]>
Commit | Line | Data |
---|---|---|
3ebebc5e | 1 | /* |
ff269f7f | 2 | * Copyright (C) 2006-2023 Tobias Brunner |
3aaf7908 | 3 | * Copyright (C) 2006-2008 Martin Willi |
d4aad554 | 4 | * Copyright (C) 2006 Daniel Roethlisberger |
19ef2aec TB |
5 | * |
6 | * Copyright (C) secunet Security Networks AG | |
3ebebc5e MW |
7 | * |
8 | * This program is free software; you can redistribute it and/or modify it | |
9 | * under the terms of the GNU General Public License as published by the | |
10 | * Free Software Foundation; either version 2 of the License, or (at your | |
11 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, but | |
14 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
15 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
16 | * for more details. | |
17 | */ | |
18 | ||
552cc11b MW |
19 | /** |
20 | * @defgroup child_sa child_sa | |
21 | * @{ @ingroup sa | |
22 | */ | |
3ebebc5e | 23 | |
16b9a73c MW |
24 | #ifndef CHILD_SA_H_ |
25 | #define CHILD_SA_H_ | |
3ebebc5e | 26 | |
382b4817 | 27 | typedef enum child_sa_state_t child_sa_state_t; |
afbea8ce | 28 | typedef enum child_sa_outbound_state_t child_sa_outbound_state_t; |
382b4817 | 29 | typedef struct child_sa_t child_sa_t; |
fafa7698 | 30 | typedef struct child_sa_create_t child_sa_create_t; |
382b4817 | 31 | |
db7ef624 | 32 | #include <library.h> |
3ebebc5e | 33 | #include <encoding/payloads/proposal_substructure.h> |
2307bffe | 34 | #include <crypto/proposal/proposal.h> |
e0fe7651 | 35 | #include <config/child_cfg.h> |
3ebebc5e | 36 | |
bcb95ced | 37 | /** |
552cc11b | 38 | * States of a CHILD_SA |
bcb95ced MW |
39 | */ |
40 | enum child_sa_state_t { | |
7daf5226 | 41 | |
bcb95ced MW |
42 | /** |
43 | * Just created, uninstalled CHILD_SA | |
44 | */ | |
45 | CHILD_CREATED, | |
7daf5226 | 46 | |
45f76a7d MW |
47 | /** |
48 | * Installed SPD, but no SAD entries | |
49 | */ | |
50 | CHILD_ROUTED, | |
7daf5226 | 51 | |
ea625fab TB |
52 | /** |
53 | * Installing an in-use CHILD_SA | |
54 | */ | |
55 | CHILD_INSTALLING, | |
7daf5226 | 56 | |
83186d3c TB |
57 | /** |
58 | * Installed both SAs of a CHILD_SA | |
bcb95ced MW |
59 | */ |
60 | CHILD_INSTALLED, | |
7daf5226 | 61 | |
ad3af574 MW |
62 | /** |
63 | * While updating hosts, in update_hosts() | |
64 | */ | |
65 | CHILD_UPDATING, | |
7daf5226 | 66 | |
bcb95ced MW |
67 | /** |
68 | * CHILD_SA which is rekeying | |
69 | */ | |
70 | CHILD_REKEYING, | |
7daf5226 | 71 | |
70728eb1 TB |
72 | /** |
73 | * CHILD_SA that was rekeyed, but stays installed | |
74 | */ | |
75 | CHILD_REKEYED, | |
76 | ||
013857ad MW |
77 | /** |
78 | * CHILD_SA negotiation failed, but gets retried | |
79 | */ | |
80 | CHILD_RETRYING, | |
81 | ||
bcb95ced MW |
82 | /** |
83 | * CHILD_SA in progress of delete | |
84 | */ | |
85 | CHILD_DELETING, | |
7daf5226 | 86 | |
16898026 TB |
87 | /** |
88 | * CHILD_SA has been deleted, but not yet destroyed | |
89 | */ | |
90 | CHILD_DELETED, | |
91 | ||
a985db3f MW |
92 | /** |
93 | * CHILD_SA object gets destroyed | |
94 | */ | |
95 | CHILD_DESTROYING, | |
bcb95ced MW |
96 | }; |
97 | ||
98 | /** | |
60356f33 | 99 | * enum strings for child_sa_state_t. |
bcb95ced | 100 | */ |
60356f33 | 101 | extern enum_name_t *child_sa_state_names; |
