1 /*
2 * Copyright (C) 2012 Tobias Brunner
3 * Copyright (C) 2012 Giuliano Grassi
4 * Copyright (C) 2012 Ralf Sager
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 /**
19 * @defgroup ipsec_sa ipsec_sa
20 * @{ @ingroup libipsec
21 */
22
23 #ifndef IPSEC_SA_H_
24 #define IPSEC_SA_H_
25
26 #include "esp_context.h"
27
28 #include <library.h>
29 #include <utils/host.h>
30 #include <selectors/traffic_selector.h>
31 #include <ipsec/ipsec_types.h>
32
typedef struct ipsec_sa_t ipsec_sa_t;

/**
 * IPsec Security Association (SA)
 *
 * One instance describes a single unidirectional ESP SA as installed by
 * ipsec_sa_create(): the endpoint addresses, SPI, reqid, direction, lifetime
 * and the ESP context that carries the cryptographic state for the SA.
 * All methods are read-only accessors or predicates except destroy().
 *
 * NOTE(review): the header does not state the threading contract. An SA
 * that is shared between a packet-processing thread and a management
 * thread must be protected by the owner (e.g. the SA manager) - confirm
 * against ipsec_sa.c / ipsec_sa_mgr.c before relying on concurrent access.
 */
struct ipsec_sa_t {

	/**
	 * Get the source address for this SA
	 *
	 * The SA keeps its own copy of the address (ipsec_sa_create() clones
	 * src); the returned object is presumably that internal copy and must
	 * not be destroyed or modified by the caller - TODO confirm.
	 *
	 * @return source address of this SA
	 */
	host_t *(*get_source)(ipsec_sa_t *this);

	/**
	 * Get the destination address for this SA
	 *
	 * As with get_source(), the returned host_t is presumably owned by the
	 * SA and stays valid only as long as the SA - TODO confirm.
	 *
	 * @return destination address of this SA
	 */
	host_t *(*get_destination)(ipsec_sa_t *this);

	/**
	 * Get the SPI for this SA
	 *
	 * The SPI is returned exactly as it was supplied to ipsec_sa_create();
	 * the byte order is not defined by this header, so compare it only
	 * against values obtained the same way (or use match_by_spi_dst()).
	 *
	 * @return SPI of this SA
	 */
	u_int32_t (*get_spi)(ipsec_sa_t *this);

	/**
	 * Get the reqid of this SA
	 *
	 * The reqid ties this SA to the policies it was installed for; both
	 * directions of one CHILD_SA share it, so it identifies an SA pair,
	 * not a single SA (see match_by_reqid(), which also takes the direction).
	 *
	 * @return reqid of this SA
	 */
	u_int32_t (*get_reqid)(ipsec_sa_t *this);

	/**
	 * Get the protocol (e.g. IPPROTO_ESP) of this SA
	 *
	 * Only ESP is supported by ipsec_sa_create(), so in practice this is
	 * always IPPROTO_ESP for a successfully created SA.
	 *
	 * @return protocol of this SA
	 */
	u_int8_t (*get_protocol)(ipsec_sa_t *this);

	/**
	 * Returns whether this SA is inbound or outbound
	 *
	 * @return TRUE if inbound, FALSE if outbound
	 */
	bool (*is_inbound)(ipsec_sa_t *this);

	/**
	 * Get the lifetime information for this SA
	 * Note that this information is always relative to the time when the
	 * SA was installed (i.e. it is not adjusted over time)
	 *
	 * Callers that want to know the remaining lifetime therefore have to
	 * track the installation time themselves; this SA does not expire or
	 * rekey itself.
	 *
	 * @return lifetime of this SA
	 */
	lifetime_cfg_t *(*get_lifetime)(ipsec_sa_t *this);

	/**
	 * Get the ESP context for this SA
	 *
	 * The context holds the per-SA ESP state (see esp_context.h). The
	 * returned pointer is presumably owned by the SA and released by
	 * destroy(); callers must not destroy it themselves - TODO confirm.
	 *
	 * @return ESP context of this SA
	 */
	esp_context_t *(*get_esp_context)(ipsec_sa_t *this);

