child_sa_t *this);
130
131 /**
132 * @brief Allocate SPIs for given proposals.
133 *
134 * Since the kernel manages SPIs for us, we need
135 * to allocate them. If a proposal contains more
136 * than one protocol, for each protocol an SPI is
137 * allocated. SPIs are stored internally and written
138 * back to the proposal.
139 *
140 * @param this calling object
141 * @param proposals list of proposals for which SPIs are allocated
142 */
143 status_t (*alloc)(child_sa_t *this, linked_list_t* proposals);
144
145 /**
146 * @brief Install the kernel SAs for a proposal, without previous SPI allocation.
147 *
148 * @param this calling object
149 * @param proposal proposal for which SPIs are allocated
150 * @param prf_plus key material to use for key derivation
151 * @return SUCCESS or FAILED
152 */
153 status_t (*add)(child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus);
154
155 /**
156 * @brief Install the kernel SAs for a proposal, after SPIs have been allocated.
157 *
158 * Updates an SA, for which SPIs are already allocated via alloc().
159 *
160 * @param this calling object
161 * @param proposal proposal for which SPIs are allocated
162 * @param prf_plus key material to use for key derivation
163 * @return SUCCESS or FAILED
164 */
165 status_t (*update)(child_sa_t *this, proposal_t *proposal, prf_plus_t *prf_plus);
166
167 /**
168 * @brief Update the hosts in the kernel SAs and policies
169 *
170 * @warning only call this after update() has been called.
171 *
172 * @param this calling object
173 * @param new_me the new local host
174 * @param new_other the new remote host
175 * @param my_diff differences to apply for me
176 * @param other_diff differences to apply for other
177 * @return SUCCESS or FAILED
178 */
179 status_t (*update_hosts) (child_sa_t *this, host_t *new_me, host_t *new_other,
180 host_diff_t my_diff, host_diff_t other_diff);
181
182 /**
183 * @brief Install the policies using some traffic selectors.
184 *
185 * Supplied lists of traffic_selector_t's specify the policies
186 * to use for this child sa.
187 *
188 * @param this calling object
189 * @param my_ts traffic selectors for local site
190 * @param other_ts traffic selectors for remote site
191 * @return SUCCESS or FAILED
192 */
193 status_t (*add_policies) (child_sa_t *this, linked_list_t *my_ts_list, linked_list_t *other_ts_list);
194
195 /**
196 * @brief Get the time of this child_sa_t's last use (i.e. last use of any of its policies)
197 *
198 * @param this calling object
199 * @param inbound query for in- or outbound usage
200 * @param use_time the time
201 * @return SUCCESS or FAILED
202 */
203 status_t (*get_use_time) (child_sa_t *this, bool inbound, time_t *use_time);
204
205 /**
206 * @brief Get the state of the CHILD_SA.
207 *
208 * @param this calling object
209 */
210 child_sa_state_t (*get_state) (child_sa_t *this);
211
212 /**
213 * @brief Set the state of the CHILD_SA.
214 *
215 * @param this calling object
216 */
217 void (*set_state) (child_sa_t *this, child_sa_state_t state);
218
219 /**
220 * @brief Set the transaction which rekeys this CHILD_SA.
221 *
222 * Since either end may initiate CHILD_SA rekeying, we must detect
223 * such situations to handle them cleanly. A rekeying transaction
224 * registers itself to the CHILD_SA, and checks later if another
225 * transaction is in progress of a rekey.
226 *
227 * @todo Fix include problematics to allow inclusion of
228 * the create_child_sa_t transaction.
229 *
230 * @param this calling object
231 */
232 void (*set_rekeying_transaction) (child_sa_t *this, void *transaction);
233
234 /**
235 * @brief Get the transaction which rekeys this CHILD_SA.
236 *
237 * @see set_rekeying_transactoin().
238 *
239 * @param this calling object
240 */
241 void* (*get_rekeying_transaction) (child_sa_t *this);
242
243 /**
244 * @brief Log the status of a child_sa to a logger.
245 *
246 * The status of ESP/AH SAs is logged with the supplied logger in
247 * a human readable form.
248 * Supplying NULL as logger uses the internal child_sa logger
249 * to do the logging. The name is only a log-prefix without further
250 * meaning.
251 *
252 * @param this calling object
253 * @param logger logger to use for logging
254 * @param name connection name
255 */
256 void (*log_status) (child_sa_t *this, logger_t *logger, char *name);
257
258 /**
259 * @brief Destroys a child_sa.
260 *
261 * @param this calling object
262 */
263 void (*destroy) (child_sa_t *this);
264 };
265
266 /**
267 * @brief Constructor to create a new child_sa_t.
268 *
269 * @param rekey_reqid reqid of old CHILD_SA when rekeying, 0 otherwise
270 * @param me own address
271 * @param other remote address
272 * @param soft_lifetime time before rekeying
273 * @param hard_lifteime time before delete
274 * @param use_natt TRUE if NAT traversal is used
275 * @return child_sa_t object
276 *
277 * @ingroup sa
278 */
279 child_sa_t * child_sa_create(u_int32_t rekey_reqid, host_t *me, host_t *other,
280 u_int32_t soft_lifetime, u_int32_t hard_lifetime,
281 bool use_natt);
282
283 #endif /*CHILD_SA_H_*/