bcb95ced | 102 | |
afbea8ce TB |
103 | /** |
104 | * States of the outbound SA of a CHILD_SA | |
105 | */ | |
106 | enum child_sa_outbound_state_t { | |
107 | ||
108 | /** | |
109 | * Outbound SA is not installed | |
110 | */ | |
2c116ef5 | 111 | CHILD_OUTBOUND_NONE = 0, |
afbea8ce TB |
112 | |
113 | /** | |
2c116ef5 TB |
114 | * Data for the outbound SA has been registered during a rekeying (not set |
115 | * once the SA and policies are both installed) | |
afbea8ce | 116 | */ |
2c116ef5 | 117 | CHILD_OUTBOUND_REGISTERED = (1<<0), |
afbea8ce TB |
118 | |
119 | /** | |
2c116ef5 | 120 | * The outbound SA has been installed |
afbea8ce | 121 | */ |
2c116ef5 TB |
122 | CHILD_OUTBOUND_SA = (1<<1), |
123 | ||
124 | /** | |
125 | * The outbound policies have been installed | |
126 | */ | |
127 | CHILD_OUTBOUND_POLICIES = (1<<2), | |
128 | ||
129 | /** | |
130 | * The outbound SA and policies are both installed | |
131 | */ | |
132 | CHILD_OUTBOUND_INSTALLED = (CHILD_OUTBOUND_SA|CHILD_OUTBOUND_POLICIES), | |
afbea8ce TB |
133 | }; |
134 | ||
135 | /** | |
136 | * enum strings for child_sa_outbound_state_t. | |
137 | */ | |
138 | extern enum_name_t *child_sa_outbound_state_names; | |
139 | ||
3ebebc5e | 140 | /** |
552cc11b | 141 | * Represents an IPsec SAs between two hosts. |
c3a78360 | 142 | * |
1396815a MW |
143 | * A child_sa_t contains two SAs. SAs for both |
144 | * directions are managed in one child_sa_t object. Both | |
145 | * SAs and the policies have the same reqid. | |
c3a78360 | 146 | * |
a527a426 | 147 | * The procedure for child sa setup is as follows: |
3aaf7908 MW |
148 | * - A gets SPIs for a all protocols in its proposals via child_sa_t.alloc |
149 | * - A send the proposals with the allocated SPIs to B | |
a527a426 | 150 | * - B selects a suitable proposal |
3aaf7908 MW |
151 | * - B allocates an SPI for the selected protocol |
152 | * - B calls child_sa_t.install for both, the allocated and received SPI | |
153 | * - B sends the proposal with the allocated SPI to A | |
2db6d5b8 | 154 | * - A calls child_sa_t.install for both, the allocated and received SPI |
c3a78360 | 155 | * |
aa5a35a0 | 156 | * Once SAs are set up, policies can be added using add_policies. |
3ebebc5e MW |
157 | */ |
158 | struct child_sa_t { | |
7daf5226 | 159 | |
9be547c0 | 160 | /** |
552cc11b | 161 | * Get the name of the config this CHILD_SA uses. |
9be547c0 | 162 | * |
552cc11b | 163 | * @return name |
9be547c0 MW |
164 | */ |
165 | char* (*get_name) (child_sa_t *this); | |
7daf5226 | 166 | |
9be547c0 | 167 | /** |
552cc11b | 168 | * Get the reqid of the CHILD SA. |
c3a78360 | 169 | * |
c60c7694 MW |
170 | * Every CHILD_SA has a reqid. The kernel uses this ID to |
171 | * identify it. | |
32b6500f | 172 | * |
32b6500f MW |
173 | * @return reqid of the CHILD SA |
174 | */ | |
b12c53ce | 175 | uint32_t (*get_reqid)(child_sa_t *this); |
7daf5226 | 176 | |
ff269f7f TB |
177 | /** |
178 | * Get an additional reference to the allocated reqid of this CHILD SA. | |
179 | * | |
180 | * For static reqids or until the reqid is allocated (if none was passed | |
181 | * in the constructor), this returns 0. The returned reqid must be released | |
