1 | /* |
2 | * Copyright (C) 2012 Tobias Brunner | |
3 | * Copyright (C) 2012 Giuliano Grassi | |
4 | * Copyright (C) 2012 Ralf Sager | |
5 | * |
6 | * Copyright (C) secunet Security Networks AG | |
7 | * |
8 | * This program is free software; you can redistribute it and/or modify it | |
9 | * under the terms of the GNU General Public License as published by the | |
10 | * Free Software Foundation; either version 2 of the License, or (at your | |
11 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, but | |
14 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
15 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
16 | * for more details. | |
17 | */ | |
18 | ||
19 | /** | |
20 | * @defgroup ipsec_sa ipsec_sa | |
21 | * @{ @ingroup libipsec | |
22 | */ | |
23 | ||
24 | #ifndef IPSEC_SA_H_ | |
25 | #define IPSEC_SA_H_ | |
26 | ||
27 | #include "esp_context.h" | |
28 | ||
29 | #include <library.h> | |
2e7cc07e | 30 | #include <networking/host.h> |
31 | #include <selectors/traffic_selector.h> |
32 | #include <ipsec/ipsec_types.h> | |
33 | ||
typedef struct ipsec_sa_t ipsec_sa_t;

/**
 * IPsec Security Association (SA)
 *
 * Describes one directional SA handled by libipsec: its addresses, SPI,
 * reqid, protocol, direction, lifetime configuration, usage statistics and
 * the ESP context associated with it (see esp_context.h). The match_*
 * predicates are the lookup interface; note that not all of them exclude
 * expired SAs (see the per-method notes below).
 */
struct ipsec_sa_t {

	/**
	 * Get the source address for this SA
	 *
	 * NOTE(review): ownership of the returned host is not stated in this
	 * header. Since set_source() clones its argument, this is presumably the
	 * SA's own copy: do not destroy it and do not keep it beyond the lifetime
	 * of the SA - confirm in ipsec_sa.c.
	 *
	 * @return source address of this SA
	 */
	host_t *(*get_source)(ipsec_sa_t *this);

	/**
	 * Get the destination address for this SA
	 *
	 * NOTE(review): same ownership caveat as for get_source() - the host is
	 * presumably owned by the SA and must not be destroyed by the caller.
	 *
	 * @return destination address of this SA
	 */
	host_t *(*get_destination)(ipsec_sa_t *this);

	/**
	 * Set the source address for this SA
	 *
	 * The SA keeps its own clone; the caller retains ownership of addr.
	 *
	 * @param addr		source address of this SA (gets cloned)
	 */
	void (*set_source)(ipsec_sa_t *this, host_t *addr);

	/**
	 * Set the destination address for this SA
	 *
	 * The SA keeps its own clone; the caller retains ownership of addr.
	 *
	 * @param addr		destination address of this SA (gets cloned)
	 */
	void (*set_destination)(ipsec_sa_t *this, host_t *addr);

	/**
	 * Get the SPI for this SA
	 *
	 * NOTE(review): the byte order of the SPI (host vs. network) is not
	 * specified here. Comparing or logging it against values from the kernel
	 * interface requires agreeing on the order - confirm against the callers
	 * before mixing the two.
	 *
	 * @return SPI of this SA
	 */
	uint32_t (*get_spi)(ipsec_sa_t *this);

	/**
	 * Get the reqid of this SA
	 *
	 * The reqid links this SA to the policies it was installed for; it is the
	 * key used by match_by_reqid().
	 *
	 * @return reqid of this SA
	 */
	uint32_t (*get_reqid)(ipsec_sa_t *this);

	/**
	 * Get the protocol (e.g. IPPROTO_ESP) of this SA
	 *
	 * ipsec_sa_create() documents that only ESP is supported, so in practice
	 * this is expected to be IPPROTO_ESP.
	 *
	 * @return protocol of this SA
	 */
	uint8_t (*get_protocol)(ipsec_sa_t *this);

	/**
	 * Returns whether this SA is inbound or outbound
	 *
	 * @return TRUE if inbound, FALSE if outbound
	 */
	bool (*is_inbound)(ipsec_sa_t *this);

	/**
	 * Get the lifetime information for this SA
	 *
	 * Note that this information is always relative to the time when the
	 * SA was installed (i.e. it is not adjusted over time). A caller that
	 * needs the remaining lifetime therefore has to account for the elapsed
	 * time itself.
	 *
	 * NOTE(review): ownership of the returned pointer is not stated; it is
	 * presumably a pointer into the SA and must not be freed - confirm in
	 * ipsec_sa.c.
	 *
	 * @return lifetime of this SA
	 */
	lifetime_cfg_t *(*get_lifetime)(ipsec_sa_t *this);

	/**
	 * Get the ESP context for this SA
	 *
	 * NOTE(review): the context holds the SA's cryptographic state; this
	 * header does not say who owns the returned pointer. Presumably it stays
	 * owned by the SA and must not be destroyed by the caller - confirm in
	 * ipsec_sa.c.
	 *
	 * @return ESP context of this SA
	 */
	esp_context_t *(*get_esp_context)(ipsec_sa_t *this);

	/**
	 * Get usage statistics for this SA.
	 *
	 * Any of the output pointers may be NULL if the caller is not interested
	 * in that value. The counters are 64-bit, while update_usestats() adds
	 * 32-bit packet lengths, so the totals do not wrap at 4 GiB.
	 *
	 * @param bytes			receives number of processed bytes, or NULL
	 * @param packets		receives number of processed packets, or NULL
	 * @param time			receives last use time of this SA, or NULL
	 */
	void (*get_usestats)(ipsec_sa_t *this, uint64_t *bytes, uint64_t *packets,
						 time_t *time);

