]> git.ipfire.org Git - thirdparty/strongswan.git/blame - src/libcharon/sa/child_sa.h
projects / thirdparty / strongswan.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
proposal: Move proposal_t from libcharon to libstrongswan
[thirdparty/strongswan.git] / src / libcharon / sa / child_sa.h
CommitLineData
3ebebc5e 1/*
4989aba8 2 * Copyright (C) 2006-2017 Tobias Brunner
3aaf7908 3 * Copyright (C) 2006-2008 Martin Willi
d4aad554 4 * Copyright (C) 2006 Daniel Roethlisberger
4989aba8 5 * HSR Hochschule fuer Technik Rapperswil
3ebebc5e
MW		 6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
552cc11b
MW		 18/**
19 * @defgroup child_sa child_sa
20 * @{ @ingroup sa
21 */
3ebebc5e 22
16b9a73c
MW		 23#ifndef CHILD_SA_H_
24#define CHILD_SA_H_
3ebebc5e 25
382b4817 26typedef enum child_sa_state_t child_sa_state_t;
afbea8ce 27typedef enum child_sa_outbound_state_t child_sa_outbound_state_t;
382b4817
MW		 28typedef struct child_sa_t child_sa_t;
29
db7ef624 30#include <library.h>
68621281 31#include <crypto/prf_plus.h>
3ebebc5e 32#include <encoding/payloads/proposal_substructure.h>
2307bffe 33#include <crypto/proposal/proposal.h>
e0fe7651 34#include <config/child_cfg.h>
3ebebc5e 35
bcb95ced 36/**
552cc11b 37 * States of a CHILD_SA
bcb95ced
MW		 38 */
39enum child_sa_state_t {
7daf5226 40
bcb95ced
MW		 41 /**
42 * Just created, uninstalled CHILD_SA
43 */
44 CHILD_CREATED,
7daf5226 45
45f76a7d
MW		 46 /**
47 * Installed SPD, but no SAD entries
48 */
49 CHILD_ROUTED,
7daf5226 50
ea625fab
TB		 51 /**
52 * Installing an in-use CHILD_SA
53 */
54 CHILD_INSTALLING,
7daf5226 55
83186d3c
TB		 56 /**
57 * Installed both SAs of a CHILD_SA
bcb95ced
MW		 58 */
59 CHILD_INSTALLED,
7daf5226 60
ad3af574
MW		 61 /**
62 * While updating hosts, in update_hosts()
63 */
64 CHILD_UPDATING,
7daf5226 65
bcb95ced
MW		 66 /**
67 * CHILD_SA which is rekeying
68 */
69 CHILD_REKEYING,
7daf5226 70
70728eb1
TB		 71 /**
72 * CHILD_SA that was rekeyed, but stays installed
73 */
74 CHILD_REKEYED,
75
013857ad
MW		 76 /**
77 * CHILD_SA negotiation failed, but gets retried
78 */
79 CHILD_RETRYING,
80
bcb95ced
MW		 81 /**
82 * CHILD_SA in progress of delete
83 */
84 CHILD_DELETING,
7daf5226 85
a985db3f
MW		 86 /**
87 * CHILD_SA object gets destroyed
88 */
89 CHILD_DESTROYING,
bcb95ced
MW		 90};
91
92/**
60356f33 93 * enum strings for child_sa_state_t.
bcb95ced 94 */
60356f33 95extern enum_name_t *child_sa_state_names;
bcb95ced 96
afbea8ce
TB		 97/**
98 * States of the outbound SA of a CHILD_SA
99 */
100enum child_sa_outbound_state_t {
101
102 /**
103 * Outbound SA is not installed
104 */
2c116ef5 105 CHILD_OUTBOUND_NONE = 0,
afbea8ce
TB		 106
107 /**
2c116ef5
TB		 108 * Data for the outbound SA has been registered during a rekeying (not set
109 * once the SA and policies are both installed)
afbea8ce 110 */
2c116ef5 111 CHILD_OUTBOUND_REGISTERED = (1<<0),
afbea8ce
TB		 112
113 /**
2c116ef5 114 * The outbound SA has been installed
afbea8ce 115 */
2c116ef5
TB		 116 CHILD_OUTBOUND_SA = (1<<1),
117
118 /**
119 * The outbound policies have been installed
120 */
121 CHILD_OUTBOUND_POLICIES = (1<<2),
122
123 /**
124 * The outbound SA and policies are both installed
125 */
126 CHILD_OUTBOUND_INSTALLED = (CHILD_OUTBOUND_SA|CHILD_OUTBOUND_POLICIES),
afbea8ce
TB		 127};
128
129/**
130 * enum strings for child_sa_outbound_state_t.
