]> git.ipfire.org Git - thirdparty/strongswan.git/blame - src/libcharon/sa/child_sa.h
projects / thirdparty / strongswan.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
child-sa: Configure interface ID on SAs and policies
[thirdparty/strongswan.git] / src / libcharon / sa / child_sa.h
CommitLineData
3ebebc5e 1/*
a6014d99 2 * Copyright (C) 2006-2019 Tobias Brunner
3aaf7908 3 * Copyright (C) 2006-2008 Martin Willi
d4aad554 4 * Copyright (C) 2006 Daniel Roethlisberger
4989aba8 5 * HSR Hochschule fuer Technik Rapperswil
3ebebc5e
MW		 6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
552cc11b
MW		 18/**
19 * @defgroup child_sa child_sa
20 * @{ @ingroup sa
21 */
3ebebc5e 22
16b9a73c
MW		 23#ifndef CHILD_SA_H_
24#define CHILD_SA_H_
3ebebc5e 25
382b4817 26typedef enum child_sa_state_t child_sa_state_t;
afbea8ce 27typedef enum child_sa_outbound_state_t child_sa_outbound_state_t;
382b4817
MW		 28typedef struct child_sa_t child_sa_t;
29
db7ef624 30#include <library.h>
68621281 31#include <crypto/prf_plus.h>
3ebebc5e 32#include <encoding/payloads/proposal_substructure.h>
2307bffe 33#include <crypto/proposal/proposal.h>
e0fe7651 34#include <config/child_cfg.h>
3ebebc5e 35
bcb95ced 36/**
552cc11b 37 * States of a CHILD_SA
bcb95ced
MW		 38 */
39enum child_sa_state_t {
7daf5226 40
bcb95ced
MW		 41 /**
42 * Just created, uninstalled CHILD_SA
43 */
44 CHILD_CREATED,
7daf5226 45
45f76a7d
MW		 46 /**
47 * Installed SPD, but no SAD entries
48 */
49 CHILD_ROUTED,
7daf5226 50
ea625fab
TB		 51 /**
52 * Installing an in-use CHILD_SA
53 */
54 CHILD_INSTALLING,
7daf5226 55
83186d3c
TB		 56 /**
57 * Installed both SAs of a CHILD_SA
bcb95ced
MW		 58 */
59 CHILD_INSTALLED,
7daf5226 60
ad3af574
MW		 61 /**
62 * While updating hosts, in update_hosts()
63 */
64 CHILD_UPDATING,
7daf5226 65
bcb95ced
MW		 66 /**
67 * CHILD_SA which is rekeying
68 */
69 CHILD_REKEYING,
7daf5226 70
70728eb1
TB		 71 /**
72 * CHILD_SA that was rekeyed, but stays installed
73 */
74 CHILD_REKEYED,
75
013857ad
MW		 76 /**
77 * CHILD_SA negotiation failed, but gets retried
78 */
79 CHILD_RETRYING,
80
bcb95ced
MW		 81 /**
82 * CHILD_SA in progress of delete
83 */
84 CHILD_DELETING,
7daf5226 85
16898026
TB		 86 /**
87 * CHILD_SA has been deleted, but not yet destroyed
88 */
89 CHILD_DELETED,
90
a985db3f
MW		 91 /**
92 * CHILD_SA object gets destroyed
93 */
94 CHILD_DESTROYING,
bcb95ced
MW		 95};
96
97/**
60356f33 98 * enum strings for child_sa_state_t.
bcb95ced 99 */
60356f33 100extern enum_name_t *child_sa_state_names;
bcb95ced 101
afbea8ce
TB		 102/**
103 * States of the outbound SA of a CHILD_SA
104 */
105enum child_sa_outbound_state_t {
106
107 /**
108 * Outbound SA is not installed
109 */
2c116ef5 110 CHILD_OUTBOUND_NONE = 0,
afbea8ce
TB		 111
112 /**
2c116ef5
TB		 113 * Data for the outbound SA has been registered during a rekeying (not set
114 * once the SA and policies are both installed)
afbea8ce 115 */
2c116ef5 116 CHILD_OUTBOUND_REGISTERED = (1<<0),
afbea8ce
TB		 117
118 /**
2c116ef5 119 * The outbound SA has been installed
afbea8ce 120 */
2c116ef5
TB		 121 CHILD_OUTBOUND_SA = (1<<1),
122
123 /**
124 * The outbound policies have been installed
125 */
126 CHILD_OUTBOUND_POLICIES = (1<<2),
127
128 /**
129 * The outbound SA and policies are both installed
130 */
131 CHILD_OUTBOUND_INSTALLED = (CHILD_OUTBOUND_SA|CHILD_OUTBOUND_POLICIES),
afbea8ce
TB		 132};
133
134/**
135 * enum strings for child_sa_outbound_state_t.