182 | * via kernel_interface_t::release_reqid(). | |
183 | * | |
184 | * @return allocated reqid of the CHILD SA, 0 if reqid is static or | |
185 | * not allocated yet | |
186 | */ | |
187 | uint32_t (*get_reqid_ref)(child_sa_t *this); | |
188 | ||
4ec397b8 MW |
189 | /** |
190 | * Get the unique numerical identifier for this CHILD_SA. | |
191 | * | |
192 | * While the same reqid might be shared between multiple SAs, the unique_id | |
193 | * is truly unique for all CHILD_SA instances. | |
194 | * | |
195 | * @return unique CHILD_SA identifier | |
196 | */ | |
b12c53ce | 197 | uint32_t (*get_unique_id)(child_sa_t *this); |
4ec397b8 | 198 | |
3aaf7908 MW |
199 | /** |
200 | * Get the config used to set up this child sa. | |
201 | * | |
202 | * @return child_cfg | |
203 | */ | |
204 | child_cfg_t* (*get_config) (child_sa_t *this); | |
7daf5226 | 205 | |
3aaf7908 MW |
206 | /** |
207 | * Get the state of the CHILD_SA. | |
208 | * | |
209 | * @return CHILD_SA state | |
c3a78360 | 210 | */ |
afbea8ce TB |
211 | child_sa_state_t (*get_state)(child_sa_t *this); |
212 | ||
213 | /** | |
214 | * Get the state of the outbound SA. | |
215 | * | |
216 | * @return outbound SA state | |
217 | */ | |
218 | child_sa_outbound_state_t (*get_outbound_state)(child_sa_t *this); | |
7daf5226 | 219 | |
3aaf7908 MW |
220 | /** |
221 | * Set the state of the CHILD_SA. | |
222 | * | |
223 | * @param state state to set on CHILD_SA | |
c3a78360 | 224 | */ |
3aaf7908 | 225 | void (*set_state) (child_sa_t *this, child_sa_state_t state); |
7daf5226 | 226 | |
8d77edde | 227 | /** |
552cc11b | 228 | * Get the SPI of this CHILD_SA. |
c3a78360 | 229 | * |
8d77edde MW |
230 | * Set the boolean parameter inbound to TRUE to |
231 | * get the SPI for which we receive packets, use | |
232 | * FALSE to get those we use for sending packets. | |
233 | * | |
8d77edde | 234 | * @param inbound TRUE to get inbound SPI, FALSE for outbound. |
66da78b4 | 235 | * @return SPI of the CHILD SA |
8d77edde | 236 | */ |
b12c53ce | 237 | uint32_t (*get_spi) (child_sa_t *this, bool inbound); |
7daf5226 | 238 | |
66da78b4 AS |
239 | /** |
240 | * Get the CPI of this CHILD_SA. | |
c3a78360 | 241 | * |
66da78b4 | 242 | * Set the boolean parameter inbound to TRUE to |
32f5ee15 | 243 | * get the CPI for which we receive packets, use |
66da78b4 AS |
244 | * FALSE to get those we use for sending packets. |
245 | * | |
246 | * @param inbound TRUE to get inbound CPI, FALSE for outbound. | |
247 | * @return CPI of the CHILD SA | |
248 | */ | |
b12c53ce | 249 | uint16_t (*get_cpi) (child_sa_t *this, bool inbound); |
66da78b4 | 250 | |
8d77edde | 251 | /** |
552cc11b | 252 | * Get the protocol which this CHILD_SA uses to protect traffic. |
8d77edde | 253 | * |
8d77edde MW |
254 | * @return AH | ESP |
255 | */ | |
256 | protocol_id_t (*get_protocol) (child_sa_t *this); | |
7daf5226 | 257 | |
3aaf7908 MW |
258 | /** |
259 | * Set the negotiated protocol to use for this CHILD_SA. | |
260 | * | |
261 | * @param protocol AH | ESP | |
262 | */ | |
263 | void (*set_protocol)(child_sa_t *this, protocol_id_t protocol); | |
7daf5226 | 264 | |
a3ce4bc2 | 265 | /** |
6e10aead | 266 | * Get the IPsec mode of this CHILD_SA. |