131 */
132extern enum_name_t *child_sa_outbound_state_names;
133
3ebebc5e 134/**
552cc11b 135 * Represents an IPsec SAs between two hosts.
c3a78360 136 *
1396815a
MW		 137 * A child_sa_t contains two SAs. SAs for both
138 * directions are managed in one child_sa_t object. Both
139 * SAs and the policies have the same reqid.
c3a78360 140 *
a527a426 141 * The procedure for child sa setup is as follows:
3aaf7908
MW		 142 * - A gets SPIs for a all protocols in its proposals via child_sa_t.alloc
143 * - A send the proposals with the allocated SPIs to B
a527a426 144 * - B selects a suitable proposal
3aaf7908
MW		 145 * - B allocates an SPI for the selected protocol
146 * - B calls child_sa_t.install for both, the allocated and received SPI
147 * - B sends the proposal with the allocated SPI to A
148 * - A calls child_sa_t.install for both, the allocated and recevied SPI
c3a78360 149 *
aa5a35a0 150 * Once SAs are set up, policies can be added using add_policies.
3ebebc5e
MW		 151 */
152struct child_sa_t {
7daf5226 153
9be547c0 154 /**
552cc11b 155 * Get the name of the config this CHILD_SA uses.
9be547c0 156 *
552cc11b 157 * @return name
9be547c0
MW		 158 */
159 char* (*get_name) (child_sa_t *this);
7daf5226 160
9be547c0 161 /**
552cc11b 162 * Get the reqid of the CHILD SA.
c3a78360 163 *
c60c7694
MW		 164 * Every CHILD_SA has a reqid. The kernel uses this ID to
165 * identify it.
32b6500f 166 *
32b6500f
MW		 167 * @return reqid of the CHILD SA
168 */
b12c53ce 169 uint32_t (*get_reqid)(child_sa_t *this);
7daf5226 170
4ec397b8
MW		 171 /**
172 * Get the unique numerical identifier for this CHILD_SA.
173 *
174 * While the same reqid might be shared between multiple SAs, the unique_id
175 * is truly unique for all CHILD_SA instances.
176 *
177 * @return unique CHILD_SA identifier
178 */
b12c53ce 179 uint32_t (*get_unique_id)(child_sa_t *this);
4ec397b8 180
3aaf7908
MW		 181 /**
182 * Get the config used to set up this child sa.
183 *
184 * @return child_cfg
185 */
186 child_cfg_t* (*get_config) (child_sa_t *this);
7daf5226 187
3aaf7908
MW		 188 /**
189 * Get the state of the CHILD_SA.
190 *
191 * @return CHILD_SA state
c3a78360 192 */
afbea8ce
TB		 193 child_sa_state_t (*get_state)(child_sa_t *this);
194
195 /**
196 * Get the state of the outbound SA.
197 *
198 * @return outbound SA state
199 */
200 child_sa_outbound_state_t (*get_outbound_state)(child_sa_t *this);
7daf5226 201
3aaf7908
MW		 202 /**
203 * Set the state of the CHILD_SA.
204 *
205 * @param state state to set on CHILD_SA
c3a78360 206 */
3aaf7908 207 void (*set_state) (child_sa_t *this, child_sa_state_t state);
7daf5226 208
8d77edde 209 /**
552cc11b 210 * Get the SPI of this CHILD_SA.
c3a78360 211 *
8d77edde
MW		 212 * Set the boolean parameter inbound to TRUE to
213 * get the SPI for which we receive packets, use
214 * FALSE to get those we use for sending packets.
215 *
8d77edde 216 * @param inbound TRUE to get inbound SPI, FALSE for outbound.
66da78b4 217 * @return SPI of the CHILD SA
8d77edde 218 */
b12c53ce 219 uint32_t (*get_spi) (child_sa_t *this, bool inbound);
7daf5226 220
66da78b4
AS		 221 /**
222 * Get the CPI of this CHILD_SA.
c3a78360 223 *
66da78b4 224 * Set the boolean parameter inbound to TRUE to
32f5ee15 225 * get the CPI for which we receive packets, use
66da78b4
AS		 226 * FALSE to get those we use for sending packets.