	/**
	 * Record en/decryption of a packet to update usage statistics.
	 *
	 * NOTE(review): presumably this also refreshes the last-use time reported
	 * by get_usestats(); the header does not say so - confirm in ipsec_sa.c.
	 *
	 * @param bytes			length of packet processed
	 */
	void (*update_usestats)(ipsec_sa_t *this, uint32_t bytes);

	/**
	 * Expire this SA, soft or hard.
	 *
	 * A soft expire triggers a rekey, a hard expire blocks the SA and
	 * triggers a delete for the SA.
	 *
	 * Once hard-expired the SA must no longer be used to protect or accept
	 * traffic; the match_* methods documented as "only matches if the SA has
	 * not yet expired" are what keeps such an SA out of lookups.
	 *
	 * @param hard			TRUE for hard, FALSE for soft
	 */
	void (*expire)(ipsec_sa_t *this, bool hard);

	/**
	 * Check if this SA matches all given parameters
	 *
	 * Only matches if the SA has not yet expired.
	 *
	 * @param spi			SPI
	 * @param dst			destination address
	 * @return				TRUE if this SA matches all parameters, FALSE otherwise
	 */
	bool (*match_by_spi_dst)(ipsec_sa_t *this, uint32_t spi, host_t *dst);

	/**
	 * Check if this SA matches all given parameters
	 *
	 * NOTE(review): unlike match_by_spi_dst() and match_by_reqid(), this
	 * method carries no "only matches if not expired" restriction in this
	 * header. That is presumably intentional so an expired SA can still be
	 * located (e.g. to delete or update it), but it means callers must not use
	 * this predicate to select an SA for processing traffic - confirm in
	 * ipsec_sa.c.
	 *
	 * @param spi			SPI
	 * @param src			source address
	 * @param dst			destination address
	 * @return				TRUE if this SA matches all parameters, FALSE otherwise
	 */
	bool (*match_by_spi_src_dst)(ipsec_sa_t *this, uint32_t spi, host_t *src,
								 host_t *dst);

	/**
	 * Check if this SA matches all given parameters
	 *
	 * Only matches if the SA has not yet expired.
	 *
	 * @param reqid			reqid
	 * @param inbound		TRUE for inbound SA, FALSE for outbound
	 * @return				TRUE if this SA matches all parameters, FALSE otherwise
	 */
	bool (*match_by_reqid)(ipsec_sa_t *this, uint32_t reqid, bool inbound);

	/**
	 * Destroy an ipsec_sa_t
	 *
	 * NOTE(review): whether the key material held by the ESP context is wiped
	 * (not merely freed) on destroy is not visible from this header - confirm
	 * in esp_context.c.
	 */
	void (*destroy)(ipsec_sa_t *this);

};
179 | ||
/**
 * Create an ipsec_sa_t instance
 *
 * Several parameters are accepted only for interface compatibility and are
 * either ignored or not supported; the constraints are listed per parameter.
 * NOTE(review): this header does not state whether an unsupported value
 * (e.g. esn == TRUE, encap == FALSE, a non-ESP protocol or a non-tunnel mode)
 * makes creation fail with NULL or is silently ignored - confirm in
 * ipsec_sa.c before relying on either behavior.
 *
 * NOTE(review): it is not stated whether enc_key and int_key are copied or
 * referenced by the SA. Callers should assume the chunks are needed only for
 * the duration of this call, and should wipe their own copies of the key
 * material afterwards - confirm in ipsec_sa.c / esp_context.c.
 *
 * @param spi			SPI for this SA
 * @param src			source address for this SA (gets cloned)
 * @param dst			destination address for this SA (gets cloned)
 * @param protocol		protocol for this SA (only ESP is supported)
 * @param reqid			reqid for this SA
 * @param mark			mark for this SA (ignored)
 * @param tfc			Traffic Flow Confidentiality (currently not supported)
 * @param lifetime		lifetime for this SA (NOTE(review): whether it is
 *						copied or referenced is not stated; get_lifetime()
 *						returns a pointer, so presumably the SA keeps its own
 *						copy - confirm in ipsec_sa.c)
 * @param enc_alg		encryption algorithm for this SA
 * @param enc_key		encryption key for this SA
 * @param int_alg		integrity protection algorithm
 * @param int_key		integrity protection key
 * @param mode			mode for this SA (only tunnel mode is supported)
 * @param ipcomp		IPcomp transform (not supported, use IPCOMP_NONE)
 * @param cpi			CPI for IPcomp (ignored)
 * @param encap			enable UDP encapsulation (must be TRUE)
 * @param esn			Extended Sequence Numbers (currently not supported)
 * @param inbound		TRUE if this is an inbound SA, FALSE otherwise
 * @return				the IPsec SA, or NULL if the creation failed
 */
ipsec_sa_t *ipsec_sa_create(uint32_t spi, host_t *src, host_t *dst,
							uint8_t protocol, uint32_t reqid, mark_t mark,
							uint32_t tfc, lifetime_cfg_t *lifetime,
							uint16_t enc_alg, chunk_t enc_key,
							uint16_t int_alg, chunk_t int_key,
							ipsec_mode_t mode, uint16_t ipcomp, uint16_t cpi,
							bool encap, bool esn, bool inbound);
210 | |
211 | #endif /** IPSEC_SA_H_ @}*/ |