a3ce4bc2 | 267 | * |
6e10aead | 268 | * @return TUNNEL | TRANSPORT | BEET |
a3ce4bc2 | 269 | */ |
6e10aead | 270 | ipsec_mode_t (*get_mode)(child_sa_t *this); |
7daf5226 | 271 | |
3aaf7908 MW |
272 | /** |
273 | * Set the negotiated IPsec mode to use. | |
274 | * | |
2db6d5b8 | 275 | * @param mode TUNNEL | TRANSPORT | BEET |
3aaf7908 MW |
276 | */ |
277 | void (*set_mode)(child_sa_t *this, ipsec_mode_t mode); | |
7daf5226 | 278 | |
82d20c05 MW |
279 | /** |
280 | * Get the used IPComp algorithm. | |
281 | * | |
282 | * @return IPComp compression algorithm. | |
283 | */ | |
284 | ipcomp_transform_t (*get_ipcomp)(child_sa_t *this); | |
7daf5226 | 285 | |
3aaf7908 MW |
286 | /** |
287 | * Set the IPComp algorithm to use. | |
c3a78360 | 288 | * |
3aaf7908 MW |
289 | * @param ipcomp the IPComp transform to use |
290 | */ | |
291 | void (*set_ipcomp)(child_sa_t *this, ipcomp_transform_t ipcomp); | |
7daf5226 | 292 | |
4c401ea2 MW |
293 | /** |
294 | * Get the action to enforce if the remote peer closes the CHILD_SA. | |
295 | * | |
296 | * @return close action | |
297 | */ | |
298 | action_t (*get_close_action)(child_sa_t *this); | |
299 | ||
300 | /** | |
301 | * Override the close action specified by the CHILD_SA config. | |
302 | * | |
303 | * @param close action to enforce | |
304 | */ | |
305 | void (*set_close_action)(child_sa_t *this, action_t action); | |
306 | ||
307 | /** | |
308 | * Get the action to enforce if the peer is considered dead. | |
309 | * | |
310 | * @return dpd action | |
311 | */ | |
312 | action_t (*get_dpd_action)(child_sa_t *this); | |
313 | ||
314 | /** | |
315 | * Override the DPD action specified by the CHILD_SA config. | |
316 | * | |
0ceb2888 | 317 | * @param dpd action to enforce |
4c401ea2 MW |
318 | */ |
319 | void (*set_dpd_action)(child_sa_t *this, action_t action); | |
320 | ||
3aaf7908 MW |
321 | /** |
322 | * Get the selected proposal. | |
323 | * | |
324 | * @return selected proposal | |
325 | */ | |
326 | proposal_t* (*get_proposal)(child_sa_t *this); | |
7daf5226 | 327 | |
3aaf7908 MW |
328 | /** |
329 | * Set the negotiated proposal. | |
330 | * | |
331 | * @param proposal selected proposal | |
332 | */ | |
c3a78360 | 333 | void (*set_proposal)(child_sa_t *this, proposal_t *proposal); |
7daf5226 | 334 | |
82d20c05 MW |
335 | /** |
336 | * Check if this CHILD_SA uses UDP encapsulation. | |
337 | * | |
338 | * @return TRUE if SA encapsulates ESP packets | |
339 | */ | |
340 | bool (*has_encap)(child_sa_t *this); | |
7daf5226 | 341 | |
6e10aead | 342 | /** |
e3c7e729 | 343 | * Get the absolute time when the CHILD_SA expires or gets rekeyed. |
6e10aead MW |
344 | * |
345 | * @param hard TRUE for hard lifetime, FALSE for soft (rekey) lifetime | |
e3c7e729 | 346 | * @return absolute time |
6e10aead | 347 | */ |
e3c7e729 | 348 | time_t (*get_lifetime)(child_sa_t *this, bool hard); |
7daf5226 | 349 | |
763e0353 MW |
350 | /** |
351 | * Get the absolute time when this SA has been installed. | |
352 | * | |
353 | * @return monotonic absolute install time | |
354 | */ | |
355 | time_t (*get_installtime)(child_sa_t *this); | |
356 | ||
6e10aead | 357 | /** |
c3a78360 | 358 | * Get last use time and the number of bytes processed. |
