[thirdparty/strongswan.git] / src / libipsec / ipsec_sa.h

/*
 * Copyright (C) 2012 Tobias Brunner
 * Copyright (C) 2012 Giuliano Grassi
 * Copyright (C) 2012 Ralf Sager
 *
 * Copyright (C) secunet Security Networks AG
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

/**
 * @defgroup ipsec_sa ipsec_sa
 * @{ @ingroup libipsec
 */

#ifndef IPSEC_SA_H_
#define IPSEC_SA_H_

#include "esp_context.h"

#include <library.h>
#include <networking/host.h>
#include <selectors/traffic_selector.h>
#include <ipsec/ipsec_types.h>

typedef struct ipsec_sa_t ipsec_sa_t;

/**
 * IPsec Security Association (SA)
 */
struct ipsec_sa_t {

	/**
	 * Get the source address for this SA
	 *
	 * @return			source address of this SA
	 */
	host_t *(*get_source)(ipsec_sa_t *this);

	/**
	 * Get the destination address for this SA
	 *
	 * @return			destination address of this SA
	 */
	host_t *(*get_destination)(ipsec_sa_t *this);

	/**
	 * Set the source address for this SA
	 *
	 * @param addr		source address of this SA (gets cloned)
	 */
	void (*set_source)(ipsec_sa_t *this, host_t *addr);

	/**
	 * Set the destination address for this SA
	 *
	 * @param addr		destination address of this SA (gets cloned)
	 */
	void (*set_destination)(ipsec_sa_t *this, host_t *addr);

	/**
	 * Get the SPI for this SA
	 *
	 * @return			SPI of this SA
	 */
	uint32_t (*get_spi)(ipsec_sa_t *this);

	/**
	 * Get the reqid of this SA
	 *
	 * @return			reqid of this SA
	 */
	uint32_t (*get_reqid)(ipsec_sa_t *this);

	/**
	 * Get the protocol (e.g. IPPROTO_ESP) of this SA
	 *
	 * @return			protocol of this SA
	 */
	uint8_t (*get_protocol)(ipsec_sa_t *this);

	/**
	 * Returns whether this SA is inbound or outbound
	 *
	 * @return			TRUE if inbound, FALSE if outbound
	 */
	bool (*is_inbound)(ipsec_sa_t *this);

	/**
	 * Get the lifetime information for this SA
	 * Note that this information is always relative to the time when the
	 * SA was installed (i.e. it is not adjusted over time)
	 *
	 * @return			lifetime of this SA
	 */
	lifetime_cfg_t *(*get_lifetime)(ipsec_sa_t *this);

	/**
	 * Get the ESP context for this SA
	 *
	 * @return			ESP context of this SA
	 */
	esp_context_t *(*get_esp_context)(ipsec_sa_t *this);

	/**
	 * Get usage statistics for this SA.
	 *
	 * @param bytes		receives number of processed bytes, or NULL
	 * @param packets	receives number of processed packets, or NULL
	 * @param time		receives last use time of this SA, or NULL
	 */
	void (*get_usestats)(ipsec_sa_t *this, uint64_t *bytes, uint64_t *packets,
						 time_t *time);

	/**
	 * Record en/decryption of a packet to update usage statistics.
	 *
	 * @param bytes		length of packet processed
	 */
	void (*update_usestats)(ipsec_sa_t *this, uint32_t bytes);

	/**
	 * Expire this SA, soft or hard.
	 *
	 * A soft expire triggers a rekey, a hard expire blocks the SA and
	 * triggers a delete for the SA.
	 *
	 * @param hard		TRUE for hard, FALSE for soft
	 */
	void (*expire)(ipsec_sa_t *this, bool hard);

	/**
	 * Check if this SA matches all given parameters
	 *
	 * Only matches if the SA has not yet expired.
	 *
	 * @param spi		SPI
	 * @param dst		destination address
	 * @return			TRUE if this SA matches all parameters, FALSE otherwise
	 */
	bool (*match_by_spi_dst)(ipsec_sa_t *this, uint32_t spi, host_t *dst);

	/**
	 * Check if this SA matches all given parameters
	 *
	 * @param spi		SPI
	 * @param src		source address
	 * @param dst		destination address
	 * @return			TRUE if this SA matches all parameters, FALSE otherwise
	 */
	bool (*match_by_spi_src_dst)(ipsec_sa_t *this, uint32_t spi, host_t *src,
								 host_t *dst);

	/**
	 * Check if this SA matches all given parameters
	 *
	 * Only matches if the SA has not yet expired.
	 *
	 * @param reqid		reqid
	 * @param inbound	TRUE for inbound SA, FALSE for outbound
	 * @return			TRUE if this SA matches all parameters, FALSE otherwise
	 */
	bool (*match_by_reqid)(ipsec_sa_t *this, uint32_t reqid, bool inbound);

	/**
	 * Destroy an ipsec_sa_t
	 */
	void (*destroy)(ipsec_sa_t *this);

};

