1 /**
2 * @file kernel_interface.h
3 *
4 * @brief Interface of kernel_interface_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2006 Tobias Brunner, Daniel Roethlisberger
10 * Copyright (C) 2005 Jan Hutter, Martin Willi
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #ifndef KERNEL_INTERFACE_H_
25 #define KERNEL_INTERFACE_H_
26
27 #include <linux/xfrm.h>
28
29 #include <utils/host.h>
30 #include <crypto/prf_plus.h>
31 #include <encoding/payloads/proposal_substructure.h>
32
typedef struct natt_conf_t natt_conf_t;

/**
 * @brief Configuration for NAT-T
 *
 * Carries the two encapsulation ports handed to kernel_interface_t.add_sa()
 * and adjusted by update_sa_hosts(). Both fields are plain 16-bit port
 * numbers; the struct owns no other state.
 */
struct natt_conf_t {
	/** encapsulation port on the source side of the SA */
	u_int16_t sport;
	/** encapsulation port on the destination side of the SA */
	u_int16_t dport;
};
41
typedef struct kernel_interface_t kernel_interface_t;

/**
 * @brief Interface to the kernel.
 *
 * The kernel interface handles the communication with the kernel
 * for SA and policy management. It allows setup of these, and provides
 * further the handling of kernel events.
 *
 * Every method that talks to the kernel reports failure as FAILED.
 * Callers must check the returned status and must not assume that an
 * SA or policy is in place after a failed call.
 *
 * @b Constructors:
 *  - kernel_interface_create()
 *
 * @ingroup threads
 */
struct kernel_interface_t {

	/**
	 * @brief Get a SPI from the kernel.
	 *
	 * @warning get_spi() implicitly creates an SA with
	 * the allocated SPI, therefore the replace flag
	 * in add_sa() must be set when installing this SA.
	 * An SPI obtained here but never followed by add_sa()
	 * presumably leaves that placeholder SA behind — confirm
	 * against the implementation how it is cleaned up.
	 *
	 * @param this			calling object
	 * @param src			source address of SA
	 * @param dst			destination address of SA
	 * @param protocol		protocol for SA (ESP/AH)
	 * @param reqid			unique ID for this SA
	 * @param[out] spi		allocated spi; only valid when SUCCESS is returned
	 * @return
	 * 						- SUCCESS
	 * 						- FAILED if kernel comm failed
	 */
	status_t (*get_spi) (kernel_interface_t *this,
				host_t *src, host_t *dst,
				protocol_id_t protocol,
				u_int32_t reqid,
				u_int32_t *spi);

	/**
	 * @brief Add an SA to the SAD.
	 *
	 * add_sa() may update an already allocated
	 * SPI (via get_spi). In this case, the replace
	 * flag must be set.
	 * This function does install a single SA for a
	 * single protocol in one direction. The kernel-interface
	 * gets the keys itself from the PRF, as we don't know
	 * his algorithms and key sizes.
	 *
	 * Two SAs (one per direction) are therefore needed for a
	 * bidirectional CHILD_SA, each installed with its own call.
	 *
	 * @param this			calling object
	 * @param src			source address for this SA
	 * @param dst			destination address for this SA
	 * @param spi			SPI allocated by us or remote peer
	 * @param protocol		protocol for this SA (ESP/AH)
	 * @param reqid			unique ID for this SA
	 * @param expire_soft	lifetime in seconds before rekeying
	 * @param expire_hard	lifetime in seconds before delete
	 * 						(presumably expected to be >= expire_soft — verify against caller)
	 * @param enc_alg		Algorithm to use for encryption (ESP only)
	 * @param int_alg		Algorithm to use for integrity protection
	 * @param prf_plus		PRF to derive keys; key material is pulled from it
	 * 						inside this call, so the caller must not reuse it for
	 * 						unrelated derivations afterwards (order of derivation
	 * 						determines the keys)
	 * @param natt			NAT-T Configuration
	 * @param replace		Should an already installed SA be updated?
	 * @return
	 * 						- SUCCESS
	 * 						- FAILED if kernel comm failed
	 */
	status_t (*add_sa)(kernel_interface_t *this,
				host_t *src, host_t *dst,
				u_int32_t spi,
				protocol_id_t protocol,
				u_int32_t reqid,
				u_int64_t expire_soft,
				u_int64_t expire_hard,
				algorithm_t *enc_alg,
				algorithm_t *int_alg,
				prf_plus_t *prf_plus,
				natt_conf_t *natt,
				bool replace);
	/**
	 * @brief Update the hosts on an installed SA. Encapsulation ports are also updated.
	 *
	 * @note We cannot directly update the destination address as the kernel requires the spi,
	 * the protocol AND the destination address (and family) to identify SAs. Therefore if the
	 * destination address changed we create a new SA and delete the old one.
	 *
	 * @note Because of the delete-and-recreate path, a failure may leave either the old
	 * or the new SA in place; callers should treat FAILED as "state unknown" and re-check.
	 *
	 * @param this			calling object
	 * @param src			source address for this SA
	 * @param dst			destination address for this SA
	 * @param new_src		new source address for this SA
	 * @param new_dst		new destination address for this SA
	 * @param src_changes	changes in src (encoding of which parts changed is not
	 * 						defined in this header — see the implementation)
	 * @param dst_changes	changes in dst (same encoding as src_changes)
	 * @param spi			SPI allocated by us or remote peer
	 * @param protocol		protocol for this SA (ESP/AH)
	 * @return
	 * 						- SUCCESS
	 * 						- FAILED if kernel comm failed
	 */
	status_t (*update_sa_hosts)(kernel_interface_t *this,
				host_t *src, host_t *dst,
				host_t *new_src, host_t *new_dst,
				int src_changes, int dst_changes,
				u_int32_t spi, protocol_id_t protocol);