2ad51539 | 359 | * |
3f720dc7 | 360 | * @param inbound TRUE for inbound traffic, FALSE for outbound |
c3a78360 TB |
361 | * @param[out] time time of last use in seconds (NULL to ignore) |
362 | * @param[out] bytes number of processed bytes (NULL to ignore) | |
d954a208 | 363 | * @param[out] packets number of processed packets (NULL to ignore) |
2ad51539 | 364 | */ |
c3a78360 | 365 | void (*get_usestats)(child_sa_t *this, bool inbound, time_t *time, |
b12c53ce | 366 | uint64_t *bytes, uint64_t *packets); |
7daf5226 | 367 | |
79f39ecf MW |
368 | /** |
369 | * Get the mark used with this CHILD_SA. | |
370 | * | |
371 | * @param inbound TRUE to get inbound mark, FALSE for outbound | |
372 | * @return mark used with this CHILD_SA | |
373 | */ | |
374 | mark_t (*get_mark)(child_sa_t *this, bool inbound); | |
375 | ||
a6014d99 TB |
376 | /** |
377 | * Get the interface ID used with this CHILD_SA. | |
378 | * | |
379 | * @param inbound TRUE to get inbound ID, FALSE for outbound | |
380 | * @return interface ID used with this CHILD_SA | |
381 | */ | |
382 | uint32_t (*get_if_id)(child_sa_t *this, bool inbound); | |
383 | ||
139d6558 TB |
384 | /** |
385 | * Get the security label used with this CHILD_SA. | |
386 | * | |
387 | * This might be different than the configured label. | |
388 | * | |
389 | * @return security label used with this CHILD_SA | |
390 | */ | |
391 | sec_label_t *(*get_label)(child_sa_t *this); | |
392 | ||
144f676c | 393 | /** |
553bb787 | 394 | * Create an enumerator over traffic selectors of one side. |
a527a426 | 395 | * |
553bb787 MW |
396 | * @param local TRUE for own traffic selectors, FALSE for remote. |
397 | * @return enumerator over traffic_selector_t* | |
c3a78360 | 398 | */ |
553bb787 | 399 | enumerator_t* (*create_ts_enumerator)(child_sa_t *this, bool local); |
7daf5226 | 400 | |
a527a426 | 401 | /** |
3aaf7908 | 402 | * Create an enumerator over installed policies. |
a527a426 | 403 | * |
553bb787 MW |
404 | * The enumerated traffic selectors is a full mesh of compatible local |
405 | * and remote traffic selectors. | |
406 | * | |
407 | * @return enumerator over a pair of traffic_selector_t* | |
a527a426 | 408 | */ |
3aaf7908 | 409 | enumerator_t* (*create_policy_enumerator)(child_sa_t *this); |
7daf5226 | 410 | |
a527a426 | 411 | /** |
3aaf7908 | 412 | * Allocate an SPI to include in a proposal. |
a527a426 | 413 | * |
3aaf7908 MW |
414 | * @param protocol protocol to allocate SPI for (ESP|AH) |
415 | * @param spi SPI output pointer | |
416 | * @return SPI, 0 on failure | |
a527a426 | 417 | */ |
b12c53ce | 418 | uint32_t (*alloc_spi)(child_sa_t *this, protocol_id_t protocol); |
7daf5226 | 419 | |
80853d84 | 420 | /** |
3aaf7908 | 421 | * Allocate a CPI to use for IPComp. |
80853d84 | 422 | * |
3aaf7908 | 423 | * @return CPI, 0 on failure |
80853d84 | 424 | */ |
b12c53ce | 425 | uint16_t (*alloc_cpi)(child_sa_t *this); |
7daf5226 | 426 | |
1396815a | 427 | /** |
3aaf7908 | 428 | * Install an IPsec SA for one direction. |
1396815a | 429 | * |
4989aba8 TB |
430 | * set_policies() should be called before calling this. |
431 | * | |
3aaf7908 MW |
432 | * @param encr encryption key, if any |
433 | * @param integ integrity key | |
