]> git.ipfire.org Git - thirdparty/strongswan.git/blame - src/libcharon/sa/child_sa.h
projects / thirdparty / strongswan.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
quick-mode: Get a reference when adopting the reqid of a rekeyed CHILD_SA
[thirdparty/strongswan.git] / src / libcharon / sa / child_sa.h
CommitLineData
3ebebc5e 1/*
ff269f7f 2 * Copyright (C) 2006-2023 Tobias Brunner
3aaf7908 3 * Copyright (C) 2006-2008 Martin Willi
d4aad554 4 * Copyright (C) 2006 Daniel Roethlisberger
19ef2aec
TB		 5 *
6 * Copyright (C) secunet Security Networks AG
3ebebc5e
MW		 7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
552cc11b
MW		 19/**
20 * @defgroup child_sa child_sa
21 * @{ @ingroup sa
22 */
3ebebc5e 23
16b9a73c
MW		 24#ifndef CHILD_SA_H_
25#define CHILD_SA_H_
3ebebc5e 26
382b4817 27typedef enum child_sa_state_t child_sa_state_t;
afbea8ce 28typedef enum child_sa_outbound_state_t child_sa_outbound_state_t;
382b4817 29typedef struct child_sa_t child_sa_t;
fafa7698 30typedef struct child_sa_create_t child_sa_create_t;
382b4817 31
db7ef624 32#include <library.h>
3ebebc5e 33#include <encoding/payloads/proposal_substructure.h>
2307bffe 34#include <crypto/proposal/proposal.h>
e0fe7651 35#include <config/child_cfg.h>
3ebebc5e 36
bcb95ced 37/**
552cc11b 38 * States of a CHILD_SA
bcb95ced
MW		 39 */
40enum child_sa_state_t {
7daf5226 41
bcb95ced
MW		 42 /**
43 * Just created, uninstalled CHILD_SA
44 */
45 CHILD_CREATED,
7daf5226 46
45f76a7d
MW		 47 /**
48 * Installed SPD, but no SAD entries
49 */
50 CHILD_ROUTED,
7daf5226 51
ea625fab
TB		 52 /**
53 * Installing an in-use CHILD_SA
54 */
55 CHILD_INSTALLING,
7daf5226 56
83186d3c
TB		 57 /**
58 * Installed both SAs of a CHILD_SA
bcb95ced
MW		 59 */
60 CHILD_INSTALLED,
7daf5226 61
ad3af574
MW		 62 /**
63 * While updating hosts, in update_hosts()
64 */
65 CHILD_UPDATING,
7daf5226 66
bcb95ced
MW		 67 /**
68 * CHILD_SA which is rekeying
69 */
70 CHILD_REKEYING,
7daf5226 71
70728eb1
TB		 72 /**
73 * CHILD_SA that was rekeyed, but stays installed
74 */
75 CHILD_REKEYED,
76
013857ad
MW		 77 /**
78 * CHILD_SA negotiation failed, but gets retried
79 */
80 CHILD_RETRYING,
81
bcb95ced
MW		 82 /**
83 * CHILD_SA in progress of delete
84 */
85 CHILD_DELETING,
7daf5226 86
16898026
TB		 87 /**
88 * CHILD_SA has been deleted, but not yet destroyed
89 */
90 CHILD_DELETED,
91
a985db3f
MW		 92 /**
93 * CHILD_SA object gets destroyed
94 */
95 CHILD_DESTROYING,
bcb95ced
MW		 96};
97
98/**
60356f33 99 * enum strings for child_sa_state_t.