/**
 * Create an ipsec_sa_t instance
 *
 * @param spi			SPI for this SA
 * @param src			source address for this SA (gets cloned)
 * @param dst			destination address for this SA (gets cloned)
 * @param protocol		protocol for this SA (only ESP is supported)
 * @param reqid			reqid for this SA
 * @param mark			mark for this SA (ignored)
 * @param tfc			Traffic Flow Confidentiality (currently not supported)
 * @param lifetime		lifetime for this SA
 * @param enc_alg		encryption algorithm for this SA
 * @param enc_key		encryption key for this SA
 * @param int_alg		integrity protection algorithm
 * @param int_key		integrity protection key
 * @param mode			mode for this SA (only tunnel mode is supported)
 * @param ipcomp		IPcomp transform (not supported, use IPCOMP_NONE)
 * @param cpi			CPI for IPcomp (ignored)
 * @param encap			enable UDP encapsulation (must be TRUE)
 * @param esn			Extended Sequence Numbers (currently not supported)
 * @param inbound		TRUE if this is an inbound SA, FALSE otherwise
 * @return				the IPsec SA, or NULL if the creation failed
 */
ipsec_sa_t *ipsec_sa_create(uint32_t spi, host_t *src, host_t *dst,
							uint8_t protocol, uint32_t reqid, mark_t mark,
							uint32_t tfc, lifetime_cfg_t *lifetime,
							uint16_t enc_alg, chunk_t enc_key,
							uint16_t int_alg, chunk_t int_key,
							ipsec_mode_t mode, uint16_t ipcomp, uint16_t cpi,
							bool encap, bool esn, bool inbound);

