libipsec: Support usage statistics and query_sa() on IPsec SAs
[strongswan.git] / src / libipsec / ipsec_sa.c
1 /*
2 * Copyright (C) 2012 Tobias Brunner
3 * Copyright (C) 2012 Giuliano Grassi
4 * Copyright (C) 2012 Ralf Sager
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 #include "ipsec_sa.h"
19
20 #include <library.h>
21 #include <utils/debug.h>
22
23 typedef struct private_ipsec_sa_t private_ipsec_sa_t;
24
25 /**
26 * Private additions to ipsec_sa_t.
27 */
28 struct private_ipsec_sa_t {
29
30 /**
31 * Public members
32 */
33 ipsec_sa_t public;
34
35 /**
36 * SPI of this SA
37 */
38 u_int32_t spi;
39
40 /**
41 * Source address
42 */
43 host_t *src;
44
45 /**
46 * Destination address
47 */
48 host_t *dst;
49
50 /**
51 * Protocol
52 */
53 u_int8_t protocol;
54
55 /**
56 * Reqid of this SA
57 */
58 u_int32_t reqid;
59
60 /**
61 * Lifetime configuration
62 */
63 lifetime_cfg_t lifetime;
64
65 /**
66 * IPsec mode
67 */
68 ipsec_mode_t mode;
69
70 /**
71 * TRUE if extended sequence numbers are used
72 */
73 bool esn;
74
75 /**
76 * TRUE if this is an inbound SA
77 */
78 bool inbound;
79
80 /**
81 * ESP context
82 */
83 esp_context_t *esp_context;
84
85 /**
86 * Usage statistics
87 */
88 struct {
89 /** last time of use */
90 time_t time;
91 /** number of packets processed */
92 u_int64_t packets;
93 /** number of bytes processed */
94 u_int64_t bytes;
95 } use;
96 };
97
98 METHOD(ipsec_sa_t, get_source, host_t*,
99 private_ipsec_sa_t *this)
100 {
101 return this->src;
102 }
103
104 METHOD(ipsec_sa_t, get_destination, host_t*,
105 private_ipsec_sa_t *this)
106 {
107 return this->dst;
108 }
109
110 METHOD(ipsec_sa_t, set_source, void,
111 private_ipsec_sa_t *this, host_t *addr)
112 {
113 this->src->destroy(this->src);
114 this->src = addr->clone(addr);
115 }
116
117 METHOD(ipsec_sa_t, set_destination, void,
118 private_ipsec_sa_t *this, host_t *addr)
119 {
120 this->dst->destroy(this->dst);
121 this->dst = addr->clone(addr);
122 }
123
124 METHOD(ipsec_sa_t, get_spi, u_int32_t,
125 private_ipsec_sa_t *this)
126 {
127 return this->spi;
128 }
129
130 METHOD(ipsec_sa_t, get_reqid, u_int32_t,
131 private_ipsec_sa_t *this)
132 {
133 return this->reqid;
134 }
135
136 METHOD(ipsec_sa_t, get_protocol, u_int8_t,
137 private_ipsec_sa_t *this)
138 {
139 return this->protocol;
140 }
141
142 METHOD(ipsec_sa_t, get_lifetime, lifetime_cfg_t*,
143 private_ipsec_sa_t *this)
144 {
145 return &this->lifetime;
146 }
147
148 METHOD(ipsec_sa_t, is_inbound, bool,
149 private_ipsec_sa_t *this)
150 {
151 return this->inbound;
152 }
153
154 METHOD(ipsec_sa_t, get_esp_context, esp_context_t*,
155 private_ipsec_sa_t *this)
156 {
157 return this->esp_context;
158 }
159
160 METHOD(ipsec_sa_t, get_usestats, void,
161 private_ipsec_sa_t *this, u_int64_t *bytes, u_int64_t *packets,
162 time_t *time)
163 {
164 if (bytes)
165 {
166 *bytes = this->use.bytes;
167 }
168 if (packets)
169 {
170 *packets = this->use.packets;
171 }
172 if (time)
173 {
174 *time = this->use.time;
175 }
176 }
177
178 METHOD(ipsec_sa_t, update_usestats, void,
