2 * Copyright (C) 2012 Tobias Brunner
3 * Copyright (C) 2012 Giuliano Grassi
4 * Copyright (C) 2012 Ralf Sager
5 * Hochschule fuer Technik Rapperswil
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
19 * @defgroup ipsec_sa ipsec_sa
20 * @{ @ingroup libipsec
26 #include "esp_context.h"
29 #include <networking/host.h>
30 #include <selectors/traffic_selector.h>
31 #include <ipsec/ipsec_types.h>
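typedef struct ipsec_sa_t ipsec_sa_t;

/**
 * IPsec Security Association (SA)
 *
 * State of a single SA handled by libipsec: endpoint addresses, SPI, reqid,
 * protocol, direction, lifetime, the ESP context and usage counters. The
 * match_by_*() methods let an SA manager select an SA by the identifiers a
 * received packet or a policy lookup provides.
 *
 * NOTE(review): the header does not say whether the hosts returned by
 * get_source()/get_destination() and the lifetime returned by get_lifetime()
 * are owned by the SA; assume they are and must not be destroyed by the
 * caller - confirm against the implementation.
 */
struct ipsec_sa_t {

	/**
	 * Get the source address for this SA
	 *
	 * @return		source address of this SA
	 */
	host_t *(*get_source)(ipsec_sa_t *this);

	/**
	 * Get the destination address for this SA
	 *
	 * @return		destination address of this SA
	 */
	host_t *(*get_destination)(ipsec_sa_t *this);

	/**
	 * Set the source address for this SA
	 *
	 * @param addr	source address of this SA (gets cloned, caller keeps addr)
	 */
	void (*set_source)(ipsec_sa_t *this, host_t *addr);

	/**
	 * Set the destination address for this SA
	 *
	 * @param addr	destination address of this SA (gets cloned, caller keeps addr)
	 */
	void (*set_destination)(ipsec_sa_t *this, host_t *addr);

	/**
	 * Get the SPI for this SA
	 *
	 * @return		SPI of this SA
	 */
	u_int32_t (*get_spi)(ipsec_sa_t *this);

	/**
	 * Get the reqid of this SA
	 *
	 * @return		reqid of this SA
	 */
	u_int32_t (*get_reqid)(ipsec_sa_t *this);

	/**
	 * Get the protocol (e.g. IPPROTO_ESP) of this SA
	 *
	 * @return		protocol of this SA
	 */
	u_int8_t (*get_protocol)(ipsec_sa_t *this);

	/**
	 * Returns whether this SA is inbound or outbound
	 *
	 * @return		TRUE if inbound, FALSE if outbound
	 */
	bool (*is_inbound)(ipsec_sa_t *this);

	/**
	 * Get the lifetime information for this SA
	 *
	 * Note that this information is always relative to the time when the
	 * SA was installed (i.e. it is not adjusted over time). A caller that
	 * enforces soft/hard limits therefore has to combine it with the
	 * install time and the counters from get_usestats() itself.
	 *
	 * @return		lifetime of this SA
	 */
	lifetime_cfg_t *(*get_lifetime)(ipsec_sa_t *this);

	/**
	 * Get the ESP context for this SA
	 *
	 * NOTE(review): presumably the ESP context holds the transform state
	 * (keys, sequence numbers) of this SA - see esp_context.h.
	 *
	 * @return		ESP context of this SA
	 */
	esp_context_t *(*get_esp_context)(ipsec_sa_t *this);

	/**
	 * Get usage statistics for this SA.
	 *
	 * Each output pointer may be NULL if the caller is not interested in
	 * that value.
	 *
	 * @param bytes		receives number of processed bytes, or NULL
	 * @param packets	receives number of processed packets, or NULL
	 * @param time		receives last use time of this SA, or NULL
	 */
	void (*get_usestats)(ipsec_sa_t *this, u_int64_t *bytes, u_int64_t *packets,
						 time_t *time);

	/**
	 * Record en/decryption of a packet to update usage statistics.
	 *
	 * The per-call increment is 32-bit (one packet), the accumulated
	 * counters reported by get_usestats() are 64-bit.
	 *
	 * @param bytes		length of packet processed
	 */
	void (*update_usestats)(ipsec_sa_t *this, u_int32_t bytes);

	/**
	 * Check if this SA matches all given parameters
	 *
	 * SPI and destination address are the identifiers carried by a received
	 * ESP packet, so this is the lookup an inbound SA selection would use.
	 *
	 * @param spi		SPI
	 * @param dst		destination address
	 * @return			TRUE if this SA matches all parameters, FALSE otherwise
	 */
	bool (*match_by_spi_dst)(ipsec_sa_t *this, u_int32_t spi, host_t *dst);

	/**
	 * Check if this SA matches all given parameters
	 *
	 * @param spi		SPI
	 * @param src		source address
	 * @param dst		destination address
	 * @return			TRUE if this SA matches all parameters, FALSE otherwise
	 */
	bool (*match_by_spi_src_dst)(ipsec_sa_t *this, u_int32_t spi, host_t *src,
								 host_t *dst);

	/**
	 * Check if this SA matches all given parameters
	 *
	 * @param reqid		reqid
	 * @param inbound	TRUE for inbound SA, FALSE for outbound
	 * @return			TRUE if this SA matches all parameters, FALSE otherwise
	 */
	bool (*match_by_reqid)(ipsec_sa_t *this, u_int32_t reqid, bool inbound);

	/**
	 * Destroy an ipsec_sa_t
	 *
	 * NOTE(review): whether the ESP context and the key material it holds
	 * are wiped on destruction is not visible here - confirm in the
	 * implementation, this is where keys should be zeroized.
	 */
	void (*destroy)(ipsec_sa_t *this);
};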
/**
 * Create an ipsec_sa_t instance
 *
 * libipsec implements only a subset of the kernel SA parameters: the SA has
 * to be ESP in tunnel mode with UDP encapsulation, without IPcomp, TFC
 * padding or Extended Sequence Numbers. mark and cpi are accepted for
 * interface compatibility only and are ignored.
 *
 * NOTE(review): the header does not state whether enc_key and int_key are
 * cloned by the SA or whether the caller stays responsible for clearing the
 * key buffers; confirm against the implementation before freeing or reusing
 * them.
 *
 * @param spi		SPI for this SA
 * @param src		source address for this SA (gets cloned)
 * @param dst		destination address for this SA (gets cloned)
 * @param protocol	protocol for this SA (only ESP is supported)
 * @param reqid		reqid for this SA
 * @param mark		mark for this SA (ignored)
 * @param tfc		Traffic Flow Confidentiality (currently not supported)
 * @param lifetime	lifetime for this SA
 * @param enc_alg	encryption algorithm for this SA
 * @param enc_key	encryption key for this SA
 * @param int_alg	integrity protection algorithm
 * @param int_key	integrity protection key
 * @param mode		mode for this SA (only tunnel mode is supported)
 * @param ipcomp	IPcomp transform (not supported, use IPCOMP_NONE)
 * @param cpi		CPI for IPcomp (ignored)
 * @param encap		enable UDP encapsulation (must be TRUE)
 * @param esn		Extended Sequence Numbers (currently not supported)
 * @param inbound	TRUE if this is an inbound SA, FALSE otherwise
 * @param src_ts	source traffic selector
 * @param dst_ts	destination traffic selector
 * @return			the IPsec SA, or NULL if the creation failed
 */
ipsec_sa_t *ipsec_sa_create(u_int32_t spi,
							host_t *src,
							host_t *dst,
							u_int8_t protocol,
							u_int32_t reqid,
							mark_t mark,
							u_int32_t tfc,
							lifetime_cfg_t *lifetime,
							u_int16_t enc_alg,
							chunk_t enc_key,
							u_int16_t int_alg,
							chunk_t int_key,
							ipsec_mode_t mode,
							u_int16_t ipcomp,
							u_int16_t cpi,
							bool encap,
							bool esn,
							bool inbound,
							traffic_selector_t *src_ts,
							traffic_selector_t *dst_ts);
200 #endif /** IPSEC_SA_H_ @}*/