Class representing an IPsec SA added
authorTobias Brunner <tobias@strongswan.org>
Fri, 13 Jul 2012 09:06:35 +0000 (11:06 +0200)
committerTobias Brunner <tobias@strongswan.org>
Wed, 8 Aug 2012 13:41:02 +0000 (15:41 +0200)
The IPsec SA also manages the respective ESP context.

src/libipsec/Android.mk
src/libipsec/Makefile.am
src/libipsec/ipsec_sa.c [new file with mode: 0644]
src/libipsec/ipsec_sa.h [new file with mode: 0644]

index c4cf92d..2c1c1cc 100644 (file)
@@ -5,7 +5,8 @@ include $(CLEAR_VARS)
 LOCAL_SRC_FILES := \
 ipsec.c ipsec.h \
 esp_context.c esp_context.h \
-esp_packet.c esp_packet.h
+esp_packet.c esp_packet.h \
+ipsec_sa.c ipsec_sa.h
 
 # build libipsec ---------------------------------------------------------------
 
index 128de7a..6558496 100644 (file)
@@ -3,7 +3,8 @@ ipseclib_LTLIBRARIES = libipsec.la
 libipsec_la_SOURCES = \
 ipsec.c ipsec.h \
 esp_context.c esp_context.h \
-esp_packet.c esp_packet.h
+esp_packet.c esp_packet.h \
+ipsec_sa.c ipsec_sa.h
 
