1 /*
2 * Copyright (C) 2012 Tobias Brunner
3 * Copyright (C) 2012 Giuliano Grassi
4 * Copyright (C) 2012 Ralf Sager
5 * HSR Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 /**
19 * @defgroup ipsec_sa ipsec_sa
20 * @{ @ingroup libipsec
21 */
22
23 #ifndef IPSEC_SA_H_
24 #define IPSEC_SA_H_
25
26 #include "esp_context.h"
27
28 #include <library.h>
29 #include <networking/host.h>
30 #include <selectors/traffic_selector.h>
31 #include <ipsec/ipsec_types.h>
32
/** Forward declaration of the SA interface type; the struct is defined below. */
typedef struct ipsec_sa_t ipsec_sa_t;
34
/**
 * IPsec Security Association (SA)
 *
 * Object-style interface: every member is a function pointer that takes the
 * SA itself as first argument. Instances are created with ipsec_sa_create()
 * and released with destroy().
 */
struct ipsec_sa_t {

	/**
	 * Get the source address for this SA
	 *
	 * NOTE(review): ownership of the returned host_t is not documented here;
	 * presumably it stays with the SA and must be cloned by callers that keep
	 * it beyond the SA's lifetime - confirm against the implementation.
	 *
	 * @return			source address of this SA
	 */
	host_t *(*get_source)(ipsec_sa_t *this);

	/**
	 * Get the destination address for this SA
	 *
	 * NOTE(review): same ownership caveat as get_source().
	 *
	 * @return			destination address of this SA
	 */
	host_t *(*get_destination)(ipsec_sa_t *this);

	/**
	 * Set the source address for this SA
	 *
	 * @param addr		source address of this SA (gets cloned, so the caller
	 *					keeps ownership of addr)
	 */
	void (*set_source)(ipsec_sa_t *this, host_t *addr);

	/**
	 * Set the destination address for this SA
	 *
	 * @param addr		destination address of this SA (gets cloned, so the
	 *					caller keeps ownership of addr)
	 */
	void (*set_destination)(ipsec_sa_t *this, host_t *addr);

	/**
	 * Get the SPI for this SA
	 *
	 * @return			SPI of this SA
	 */
	uint32_t (*get_spi)(ipsec_sa_t *this);

	/**
	 * Get the reqid of this SA
	 *
	 * @return			reqid of this SA
	 */
	uint32_t (*get_reqid)(ipsec_sa_t *this);

	/**
	 * Get the protocol (e.g. IPPROTO_ESP) of this SA
	 *
	 * @return			protocol of this SA
	 */
	uint8_t (*get_protocol)(ipsec_sa_t *this);

	/**
	 * Returns whether this SA is inbound or outbound
	 *
	 * @return			TRUE if inbound, FALSE if outbound
	 */
	bool (*is_inbound)(ipsec_sa_t *this);

	/**
	 * Get the lifetime information for this SA
	 *
	 * Note that this information is always relative to the time when the
	 * SA was installed (i.e. it is not adjusted over time), so a caller
	 * interested in the remaining lifetime has to account for the elapsed
	 * time itself.
	 *
	 * @return			lifetime of this SA
	 */
	lifetime_cfg_t *(*get_lifetime)(ipsec_sa_t *this);

	/**
	 * Get the ESP context for this SA
	 *
	 * @return			ESP context of this SA
	 */
	esp_context_t *(*get_esp_context)(ipsec_sa_t *this);

	/**
	 * Get usage statistics for this SA.
	 *
	 * Each output pointer may be NULL if the caller is not interested in
	 * that particular value.
	 *
	 * @param bytes		receives number of processed bytes, or NULL
	 * @param packets	receives number of processed packets, or NULL
	 * @param time		receives last use time of this SA, or NULL
	 */
	void (*get_usestats)(ipsec_sa_t *this, uint64_t *bytes, uint64_t *packets,
						 time_t *time);

	/**
	 * Record en/decryption of a packet to update usage statistics.
	 *
	 * @param bytes		length of packet processed
	 */
	void (*update_usestats)(ipsec_sa_t *this, uint32_t bytes);

