summaryrefslogtreecommitdiff
path: root/src/charon/kernel/kernel_ipsec.h
diff options
context:
space:
mode:
authorRene Mayrhofer <rene@mayrhofer.eu.org>2008-10-29 20:30:44 +0000
committerRene Mayrhofer <rene@mayrhofer.eu.org>2008-10-29 20:30:44 +0000
commit74f0bbfc53cb5fa519e4e27ece53735ab51b397c (patch)
tree0dbab9c835be15577ff05b474b6361bb326d66ce /src/charon/kernel/kernel_ipsec.h
parent5c1fa2516bda1ccf8eb00178c0beb196c2020a94 (diff)
downloadvyos-strongswan-74f0bbfc53cb5fa519e4e27ece53735ab51b397c.tar.gz
vyos-strongswan-74f0bbfc53cb5fa519e4e27ece53735ab51b397c.zip
- New upstream release.
Diffstat (limited to 'src/charon/kernel/kernel_ipsec.h')
-rw-r--r--src/charon/kernel/kernel_ipsec.h266
1 files changed, 266 insertions, 0 deletions
diff --git a/src/charon/kernel/kernel_ipsec.h b/src/charon/kernel/kernel_ipsec.h
new file mode 100644
index 000000000..67786a74f
--- /dev/null
+++ b/src/charon/kernel/kernel_ipsec.h
@@ -0,0 +1,266 @@
+/*
+ * Copyright (C) 2006-2008 Tobias Brunner
+ * Copyright (C) 2006 Daniel Roethlisberger
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ *
+ * $Id: kernel_ipsec.h 4358 2008-09-25 13:56:23Z tobias $
+ */
+
+/**
+ * @defgroup kernel_ipsec kernel_ipsec
+ * @{ @ingroup kernel
+ */
+
+#ifndef KERNEL_IPSEC_H_
+#define KERNEL_IPSEC_H_
+
+typedef enum ipsec_mode_t ipsec_mode_t;
+typedef enum policy_dir_t policy_dir_t;
+typedef struct kernel_ipsec_t kernel_ipsec_t;
+
+#include <utils/host.h>
+#include <crypto/prf_plus.h>
+#include <encoding/payloads/proposal_substructure.h>
+
+/**
+ * Mode of an CHILD_SA.
+ *
+ * These are equal to those defined in XFRM, so don't change.
+ */
+enum ipsec_mode_t {
+ /** transport mode, no inner address */
+ MODE_TRANSPORT = 0,
+ /** tunnel mode, inner and outer addresses */
+ MODE_TUNNEL = 1,
+ /** BEET mode, tunnel mode but fixed, bound inner addresses */
+ MODE_BEET = 4,
+};
+
+/**
+ * enum names for ipsec_mode_t.
+ */
+extern enum_name_t *ipsec_mode_names;
+
+/**
+ * Direction of a policy. These are equal to those
+ * defined in xfrm.h, but we want to stay implementation
+ * neutral here.
+ */
+enum policy_dir_t {
+ /** Policy for inbound traffic */
+ POLICY_IN = 0,
+ /** Policy for outbound traffic */
+ POLICY_OUT = 1,
+ /** Policy for forwarded traffic */
+ POLICY_FWD = 2,
+};
+
+/**
+ * Interface to the ipsec subsystem of the kernel.
+ *
+ * The kernel ipsec interface handles the communication with the kernel
+ * for SA and policy management. It allows setup of these, and provides
+ * further the handling of kernel events.
+ * Policy information are cached in the interface. This is necessary to do
+ * reference counting. The Linux kernel does not allow the same policy
+ * installed twice, but we need this as CHILD_SA exist multiple times
+ * when rekeying. Thats why we do reference counting of policies.
+ */
+struct kernel_ipsec_t {
+
+ /**
+ * Get a SPI from the kernel.
+ *
+ * @warning get_spi() implicitly creates an SA with
+ * the allocated SPI, therefore the replace flag
+ * in add_sa() must be set when installing this SA.
+ *
+ * @param src source address of SA
+ * @param dst destination address of SA
+ * @param protocol protocol for SA (ESP/AH)
+ * @param reqid unique ID for this SA
+ * @param spi allocated spi
+ * @return SUCCESS if operation completed
+ */
+ status_t (*get_spi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
+ protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi);
+
+ /**
+ * Get a Compression Parameter Index (CPI) from the kernel.
+ *
+ * @param src source address of SA
+ * @param dst destination address of SA
+ * @param reqid unique ID for the corresponding SA
+ * @param cpi allocated cpi
+ * @return SUCCESS if operation completed
+ */
+ status_t (*get_cpi)(kernel_ipsec_t *this, host_t *src, host_t *dst,
+ u_int32_t reqid, u_int16_t *cpi);
+
+ /**
+ * Add an SA to the SAD.
+ *
+ * add_sa() may update an already allocated
+ * SPI (via get_spi). In this case, the replace
+ * flag must be set.
+ * This function does install a single SA for a
+ * single protocol in one direction. The kernel-interface
+ * gets the keys itself from the PRF, as we don't know
+ * his algorithms and key sizes.
