merged tasking branch into trunk
[strongswan.git] / src / charon / sa / child_sa.h
1 /**
2 * @file child_sa.h
3 *
4 * @brief Interface of child_sa_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006-2007 Martin Willi
10 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24
25 #ifndef CHILD_SA_H_
26 #define CHILD_SA_H_
27
28 typedef enum child_sa_state_t child_sa_state_t;
29 typedef struct child_sa_t child_sa_t;
30
31 #include <library.h>
32 #include <crypto/prf_plus.h>
33 #include <encoding/payloads/proposal_substructure.h>
34 #include <config/proposal.h>
35 #include <config/policies/policy.h>
36
37 /**
38 * Where we should start with reqid enumeration
39 */
40 #define REQID_START 2000000000
41
42 /**
43 * @brief States of a CHILD_SA
44 */
45 enum child_sa_state_t {
46
47 /**
48 * Just created, uninstalled CHILD_SA
49 */
50 CHILD_CREATED,
51
52 /**
53 * Installed SPD, but no SAD entries
54 */
55 CHILD_ROUTED,
56
57 /**
58 * Installed an in-use CHILD_SA
59 */
60 CHILD_INSTALLED,
61
62 /**
63 * CHILD_SA which is rekeying
64 */
65 CHILD_REKEYING,
66
67 /**
68 * CHILD_SA in progress of delete
69 */
70 CHILD_DELETING,
71 };
72
73 /**
74 * enum strings for child_sa_state_t.
75 */
76 extern enum_name_t *child_sa_state_names;
77
78 /**
79 * @brief Represents an IPsec SAs between two hosts.
80 *
81 * A child_sa_t contains two SAs. SAs for both
82 * directions are managed in one child_sa_t object. Both
83 * SAs and the policies have the same reqid.
84 *
85 * The procedure for child sa setup is as follows:
86 * - A gets SPIs for a proposal via child_sa_t.alloc
87 * - A send the updated proposal to B
88 * - B selects a suitable proposal
89 * - B calls child_sa_t.add to add and update the selected proposal
90 * - B sends the updated proposal to A
91 * - A calls child_sa_t.update to update the already allocated SPIs with the chosen proposal
92 *
93 * Once SAs are set up, policies can be added using add_policies.
94 *
95 *
96 * @b Constructors:
97 * - child_sa_create()
98 *
99 * @ingroup sa
100 */
101 struct child_sa_t {
102
103 /**
104 * @brief Get the name of the policy this CHILD_SA uses.
105 *
106 * @param this calling object
107 * @return name
108 */
109 char* (*get_name) (child_sa_t *this);
110
111 /**
112 * @brief Get the reqid of the CHILD SA.
113 *
114 * Every CHILD_SA has a reqid. The kernel uses this ID to
115 * identify it.
116 *
117 * @param this calling object
118 * @return reqid of the CHILD SA
119 */
120 u_int32_t (*get_reqid)(child_sa_t *this);
121
122 /**
123 * @brief Get the SPI of this CHILD_SA.
124 *
125 * Set the boolean parameter inbound to TRUE to
126 * get the SPI for which we receive packets, use
127 * FALSE to get those we use for sending packets.
128 *
129 * @param this calling object
130 * @param inbound TRUE to get inbound SPI, FALSE for outbound.
131 * @return spi of the CHILD SA
132 */
133 u_int32_t (*get_spi) (child_sa_t *this, bool inbound);
134
135 /**
136 * @brief Get the protocol which this CHILD_SA uses to protect traffic.
137 *
138 * @param this calling object
139 * @return AH | ESP
140 */
141 protocol_id_t (*get_protocol) (child_sa_t *this);
142
143 /**
144 * @brief Allocate SPIs for given proposals.
145 *
146 * Since the kernel manages SPIs for us, we need
147 * to allocate them. If a proposal contains more
148 * than one protocol, for each protocol an SPI is
149 * allocated. SPIs are stored internally and written
150 * back to the proposal.
151 *
152 * @param this calling object
153 * @param proposals list of proposals for which SPIs are allocated
154 */
155 status_t (*alloc)(child_sa_t *this, linked_list_t* proposals);
156
157 /**
158 * @brief Install the kernel SAs for a proposal, without previous SPI allocation.