227 *
228 * @param inbound TRUE to get inbound CPI, FALSE for outbound.
229 * @return CPI of the CHILD SA
230 */
b12c53ce 231 uint16_t (*get_cpi) (child_sa_t *this, bool inbound);
66da78b4 232
8d77edde 233 /**
552cc11b 234 * Get the protocol which this CHILD_SA uses to protect traffic.
8d77edde 235 *
8d77edde
MW		 236 * @return AH | ESP
237 */
238 protocol_id_t (*get_protocol) (child_sa_t *this);
7daf5226 239
3aaf7908
MW		 240 /**
241 * Set the negotiated protocol to use for this CHILD_SA.
242 *
243 * @param protocol AH | ESP
244 */
245 void (*set_protocol)(child_sa_t *this, protocol_id_t protocol);
7daf5226 246
a3ce4bc2 247 /**
6e10aead 248 * Get the IPsec mode of this CHILD_SA.
a3ce4bc2 249 *
6e10aead 250 * @return TUNNEL | TRANSPORT | BEET
a3ce4bc2 251 */
6e10aead 252 ipsec_mode_t (*get_mode)(child_sa_t *this);
7daf5226 253
3aaf7908
MW		 254 /**
255 * Set the negotiated IPsec mode to use.
256 *
257 * @param mode TUNNEL | TRANPORT | BEET
258 */
259 void (*set_mode)(child_sa_t *this, ipsec_mode_t mode);
7daf5226 260
82d20c05
MW		 261 /**
262 * Get the used IPComp algorithm.
263 *
264 * @return IPComp compression algorithm.
265 */
266 ipcomp_transform_t (*get_ipcomp)(child_sa_t *this);
7daf5226 267
3aaf7908
MW		 268 /**
269 * Set the IPComp algorithm to use.
c3a78360 270 *
3aaf7908
MW		 271 * @param ipcomp the IPComp transform to use
272 */
273 void (*set_ipcomp)(child_sa_t *this, ipcomp_transform_t ipcomp);
7daf5226 274
4c401ea2
MW		 275 /**
276 * Get the action to enforce if the remote peer closes the CHILD_SA.
277 *
278 * @return close action
279 */
280 action_t (*get_close_action)(child_sa_t *this);
281
282 /**
283 * Override the close action specified by the CHILD_SA config.
284 *
285 * @param close action to enforce
286 */
287 void (*set_close_action)(child_sa_t *this, action_t action);
288
289 /**
290 * Get the action to enforce if the peer is considered dead.
291 *
292 * @return dpd action
293 */
294 action_t (*get_dpd_action)(child_sa_t *this);
295
296 /**
297 * Override the DPD action specified by the CHILD_SA config.
298 *
0ceb2888 299 * @param dpd action to enforce
4c401ea2
MW		 300 */
301 void (*set_dpd_action)(child_sa_t *this, action_t action);
302
3aaf7908
MW		 303 /**
304 * Get the selected proposal.
305 *
306 * @return selected proposal
307 */
308 proposal_t* (*get_proposal)(child_sa_t *this);
7daf5226 309
3aaf7908
MW		 310 /**
311 * Set the negotiated proposal.
312 *
313 * @param proposal selected proposal
314 */
c3a78360 315 void (*set_proposal)(child_sa_t *this, proposal_t *proposal);
7daf5226 316
82d20c05
MW		 317 /**
318 * Check if this CHILD_SA uses UDP encapsulation.
319 *
320 * @return TRUE if SA encapsulates ESP packets
321 */
322 bool (*has_encap)(child_sa_t *this);
7daf5226 323
6e10aead 324 /**
e3c7e729 325 * Get the absolute time when the CHILD_SA expires or gets rekeyed.
6e10aead
MW		 326 *
327 * @param hard TRUE for hard lifetime, FALSE for soft (rekey) lifetime
e3c7e729 328 * @return absolute time
6e10aead 329 */
e3c7e729 330 time_t (*get_lifetime)(child_sa_t *this, bool hard);
7daf5226 331
763e0353
MW		 332 /**
333 * Get the absolute time when this SA has been installed.