136 */
137extern enum_name_t *child_sa_outbound_state_names;
138
3ebebc5e 139/**
552cc11b 140 * Represents an IPsec SAs between two hosts.
c3a78360 141 *
1396815a
MW		 142 * A child_sa_t contains two SAs. SAs for both
143 * directions are managed in one child_sa_t object. Both
144 * SAs and the policies have the same reqid.
c3a78360 145 *
a527a426 146 * The procedure for child sa setup is as follows:
3aaf7908
MW		 147 * - A gets SPIs for a all protocols in its proposals via child_sa_t.alloc
148 * - A send the proposals with the allocated SPIs to B
a527a426 149 * - B selects a suitable proposal
3aaf7908
MW		 150 * - B allocates an SPI for the selected protocol
151 * - B calls child_sa_t.install for both, the allocated and received SPI
152 * - B sends the proposal with the allocated SPI to A
2db6d5b8 153 * - A calls child_sa_t.install for both, the allocated and received SPI
c3a78360 154 *
aa5a35a0 155 * Once SAs are set up, policies can be added using add_policies.
3ebebc5e
MW		 156 */
157struct child_sa_t {
7daf5226 158
9be547c0 159 /**
552cc11b 160 * Get the name of the config this CHILD_SA uses.
9be547c0 161 *
552cc11b 162 * @return name
9be547c0
MW		 163 */
164 char* (*get_name) (child_sa_t *this);
7daf5226 165
9be547c0 166 /**
552cc11b 167 * Get the reqid of the CHILD SA.
c3a78360 168 *
c60c7694
MW		 169 * Every CHILD_SA has a reqid. The kernel uses this ID to
170 * identify it.
32b6500f 171 *
32b6500f
MW		 172 * @return reqid of the CHILD SA
173 */
b12c53ce 174 uint32_t (*get_reqid)(child_sa_t *this);
7daf5226 175
4ec397b8
MW		 176 /**
177 * Get the unique numerical identifier for this CHILD_SA.
178 *
179 * While the same reqid might be shared between multiple SAs, the unique_id
180 * is truly unique for all CHILD_SA instances.
181 *
182 * @return unique CHILD_SA identifier
183 */
b12c53ce 184 uint32_t (*get_unique_id)(child_sa_t *this);
4ec397b8 185
3aaf7908
MW		 186 /**
187 * Get the config used to set up this child sa.
188 *
189 * @return child_cfg
190 */
191 child_cfg_t* (*get_config) (child_sa_t *this);
7daf5226 192
3aaf7908
MW		 193 /**
194 * Get the state of the CHILD_SA.
195 *
196 * @return CHILD_SA state
c3a78360 197 */
afbea8ce
TB		 198 child_sa_state_t (*get_state)(child_sa_t *this);
199
200 /**
201 * Get the state of the outbound SA.
202 *
203 * @return outbound SA state
204 */
205 child_sa_outbound_state_t (*get_outbound_state)(child_sa_t *this);
7daf5226 206
3aaf7908
MW		 207 /**
208 * Set the state of the CHILD_SA.
209 *
210 * @param state state to set on CHILD_SA
c3a78360 211 */
3aaf7908 212 void (*set_state) (child_sa_t *this, child_sa_state_t state);
7daf5226 213
8d77edde 214 /**
552cc11b 215 * Get the SPI of this CHILD_SA.
c3a78360 216 *
8d77edde
MW		 217 * Set the boolean parameter inbound to TRUE to
218 * get the SPI for which we receive packets, use
219 * FALSE to get those we use for sending packets.
220 *
8d77edde 221 * @param inbound TRUE to get inbound SPI, FALSE for outbound.
66da78b4 222 * @return SPI of the CHILD SA
8d77edde 223 */
b12c53ce 224 uint32_t (*get_spi) (child_sa_t *this, bool inbound);
7daf5226 225
66da78b4
AS		 226 /**
227 * Get the CPI of this CHILD_SA.
c3a78360 228 *
66da78b4 229 * Set the boolean parameter inbound to TRUE to
32f5ee15 230 * get the CPI for which we receive packets, use
66da78b4
AS		 231 * FALSE to get those we use for sending packets.