bcb95ced 100 */
60356f33 101extern enum_name_t *child_sa_state_names;
bcb95ced 102
afbea8ce
TB		 103/**
104 * States of the outbound SA of a CHILD_SA
105 */
106enum child_sa_outbound_state_t {
107
108 /**
109 * Outbound SA is not installed
110 */
2c116ef5 111 CHILD_OUTBOUND_NONE = 0,
afbea8ce
TB		 112
113 /**
2c116ef5
TB		 114 * Data for the outbound SA has been registered during a rekeying (not set
115 * once the SA and policies are both installed)
afbea8ce 116 */
2c116ef5 117 CHILD_OUTBOUND_REGISTERED = (1<<0),
afbea8ce
TB		 118
119 /**
2c116ef5 120 * The outbound SA has been installed
afbea8ce 121 */
2c116ef5
TB		 122 CHILD_OUTBOUND_SA = (1<<1),
123
124 /**
125 * The outbound policies have been installed
126 */
127 CHILD_OUTBOUND_POLICIES = (1<<2),
128
129 /**
130 * The outbound SA and policies are both installed
131 */
132 CHILD_OUTBOUND_INSTALLED = (CHILD_OUTBOUND_SA|CHILD_OUTBOUND_POLICIES),
afbea8ce
TB		 133};
134
135/**
136 * enum strings for child_sa_outbound_state_t.
137 */
138extern enum_name_t *child_sa_outbound_state_names;
139
3ebebc5e 140/**
552cc11b 141 * Represents an IPsec SAs between two hosts.
c3a78360 142 *
1396815a
MW		 143 * A child_sa_t contains two SAs. SAs for both
144 * directions are managed in one child_sa_t object. Both
145 * SAs and the policies have the same reqid.
c3a78360 146 *
a527a426 147 * The procedure for child sa setup is as follows:
3aaf7908
MW		 148 * - A gets SPIs for a all protocols in its proposals via child_sa_t.alloc
149 * - A send the proposals with the allocated SPIs to B
a527a426 150 * - B selects a suitable proposal
3aaf7908
MW		 151 * - B allocates an SPI for the selected protocol
152 * - B calls child_sa_t.install for both, the allocated and received SPI
153 * - B sends the proposal with the allocated SPI to A
2db6d5b8 154 * - A calls child_sa_t.install for both, the allocated and received SPI
c3a78360 155 *
aa5a35a0 156 * Once SAs are set up, policies can be added using add_policies.
3ebebc5e
MW		 157 */
158struct child_sa_t {
7daf5226 159
9be547c0 160 /**
552cc11b 161 * Get the name of the config this CHILD_SA uses.
9be547c0 162 *
552cc11b 163 * @return name
9be547c0
MW		 164 */
165 char* (*get_name) (child_sa_t *this);
7daf5226 166
9be547c0 167 /**
552cc11b 168 * Get the reqid of the CHILD SA.
c3a78360 169 *
c60c7694
MW		 170 * Every CHILD_SA has a reqid. The kernel uses this ID to
171 * identify it.
32b6500f 172 *
32b6500f
MW		 173 * @return reqid of the CHILD SA
174 */
b12c53ce 175 uint32_t (*get_reqid)(child_sa_t *this);
7daf5226 176
ff269f7f
TB		 177 /**
178 * Get an additional reference to the allocated reqid of this CHILD SA.
179 *
180 * For static reqids or until the reqid is allocated (if none was passed
181 * in the constructor), this returns 0. The returned reqid must be released
182 * via kernel_interface_t::release_reqid().
183 *
184 * @return allocated reqid of the CHILD SA, 0 if reqid is static or
185 * not allocated yet
186 */
187 uint32_t (*get_reqid_ref)(child_sa_t *this);
188
4ec397b8
MW		 189 /**
190 * Get the unique numerical identifier for this CHILD_SA.
191 *
192 * While the same reqid might be shared between multiple SAs, the unique_id
193 * is truly unique for all CHILD_SA instances.
194 *
195 * @return unique CHILD_SA identifier
196 */
b12c53ce 197 uint32_t (*get_unique_id)(child_sa_t *this);
4ec397b8 198
3aaf7908
MW		 199 /**
200 * Get the config used to set up this child sa.
201 *
202 * @return child_cfg
203 */
204 child_cfg_t* (*get_config) (child_sa_t *this);
7daf5226 205
3aaf7908
MW		 206 /**
207 * Get the state of the CHILD_SA.
