Diffstat (limited to 'src/libcharon/bus/bus.h')
-rw-r--r--src/libcharon/bus/bus.h42
1 files changed, 40 insertions, 2 deletions
diff --git a/src/libcharon/bus/bus.h b/src/libcharon/bus/bus.h
index 8cf392eae..6a306afcc 100644
--- a/src/libcharon/bus/bus.h
+++ b/src/libcharon/bus/bus.h
@@ -22,6 +22,7 @@
#define BUS_H_
typedef enum alert_t alert_t;
+typedef enum narrow_hook_t narrow_hook_t;
typedef struct bus_t bus_t;
#include <stdarg.h>
@@ -86,6 +87,31 @@ enum alert_t {
};
/**
+ * Kind of narrow hook.
+ *
+ * There is a non-authenticated (IKE_AUTH) and a authenticated
+ * (CREATE_CHILD_SA) narrowing hook for the initiator. Only one of these
+ * hooks is invoked before the exchange.
+ * To verify the traffic selectors negotiated, each PRE hook has a POST
+ * counterpart that follows. POST hooks are invoked with an authenticated peer.
+ * It is usually not a good idea to narrow in the POST hooks,
+ * as the resulting traffic selector is not negotiated and results
+ * in non-matching policies.
+ */
+enum narrow_hook_t {
+ /** invoked as initiator before exchange, peer is not yet authenticated */
+ NARROW_INITIATOR_PRE_NOAUTH,
+ /** invoked as initiator before exchange, peer is authenticated */
+ NARROW_INITIATOR_PRE_AUTH,
+ /** invoked as responder during exchange, peer is authenticated */
+ NARROW_RESPONDER,
+ /** invoked as initiator after exchange, follows a INITIATOR_PRE_NOAUTH */
+ NARROW_INITIATOR_POST_NOAUTH,
+ /** invoked as initiator after exchange, follows a INITIATOR_PRE_AUTH */
+ NARROW_INITIATOR_POST_AUTH,
+};
+
+/**
* The bus receives events and sends them to all registered listeners.
*
* Any events sent to are delivered to all registered listeners. Threads
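Review bot: The enum header says "each PRE hook has a POST counterpart", but the enum declares no POST variant for NARROW_RESPONDER, so a reader cannot tell whether responder narrowing is verified after the exchange or whether the single responder hook (commented as running with an authenticated peer) already covers it. I would restrict the sentence to the initiator, e.g. `* Each initiator PRE hook has a POST counterpart that follows; the responder hook is invoked once, during the exchange, with an authenticated peer.` The closing advice that narrowing in POST hooks is "usually not a good idea" reads as a recommendation; if listeners must leave the lists untouched there, the comment should state that as a rule, which the hunk does not establish. The phrase "a authenticated" on the third line should read "an authenticated".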
@@ -217,6 +243,17 @@ struct bus_t {
bool (*authorize)(bus_t *this, bool final);
/**
+ * CHILD_SA traffic selector narrowing hook.
+ *
+ * @param child_sa CHILD_SA set up with these traffic selectors
+ * @param type type of hook getting invoked
+ * @param local list of local traffic selectors to narrow
+ * @param remote list of remote traffic selectors to narrow
+ */
+ void (*narrow)(bus_t *this, child_sa_t *child_sa, narrow_hook_t type,
+ linked_list_t *local, linked_list_t *remote);
+
+ /**
* IKE_SA keymat hook.
*
* @param ike_sa IKE_SA this keymat belongs to
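Review bot: The narrow hook's documentation does not state what a listener may do with `local` and `remote`: whether it narrows by removing or replacing entries in place, whether the lists stay owned by the caller, and what happens if a listener empties one of them. Because the same hook is invoked for the NOAUTH variants, where the peer is not yet authenticated, the contract should also direct listeners to inspect `type` (see narrow_hook_t) before acting on the result. I would extend the parameter lines to `@param local list of local traffic selectors, narrowed in place by listeners` and `@param remote list of remote traffic selectors, narrowed in place by listeners` — in-place narrowing is presumed from the void return and should be confirmed against the bus implementation. The enclosing struct bus_t starts and ends outside the hunk.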
@@ -231,12 +268,13 @@ struct bus_t {
* CHILD_SA keymat hook.
*
* @param child_sa CHILD_SA this keymat is used for
+ * @param initiator initiator of the CREATE_CHILD_SA exchange
* @param dh diffie hellman shared secret
* @param nonce_i initiators nonce
* @param nonce_r responders nonce
*/
- void (*child_keys)(bus_t *this, child_sa_t *child_sa, diffie_hellman_t *dh,
- chunk_t nonce_i, chunk_t nonce_r);
+ void (*child_keys)(bus_t *this, child_sa_t *child_sa, bool initiator,
+ diffie_hellman_t *dh, chunk_t nonce_i, chunk_t nonce_r);
/**
* IKE_SA up/down hook.
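Review bot: `@param initiator initiator of the CREATE_CHILD_SA exchange` documents a bool with a noun phrase, so a listener cannot tell whether TRUE means this end initiated the exchange or something else. I would write `@param initiator TRUE if we are the initiator of the CREATE_CHILD_SA exchange` — assuming that is the intended meaning, which the hunk itself does not show. Inserting a parameter into the child_keys function-pointer member changes the signature for every listener implementation and for the bus's own child_keys; this diff is limited to bus.h, so those updates cannot be verified here. The enclosing struct bus_t continues outside the hunk.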