further mobike improvements, regarding to NAT-T
[strongswan.git] / src / charon / sa / child_sa.h
1 /**
2 * @file child_sa.h
3 *
4 * @brief Interface of child_sa_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006-2007 Martin Willi
10 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24
25 #ifndef CHILD_SA_H_
26 #define CHILD_SA_H_
27
28 typedef enum child_sa_state_t child_sa_state_t;
29 typedef struct child_sa_t child_sa_t;
30
31 #include <library.h>
32 #include <crypto/prf_plus.h>
33 #include <encoding/payloads/proposal_substructure.h>
34 #include <config/proposal.h>
35 #include <config/child_cfg.h>
36
37 /**
38 * @brief States of a CHILD_SA
39 */
40 enum child_sa_state_t {
41
42 /**
43 * Just created, uninstalled CHILD_SA
44 */
45 CHILD_CREATED,
46
47 /**
48 * Installed SPD, but no SAD entries
49 */
50 CHILD_ROUTED,
51
52 /**
53 * Installed an in-use CHILD_SA
54 */
55 CHILD_INSTALLED,
56
57 /**
58 * CHILD_SA which is rekeying
59 */
60 CHILD_REKEYING,
61
62 /**
63 * CHILD_SA in progress of delete
64 */
65 CHILD_DELETING,
66 };
67
68 /**
69 * enum strings for child_sa_state_t.
70 */
71 extern enum_name_t *child_sa_state_names;
72
73 /**
74 * @brief Represents an IPsec SAs between two hosts.
75 *
76 * A child_sa_t contains two SAs. SAs for both
77 * directions are managed in one child_sa_t object. Both
78 * SAs and the policies have the same reqid.
79 *
80 * The procedure for child sa setup is as follows:
81 * - A gets SPIs for a proposal via child_sa_t.alloc
82 * - A send the updated proposal to B
83 * - B selects a suitable proposal
84 * - B calls child_sa_t.add to add and update the selected proposal
85 * - B sends the updated proposal to A
86 * - A calls child_sa_t.update to update the already allocated SPIs with the chosen proposal
87 *
88 * Once SAs are set up, policies can be added using add_policies.
89 *
90 *
91 * @b Constructors:
92 * - child_sa_create()
93 *
94 * @ingroup sa
95 */
96 struct child_sa_t {
97
98 /**
99 * @brief Get the name of the config this CHILD_SA uses.
100 *
101 * @param this calling object
102 * @return name
103 */
104 char* (*get_name) (child_sa_t *this);
105
106 /**
107 * @brief Get the reqid of the CHILD SA.
108 *
109 * Every CHILD_SA has a reqid. The kernel uses this ID to
110 * identify it.
111 *
112 * @param this calling object
113 * @return reqid of the CHILD SA
114 */
115 u_int32_t (*get_reqid)(child_sa_t *this);
116
117 /**
118 * @brief Get the SPI of this CHILD_SA.
119 *
120 * Set the boolean parameter inbound to TRUE to
121 * get the SPI for which we receive packets, use
122 * FALSE to get those we use for sending packets.
123 *
124 * @param this calling object
125 * @param inbound TRUE to get inbound SPI, FALSE for outbound.
126 * @return spi of the CHILD SA
127 */
128 u_int32_t (*get_spi) (child_sa_t *this, bool inbound);
129
130 /**
131 * @brief Get the protocol which this CHILD_SA uses to protect traffic.
132 *
133 * @param this calling object
134 * @return AH | ESP
135 */
136 protocol_id_t (*get_protocol) (child_sa_t *this);
137
138 /**
139 * @brief Get info and statistics about this CHILD_SA.
140 *
141 * @param mode mode this IKE_SA uses
142 * @param encr_algo encryption algorithm used by this CHILD_SA.
143 * @param encr_len key length of the algorithm, if any
144 * @param int_algo integrity algorithm used by this CHILD_SA
145 * @param int_len key length of the algorithm, if any
146 * @param rekey time when rekeying is scheduled
147 * @param use_in time when last traffic was seen coming in
148 * @param use_out time when last traffic was seen going out
149 * @param use_fwd time when last traffic was getting forwarded
150 */
151 void (*get_stats)(child_sa_t *this, mode_t *mode,
152 encryption_algorithm_t *encr, size_t *encr_len,
153 integrity_algorithm_t *int_algo, size_t *int_len,
154 u_int32_t *rekey, u_int32_t *use_in, u_int32_t *use_out,
155 u_int32_t *use_fwd);
156
157 /**
158 * @brief Allocate SPIs for given proposals.
159 *
160 * Since the kernel manages SPIs for us, we need
161 * to allocate them. If a proposal contains more
162 * than one protocol, for each protocol an SPI is
163 * allocated. SPIs are stored internally and written
164 * back to the proposal.