208 *
209 * @return CHILD_SA state
c3a78360 210 */
afbea8ce
TB		 211 child_sa_state_t (*get_state)(child_sa_t *this);
212
213 /**
214 * Get the state of the outbound SA.
215 *
216 * @return outbound SA state
217 */
218 child_sa_outbound_state_t (*get_outbound_state)(child_sa_t *this);
7daf5226 219
3aaf7908
MW		 220 /**
221 * Set the state of the CHILD_SA.
222 *
223 * @param state state to set on CHILD_SA
c3a78360 224 */
3aaf7908 225 void (*set_state) (child_sa_t *this, child_sa_state_t state);
7daf5226 226
8d77edde 227 /**
552cc11b 228 * Get the SPI of this CHILD_SA.
c3a78360 229 *
8d77edde
MW		 230 * Set the boolean parameter inbound to TRUE to
231 * get the SPI for which we receive packets, use
232 * FALSE to get those we use for sending packets.
233 *
8d77edde 234 * @param inbound TRUE to get inbound SPI, FALSE for outbound.
66da78b4 235 * @return SPI of the CHILD SA
8d77edde 236 */
b12c53ce 237 uint32_t (*get_spi) (child_sa_t *this, bool inbound);
7daf5226 238
66da78b4
AS		 239 /**
240 * Get the CPI of this CHILD_SA.
c3a78360 241 *
66da78b4 242 * Set the boolean parameter inbound to TRUE to
32f5ee15 243 * get the CPI for which we receive packets, use
66da78b4
AS		 244 * FALSE to get those we use for sending packets.
245 *
246 * @param inbound TRUE to get inbound CPI, FALSE for outbound.
247 * @return CPI of the CHILD SA
248 */
b12c53ce 249 uint16_t (*get_cpi) (child_sa_t *this, bool inbound);
66da78b4 250
8d77edde 251 /**
552cc11b 252 * Get the protocol which this CHILD_SA uses to protect traffic.
8d77edde 253 *
8d77edde
MW		 254 * @return AH | ESP
255 */
256 protocol_id_t (*get_protocol) (child_sa_t *this);
7daf5226 257
3aaf7908
MW		 258 /**
259 * Set the negotiated protocol to use for this CHILD_SA.
260 *
261 * @param protocol AH | ESP
262 */
263 void (*set_protocol)(child_sa_t *this, protocol_id_t protocol);
7daf5226 264
a3ce4bc2 265 /**
6e10aead 266 * Get the IPsec mode of this CHILD_SA.
a3ce4bc2 267 *
6e10aead 268 * @return TUNNEL | TRANSPORT | BEET
a3ce4bc2 269 */
6e10aead 270 ipsec_mode_t (*get_mode)(child_sa_t *this);
7daf5226 271
3aaf7908
MW		 272 /**
273 * Set the negotiated IPsec mode to use.
274 *
2db6d5b8 275 * @param mode TUNNEL | TRANSPORT | BEET
3aaf7908
MW		 276 */
277 void (*set_mode)(child_sa_t *this, ipsec_mode_t mode);
7daf5226 278
82d20c05
MW		 279 /**
280 * Get the used IPComp algorithm.
281 *
282 * @return IPComp compression algorithm.
283 */
284 ipcomp_transform_t (*get_ipcomp)(child_sa_t *this);
7daf5226 285
3aaf7908
MW		 286 /**
287 * Set the IPComp algorithm to use.
c3a78360 288 *
3aaf7908
MW		 289 * @param ipcomp the IPComp transform to use
290 */
291 void (*set_ipcomp)(child_sa_t *this, ipcomp_transform_t ipcomp);
7daf5226 292
4c401ea2
MW		 293 /**
294 * Get the action to enforce if the remote peer closes the CHILD_SA.
295 *
296 * @return close action
297 */
298 action_t (*get_close_action)(child_sa_t *this);
299
300 /**
301 * Override the close action specified by the CHILD_SA config.
