libipsec: Support usage statistics and query_sa() on IPsec SAs
[strongswan.git] / src / libipsec / ipsec_sa.h
1 /*
2 * Copyright (C) 2012 Tobias Brunner
3 * Copyright (C) 2012 Giuliano Grassi
4 * Copyright (C) 2012 Ralf Sager
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 /**
19 * @defgroup ipsec_sa ipsec_sa
20 * @{ @ingroup libipsec
21 */
22
23 #ifndef IPSEC_SA_H_
24 #define IPSEC_SA_H_
25
26 #include "esp_context.h"
27
28 #include <library.h>
29 #include <networking/host.h>
30 #include <selectors/traffic_selector.h>
31 #include <ipsec/ipsec_types.h>
32
33 typedef struct ipsec_sa_t ipsec_sa_t;
34
/**
 * IPsec Security Association (SA)
 *
 * The interface is a table of function pointers; every method takes the SA
 * it operates on as its first argument (this).
 */
struct ipsec_sa_t {

	/**
	 * Get the source address for this SA
	 *
	 * NOTE(review): ownership of the returned host_t is not stated. Because
	 * set_source() clones its argument, this presumably returns a reference
	 * owned by the SA that must not be destroyed by the caller or used after
	 * set_source() or destroy() - confirm against the implementation.
	 *
	 * @return			source address of this SA
	 */
	host_t *(*get_source)(ipsec_sa_t *this);

	/**
	 * Get the destination address for this SA
	 *
	 * NOTE(review): ownership of the returned host_t is not stated; presumably
	 * the same rules as for get_source() apply - confirm.
	 *
	 * @return			destination address of this SA
	 */
	host_t *(*get_destination)(ipsec_sa_t *this);

	/**
	 * Set the source address for this SA
	 *
	 * The address is cloned, so the caller keeps ownership of addr.
	 *
	 * @param addr		source address of this SA (gets cloned)
	 */
	void (*set_source)(ipsec_sa_t *this, host_t *addr);

	/**
	 * Set the destination address for this SA
	 *
	 * The address is cloned, so the caller keeps ownership of addr.
	 *
	 * @param addr		destination address of this SA (gets cloned)
	 */
	void (*set_destination)(ipsec_sa_t *this, host_t *addr);

	/**
	 * Get the SPI for this SA
	 *
	 * NOTE(review): the byte order of the SPI (network or host) is not
	 * documented here - confirm before comparing it with a value read from a
	 * received packet.
	 *
	 * @return			SPI of this SA
	 */
	u_int32_t (*get_spi)(ipsec_sa_t *this);

	/**
	 * Get the reqid of this SA
	 *
	 * @return			reqid of this SA
	 */
	u_int32_t (*get_reqid)(ipsec_sa_t *this);

	/**
	 * Get the protocol (e.g. IPPROTO_ESP) of this SA
	 *
	 * @return			protocol of this SA
	 */
	u_int8_t (*get_protocol)(ipsec_sa_t *this);

	/**
	 * Returns whether this SA is inbound or outbound
	 *
	 * @return			TRUE if inbound, FALSE if outbound
	 */
	bool (*is_inbound)(ipsec_sa_t *this);

	/**
	 * Get the lifetime information for this SA
	 * Note that this information is always relative to the time when the
	 * SA was installed (i.e. it is not adjusted over time)
	 *
	 * A caller that enforces expiry therefore has to combine these values
	 * with the installation time and the usage statistics itself.
	 *
	 * @return			lifetime of this SA
	 */
	lifetime_cfg_t *(*get_lifetime)(ipsec_sa_t *this);

	/**
	 * Get the ESP context for this SA
	 *
	 * NOTE(review): esp_context_t is declared in esp_context.h; it presumably
	 * holds the per-SA cryptographic state, so the returned pointer should be
	 * treated as owned by the SA - confirm.
	 *
	 * @return			ESP context of this SA
	 */
	esp_context_t *(*get_esp_context)(ipsec_sa_t *this);

	/**
	 * Get usage statistics for this SA.
	 *
	 * Each output pointer is optional; pass NULL for values that are not
	 * needed.
	 *
	 * NOTE(review): whether this read is synchronized with update_usestats()
	 * is not visible in this header - confirm if packets are processed and
	 * statistics queried from different threads.
	 *
	 * @param bytes		receives number of processed bytes, or NULL
	 * @param packets	receives number of processed packets, or NULL
	 * @param time		receives last use time of this SA, or NULL
	 */
	void (*get_usestats)(ipsec_sa_t *this, u_int64_t *bytes, u_int64_t *packets,
						 time_t *time);