179 private_ipsec_sa_t *this, u_int32_t bytes)
180 {
181 this->use.time = time_monotonic(NULL);
182 this->use.packets++;
183 this->use.bytes += bytes;
184 }
185
186 METHOD(ipsec_sa_t, match_by_spi_dst, bool,
187 private_ipsec_sa_t *this, u_int32_t spi, host_t *dst)
188 {
189 return this->spi == spi && this->dst->ip_equals(this->dst, dst);
190 }
191
192 METHOD(ipsec_sa_t, match_by_spi_src_dst, bool,
193 private_ipsec_sa_t *this, u_int32_t spi, host_t *src, host_t *dst)
194 {
195 return this->spi == spi && this->src->ip_equals(this->src, src) &&
196 this->dst->ip_equals(this->dst, dst);
197 }
198
199 METHOD(ipsec_sa_t, match_by_reqid, bool,
200 private_ipsec_sa_t *this, u_int32_t reqid, bool inbound)
201 {
202 return this->reqid == reqid && this->inbound == inbound;
203 }
204
205 METHOD(ipsec_sa_t, destroy, void,
206 private_ipsec_sa_t *this)
207 {
208 this->src->destroy(this->src);
209 this->dst->destroy(this->dst);
210 DESTROY_IF(this->esp_context);
211 free(this);
212 }
213
214 /**
215 * Described in header.
216 */
217 ipsec_sa_t *ipsec_sa_create(u_int32_t spi, host_t *src, host_t *dst,
218 u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
219 lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
220 u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
221 u_int16_t ipcomp, u_int16_t cpi, bool encap, bool esn, bool inbound,
222 traffic_selector_t *src_ts, traffic_selector_t *dst_ts)
223 {
224 private_ipsec_sa_t *this;
225
226 if (protocol != IPPROTO_ESP)
227 {
228 DBG1(DBG_ESP, " IPsec SA: protocol not supported");
229 return NULL;
230 }
231 if (!encap)
232 {
233 DBG1(DBG_ESP, " IPsec SA: only UDP encapsulation is supported");
234 return NULL;
235 }
236 if (esn)
237 {
238 DBG1(DBG_ESP, " IPsec SA: ESN not supported");
239 return NULL;
240 }
241 if (ipcomp != IPCOMP_NONE)
242 {
243 DBG1(DBG_ESP, " IPsec SA: compression not supported");
244 return NULL;
245 }
246 if (mode != MODE_TUNNEL)
247 {
248 DBG1(DBG_ESP, " IPsec SA: unsupported mode");
249 return NULL;
250 }
251
252 INIT(this,
253 .public = {
254 .destroy = _destroy,
255 .get_source = _get_source,
256 .get_destination = _get_destination,
257 .set_source = _set_source,
258 .set_destination = _set_destination,
259 .get_spi = _get_spi,
260 .get_reqid = _get_reqid,
261 .get_protocol = _get_protocol,
262 .get_lifetime = _get_lifetime,
263 .is_inbound = _is_inbound,
264 .match_by_spi_dst = _match_by_spi_dst,
265 .match_by_spi_src_dst = _match_by_spi_src_dst,
266 .match_by_reqid = _match_by_reqid,
267 .get_esp_context = _get_esp_context,
268 .get_usestats = _get_usestats,
269 .update_usestats = _update_usestats,
270 },
271 .spi = spi,
272 .src = src->clone(src),
273 .dst = dst->clone(dst),
274 .lifetime = *lifetime,
275 .protocol = protocol,
276 .reqid = reqid,
277 .mode = mode,
278 .esn = esn,
279 .inbound = inbound,
280 );
281
282 this->esp_context = esp_context_create(enc_alg, enc_key, int_alg, int_key,
283 inbound);
284 if (!this->esp_context)
285 {
286 destroy(this);
287 return NULL;
288 }
289 return &this->public;
290 }