	/**
	 * @brief Delete a previously installed SA from the SAD.
	 *
	 * The SA is identified by (dst, spi, protocol), which is why no
	 * source address is needed here.
	 *
	 * @param this			calling object
	 * @param dst			destination address for this SA
	 * @param spi			SPI allocated by us or remote peer
	 * @param protocol		protocol for this SA (ESP/AH)
	 * @return
	 * 						- SUCCESS
	 * 						- FAILED if kernel comm failed
	 */
	status_t (*del_sa) (kernel_interface_t *this,
				host_t *dst,
				u_int32_t spi,
				protocol_id_t protocol);

	/**
	 * @brief Add a policy to the SPD.
	 *
	 * A policy is always associated with an SA through its reqid:
	 * traffic which matches a policy is handled by the SA with the
	 * same reqid.
	 *
	 * @param this			calling object
	 * @param me			address of local peer
	 * @param other			address of remote peer
	 * @param src			src address of traffic this policy applies
	 * @param dst			dest address of traffic this policy applies
	 * @param src_hostbits	subnetmask to use for src address
	 * @param dst_hostbits	subnetmask to use for dst address
	 * @param direction		direction of traffic, XFRM_POLICY_OUT, XFRM_POLICY_IN, XFRM_POLICY_FWD
	 * @param upper_proto	upper layer protocol of traffic for this policy (TCP, UDP, ICMP, ...)
	 * @param protocol		protocol to use to protect traffic (AH/ESP)
	 * @param reqid			unique ID of an SA to use to enforce policy
	 * @return
	 * 						- SUCCESS
	 * 						- FAILED if kernel comm failed
	 */
	status_t (*add_policy) (kernel_interface_t *this,
				host_t *me, host_t *other,
				host_t *src, host_t *dst,
				u_int8_t src_hostbits, u_int8_t dst_hostbits,
				int direction, int upper_proto,
				protocol_id_t protocol,
				u_int32_t reqid);

	/**
	 * @brief Remove a policy from the SPD.
	 *
	 * The selector arguments must match the ones given to add_policy();
	 * protocol and reqid are not part of the policy's identity and are
	 * therefore not needed for removal.
	 *
	 * @param this			calling object
	 * @param me			address of local peer
	 * @param other			address of remote peer
	 * @param src			src address of traffic this policy applies
	 * @param dst			dest address of traffic this policy applies
	 * @param src_hostbits	subnetmask to use for src address
	 * @param dst_hostbits	subnetmask to use for dst address
	 * @param direction		direction of traffic, XFRM_POLICY_OUT, XFRM_POLICY_IN, XFRM_POLICY_FWD
	 * @param upper_proto	upper layer protocol of traffic for this policy (TCP, UDP, ICMP, ...)
	 * @return
	 * 						- SUCCESS
	 * 						- FAILED if kernel comm failed
	 */
	status_t (*del_policy) (kernel_interface_t *this,
				host_t *me, host_t *other,
				host_t *src, host_t *dst,
				u_int8_t src_hostbits, u_int8_t dst_hostbits,
				int direction, int upper_proto);

	/**
	 * @brief Destroys a kernel_interface object.
	 *
	 * Releases the object itself; whether installed SAs and policies
	 * are removed from the kernel on destroy is not specified here.
	 *
	 * @param kernel_interface	calling object
	 */
	void (*destroy) (kernel_interface_t *kernel_interface);
};
223
/**
 * @brief Creates an object of type kernel_interface_t.
 *
 * @return				created kernel_interface_t object, to be released
 * 						with its destroy() method; whether NULL can be
 * 						returned on failure is not specified here
 *
 * @ingroup threads
 */
kernel_interface_t *kernel_interface_create(void);
230
231 #endif /*KERNEL_INTERFACE_H_*/