	/**
	 * Record en/decryption of a packet to update usage statistics.
	 *
	 * One call accounts for one processed packet.
	 *
	 * NOTE(review): if byte or packet lifetimes are enforced from these
	 * counters, every en/decryption path has to call this, otherwise an SA
	 * could stay in use beyond its limits - confirm in the callers.
	 *
	 * @param bytes		length of packet processed
	 */
	void (*update_usestats)(ipsec_sa_t *this, u_int32_t bytes);

	/**
	 * Check if this SA matches all given parameters
	 *
	 * @param spi		SPI
	 * @param dst		destination address
	 * @return			TRUE if this SA matches all parameters, FALSE otherwise
	 */
	bool (*match_by_spi_dst)(ipsec_sa_t *this, u_int32_t spi, host_t *dst);

	/**
	 * Check if this SA matches all given parameters
	 *
	 * @param spi		SPI
	 * @param src		source address
	 * @param dst		destination address
	 * @return			TRUE if this SA matches all parameters, FALSE otherwise
	 */
	bool (*match_by_spi_src_dst)(ipsec_sa_t *this, u_int32_t spi, host_t *src,
								 host_t *dst);

	/**
	 * Check if this SA matches all given parameters
	 *
	 * @param reqid		reqid
	 * @param inbound	TRUE for inbound SA, FALSE for outbound
	 * @return			TRUE if this SA matches all parameters, FALSE otherwise
	 */
	bool (*match_by_reqid)(ipsec_sa_t *this, u_int32_t reqid, bool inbound);

	/**
	 * Destroy an ipsec_sa_t
	 *
	 * NOTE(review): the SA is created from key material (see
	 * ipsec_sa_create()); whether destruction wipes that material from memory
	 * is not visible in this header - confirm in the implementation.
	 */
	void (*destroy)(ipsec_sa_t *this);

};
164
/**
 * Create an ipsec_sa_t instance
 *
 * Only a restricted configuration is supported: ESP as protocol, tunnel mode,
 * UDP encapsulation enabled, no IPComp, no TFC and no Extended Sequence
 * Numbers. The mark and cpi arguments are ignored.
 *
 * The function returns NULL on failure, so callers must check the result
 * before using it.
 *
 * NOTE(review): src and dst are documented as cloned, but nothing is said
 * about enc_key, int_key, lifetime, src_ts and dst_ts. Confirm whether the SA
 * copies them or keeps references, and who is responsible for wiping the key
 * chunks after the call.
 *
 * NOTE(review): with esn unsupported the ESP sequence number is 32 bits wide,
 * so the packet limits in lifetime should presumably force a rekey before it
 * can wrap - confirm how the lifetime is enforced.
 *
 * @param spi		SPI for this SA
 * @param src		source address for this SA (gets cloned)
 * @param dst		destination address for this SA (gets cloned)
 * @param protocol	protocol for this SA (only ESP is supported)
 * @param reqid		reqid for this SA
 * @param mark		mark for this SA (ignored)
 * @param tfc		Traffic Flow Confidentiality (currently not supported)
 * @param lifetime	lifetime for this SA
 * @param enc_alg	encryption algorithm for this SA
 * @param enc_key	encryption key for this SA
 * @param int_alg	integrity protection algorithm
 * @param int_key	integrity protection key
 * @param mode		mode for this SA (only tunnel mode is supported)
 * @param ipcomp	IPcomp transform (not supported, use IPCOMP_NONE)
 * @param cpi		CPI for IPcomp (ignored)
 * @param encap		enable UDP encapsulation (must be TRUE)
 * @param esn		Extended Sequence Numbers (currently not supported)
 * @param inbound	TRUE if this is an inbound SA, FALSE otherwise
 * @param src_ts	source traffic selector
 * @param dst_ts	destination traffic selector
 * @return			the IPsec SA, or NULL if the creation failed
 */
ipsec_sa_t *ipsec_sa_create(u_int32_t spi, host_t *src, host_t *dst,
							u_int8_t protocol, u_int32_t reqid, mark_t mark,
							u_int32_t tfc, lifetime_cfg_t *lifetime,
							u_int16_t enc_alg, chunk_t enc_key,
							u_int16_t int_alg, chunk_t int_key,
							ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
							bool encap, bool esn, bool inbound,
							traffic_selector_t *src_ts,
							traffic_selector_t *dst_ts);
199
200 #endif /** IPSEC_SA_H_ @}*/