165 *
166 * @param this calling object
167 * @param proposals list of proposals for which SPIs are allocated
168 */
169 status_t (*alloc)(child_sa_t *this, linked_list_t* proposals);
170
171 /**
172 * @brief Install the kernel SAs for a proposal, without previous SPI allocation.
173 *
174 * @param this calling object
175 * @param proposal proposal for which SPIs are allocated
176 * @param mode mode for the CHILD_SA
177 * @param prf_plus key material to use for key derivation
178 * @return SUCCESS or FAILED
179 */
180 status_t (*add)(child_sa_t *this, proposal_t *proposal, mode_t mode,
181 prf_plus_t *prf_plus);
182
183 /**
184 * @brief Install the kernel SAs for a proposal, after SPIs have been allocated.
185 *
186 * Updates an SA, for which SPIs are already allocated via alloc().
187 *
188 * @param this calling object
189 * @param proposal proposal for which SPIs are allocated
190 * @param mode mode for the CHILD_SA
191 * @param prf_plus key material to use for key derivation
192 * @return SUCCESS or FAILED
193 */
194 status_t (*update)(child_sa_t *this, proposal_t *proposal, mode_t mode,
195 prf_plus_t *prf_plus);
196
197 /**
198 * @brief Update the hosts in the kernel SAs and policies.
199 *
200 * The CHILD must be INSTALLED to do this update.
201 *
202 * @param this calling object
203 * @param me the new local host
204 * @param other the new remote host
205 * @param TRUE to use UDP encapsulation for NAT traversal
206 * @return SUCCESS or FAILED
207 */
208 status_t (*update_hosts)(child_sa_t *this, host_t *me, host_t *other,
209 bool encap);
210
211 /**
212 * @brief Install the policies using some traffic selectors.
213 *
214 * Supplied lists of traffic_selector_t's specify the policies
215 * to use for this child sa.
216 *
217 * @param this calling object
218 * @param my_ts traffic selectors for local site
219 * @param other_ts traffic selectors for remote site
220 * @param mode mode for the SA: tunnel/transport
221 * @return SUCCESS or FAILED
222 */
223 status_t (*add_policies)(child_sa_t *this, linked_list_t *my_ts_list,
224 linked_list_t *other_ts_list, mode_t mode);
225
226 /**
227 * @brief Get the traffic selectors of added policies of local host.
228 *
229 * @param this calling object
230 * @param local TRUE for own traffic selectors, FALSE for remote
231 * @return list of traffic selectors
232 */
233 linked_list_t* (*get_traffic_selectors) (child_sa_t *this, bool local);
234
235 /**
236 * @brief Get the time of this child_sa_t's last use (i.e. last use of any of its policies)
237 *
238 * @param this calling object
239 * @param inbound query for in- or outbound usage
240 * @param use_time the time
241 * @return SUCCESS or FAILED
242 */
243 status_t (*get_use_time) (child_sa_t *this, bool inbound, time_t *use_time);
244
245 /**
246 * @brief Get the state of the CHILD_SA.
247 *
248 * @param this calling object
249 */
250 child_sa_state_t (*get_state) (child_sa_t *this);
251
252 /**
253 * @brief Set the state of the CHILD_SA.
254 *
255 * @param this calling object
256 */
257 void (*set_state) (child_sa_t *this, child_sa_state_t state);
258
259 /**
260 * @brief Get the config used to set up this child sa.
261 *
262 * @param this calling object
263 * @return child_cfg
264 */
265 child_cfg_t* (*get_config) (child_sa_t *this);
266
267 /**
268 * @brief Set the virtual IP used received from IRAS.
269 *
270 * To allow proper setup of firewall rules, the virtual IP is required
271 * for filtering.
272 *
273 * @param this calling object
274 * @param ip own virtual IP
275 */
276 void (*set_virtual_ip) (child_sa_t *this, host_t *ip);
277
278 /**
279 * @brief Destroys a child_sa.
280 *
281 * @param this calling object
282 */
283 void (*destroy) (child_sa_t *this);
284 };
285
286 /**
287 * @brief Constructor to create a new child_sa_t.
288 *
289 * @param me own address
290 * @param other remote address
291 * @param my_id id of own peer
292 * @param other_id id of remote peer
293 * @param config config to use for this CHILD_SA
294 * @param reqid reqid of old CHILD_SA when rekeying, 0 otherwise
295 * @param encap TRUE to enable UDP encapsulation (NAT traversal)
296 * @return child_sa_t object
297 *
298 * @ingroup sa
299 */
300 child_sa_t * child_sa_create(host_t *me, host_t *other,
301 identification_t *my_id, identification_t* other_id,
302 child_cfg_t *config, u_int32_t reqid, bool encap);
303
304 #endif /*CHILD_SA_H_*/