Diffstat (limited to 'src/charon/config/child_cfg.h')
-rw-r--r--src/charon/config/child_cfg.h146
1 files changed, 84 insertions, 62 deletions
diff --git a/src/charon/config/child_cfg.h b/src/charon/config/child_cfg.h
index 33c75701c..c6186ea36 100644
--- a/src/charon/config/child_cfg.h
+++ b/src/charon/config/child_cfg.h
@@ -1,5 +1,5 @@
/*
- * Copyright (C) 2008 Tobias Brunner
+ * Copyright (C) 2008-2009 Tobias Brunner
* Copyright (C) 2005-2007 Martin Willi
* Copyright (C) 2005 Jan Hutter
* Hochschule fuer Technik Rapperswil
@@ -25,11 +25,12 @@
typedef enum action_t action_t;
typedef enum ipcomp_transform_t ipcomp_transform_t;
+typedef struct lifetime_cfg_t lifetime_cfg_t;
typedef struct child_cfg_t child_cfg_t;
#include <library.h>
+#include <selectors/traffic_selector.h>
#include <config/proposal.h>
-#include <config/traffic_selector.h>
#include <kernel/kernel_ipsec.h>
/**
@@ -66,73 +67,90 @@ enum ipcomp_transform_t {
extern enum_name_t *ipcomp_transform_names;
/**
+ * A lifetime_cfg_t defines the lifetime limits of a CHILD_SA.
+ *
+ * Set any of these values to 0 to ignore.
+ */
+struct lifetime_cfg_t {
+ struct {
+ /** Limit before the CHILD_SA gets invalid. */
+ u_int64_t life;
+ /** Limit before the CHILD_SA gets rekeyed. */
+ u_int64_t rekey;
+ /** The range of a random value subtracted from rekey. */
+ u_int64_t jitter;
+ } time, bytes, packets;
+};
+
+/**
* A child_cfg_t defines the config template for a CHILD_SA.
*
* After creation, proposals and traffic selectors may be added to the config.
* A child_cfg object is referenced multiple times, and is not thread save.
* Reading from the object is save, adding things is not allowed while other
- * threads may access the object.
+ * threads may access the object.
* A reference counter handles the number of references hold to this config.
*
* @see peer_cfg_t to get an overview over the configurations.
*/
struct child_cfg_t {
-
+
/**
* Get the name of the child_cfg.
- *
+ *
* @return child_cfg's name
*/
char *(*get_name) (child_cfg_t *this);
-
+
/**
- * Add a proposal to the list.
- *
+ * Add a proposal to the list.
+ *
* The proposals are stored by priority, first added
* is the most prefered.
* After add, proposal is owned by child_cfg.
- *
+ *
* @param proposal proposal to add
*/
void (*add_proposal) (child_cfg_t *this, proposal_t *proposal);
-
+
/**
* Get the list of proposals for the CHILD_SA.
*
* Resulting list and all of its proposals must be freed after use.
- *
+ *
* @param strip_dh TRUE strip out diffie hellman groups
* @return list of proposals
*/
linked_list_t* (*get_proposals)(child_cfg_t *this, bool strip_dh);
-
+
/**
* Select a proposal from a supplied list.
*
* Returned propsal is newly created and must be destroyed after usage.
- *
+ *
* @param proposals list from from wich proposals are selected
* @param strip_dh TRUE strip out diffie hellman groups
+ * @param private accept algorithms from a private range
* @return selected proposal, or NULL if nothing matches
*/
proposal_t* (*select_proposal)(child_cfg_t*this, linked_list_t *proposals,
- bool strip_dh);
-
+ bool strip_dh, bool private);
+
/**
* Add a traffic selector to the config.
- *
+ *
* Use the "local" parameter to add it for the local or the remote side.
* After add, traffic selector is owned by child_cfg.
- *
+ *
* @param local TRUE for local side, FALSE for remote
* @param ts traffic_selector to add
*/
void (*add_traffic_selector)(child_cfg_t *this, bool local,
traffic_selector_t *ts);
-
+
/**
* Get a list of traffic selectors to use for the CHILD_SA.
- *
+ *
* The config contains two set of traffic selectors, one for the local
* side, one for the remote side.
* If a list with traffic selectors is supplied, these are used to narrow
@@ -141,7 +159,7 @@ struct child_cfg_t {
* to a specific address (host-to-host or virtual-IP setups). Use
* the "host" parameter to narrow such traffic selectors to that address.
* Resulted list and its traffic selectors must be destroyed after use.
- *
+ *
* @param local TRUE for TS on local side, FALSE for remote
* @param supplied list with TS to select from, or NULL
* @param host address to use for narrowing "dynamic" TS', or NULL
@@ -152,74 +170,77 @@ struct child_cfg_t {
host_t *host);
/**
* Get the updown script to run for the CHILD_SA.
- *
+ *
* @return path to updown script
*/
char* (*get_updown)(child_cfg_t *this);
-
+
/**
* Should we allow access to the local host (gateway)?
- *
+ *
* @return value of hostaccess flag
*/
bool (*get_hostaccess) (child_cfg_t *this);
/**
- * Get the lifetime of a CHILD_SA.
+ * Get the lifetime configuration of a CHILD_SA.
+ *
+ * The rekey limits automatically contain a jitter to avoid simultaneous
+ * rekeying. These values will change with each call to this function.
*
- * If "rekey" is set to TRUE, a lifetime is returned before the first
- * rekeying should be started. If it is FALSE, the actual lifetime is
- * returned when the CHILD_SA must be deleted.
- * The rekey time automatically contains a jitter to avoid simlutaneous
- * rekeying.
- *
- * @param rekey TRUE to get rekey time
- * @return lifetime in seconds
+ * @return lifetime_cfg_t (has to be freed)
*/
- u_int32_t (*get_lifetime) (child_cfg_t *this, bool rekey);
-
+ lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this);
+
/**
* Get the mode to use for the CHILD_SA.
*
* The mode is either tunnel, transport or BEET. The peer must agree
* on the method, fallback is tunnel mode.
- *
+ *
* @return ipsec mode
*/
ipsec_mode_t (*get_mode) (child_cfg_t *this);
-
+
/**
* Action to take on DPD.
*
* @return DPD action
- */
+ */
action_t (*get_dpd_action) (child_cfg_t *this);
-
+
/**
* Action to take if CHILD_SA gets closed.
*
* @return close action
- */
+ */
action_t (*get_close_action) (child_cfg_t *this);
-
+
/**
* Get the DH group to use for CHILD_SA setup.
- *
+ *
* @return dh group to use
*/
diffie_hellman_group_t (*get_dh_group)(child_cfg_t *this);
-
+
/**
* Check whether IPComp should be used, if the other peer supports it.
- *
+ *
* @return TRUE, if IPComp should be used
* FALSE, otherwise
*/
bool (*use_ipcomp)(child_cfg_t *this);
/**
+ * Get the inactivity timeout value.
+ *
+ * @return inactivity timeout in s
+ */
+ u_int32_t (*get_inactivity)(child_cfg_t *this);
+
+ /**
* Sets two options needed for Mobile IPv6 interoperability
- *
+ *
* @param proxy_mode use IPsec transport proxy mode (default FALSE)
* @param install_policy install IPsec kernel policies (default TRUE)
*/
@@ -228,27 +249,27 @@ struct child_cfg_t {
/**
* Check whether IPsec transport SA should be set up in proxy mode
- *
+ *
* @return TRUE, if proxy mode should be used
* FALSE, otherwise
*/
bool (*use_proxy_mode)(child_cfg_t *this);
-
+
/**
* Check whether IPsec policies should be installed in the kernel
- *
+ *
* @return TRUE, if IPsec kernel policies should be installed
* FALSE, otherwise
*/
bool (*install_policy)(child_cfg_t *this);
-
+
/**
* Increase the reference count.
*
* @return reference to this
*/
child_cfg_t* (*get_ref) (child_cfg_t *this);
-
+
/**
* Destroys the child_cfg object.
*
@@ -260,29 +281,30 @@ struct child_cfg_t {
/**
* Create a configuration template for CHILD_SA setup.
- *
+ *
* The "name" string gets cloned.
- * Lifetimes are in seconds. To prevent to peers to start rekeying at the
- * same time, a jitter may be specified. Rekeying of an SA starts at
- * (rekeytime - random(0, jitter)). You should specify
- * lifetime > rekeytime > jitter.
+ *
+ * The lifetime_cfg_t object gets cloned.
+ * To prevent two peers to start rekeying at the same time, a jitter may be
+ * specified. Rekeying of an SA starts at (x.rekey - random(0, x.jitter)).
+ *
* After a call to create, a reference is obtained (refcount = 1).
- *
+ *
* @param name name of the child_cfg
- * @param lifetime lifetime after CHILD_SA expires and gets deleted
- * @param rekeytime time when rekeying should be initiated
- * @param jitter range of randomization time to remove from rekeytime
+ * @param lifetime lifetime_cfg_t for this child_cfg
* @param updown updown script to execute on up/down event
* @param hostaccess TRUE to allow access to the local host
* @param mode mode to propose for CHILD_SA, transport, tunnel or BEET
* @param dpd_action DPD action
* @param close_action close action
* @param ipcomp use IPComp, if peer supports it
+ * @param inactivity inactivity timeout in s before closing a CHILD_SA
* @return child_cfg_t object
*/
-child_cfg_t *child_cfg_create(char *name, u_int32_t lifetime,
- u_int32_t rekeytime, u_int32_t jitter,
- char *updown, bool hostaccess, ipsec_mode_t mode,
- action_t dpd_action, action_t close_action, bool ipcomp);
+child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
+ char *updown, bool hostaccess,
+ ipsec_mode_t mode, action_t dpd_action,
+ action_t close_action, bool ipcomp,
+ u_int32_t inactivity);
#endif /** CHILD_CFG_H_ @}*/
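Review bot: The rewritten child_cfg_create comment says the lifetime_cfg_t "gets cloned" but not whether `lifetime` may be NULL; a clone of a NULL pointer would presumably crash, so the @param line should state it is required, e.g. ` * @param lifetime lifetime_cfg_t for this child_cfg (required, cloned)`. Likewise `@param inactivity` gives the unit but not the value that disables the timeout; if 0 means "never close", say so, since callers migrating from the old signature have no other hint.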