232 *
233 * @param inbound TRUE to get inbound CPI, FALSE for outbound.
234 * @return CPI of the CHILD SA
235 */
b12c53ce 236 uint16_t (*get_cpi) (child_sa_t *this, bool inbound);
66da78b4 237
8d77edde 238 /**
552cc11b 239 * Get the protocol which this CHILD_SA uses to protect traffic.
8d77edde 240 *
8d77edde
MW		 241 * @return AH | ESP
242 */
243 protocol_id_t (*get_protocol) (child_sa_t *this);
7daf5226 244
3aaf7908
MW		 245 /**
246 * Set the negotiated protocol to use for this CHILD_SA.
247 *
248 * @param protocol AH | ESP
249 */
250 void (*set_protocol)(child_sa_t *this, protocol_id_t protocol);
7daf5226 251
a3ce4bc2 252 /**
6e10aead 253 * Get the IPsec mode of this CHILD_SA.
a3ce4bc2 254 *
6e10aead 255 * @return TUNNEL | TRANSPORT | BEET
a3ce4bc2 256 */
6e10aead 257 ipsec_mode_t (*get_mode)(child_sa_t *this);
7daf5226 258
3aaf7908
MW		 259 /**
260 * Set the negotiated IPsec mode to use.
261 *
2db6d5b8 262 * @param mode TUNNEL | TRANSPORT | BEET
3aaf7908
MW		 263 */
264 void (*set_mode)(child_sa_t *this, ipsec_mode_t mode);
7daf5226 265
82d20c05
MW		 266 /**
267 * Get the used IPComp algorithm.
268 *
269 * @return IPComp compression algorithm.
270 */
271 ipcomp_transform_t (*get_ipcomp)(child_sa_t *this);
7daf5226 272
3aaf7908
MW		 273 /**
274 * Set the IPComp algorithm to use.
c3a78360 275 *
3aaf7908
MW		 276 * @param ipcomp the IPComp transform to use
277 */
278 void (*set_ipcomp)(child_sa_t *this, ipcomp_transform_t ipcomp);
7daf5226 279
4c401ea2
MW		 280 /**
281 * Get the action to enforce if the remote peer closes the CHILD_SA.
282 *
283 * @return close action
284 */
285 action_t (*get_close_action)(child_sa_t *this);
286
287 /**
288 * Override the close action specified by the CHILD_SA config.
289 *
290 * @param close action to enforce
291 */
292 void (*set_close_action)(child_sa_t *this, action_t action);
293
294 /**
295 * Get the action to enforce if the peer is considered dead.
296 *
297 * @return dpd action
298 */
299 action_t (*get_dpd_action)(child_sa_t *this);
300
301 /**
302 * Override the DPD action specified by the CHILD_SA config.
303 *
0ceb2888 304 * @param dpd action to enforce
4c401ea2
MW		 305 */
306 void (*set_dpd_action)(child_sa_t *this, action_t action);
307
3aaf7908
MW		 308 /**
309 * Get the selected proposal.
310 *
311 * @return selected proposal
312 */
313 proposal_t* (*get_proposal)(child_sa_t *this);
7daf5226 314
3aaf7908
MW		 315 /**
316 * Set the negotiated proposal.
317 *
318 * @param proposal selected proposal
319 */
c3a78360 320 void (*set_proposal)(child_sa_t *this, proposal_t *proposal);
7daf5226 321
82d20c05
MW		 322 /**
323 * Check if this CHILD_SA uses UDP encapsulation.
324 *
325 * @return TRUE if SA encapsulates ESP packets
326 */
327 bool (*has_encap)(child_sa_t *this);
7daf5226 328
6e10aead 329 /**
e3c7e729 330 * Get the absolute time when the CHILD_SA expires or gets rekeyed.
6e10aead
MW		 331 *
332 * @param hard TRUE for hard lifetime, FALSE for soft (rekey) lifetime
e3c7e729 333 * @return absolute time
6e10aead 334 */
e3c7e729 335 time_t (*get_lifetime)(child_sa_t *this, bool hard);
7daf5226 336
763e0353
MW		 337 /**
338 * Get the absolute time when this SA has been installed.
339 *
340 * @return monotonic absolute install time
341 */
342 time_t (*get_installtime)(child_sa_t *this);
343
6e10aead 344 /**
c3a78360 345 * Get last use time and the number of bytes processed.