 libipsec_la_LIBADD =
 
diff --git a/src/libipsec/ipsec_sa.c b/src/libipsec/ipsec_sa.c
new file mode 100644 (file)
index 0000000..02fa813
--- /dev/null
@@ -0,0 +1,212 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+#include "ipsec_sa.h"
+
+#include <library.h>
+#include <debug.h>
+
+typedef struct private_ipsec_sa_t private_ipsec_sa_t;
+
+/**
+ * Private additions to ipsec_sa_t.
+ */
+struct private_ipsec_sa_t {
+
+       /**
+        * Public members
+        */
+       ipsec_sa_t public;
+
+       /**
+        * SPI of this SA
+        */
+       u_int32_t spi;
+
+       /**
+        * Source address
+        */
+       host_t *src;
+
+       /**
+        * Destination address
+        */
+       host_t *dst;
+
+       /**
+        * Protocol
+        */
+       u_int8_t protocol;
+
+       /**
+        * Reqid of this SA
+        */
+       u_int32_t reqid;
+
+       /**
+        * Lifetime configuration
+        */
+       lifetime_cfg_t lifetime;
+
+       /**
+        * IPsec mode
+        */
+       ipsec_mode_t mode;
+
+       /**
+        * TRUE if extended sequence numbers are used
+        */
+       bool esn;
+
+       /**
+        * TRUE if this is an inbound SA
+        */
+       bool inbound;
+
+       /**
+        * ESP context
+        */
+       esp_context_t *esp_context;
+};
+
+METHOD(ipsec_sa_t, get_source, host_t*,
+       private_ipsec_sa_t *this)
+{
+       return this->src;
+}
+
+METHOD(ipsec_sa_t, get_destination, host_t*,
+       private_ipsec_sa_t *this)
+{
+       return this->dst;
+}
+
+METHOD(ipsec_sa_t, get_spi, u_int32_t,
+       private_ipsec_sa_t *this)
+{
+       return this->spi;
+}
+
+METHOD(ipsec_sa_t, get_reqid, u_int32_t,
+       private_ipsec_sa_t *this)
+{
+       return this->reqid;
+}
+
+METHOD(ipsec_sa_t, get_protocol, u_int8_t,
+       private_ipsec_sa_t *this)
+{
+       return this->protocol;
+}
+
+METHOD(ipsec_sa_t, get_lifetime, lifetime_cfg_t*,
+       private_ipsec_sa_t *this)
+{
+       return &this->lifetime;
+}
+
+METHOD(ipsec_sa_t, is_inbound, bool,
+       private_ipsec_sa_t *this)
+{
+       return this->inbound;
+}
+
+METHOD(ipsec_sa_t, get_esp_context, esp_context_t*,
+       private_ipsec_sa_t *this)
+{
+       return this->esp_context;
+}
+
+METHOD(ipsec_sa_t, destroy, void,
+       private_ipsec_sa_t *this)
+{
+       this->src->destroy(this->src);
+       this->dst->destroy(this->dst);
+       DESTROY_IF(this->esp_context);
+       free(this);
+}
+
+/**
+ * Described in header.
+ */
+ipsec_sa_t *ipsec_sa_create(u_int32_t spi, host_t *src, host_t *dst,
+               u_int8_t protocol, u_int32_t reqid, mark_t mark, u_int32_t tfc,
+               lifetime_cfg_t *lifetime, u_int16_t enc_alg, chunk_t enc_key,
+               u_int16_t int_alg, chunk_t int_key, ipsec_mode_t mode,
+               u_int16_t ipcomp, u_int16_t cpi, bool encap, bool esn, bool inbound,
+               traffic_selector_t *src_ts,     traffic_selector_t *dst_ts)
+{
+       private_ipsec_sa_t *this;
+
+       if (protocol != IPPROTO_ESP)
+       {
+               DBG1(DBG_ESP, "  IPsec SA: protocol not supported");
+               return NULL;
+       }
+       if (!encap)
+       {
+               DBG1(DBG_ESP, "  IPsec SA: only UDP encapsulation is supported");
+               return NULL;
+       }
+       if (esn)
+       {
+               DBG1(DBG_ESP, "  IPsec SA: ESN not supported");
+               return NULL;
+       }
+       if (ipcomp != IPCOMP_NONE)
+       {
+               DBG1(DBG_ESP, "  IPsec SA: compression not supported");
+               return NULL;
+       }
+       if (mode != MODE_TUNNEL)
+       {
+               DBG1(DBG_ESP, "  IPsec SA: unsupported mode");
+               return NULL;
+       }
+
+       INIT(this,
+               .public = {
+                       .destroy = _destroy,
+                       .get_source = _get_source,
+                       .get_destination = _get_destination,
+                       .get_spi = _get_spi,
+                       .get_reqid = _get_reqid,
+                       .get_protocol = _get_protocol,
+                       .get_lifetime = _get_lifetime,
+                       .is_inbound = _is_inbound,
+                       .get_esp_context = _get_esp_context,
+               },
+               .spi = spi,
+               .src = src->clone(src),
+               .dst = dst->clone(dst),
+               .lifetime = *lifetime,
+               .protocol = protocol,
+               .reqid = reqid,
+               .mode = mode,
+               .esn = esn,
+               .inbound = inbound,
+       );
+
+       this->esp_context = esp_context_create(enc_alg, enc_key, int_alg, int_key,
+                                                                                  inbound);
+       if (!this->esp_context)
+       {
+               destroy(this);
+               return NULL;
+       }
+       return &this->public;