+ *
+ * @param src source address for this SA
+ * @param dst destination address for this SA
+ * @param spi SPI allocated by us or remote peer
+ * @param protocol protocol for this SA (ESP/AH)
+ * @param reqid unique ID for this SA
+ * @param expire_soft lifetime in seconds before rekeying
+ * @param expire_hard lifetime in seconds before delete
+ * @param enc_alg Algorithm to use for encryption (ESP only)
+ * @param enc_size key length of encryption algorithm, if dynamic
+ * @param int_alg Algorithm to use for integrity protection
+ * @param int_size key length of integrity algorithm, if dynamic
+ * @param prf_plus PRF to derive keys from
+ * @param mode mode of the SA (tunnel, transport)
+ * @param ipcomp IPComp transform to use
+ * @param encap enable UDP encapsulation for NAT traversal
+ * @param replace Should an already installed SA be updated?
+ * @return SUCCESS if operation completed
+ */
+ status_t (*add_sa) (kernel_ipsec_t *this,
+ host_t *src, host_t *dst, u_int32_t spi,
+ protocol_id_t protocol, u_int32_t reqid,
+ u_int64_t expire_soft, u_int64_t expire_hard,
+ u_int16_t enc_alg, u_int16_t enc_size,
+ u_int16_t int_alg, u_int16_t int_size,
+ prf_plus_t *prf_plus, ipsec_mode_t mode,
+ u_int16_t ipcomp, bool encap,
+ bool update);
+
+ /**
+ * Update the hosts on an installed SA.
+ *
+ * We cannot directly update the destination address as the kernel
+ * requires the spi, the protocol AND the destination address (and family)
+ * to identify SAs. Therefore if the destination address changed we
+ * create a new SA and delete the old one.
+ *
+ * @param spi SPI of the SA
+ * @param protocol protocol for this SA (ESP/AH)
+ * @param src current source address
+ * @param dst current destination address
+ * @param new_src new source address
+ * @param new_dst new destination address
+ * @param encap use UDP encapsulation
+ * @return SUCCESS if operation completed
+ */
+ status_t (*update_sa)(kernel_ipsec_t *this,
+ u_int32_t spi, protocol_id_t protocol,
+ host_t *src, host_t *dst,
+ host_t *new_src, host_t *new_dst, bool encap);
+
+ /**
+ * Query the use time of an SA.
+ *
+ * The use time of an SA is not the time of the last usage, but
+ * the time of the first usage of the SA.
+ *
+ * @param dst destination address for this SA
+ * @param spi SPI allocated by us or remote peer
+ * @param protocol protocol for this SA (ESP/AH)
+ * @param use_time pointer receives the time of this SA's last use
+ * @return SUCCESS if operation completed
+ */
+ status_t (*query_sa) (kernel_ipsec_t *this, host_t *dst, u_int32_t spi,
+ protocol_id_t protocol, u_int32_t *use_time);
+
+ /**
+ * Delete a previusly installed SA from the SAD.
+ *
+ * @param dst destination address for this SA
+ * @param spi SPI allocated by us or remote peer
+ * @param protocol protocol for this SA (ESP/AH)
+ * @return SUCCESS if operation completed
+ */
+ status_t (*del_sa) (kernel_ipsec_t *this, host_t *dst, u_int32_t spi,
+ protocol_id_t protocol);
+
+ /**
+ * Add a policy to the SPD.
+ *
+ * A policy is always associated to an SA. Traffic which matches a
+ * policy is handled by the SA with the same reqid.
+ *
+ * @param src source address of SA
+ * @param dst dest address of SA
+ * @param src_ts traffic selector to match traffic source
+ * @param dst_ts traffic selector to match traffic dest
+ * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+ * @param protocol protocol to use to protect traffic (AH/ESP)
+ * @param reqid unique ID of an SA to use to enforce policy
+ * @param high_prio if TRUE, uses a higher priority than any with FALSE
+ * @param mode mode of SA (tunnel, transport)
+ * @param ipcomp the IPComp transform used
+ * @return SUCCESS if operation completed
+ */
+ status_t (*add_policy) (kernel_ipsec_t *this,
+ host_t *src, host_t *dst,
+ traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts,
+ policy_dir_t direction, protocol_id_t protocol,
+ u_int32_t reqid, bool high_prio, ipsec_mode_t mode,
+ u_int16_t ipcomp);
+
+ /**
+ * Query the use time of a policy.
+ *
+ * The use time of a policy is the time the policy was used
+ * for the last time.
+ *
+ * @param src_ts traffic selector to match traffic source
+ * @param dst_ts traffic selector to match traffic dest
+ * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+ * @param[out] use_time the time of this SA's last use
+ * @return SUCCESS if operation completed
+ */
+ status_t (*query_policy) (kernel_ipsec_t *this,
+ traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts,
+ policy_dir_t direction, u_int32_t *use_time);
+
+ /**
+ * Remove a policy from the SPD.
+ *
+ * The kernel interface implements reference counting for policies.
+ * If the same policy is installed multiple times (in the case of rekeying),
+ * the reference counter is increased. del_policy() decreases the ref counter
+ * and removes the policy only when no more references are available.
+ *
+ * @param src_ts traffic selector to match traffic source
+ * @param dst_ts traffic selector to match traffic dest
+ * @param direction direction of traffic, POLICY_IN, POLICY_OUT, POLICY_FWD
+ * @return SUCCESS if operation completed
+ */
+ status_t (*del_policy) (kernel_ipsec_t *this,
+ traffic_selector_t *src_ts,
+ traffic_selector_t *dst_ts,
+ policy_dir_t direction);
+
+ /**
+ * Destroy the implementation.
+ */
+ void (*destroy) (kernel_ipsec_t *this);
+};
+
+#endif /* KERNEL_IPSEC_H_ @} */