302 *
303 * @param close action to enforce
304 */
305 void (*set_close_action)(child_sa_t *this, action_t action);
306
307 /**
308 * Get the action to enforce if the peer is considered dead.
309 *
310 * @return dpd action
311 */
312 action_t (*get_dpd_action)(child_sa_t *this);
313
314 /**
315 * Override the DPD action specified by the CHILD_SA config.
316 *
0ceb2888 317 * @param dpd action to enforce
4c401ea2
MW		 318 */
319 void (*set_dpd_action)(child_sa_t *this, action_t action);
320
3aaf7908
MW		 321 /**
322 * Get the selected proposal.
323 *
324 * @return selected proposal
325 */
326 proposal_t* (*get_proposal)(child_sa_t *this);
7daf5226 327
3aaf7908
MW		 328 /**
329 * Set the negotiated proposal.
330 *
331 * @param proposal selected proposal
332 */
c3a78360 333 void (*set_proposal)(child_sa_t *this, proposal_t *proposal);
7daf5226 334
82d20c05
MW		 335 /**
336 * Check if this CHILD_SA uses UDP encapsulation.
337 *
338 * @return TRUE if SA encapsulates ESP packets
339 */
340 bool (*has_encap)(child_sa_t *this);
7daf5226 341
6e10aead 342 /**
e3c7e729 343 * Get the absolute time when the CHILD_SA expires or gets rekeyed.
6e10aead
MW		 344 *
345 * @param hard TRUE for hard lifetime, FALSE for soft (rekey) lifetime
e3c7e729 346 * @return absolute time
6e10aead 347 */
e3c7e729 348 time_t (*get_lifetime)(child_sa_t *this, bool hard);
7daf5226 349
763e0353
MW		 350 /**
351 * Get the absolute time when this SA has been installed.
352 *
353 * @return monotonic absolute install time
354 */
355 time_t (*get_installtime)(child_sa_t *this);
356
6e10aead 357 /**
c3a78360 358 * Get last use time and the number of bytes processed.
2ad51539 359 *
3f720dc7 360 * @param inbound TRUE for inbound traffic, FALSE for outbound
c3a78360
TB		 361 * @param[out] time time of last use in seconds (NULL to ignore)
362 * @param[out] bytes number of processed bytes (NULL to ignore)
d954a208 363 * @param[out] packets number of processed packets (NULL to ignore)
2ad51539 364 */
c3a78360 365 void (*get_usestats)(child_sa_t *this, bool inbound, time_t *time,
b12c53ce 366 uint64_t *bytes, uint64_t *packets);
7daf5226 367
79f39ecf
MW		 368 /**
369 * Get the mark used with this CHILD_SA.
370 *
371 * @param inbound TRUE to get inbound mark, FALSE for outbound
372 * @return mark used with this CHILD_SA
373 */
374 mark_t (*get_mark)(child_sa_t *this, bool inbound);
375
a6014d99
TB		 376 /**
377 * Get the interface ID used with this CHILD_SA.
378 *
379 * @param inbound TRUE to get inbound ID, FALSE for outbound
380 * @return interface ID used with this CHILD_SA
381 */
382 uint32_t (*get_if_id)(child_sa_t *this, bool inbound);
383
139d6558
TB		 384 /**
385 * Get the security label used with this CHILD_SA.
386 *
387 * This might be different than the configured label.
388 *
389 * @return security label used with this CHILD_SA
390 */
391 sec_label_t *(*get_label)(child_sa_t *this);
392
144f676c 393 /**
553bb787 394 * Create an enumerator over traffic selectors of one side.
a527a426 395 *
553bb787
MW		 396 * @param local TRUE for own traffic selectors, FALSE for remote.
397 * @return enumerator over traffic_selector_t*
c3a78360 398 */
553bb787 399 enumerator_t* (*create_ts_enumerator)(child_sa_t *this, bool local);
7daf5226 400
a527a426 401 /**
3aaf7908 402 * Create an enumerator over installed policies.
a527a426 403 *
553bb787
MW		 404 * The enumerated traffic selectors is a full mesh of compatible local
405 * and remote traffic selectors.