	/**
	 * Check if this SA matches all given parameters
	 *
	 * Intended for looking up the SA an incoming ESP packet belongs to,
	 * which is identified by its SPI and destination address.
	 *
	 * NOTE(review): neither the protocol nor the direction is part of this
	 * match. If a caller keeps inbound and outbound SAs in the same
	 * collection, an SPI collision between an inbound and an outbound SA
	 * with the same destination would match both; check is_inbound() in
	 * addition where that matters - confirm against the SA manager.
	 *
	 * @param spi SPI
	 * @param dst destination address
	 * @return TRUE if this SA matches all parameters, FALSE otherwise
	 */
	bool (*match_by_spi_dst)(ipsec_sa_t *this, u_int32_t spi, host_t *dst);

	/**
	 * Check if this SA matches all given parameters
	 *
	 * Stricter variant of match_by_spi_dst() that additionally requires
	 * the source address to match; suitable for identifying a specific
	 * SA for update or deletion.
	 *
	 * @param spi SPI
	 * @param src source address
	 * @param dst destination address
	 * @return TRUE if this SA matches all parameters, FALSE otherwise
	 */
	bool (*match_by_spi_src_dst)(ipsec_sa_t *this, u_int32_t spi, host_t *src,
								 host_t *dst);

	/**
	 * Check if this SA matches all given parameters
	 *
	 * Since a reqid is shared by both SAs of a pair, the direction is
	 * required to select exactly one of them.
	 *
	 * @param reqid reqid
	 * @param inbound TRUE for inbound SA, FALSE for outbound
	 * @return TRUE if this SA matches all parameters, FALSE otherwise
	 */
	bool (*match_by_reqid)(ipsec_sa_t *this, u_int32_t reqid, bool inbound);

	/**
	 * Destroy an ipsec_sa_t
	 *
	 * Releases everything the SA owns (addresses, lifetime, ESP context).
	 * NOTE(review): the ESP context carries the SA's key material; confirm
	 * in ipsec_sa.c / esp_context.c that it is wiped, not merely freed.
	 */
	void (*destroy)(ipsec_sa_t *this);

};
133
/**
 * Create an ipsec_sa_t instance
 *
 * Several parameters exist only for interface compatibility and are either
 * ignored or restricted to a single supported value (see the individual
 * notes below). Creation presumably fails (returns NULL) when an
 * unsupported value is passed for one of the restricted parameters, in
 * addition to failures such as an unusable algorithm/key combination -
 * TODO confirm the exact failure conditions in ipsec_sa.c.
 *
 * NOTE(review): this header does not say whether enc_key and int_key are
 * copied. Until ipsec_sa.c confirms it, callers should not free or reuse
 * the key buffers while the SA is alive, and should wipe their own copies
 * (chunk_clear()) once they no longer need them, since the chunks are
 * secret key material.
 *
 * @param spi SPI for this SA
 * @param src source address for this SA (gets cloned)
 * @param dst destination address for this SA (gets cloned)
 * @param protocol protocol for this SA (only ESP is supported)
 * @param reqid reqid for this SA
 * @param mark mark for this SA (ignored)
 * @param tfc Traffic Flow Confidentiality (currently not supported)
 * @param lifetime lifetime for this SA
 * @param enc_alg encryption algorithm for this SA
 * @param enc_key encryption key for this SA
 * @param int_alg integrity protection algorithm
 * @param int_key integrity protection key
 * @param mode mode for this SA (only tunnel mode is supported)
 * @param ipcomp IPcomp transform (not supported, use IPCOMP_NONE)
 * @param cpi CPI for IPcomp (ignored)
 * @param encap enable UDP encapsulation (must be TRUE)
 * @param esn Extended Sequence Numbers (currently not supported, i.e. the
 *            SA uses 32-bit sequence numbers only)
 * @param inbound TRUE if this is an inbound SA, FALSE otherwise
 * @param src_ts source traffic selector
 * @param dst_ts destination traffic selector
 * @return the IPsec SA, or NULL if the creation failed
 */
ipsec_sa_t *ipsec_sa_create(u_int32_t spi, host_t *src, host_t *dst,
							u_int8_t protocol, u_int32_t reqid, mark_t mark,
							u_int32_t tfc, lifetime_cfg_t *lifetime,
							u_int16_t enc_alg, chunk_t enc_key,
							u_int16_t int_alg, chunk_t int_key,
							ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
							bool encap, bool esn, bool inbound,
							traffic_selector_t *src_ts,
							traffic_selector_t *dst_ts);
168
169 #endif /** IPSEC_SA_H_ @}*/