#endif /** IPSEC_SA_H_ @}*/
Commit	Line	Data
f9b0c054 TB	1	/*
	2	* Copyright (C) 2012 Tobias Brunner
	3	* Copyright (C) 2012 Giuliano Grassi
	4	* Copyright (C) 2012 Ralf Sager
19ef2aec TB	5	*
19ef2aec TB	6	* Copyright (C) secunet Security Networks AG
f9b0c054 TB	7	*
	8	* This program is free software; you can redistribute it and/or modify it
	9	* under the terms of the GNU General Public License as published by the
	10	* Free Software Foundation; either version 2 of the License, or (at your
	11	* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
	12	*
	13	* This program is distributed in the hope that it will be useful, but
	14	* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
	15	* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	16	* for more details.
	17	*/
	18
	19	/**
	20	* @defgroup ipsec_sa ipsec_sa
	21	* @{ @ingroup libipsec
	22	*/
	23
	24	#ifndef IPSEC_SA_H_
	25	#define IPSEC_SA_H_
	26
	27	#include "esp_context.h"
	28
	29	#include <library.h>
2e7cc07e	30	#include <networking/host.h>
f9b0c054 TB	31	#include <selectors/traffic_selector.h>
	32	#include <ipsec/ipsec_types.h>
	33
	34	typedef struct ipsec_sa_t ipsec_sa_t;
	35
	36	/**
	37	* IPsec Security Association (SA)
	38	*/
	39	struct ipsec_sa_t {
	40
	41	/**
	42	* Get the source address for this SA
	43	*
	44	* @return source address of this SA
	45	*/
	46	host_t (get_source)(ipsec_sa_t *this);
	47
	48	/**
	49	* Get the destination address for this SA
	50	*
	51	* @return destination address of this SA
	52	*/
	53	host_t (get_destination)(ipsec_sa_t *this);
	54
7622c5e9 TB	55	/**
	56	* Set the source address for this SA
	57	*
	58	* @param addr source address of this SA (gets cloned)
	59	*/
	60	void (set_source)(ipsec_sa_t this, host_t *addr);
	61
	62	/**
	63	* Set the destination address for this SA
	64	*
	65	* @param addr destination address of this SA (gets cloned)
	66	*/
	67	void (set_destination)(ipsec_sa_t this, host_t *addr);
	68
f9b0c054 TB	69	/**
	70	* Get the SPI for this SA
	71	*
	72	* @return SPI of this SA
	73	*/
b12c53ce	74	uint32_t (get_spi)(ipsec_sa_t this);
f9b0c054 TB	75
	76	/**
	77	* Get the reqid of this SA
	78	*
	79	* @return reqid of this SA
	80	*/
b12c53ce	81	uint32_t (get_reqid)(ipsec_sa_t this);
f9b0c054 TB	82
	83	/**
	84	* Get the protocol (e.g. IPPROTO_ESP) of this SA
	85	*
	86	* @return protocol of this SA
	87	*/
b12c53ce	88	uint8_t (get_protocol)(ipsec_sa_t this);
f9b0c054 TB	89
	90	/**
	91	* Returns whether this SA is inbound or outbound
	92	*
	93	* @return TRUE if inbound, FALSE if outbound
	94	*/
	95	bool (is_inbound)(ipsec_sa_t this);
	96
	97	/**
	98	* Get the lifetime information for this SA
	99	* Note that this information is always relative to the time when the
	100	* SA was installed (i.e. it is not adjusted over time)
	101	*
	102	* @return lifetime of this SA
	103	*/
	104	lifetime_cfg_t (get_lifetime)(ipsec_sa_t *this);
	105
	106	/**
	107	* Get the ESP context for this SA
	108	*
	109	* @return ESP context of this SA
	110	*/
	111	esp_context_t (get_esp_context)(ipsec_sa_t *this);
	112
b08967d6 MW	113	/**
	114	* Get usage statistics for this SA.
	115	*
	116	* @param bytes receives number of processed bytes, or NULL
	117	* @param packets receives number of processed packets, or NULL
	118	* @param time receives last use time of this SA, or NULL
	119	*/
b12c53ce	120	void (get_usestats)(ipsec_sa_t this, uint64_t bytes, uint64_t packets,
b08967d6 MW	121	time_t *time);
	122
	123	/**
	124	* Record en/decryption of a packet to update usage statistics.
	125	*
	126	* @param bytes length of packet processed
	127	*/
b12c53ce	128	void (update_usestats)(ipsec_sa_t this, uint32_t bytes);
b08967d6	129
d53002f0 MW	130	/**
	131	* Expire this SA, soft or hard.
	132	*
	133	* A soft expire triggers a rekey, a hard expire blocks the SA and
	134	* triggers a delete for the SA.
	135	*
	136	* @param hard TRUE for hard, FALSE for soft
	137	*/
	138	void (expire)(ipsec_sa_t this, bool hard);
	139
9f7e1899 TB	140	/**
	141	* Check if this SA matches all given parameters
	142	*
d53002f0 MW	143	* Only matches if the SA has not yet expired.
d53002f0 MW	144	*
9f7e1899 TB	145	* @param spi SPI
	146	* @param dst destination address
	147	* @return TRUE if this SA matches all parameters, FALSE otherwise
	148	*/
b12c53ce	149	bool (match_by_spi_dst)(ipsec_sa_t this, uint32_t spi, host_t *dst);
9f7e1899 TB	150
	151	/**
	152	* Check if this SA matches all given parameters
	153	*
	154	* @param spi SPI
	155	* @param src source address
	156	* @param dst destination address
	157	* @return TRUE if this SA matches all parameters, FALSE otherwise
	158	*/
b12c53ce	159	bool (match_by_spi_src_dst)(ipsec_sa_t this, uint32_t spi, host_t *src,
9f7e1899 TB	160	host_t *dst);
	161
	162	/**
	163	* Check if this SA matches all given parameters
	164	*
d53002f0 MW	165	* Only matches if the SA has not yet expired.
d53002f0 MW	166	*
9f7e1899 TB	167	* @param reqid reqid
	168	* @param inbound TRUE for inbound SA, FALSE for outbound
	169	* @return TRUE if this SA matches all parameters, FALSE otherwise
	170	*/
b12c53ce	171	bool (match_by_reqid)(ipsec_sa_t this, uint32_t reqid, bool inbound);
9f7e1899	172
f9b0c054 TB	173	/**
	174	* Destroy an ipsec_sa_t
	175	*/
	176	void (destroy)(ipsec_sa_t this);
	177
	178	};
	179
	180	/**
	181	* Create an ipsec_sa_t instance
	182	*
	183	* @param spi SPI for this SA
	184	* @param src source address for this SA (gets cloned)
	185	* @param dst destination address for this SA (gets cloned)
	186	* @param protocol protocol for this SA (only ESP is supported)
	187	* @param reqid reqid for this SA
	188	* @param mark mark for this SA (ignored)
	189	* @param tfc Traffic Flow Confidentiality (currently not supported)
	190	* @param lifetime lifetime for this SA
	191	* @param enc_alg encryption algorithm for this SA
	192	* @param enc_key encryption key for this SA
	193	* @param int_alg integrity protection algorithm
	194	* @param int_key integrity protection key
	195	* @param mode mode for this SA (only tunnel mode is supported)
	196	* @param ipcomp IPcomp transform (not supported, use IPCOMP_NONE)
	197	* @param cpi CPI for IPcomp (ignored)
	198	* @param encap enable UDP encapsulation (must be TRUE)
	199	* @param esn Extended Sequence Numbers (currently not supported)
	200	* @param inbound TRUE if this is an inbound SA, FALSE otherwise
f9b0c054 TB	201	* @return the IPsec SA, or NULL if the creation failed
f9b0c054 TB	202	*/
b12c53ce AS	203	ipsec_sa_t ipsec_sa_create(uint32_t spi, host_t src, host_t *dst,
	204	uint8_t protocol, uint32_t reqid, mark_t mark,
	205	uint32_t tfc, lifetime_cfg_t *lifetime,
	206	uint16_t enc_alg, chunk_t enc_key,
	207	uint16_t int_alg, chunk_t int_key,
	208	ipsec_mode_t mode, uint16_t ipcomp, uint16_t cpi,
fd941760	209	bool encap, bool esn, bool inbound);
f9b0c054 TB	210
f9b0c054 TB	211	#endif /** IPSEC_SA_H_ @}*/