334 *
335 * @return monotonic absolute install time
336 */
337 time_t (*get_installtime)(child_sa_t *this);
338
6e10aead 339 /**
c3a78360 340 * Get last use time and the number of bytes processed.
2ad51539 341 *
3f720dc7 342 * @param inbound TRUE for inbound traffic, FALSE for outbound
c3a78360
TB		 343 * @param[out] time time of last use in seconds (NULL to ignore)
344 * @param[out] bytes number of processed bytes (NULL to ignore)
d954a208 345 * @param[out] packets number of processed packets (NULL to ignore)
2ad51539 346 */
c3a78360 347 void (*get_usestats)(child_sa_t *this, bool inbound, time_t *time,
b12c53ce 348 uint64_t *bytes, uint64_t *packets);
7daf5226 349
79f39ecf
MW		 350 /**
351 * Get the mark used with this CHILD_SA.
352 *
353 * @param inbound TRUE to get inbound mark, FALSE for outbound
354 * @return mark used with this CHILD_SA
355 */
356 mark_t (*get_mark)(child_sa_t *this, bool inbound);
357
144f676c 358 /**
553bb787 359 * Create an enumerator over traffic selectors of one side.
a527a426 360 *
553bb787
MW		 361 * @param local TRUE for own traffic selectors, FALSE for remote.
362 * @return enumerator over traffic_selector_t*
c3a78360 363 */
553bb787 364 enumerator_t* (*create_ts_enumerator)(child_sa_t *this, bool local);
7daf5226 365
a527a426 366 /**
3aaf7908 367 * Create an enumerator over installed policies.
a527a426 368 *
553bb787
MW		 369 * The enumerated traffic selectors is a full mesh of compatible local
370 * and remote traffic selectors.
371 *
372 * @return enumerator over a pair of traffic_selector_t*
a527a426 373 */
3aaf7908 374 enumerator_t* (*create_policy_enumerator)(child_sa_t *this);
7daf5226 375
a527a426 376 /**
3aaf7908 377 * Allocate an SPI to include in a proposal.
a527a426 378 *
3aaf7908
MW		 379 * @param protocol protocol to allocate SPI for (ESP|AH)
380 * @param spi SPI output pointer
381 * @return SPI, 0 on failure
a527a426 382 */
b12c53ce 383 uint32_t (*alloc_spi)(child_sa_t *this, protocol_id_t protocol);
7daf5226 384
80853d84 385 /**
3aaf7908 386 * Allocate a CPI to use for IPComp.
80853d84 387 *
3aaf7908 388 * @return CPI, 0 on failure
80853d84 389 */
b12c53ce 390 uint16_t (*alloc_cpi)(child_sa_t *this);
7daf5226 391
1396815a 392 /**
3aaf7908 393 * Install an IPsec SA for one direction.
1396815a 394 *
4989aba8
TB		 395 * set_policies() should be called before calling this.
396 *
3aaf7908
MW		 397 * @param encr encryption key, if any
398 * @param integ integrity key
399 * @param spi SPI to use, allocated for inbound
400 * @param cpi CPI to use, allocated for outbound
a8c94544 401 * @param initiator TRUE if initiator of exchange resulting in this SA
3aaf7908 402 * @param inbound TRUE to install an inbound SA, FALSE for outbound
55df72e6 403 * @param tfcv3 TRUE if peer supports ESPv3 TFC
2b3100b5 404 * @return SUCCESS or FAILED
1396815a 405 */
3aaf7908 406 status_t (*install)(child_sa_t *this, chunk_t encr, chunk_t integ,
b12c53ce 407 uint32_t spi, uint16_t cpi,
4989aba8
TB		 408 bool initiator, bool inbound, bool tfcv3);
409
8a3a389e
TB		 410 /**
411 * Register data for the installation of an outbound SA as responder during
412 * a rekeying.
413 *
a146b4c9
TB		 414 * If the kernel is able to handle SPIs on policies the SA is installed
415 * immediately, if not it won't be installed until install_outbound() is
416 * called.
8a3a389e
TB		 417 *
418 * @param encr encryption key, if any (cloned)
419 * @param integ integrity key (cloned)
420 * @param spi SPI to use, allocated for inbound
421 * @param cpi CPI to use, allocated for outbound
422 * @param tfcv3 TRUE if peer supports ESPv3 TFC
a146b4c9 423 * @return SUCCESS or FAILED
8a3a389e 424 */
a146b4c9
TB		 425 status_t (*register_outbound)(child_sa_t *this, chunk_t encr, chunk_t integ,
426 uint32_t spi, uint16_t cpi, bool tfcv3);
8a3a389e
TB		 427
428 /**
a146b4c9
TB		 429 * Install the outbound policies and, if not already done, the outbound SA
430 * as responder during a rekeying.