2ad51539 346 *
3f720dc7 347 * @param inbound TRUE for inbound traffic, FALSE for outbound
c3a78360
TB		 348 * @param[out] time time of last use in seconds (NULL to ignore)
349 * @param[out] bytes number of processed bytes (NULL to ignore)
d954a208 350 * @param[out] packets number of processed packets (NULL to ignore)
2ad51539 351 */
c3a78360 352 void (*get_usestats)(child_sa_t *this, bool inbound, time_t *time,
b12c53ce 353 uint64_t *bytes, uint64_t *packets);
7daf5226 354
79f39ecf
MW		 355 /**
356 * Get the mark used with this CHILD_SA.
357 *
358 * @param inbound TRUE to get inbound mark, FALSE for outbound
359 * @return mark used with this CHILD_SA
360 */
361 mark_t (*get_mark)(child_sa_t *this, bool inbound);
362
a6014d99
TB		 363 /**
364 * Get the interface ID used with this CHILD_SA.
365 *
366 * @param inbound TRUE to get inbound ID, FALSE for outbound
367 * @return interface ID used with this CHILD_SA
368 */
369 uint32_t (*get_if_id)(child_sa_t *this, bool inbound);
370
144f676c 371 /**
553bb787 372 * Create an enumerator over traffic selectors of one side.
a527a426 373 *
553bb787
MW		 374 * @param local TRUE for own traffic selectors, FALSE for remote.
375 * @return enumerator over traffic_selector_t*
c3a78360 376 */
553bb787 377 enumerator_t* (*create_ts_enumerator)(child_sa_t *this, bool local);
7daf5226 378
a527a426 379 /**
3aaf7908 380 * Create an enumerator over installed policies.
a527a426 381 *
553bb787
MW		 382 * The enumerated traffic selectors is a full mesh of compatible local
383 * and remote traffic selectors.
384 *
385 * @return enumerator over a pair of traffic_selector_t*
a527a426 386 */
3aaf7908 387 enumerator_t* (*create_policy_enumerator)(child_sa_t *this);
7daf5226 388
a527a426 389 /**
3aaf7908 390 * Allocate an SPI to include in a proposal.
a527a426 391 *
3aaf7908
MW		 392 * @param protocol protocol to allocate SPI for (ESP|AH)
393 * @param spi SPI output pointer
394 * @return SPI, 0 on failure
a527a426 395 */
b12c53ce 396 uint32_t (*alloc_spi)(child_sa_t *this, protocol_id_t protocol);
7daf5226 397
80853d84 398 /**
3aaf7908 399 * Allocate a CPI to use for IPComp.
80853d84 400 *
3aaf7908 401 * @return CPI, 0 on failure
80853d84 402 */
b12c53ce 403 uint16_t (*alloc_cpi)(child_sa_t *this);
7daf5226 404
1396815a 405 /**
3aaf7908 406 * Install an IPsec SA for one direction.
1396815a 407 *
4989aba8
TB		 408 * set_policies() should be called before calling this.
409 *
3aaf7908
MW		 410 * @param encr encryption key, if any
411 * @param integ integrity key
412 * @param spi SPI to use, allocated for inbound
413 * @param cpi CPI to use, allocated for outbound
a8c94544 414 * @param initiator TRUE if initiator of exchange resulting in this SA
3aaf7908 415 * @param inbound TRUE to install an inbound SA, FALSE for outbound
55df72e6 416 * @param tfcv3 TRUE if peer supports ESPv3 TFC
2b3100b5 417 * @return SUCCESS or FAILED
1396815a 418 */
3aaf7908 419 status_t (*install)(child_sa_t *this, chunk_t encr, chunk_t integ,
b12c53ce 420 uint32_t spi, uint16_t cpi,
4989aba8
TB		 421 bool initiator, bool inbound, bool tfcv3);
422
8a3a389e
TB		 423 /**
424 * Register data for the installation of an outbound SA as responder during
425 * a rekeying.
426 *
a146b4c9
TB		 427 * If the kernel is able to handle SPIs on policies the SA is installed
428 * immediately, if not it won't be installed until install_outbound() is
429 * called.
8a3a389e
TB		 430 *
431 * @param encr encryption key, if any (cloned)
432 * @param integ integrity key (cloned)
433 * @param spi SPI to use, allocated for inbound
434 * @param cpi CPI to use, allocated for outbound
435 * @param tfcv3 TRUE if peer supports ESPv3 TFC
a146b4c9 436 * @return SUCCESS or FAILED
8a3a389e 437 */
a146b4c9
TB		 438 status_t (*register_outbound)(child_sa_t *this, chunk_t encr, chunk_t integ,
439 uint32_t spi, uint16_t cpi, bool tfcv3);
8a3a389e
TB		 440
441 /**
a146b4c9
TB		 442 * Install the outbound policies and, if not already done, the outbound SA
443 * as responder during a rekeying.