434 | * @param spi SPI to use, allocated for inbound | |
435 | * @param cpi CPI to use, allocated for outbound | |
a8c94544 | 436 | * @param initiator TRUE if initiator of exchange resulting in this SA |
3aaf7908 | 437 | * @param inbound TRUE to install an inbound SA, FALSE for outbound |
55df72e6 | 438 | * @param tfcv3 TRUE if peer supports ESPv3 TFC |
2b3100b5 | 439 | * @return SUCCESS or FAILED |
1396815a | 440 | */ |
3aaf7908 | 441 | status_t (*install)(child_sa_t *this, chunk_t encr, chunk_t integ, |
b12c53ce | 442 | uint32_t spi, uint16_t cpi, |
4989aba8 TB |
443 | bool initiator, bool inbound, bool tfcv3); |
444 | ||
8a3a389e TB |
445 | /** |
446 | * Register data for the installation of an outbound SA as responder during | |
447 | * a rekeying. | |
448 | * | |
a146b4c9 TB |
449 | * If the kernel is able to handle SPIs on policies the SA is installed |
450 | * immediately, if not it won't be installed until install_outbound() is | |
451 | * called. | |
8a3a389e TB |
452 | * |
453 | * @param encr encryption key, if any (cloned) | |
454 | * @param integ integrity key (cloned) | |
455 | * @param spi SPI to use, allocated for inbound | |
456 | * @param cpi CPI to use, allocated for outbound | |
639af09b | 457 | * @param initiator TRUE if initiator of exchange resulting in this SA |
8a3a389e | 458 | * @param tfcv3 TRUE if peer supports ESPv3 TFC |
a146b4c9 | 459 | * @return SUCCESS or FAILED |
8a3a389e | 460 | */ |
a146b4c9 | 461 | status_t (*register_outbound)(child_sa_t *this, chunk_t encr, chunk_t integ, |
639af09b TB |
462 | uint32_t spi, uint16_t cpi, bool initiator, |
463 | bool tfcv3); | |
8a3a389e TB |
464 | |
465 | /** | |
a146b4c9 TB |
466 | * Install the outbound policies and, if not already done, the outbound SA |
467 | * as responder during a rekeying. | |
8a3a389e TB |
468 | * |
469 | * @return SUCCESS or FAILED | |
470 | */ | |
471 | status_t (*install_outbound)(child_sa_t *this); | |
472 | ||
c5fed4cd TB |
473 | /** |
474 | * Remove the outbound SA and the outbound policies after a rekeying. | |
475 | */ | |
476 | void (*remove_outbound)(child_sa_t *this); | |
477 | ||
a527a426 | 478 | /** |
4989aba8 | 479 | * Configure the policies using some traffic selectors. |
8d77edde | 480 | * |
7881ac14 | 481 | * Supplied lists of traffic_selector_t's specify the policies |
a527a426 MW |
482 | * to use for this child sa. |
483 | * | |
4989aba8 TB |
484 | * Install the policies by calling install_policies(). |
485 | * | |
486 | * This should be called before calling install() so the traffic selectors | |
487 | * may be passed to the kernel interface when installing the SAs. | |
488 | * | |
489 | * @param my_ts traffic selectors for local site (cloned) | |
490 | * @param other_ts traffic selectors for remote site (cloned) | |
491 | */ | |
492 | void (*set_policies)(child_sa_t *this, linked_list_t *my_ts_list, | |
493 | linked_list_t *other_ts_list); | |
494 | ||
495 | /** | |
496 | * Install the configured policies. | |
497 | * | |
8a3a389e TB |
498 | * If register_outbound() was called previously this only installs the |
499 | * inbound and forward policies, the outbound policies are installed when | |
500 | * install_outbound() is called. | |