8a3a389e
TB		 431 *
432 * @return SUCCESS or FAILED
433 */
434 status_t (*install_outbound)(child_sa_t *this);
435
c5fed4cd
TB		 436 /**
437 * Remove the outbound SA and the outbound policies after a rekeying.
438 */
439 void (*remove_outbound)(child_sa_t *this);
440
a527a426 441 /**
4989aba8 442 * Configure the policies using some traffic selectors.
8d77edde 443 *
7881ac14 444 * Supplied lists of traffic_selector_t's specify the policies
a527a426
MW		 445 * to use for this child sa.
446 *
4989aba8
TB		 447 * Install the policies by calling install_policies().
448 *
449 * This should be called before calling install() so the traffic selectors
450 * may be passed to the kernel interface when installing the SAs.
451 *
452 * @param my_ts traffic selectors for local site (cloned)
453 * @param other_ts traffic selectors for remote site (cloned)
454 */
455 void (*set_policies)(child_sa_t *this, linked_list_t *my_ts_list,
456 linked_list_t *other_ts_list);
457
458 /**
459 * Install the configured policies.
460 *
8a3a389e
TB		 461 * If register_outbound() was called previously this only installs the
462 * inbound and forward policies, the outbound policies are installed when
463 * install_outbound() is called.
464 *
a527a426 465 * @return SUCCESS or FAILED
c3a78360 466 */
4989aba8
TB		 467 status_t (*install_policies)(child_sa_t *this);
468
cad13450
TB		 469 /**
470 * Set the outbound SPI of the CHILD_SA that replaced this CHILD_SA during
471 * a rekeying.
472 *
473 * @param spi outbound SPI of the CHILD_SA that replaced this CHILD_SA
474 */
475 void (*set_rekey_spi)(child_sa_t *this, uint32_t spi);
476
477 /**
478 * Get the outbound SPI of the CHILD_SA that replaced this CHILD_SA during
479 * a rekeying.
480 *
481 * @return outbound SPI of the CHILD_SA that replaced this CHILD_SA
482 */
483 uint32_t (*get_rekey_spi)(child_sa_t *this);
484
1df106bf 485 /**
3aaf7908 486 * Update hosts and ecapulation mode in the kernel SAs and policies.
1df106bf 487 *
3aaf7908
MW		 488 * @param me the new local host
489 * @param other the new remote host
101d26ba 490 * @param vips list of local virtual IPs
0ceb2888 491 * @param encap TRUE to use UDP encapsulation for NAT traversal
3aaf7908 492 * @return SUCCESS or FAILED
d4aad554 493 */
3aaf7908 494 status_t (*update)(child_sa_t *this, host_t *me, host_t *other,
101d26ba 495 linked_list_t *vips, bool encap);
3ebebc5e 496 /**
552cc11b 497 * Destroys a child_sa.
3ebebc5e
MW		 498 */
499 void (*destroy) (child_sa_t *this);
500};
501
502/**
34d240a6 503 * Constructor to create a child SA negotiated with IKE.
aeeb4f4f 504 *
d487b4b7
AS		 505 * @param me own address
506 * @param other remote address
d487b4b7
AS		 507 * @param config config to use for this CHILD_SA
508 * @param reqid reqid of old CHILD_SA when rekeying, 0 otherwise
509 * @param encap TRUE to enable UDP encapsulation (NAT traversal)
85b23888
MW		 510 * @param mark_in explicit inbound mark value to use, 0 for config
511 * @param mark_out explicit outbound mark value to use, 0 for config
d487b4b7 512 * @return child_sa_t object
3ebebc5e 513 */
ad3af574 514child_sa_t * child_sa_create(host_t *me, host_t *other, child_cfg_t *config,
b12c53ce 515 uint32_t reqid, bool encap,
85b23888 516 u_int mark_in, u_int mark_out);
5b97779f 517
1490ff4d 518#endif /** CHILD_SA_H_ @}*/
Unnamed repository; edit this file 'description' to name the repository.