159 *
160 * @param this calling object
161 * @param proposal proposal for which SPIs are allocated
162 * @param mode mode for the CHILD_SA
163 * @param prf_plus key material to use for key derivation
164 * @return SUCCESS or FAILED
165 */
166 status_t (*add)(child_sa_t *this, proposal_t *proposal, mode_t mode,
167 prf_plus_t *prf_plus);
168
169 /**
170 * @brief Install the kernel SAs for a proposal, after SPIs have been allocated.
171 *
172 * Updates an SA, for which SPIs are already allocated via alloc().
173 *
174 * @param this calling object
175 * @param proposal proposal for which SPIs are allocated
176 * @param mode mode for the CHILD_SA
177 * @param prf_plus key material to use for key derivation
178 * @return SUCCESS or FAILED
179 */
180 status_t (*update)(child_sa_t *this, proposal_t *proposal, mode_t mode,
181 prf_plus_t *prf_plus);
182
183 /**
184 * @brief Update the hosts in the kernel SAs and policies
185 *
186 * @warning only call this after update() has been called.
187 *
188 * @param this calling object
189 * @param new_me the new local host
190 * @param new_other the new remote host
191 * @param my_diff differences to apply for me
192 * @param other_diff differences to apply for other
193 * @return SUCCESS or FAILED
194 */
195 status_t (*update_hosts)(child_sa_t *this, host_t *new_me, host_t *new_other,
196 host_diff_t my_diff, host_diff_t other_diff);
197
198 /**
199 * @brief Install the policies using some traffic selectors.
200 *
201 * Supplied lists of traffic_selector_t's specify the policies
202 * to use for this child sa.
203 *
204 * @param this calling object
205 * @param my_ts traffic selectors for local site
206 * @param other_ts traffic selectors for remote site
207 * @param mode mode for the SA: tunnel/transport
208 * @return SUCCESS or FAILED
209 */
210 status_t (*add_policies)(child_sa_t *this, linked_list_t *my_ts_list,
211 linked_list_t *other_ts_list, mode_t mode);
212
213 /**
214 * @brief Get the traffic selectors of added policies of local host.
215 *
216 * @param this calling object
217 * @return list of traffic selectors
218 */
219 linked_list_t* (*get_my_traffic_selectors) (child_sa_t *this);
220
221 /**
222 * @brief Get the traffic selectors of added policies of remote host.
223 *
224 * @param this calling object
225 * @return list of traffic selectors
226 */
227 linked_list_t* (*get_other_traffic_selectors) (child_sa_t *this);
228
229 /**
230 * @brief Get the time of this child_sa_t's last use (i.e. last use of any of its policies)
231 *
232 * @param this calling object
233 * @param inbound query for in- or outbound usage
234 * @param use_time the time
235 * @return SUCCESS or FAILED
236 */
237 status_t (*get_use_time) (child_sa_t *this, bool inbound, time_t *use_time);
238
239 /**
240 * @brief Get the state of the CHILD_SA.
241 *
242 * @param this calling object
243 */
244 child_sa_state_t (*get_state) (child_sa_t *this);
245
246 /**
247 * @brief Set the state of the CHILD_SA.
248 *
249 * @param this calling object
250 */
251 void (*set_state) (child_sa_t *this, child_sa_state_t state);
252
253 /**
254 * @brief Get the policy used to set up this child sa.
255 *
256 * @param this calling object
257 * @return policy
258 */
259 policy_t* (*get_policy) (child_sa_t *this);
260
261 /**
262 * @brief Destroys a child_sa.
263 *
264 * @param this calling object
265 */
266 void (*destroy) (child_sa_t *this);
267 };
268
269 /**
270 * @brief Constructor to create a new child_sa_t.
271 *
272 * @param me own address
273 * @param other remote address
274 * @param my_id id of own peer
275 * @param other_id id of remote peer
276 * @param policy policy this CHILD_SA instantiates
277 * @param reqid reqid of old CHILD_SA when rekeying, 0 otherwise
278 * @param use_natt TRUE if NAT traversal is used
279 * @return child_sa_t object
280 *
281 * @ingroup sa
282 */
283 child_sa_t * child_sa_create(host_t *me, host_t *other,
284 identification_t *my_id, identification_t* other_id,
285 policy_t *policy, u_int32_t reqid, bool use_natt);
286
287 #endif /*CHILD_SA_H_*/