	/**
	 * Expire this SA, soft or hard.
	 *
	 * A soft expire triggers a rekey, a hard expire blocks the SA and
	 * triggers a delete for the SA. The match_*() methods documented as
	 * honouring expiry presumably stop matching once the SA is expired -
	 * confirm which kind of expire that refers to.
	 *
	 * @param hard		TRUE for hard, FALSE for soft
	 */
	void (*expire)(ipsec_sa_t *this, bool hard);

	/**
	 * Check if this SA matches all given parameters
	 *
	 * Only matches if the SA has not yet expired.
	 *
	 * @param spi		SPI
	 * @param dst		destination address
	 * @return			TRUE if this SA matches all parameters, FALSE otherwise
	 */
	bool (*match_by_spi_dst)(ipsec_sa_t *this, uint32_t spi, host_t *dst);

	/**
	 * Check if this SA matches all given parameters
	 *
	 * NOTE(review): unlike match_by_spi_dst() and match_by_reqid(), no
	 * "not yet expired" condition is documented for this method; confirm
	 * whether an expired SA can still be matched here and state it either way.
	 *
	 * @param spi		SPI
	 * @param src		source address
	 * @param dst		destination address
	 * @return			TRUE if this SA matches all parameters, FALSE otherwise
	 */
	bool (*match_by_spi_src_dst)(ipsec_sa_t *this, uint32_t spi, host_t *src,
								 host_t *dst);

	/**
	 * Check if this SA matches all given parameters
	 *
	 * Only matches if the SA has not yet expired.
	 *
	 * @param reqid		reqid
	 * @param inbound	TRUE for inbound SA, FALSE for outbound
	 * @return			TRUE if this SA matches all parameters, FALSE otherwise
	 */
	bool (*match_by_reqid)(ipsec_sa_t *this, uint32_t reqid, bool inbound);

	/**
	 * Destroy an ipsec_sa_t
	 *
	 * The object must not be used after this call.
	 */
	void (*destroy)(ipsec_sa_t *this);

};
178
/**
 * Create an ipsec_sa_t instance
 *
 * Several parameters are ignored or restricted by this implementation, as
 * noted per parameter below; presumably an unsupported value (e.g. a
 * non-ESP protocol, a non-tunnel mode, or encap == FALSE) makes creation
 * fail and NULL is returned - confirm against the implementation.
 *
 * NOTE(review): ownership of enc_key, int_key and lifetime is not
 * documented; confirm whether the key chunks are copied (so the caller may
 * wipe its own copy after this call) or referenced by the SA.
 *
 * @param spi			SPI for this SA
 * @param src			source address for this SA (gets cloned)
 * @param dst			destination address for this SA (gets cloned)
 * @param protocol		protocol for this SA (only ESP is supported)
 * @param reqid			reqid for this SA
 * @param mark			mark for this SA (ignored)
 * @param tfc			Traffic Flow Confidentiality (currently not supported)
 * @param lifetime		lifetime for this SA
 * @param enc_alg		encryption algorithm for this SA
 * @param enc_key		encryption key for this SA
 * @param int_alg		integrity protection algorithm
 * @param int_key		integrity protection key
 * @param mode			mode for this SA (only tunnel mode is supported)
 * @param ipcomp		IPcomp transform (not supported, use IPCOMP_NONE)
 * @param cpi			CPI for IPcomp (ignored)
 * @param encap			enable UDP encapsulation (must be TRUE)
 * @param esn			Extended Sequence Numbers (currently not supported)
 * @param inbound		TRUE if this is an inbound SA, FALSE otherwise
 * @return				the IPsec SA, or NULL if the creation failed
 */
ipsec_sa_t *ipsec_sa_create(uint32_t spi, host_t *src, host_t *dst,
							uint8_t protocol, uint32_t reqid, mark_t mark,
							uint32_t tfc, lifetime_cfg_t *lifetime,
							uint16_t enc_alg, chunk_t enc_key,
							uint16_t int_alg, chunk_t int_key,
							ipsec_mode_t mode, uint16_t ipcomp, uint16_t cpi,
							bool encap, bool esn, bool inbound);
209
210 #endif /** IPSEC_SA_H_ @}*/