+}
diff --git a/src/libipsec/ipsec_sa.h b/src/libipsec/ipsec_sa.h
new file mode 100644 (file)
index 0000000..5cf559a
--- /dev/null
@@ -0,0 +1,140 @@
+/*
+ * Copyright (C) 2012 Tobias Brunner
+ * Copyright (C) 2012 Giuliano Grassi
+ * Copyright (C) 2012 Ralf Sager
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
+ * for more details.
+ */
+
+/**
+ * @defgroup ipsec_sa ipsec_sa
+ * @{ @ingroup libipsec
+ */
+
+#ifndef IPSEC_SA_H_
+#define IPSEC_SA_H_
+
+#include "esp_context.h"
+
+#include <library.h>
+#include <utils/host.h>
+#include <selectors/traffic_selector.h>
+#include <ipsec/ipsec_types.h>
+
+typedef struct ipsec_sa_t ipsec_sa_t;
+
+/**
+ * IPsec Security Association (SA)
+ */
+struct ipsec_sa_t {
+
+       /**
+        * Get the source address for this SA
+        *
+        * @return                      source address of this SA
+        */
+       host_t *(*get_source)(ipsec_sa_t *this);
+
+       /**
+        * Get the destination address for this SA
+        *
+        * @return                      destination address of this SA
+        */
+       host_t *(*get_destination)(ipsec_sa_t *this);
+
+       /**
+        * Get the SPI for this SA
+        *
+        * @return                      SPI of this SA
+        */
+       u_int32_t (*get_spi)(ipsec_sa_t *this);
+
+       /**
+        * Get the reqid of this SA
+        *
+        * @return                      reqid of this SA
+        */
+       u_int32_t (*get_reqid)(ipsec_sa_t *this);
+
+       /**
+        * Get the protocol (e.g. IPPROTO_ESP) of this SA
+        *
+        * @return                      protocol of this SA
+        */
+       u_int8_t (*get_protocol)(ipsec_sa_t *this);
+
+       /**
+        * Returns whether this SA is inbound or outbound
+        *
+        * @return                      TRUE if inbound, FALSE if outbound
+        */
+       bool (*is_inbound)(ipsec_sa_t *this);
+
+       /**
+        * Get the lifetime information for this SA
+        * Note that this information is always relative to the time when the
+        * SA was installed (i.e. it is not adjusted over time)
+        *
+        * @return                      lifetime of this SA
+        */
+       lifetime_cfg_t *(*get_lifetime)(ipsec_sa_t *this);
+
+       /**
+        * Get the ESP context for this SA
+        *
+        * @return                      ESP context of this SA
+        */
+       esp_context_t *(*get_esp_context)(ipsec_sa_t *this);
+
+       /**
+        * Destroy an ipsec_sa_t
+        */
+       void (*destroy)(ipsec_sa_t *this);
+
+};
+
+/**
+ * Create an ipsec_sa_t instance
+ *
+ * @param spi                  SPI for this SA
+ * @param src                  source address for this SA (gets cloned)
+ * @param dst                  destination address for this SA (gets cloned)
+ * @param protocol             protocol for this SA (only ESP is supported)
+ * @param reqid                        reqid for this SA
+ * @param mark                 mark for this SA (ignored)
+ * @param tfc                  Traffic Flow Confidentiality (currently not supported)
+ * @param lifetime             lifetime for this SA
+ * @param enc_alg              encryption algorithm for this SA
+ * @param enc_key              encryption key for this SA
+ * @param int_alg              integrity protection algorithm
+ * @param int_key              integrity protection key
+ * @param mode                 mode for this SA (only tunnel mode is supported)
+ * @param ipcomp               IPcomp transform (not supported, use IPCOMP_NONE)
+ * @param cpi                  CPI for IPcomp (ignored)
+ * @param encap                        enable UDP encapsulation (must be TRUE)
+ * @param esn                  Extended Sequence Numbers (currently not supported)
+ * @param inbound              TRUE if this is an inbound SA, FALSE otherwise
+ * @param src_ts               source traffic selector
+ * @param dst_ts               destination traffic selector
+ * @return                             the IPsec SA, or NULL if the creation failed
+ */
+ipsec_sa_t *ipsec_sa_create(u_int32_t spi, host_t *src, host_t *dst,
+                                                       u_int8_t protocol, u_int32_t reqid, mark_t mark,
+                                                       u_int32_t tfc, lifetime_cfg_t *lifetime,
+                                                       u_int16_t enc_alg, chunk_t enc_key,
+                                                       u_int16_t int_alg, chunk_t int_key,
+                                                       ipsec_mode_t mode, u_int16_t ipcomp, u_int16_t cpi,
+                                                       bool encap, bool esn, bool inbound,
+                                                       traffic_selector_t *src_ts,
+                                                       traffic_selector_t *dst_ts);
+
+#endif /** IPSEC_SA_H_ @}*/