501 | * | |
a527a426 | 502 | * @return SUCCESS or FAILED |
c3a78360 | 503 | */ |
4989aba8 TB |
504 | status_t (*install_policies)(child_sa_t *this); |
505 | ||
cad13450 TB |
506 | /** |
507 | * Set the outbound SPI of the CHILD_SA that replaced this CHILD_SA during | |
508 | * a rekeying. | |
509 | * | |
510 | * @param spi outbound SPI of the CHILD_SA that replaced this CHILD_SA | |
511 | */ | |
512 | void (*set_rekey_spi)(child_sa_t *this, uint32_t spi); | |
513 | ||
514 | /** | |
515 | * Get the outbound SPI of the CHILD_SA that replaced this CHILD_SA during | |
516 | * a rekeying. | |
517 | * | |
518 | * @return outbound SPI of the CHILD_SA that replaced this CHILD_SA | |
519 | */ | |
520 | uint32_t (*get_rekey_spi)(child_sa_t *this); | |
521 | ||
1df106bf | 522 | /** |
b3ab7a48 | 523 | * Update hosts and ecapsulation mode in the kernel SAs and policies. |
1df106bf | 524 | * |
3aaf7908 MW |
525 | * @param me the new local host |
526 | * @param other the new remote host | |
101d26ba | 527 | * @param vips list of local virtual IPs |
0ceb2888 | 528 | * @param encap TRUE to use UDP encapsulation for NAT traversal |
3aaf7908 | 529 | * @return SUCCESS or FAILED |
d4aad554 | 530 | */ |
3aaf7908 | 531 | status_t (*update)(child_sa_t *this, host_t *me, host_t *other, |
101d26ba | 532 | linked_list_t *vips, bool encap); |
3ebebc5e | 533 | /** |
552cc11b | 534 | * Destroys a child_sa. |
3ebebc5e MW |
535 | */ |
536 | void (*destroy) (child_sa_t *this); | |
537 | }; | |
538 | ||
fafa7698 TB |
539 | /** |
540 | * Data passed to the constructor of a child_sa_t object. | |
541 | */ | |
542 | struct child_sa_create_t { | |
543 | /** Optional reqid of old CHILD_SA when rekeying */ | |
544 | uint32_t reqid; | |
545 | /** Optional inbound mark when rekeying */ | |
546 | uint32_t mark_in; | |
547 | /** Optional outbound mark when rekeying */ | |
548 | uint32_t mark_out; | |
549 | /** Optional inbound interface ID when rekeying */ | |
550 | uint32_t if_id_in; | |
551 | /** Optional outbound interface ID when rekeying */ | |
552 | uint32_t if_id_out; | |
553 | /** Optional default inbound interface ID, if neither if_id_in, nor config | |
554 | * sets one */ | |
555 | uint32_t if_id_in_def; | |
556 | /** Optional default outbound interface ID, if neither if_id_out, nor config | |
557 | * sets one */ | |
558 | uint32_t if_id_out_def; | |
139d6558 TB |
559 | /** Optional security label to apply on SAs (cloned) */ |
560 | sec_label_t *label; | |
fafa7698 TB |
561 | /** TRUE to enable UDP encapsulation (NAT traversal) */ |
562 | bool encap; | |
563 | }; | |
564 | ||
3ebebc5e | 565 | /** |
34d240a6 | 566 | * Constructor to create a child SA negotiated with IKE. |
aeeb4f4f | 567 | * |
d487b4b7 AS |
568 | * @param me own address |
569 | * @param other remote address | |
d487b4b7 | 570 | * @param config config to use for this CHILD_SA |
fafa7698 | 571 | * @param data data for this CHILD_SA |
d487b4b7 | 572 | * @return child_sa_t object |
3ebebc5e | 573 | */ |
139d6558 | 574 | child_sa_t *child_sa_create(host_t *me, host_t *other, child_cfg_t *config, |
fafa7698 | 575 | child_sa_create_t *data); |
5b97779f | 576 | |
1490ff4d | 577 | #endif /** CHILD_SA_H_ @}*/ |