406 *
407 * @return enumerator over a pair of traffic_selector_t*
a527a426 408 */
3aaf7908 409 enumerator_t* (*create_policy_enumerator)(child_sa_t *this);
7daf5226 410
a527a426 411 /**
3aaf7908 412 * Allocate an SPI to include in a proposal.
a527a426 413 *
3aaf7908
MW		 414 * @param protocol protocol to allocate SPI for (ESP|AH)
415 * @param spi SPI output pointer
416 * @return SPI, 0 on failure
a527a426 417 */
b12c53ce 418 uint32_t (*alloc_spi)(child_sa_t *this, protocol_id_t protocol);
7daf5226 419
80853d84 420 /**
3aaf7908 421 * Allocate a CPI to use for IPComp.
80853d84 422 *
3aaf7908 423 * @return CPI, 0 on failure
80853d84 424 */
b12c53ce 425 uint16_t (*alloc_cpi)(child_sa_t *this);
7daf5226 426
1396815a 427 /**
3aaf7908 428 * Install an IPsec SA for one direction.
1396815a 429 *
4989aba8
TB		 430 * set_policies() should be called before calling this.
431 *
3aaf7908
MW		 432 * @param encr encryption key, if any
433 * @param integ integrity key
434 * @param spi SPI to use, allocated for inbound
435 * @param cpi CPI to use, allocated for outbound
a8c94544 436 * @param initiator TRUE if initiator of exchange resulting in this SA
3aaf7908 437 * @param inbound TRUE to install an inbound SA, FALSE for outbound
55df72e6 438 * @param tfcv3 TRUE if peer supports ESPv3 TFC
2b3100b5 439 * @return SUCCESS or FAILED
1396815a 440 */
3aaf7908 441 status_t (*install)(child_sa_t *this, chunk_t encr, chunk_t integ,
b12c53ce 442 uint32_t spi, uint16_t cpi,
4989aba8
TB		 443 bool initiator, bool inbound, bool tfcv3);
444
8a3a389e
TB		 445 /**
446 * Register data for the installation of an outbound SA as responder during
447 * a rekeying.
448 *
a146b4c9
TB		 449 * If the kernel is able to handle SPIs on policies the SA is installed
450 * immediately, if not it won't be installed until install_outbound() is
451 * called.
8a3a389e
TB		 452 *
453 * @param encr encryption key, if any (cloned)
454 * @param integ integrity key (cloned)
455 * @param spi SPI to use, allocated for inbound
456 * @param cpi CPI to use, allocated for outbound
639af09b 457 * @param initiator TRUE if initiator of exchange resulting in this SA
8a3a389e 458 * @param tfcv3 TRUE if peer supports ESPv3 TFC
a146b4c9 459 * @return SUCCESS or FAILED
8a3a389e 460 */
a146b4c9 461 status_t (*register_outbound)(child_sa_t *this, chunk_t encr, chunk_t integ,
639af09b
TB		 462 uint32_t spi, uint16_t cpi, bool initiator,
463 bool tfcv3);
8a3a389e
TB		 464
465 /**
a146b4c9
TB		 466 * Install the outbound policies and, if not already done, the outbound SA
467 * as responder during a rekeying.
8a3a389e
TB		 468 *
469 * @return SUCCESS or FAILED
470 */
471 status_t (*install_outbound)(child_sa_t *this);
472
c5fed4cd
TB		 473 /**
474 * Remove the outbound SA and the outbound policies after a rekeying.
475 */
476 void (*remove_outbound)(child_sa_t *this);
477
a527a426 478 /**
4989aba8 479 * Configure the policies using some traffic selectors.
8d77edde 480 *
7881ac14 481 * Supplied lists of traffic_selector_t's specify the policies
a527a426
MW		 482 * to use for this child sa.
483 *
4989aba8
TB		 484 * Install the policies by calling install_policies().
485 *
486 * This should be called before calling install() so the traffic selectors
487 * may be passed to the kernel interface when installing the SAs.