8a3a389e
TB		 444 *
445 * @return SUCCESS or FAILED
446 */
447 status_t (*install_outbound)(child_sa_t *this);
448
c5fed4cd
TB		 449 /**
450 * Remove the outbound SA and the outbound policies after a rekeying.
451 */
452 void (*remove_outbound)(child_sa_t *this);
453
a527a426 454 /**
4989aba8 455 * Configure the policies using some traffic selectors.
8d77edde 456 *
7881ac14 457 * Supplied lists of traffic_selector_t's specify the policies
a527a426
MW		 458 * to use for this child sa.
459 *
4989aba8
TB		 460 * Install the policies by calling install_policies().
461 *
462 * This should be called before calling install() so the traffic selectors
463 * may be passed to the kernel interface when installing the SAs.
464 *
465 * @param my_ts traffic selectors for local site (cloned)
466 * @param other_ts traffic selectors for remote site (cloned)
467 */
468 void (*set_policies)(child_sa_t *this, linked_list_t *my_ts_list,
469 linked_list_t *other_ts_list);
470
471 /**
472 * Install the configured policies.
473 *
8a3a389e
TB		 474 * If register_outbound() was called previously this only installs the
475 * inbound and forward policies, the outbound policies are installed when
476 * install_outbound() is called.
477 *
a527a426 478 * @return SUCCESS or FAILED
c3a78360 479 */
4989aba8
TB		 480 status_t (*install_policies)(child_sa_t *this);
481
cad13450
TB		 482 /**
483 * Set the outbound SPI of the CHILD_SA that replaced this CHILD_SA during
484 * a rekeying.
485 *
486 * @param spi outbound SPI of the CHILD_SA that replaced this CHILD_SA
487 */
488 void (*set_rekey_spi)(child_sa_t *this, uint32_t spi);
489
490 /**
491 * Get the outbound SPI of the CHILD_SA that replaced this CHILD_SA during
492 * a rekeying.
493 *
494 * @return outbound SPI of the CHILD_SA that replaced this CHILD_SA
495 */
496 uint32_t (*get_rekey_spi)(child_sa_t *this);
497
1df106bf 498 /**
3aaf7908 499 * Update hosts and ecapulation mode in the kernel SAs and policies.
1df106bf 500 *
3aaf7908
MW		 501 * @param me the new local host
502 * @param other the new remote host
101d26ba 503 * @param vips list of local virtual IPs
0ceb2888 504 * @param encap TRUE to use UDP encapsulation for NAT traversal
3aaf7908 505 * @return SUCCESS or FAILED
d4aad554 506 */
3aaf7908 507 status_t (*update)(child_sa_t *this, host_t *me, host_t *other,
101d26ba 508 linked_list_t *vips, bool encap);
3ebebc5e 509 /**
552cc11b 510 * Destroys a child_sa.
3ebebc5e
MW		 511 */
512 void (*destroy) (child_sa_t *this);
513};
514
515/**
34d240a6 516 * Constructor to create a child SA negotiated with IKE.
aeeb4f4f 517 *
d487b4b7
AS		 518 * @param me own address
519 * @param other remote address
d487b4b7
AS		 520 * @param config config to use for this CHILD_SA
521 * @param reqid reqid of old CHILD_SA when rekeying, 0 otherwise
522 * @param encap TRUE to enable UDP encapsulation (NAT traversal)
85b23888
MW		 523 * @param mark_in explicit inbound mark value to use, 0 for config
524 * @param mark_out explicit outbound mark value to use, 0 for config
a6014d99
TB		 525 * @param if_id_in explicit inbound interface ID to use, 0 for config
526 * @param if_id_out explicit outbound interface ID to use, 0 for config
d487b4b7 527 * @return child_sa_t object
3ebebc5e 528 */
ad3af574 529child_sa_t * child_sa_create(host_t *me, host_t *other, child_cfg_t *config,
b12c53ce 530 uint32_t reqid, bool encap,
a6014d99
TB		 531 uint32_t mark_in, uint32_t mark_out,
532 uint32_t if_id_in, uint32_t if_id_out);
5b97779f 533
1490ff4d 534#endif /** CHILD_SA_H_ @}*/
Unnamed repository; edit this file 'description' to name the repository.