488 *
489 * @param my_ts traffic selectors for local site (cloned)
490 * @param other_ts traffic selectors for remote site (cloned)
491 */
492 void (*set_policies)(child_sa_t *this, linked_list_t *my_ts_list,
493 linked_list_t *other_ts_list);
494
495 /**
496 * Install the configured policies.
497 *
8a3a389e
TB		 498 * If register_outbound() was called previously this only installs the
499 * inbound and forward policies, the outbound policies are installed when
500 * install_outbound() is called.
501 *
a527a426 502 * @return SUCCESS or FAILED
c3a78360 503 */
4989aba8
TB		 504 status_t (*install_policies)(child_sa_t *this);
505
cad13450
TB		 506 /**
507 * Set the outbound SPI of the CHILD_SA that replaced this CHILD_SA during
508 * a rekeying.
509 *
510 * @param spi outbound SPI of the CHILD_SA that replaced this CHILD_SA
511 */
512 void (*set_rekey_spi)(child_sa_t *this, uint32_t spi);
513
514 /**
515 * Get the outbound SPI of the CHILD_SA that replaced this CHILD_SA during
516 * a rekeying.
517 *
518 * @return outbound SPI of the CHILD_SA that replaced this CHILD_SA
519 */
520 uint32_t (*get_rekey_spi)(child_sa_t *this);
521
1df106bf 522 /**
b3ab7a48 523 * Update hosts and ecapsulation mode in the kernel SAs and policies.
1df106bf 524 *
3aaf7908
MW		 525 * @param me the new local host
526 * @param other the new remote host
101d26ba 527 * @param vips list of local virtual IPs
0ceb2888 528 * @param encap TRUE to use UDP encapsulation for NAT traversal
3aaf7908 529 * @return SUCCESS or FAILED
d4aad554 530 */
3aaf7908 531 status_t (*update)(child_sa_t *this, host_t *me, host_t *other,
101d26ba 532 linked_list_t *vips, bool encap);
3ebebc5e 533 /**
552cc11b 534 * Destroys a child_sa.
3ebebc5e
MW		 535 */
536 void (*destroy) (child_sa_t *this);
537};
538
fafa7698
TB		 539/**
540 * Data passed to the constructor of a child_sa_t object.
541 */
542struct child_sa_create_t {
543 /** Optional reqid of old CHILD_SA when rekeying */
544 uint32_t reqid;
545 /** Optional inbound mark when rekeying */
546 uint32_t mark_in;
547 /** Optional outbound mark when rekeying */
548 uint32_t mark_out;
549 /** Optional inbound interface ID when rekeying */
550 uint32_t if_id_in;
551 /** Optional outbound interface ID when rekeying */
552 uint32_t if_id_out;
553 /** Optional default inbound interface ID, if neither if_id_in, nor config
554 * sets one */
555 uint32_t if_id_in_def;
556 /** Optional default outbound interface ID, if neither if_id_out, nor config
557 * sets one */
558 uint32_t if_id_out_def;
139d6558
TB		 559 /** Optional security label to apply on SAs (cloned) */
560 sec_label_t *label;
fafa7698
TB		 561 /** TRUE to enable UDP encapsulation (NAT traversal) */
562 bool encap;
563};
564
3ebebc5e 565/**
34d240a6 566 * Constructor to create a child SA negotiated with IKE.
aeeb4f4f 567 *
d487b4b7
AS		 568 * @param me own address
569 * @param other remote address
d487b4b7 570 * @param config config to use for this CHILD_SA
fafa7698 571 * @param data data for this CHILD_SA
d487b4b7 572 * @return child_sa_t object
3ebebc5e 573 */
139d6558 574child_sa_t *child_sa_create(host_t *me, host_t *other, child_cfg_t *config,
fafa7698 575 child_sa_create_t *data);
5b97779f 576
1490ff4d 577#endif /** CHILD_SA_H_ @}*/
Unnamed repository; edit this file 'description' to name the repository.