summaryrefslogtreecommitdiff
path: root/src/libipsec/ipsec_sa.h
blob: 80dbd9353a8b49356cf0cce555027965cec850d9 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
/*
 * Copyright (C) 2012 Tobias Brunner
 * Copyright (C) 2012 Giuliano Grassi
 * Copyright (C) 2012 Ralf Sager
 * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

/**
 * @defgroup ipsec_sa ipsec_sa
 * @{ @ingroup libipsec
 */

#ifndef IPSEC_SA_H_
#define IPSEC_SA_H_

#include "esp_context.h"

#include <library.h>
#include <networking/host.h>
#include <selectors/traffic_selector.h>
#include <ipsec/ipsec_types.h>

typedef struct ipsec_sa_t ipsec_sa_t;

/**
 * IPsec Security Association (SA)
 */
struct ipsec_sa_t {

	/**
	 * Get the source address for this SA
	 *
	 * @return			source address of this SA
	 */
	host_t *(*get_source)(ipsec_sa_t *this);

	/**
	 * Get the destination address for this SA
	 *
	 * @return			destination address of this SA
	 */
	host_t *(*get_destination)(ipsec_sa_t *this);

	/**
	 * Set the source address for this SA
	 *
	 * @param addr		source address of this SA (gets cloned)
	 */
	void (*set_source)(ipsec_sa_t *this, host_t *addr);

	/**
	 * Set the destination address for this SA
	 *
	 * @param addr		destination address of this SA (gets cloned)
	 */
	void (*set_destination)(ipsec_sa_t *this, host_t *addr);

	/**
	 * Get the SPI for this SA
	 *
	 * @return			SPI of this SA
	 */
	uint32_t (*get_spi)(ipsec_sa_t *this);

	/**
	 * Get the reqid of this SA
	 *
	 * @return			reqid of this SA
	 */
	uint32_t (*get_reqid)(ipsec_sa_t *this);

	/**
	 * Get the protocol (e.g. IPPROTO_ESP) of this SA
	 *
	 * @return			protocol of this SA
	 */
	uint8_t (*get_protocol)(ipsec_sa_t *this);

	/**
	 * Returns whether this SA is inbound or outbound
	 *
	 * @return			TRUE if inbound, FALSE if outbound
	 */
	bool (*is_inbound)(ipsec_sa_t *this);

	/**
	 * Get the lifetime information for this SA
	 * Note that this information is always relative to the time when the
	 * SA was installed (i.e. it is not adjusted over time)
	 *
	 * @return			lifetime of this SA
	 */
	lifetime_cfg_t *(*get_lifetime)(ipsec_sa_t *this);

	/**
	 * Get the ESP context for this SA
	 *
	 * @return			ESP context of this SA
	 */
	esp_context_t *(*get_esp_context)(ipsec_sa_t *this);

	/**
	 * Get usage statistics for this SA.
	 *
	 * @param bytes		receives number of processed bytes, or NULL
	 * @param packets	receives number of processed packets, or NULL
	 * @param time		receives last use time of this SA, or NULL
	 */
	void (*get_usestats)(ipsec_sa_t *this, uint64_t *bytes, uint64_t *packets,
						 time_t *time);

	/**
	 * Record en/decryption of a packet to update usage statistics.
	 *
	 * @param bytes		length of packet processed
	 */
	void (*update_usestats)(ipsec_sa_t *this, uint32_t bytes);

	/**
	 * Expire this SA, soft or hard.
	 *
	 * A soft expire triggers a rekey, a hard expire blocks the SA and
	 * triggers a delete for the SA.
	 *
	 * @param hard		TRUE for hard, FALSE for soft
	 */
	void (*expire)(ipsec_sa_t *this, bool hard);

	/**
	 * Check if this SA matches all given parameters
	 *
	 * Only matches if the SA has not yet expired.
	 *
	 * @param spi		SPI
	 * @param dst		destination address
	 * @return			TRUE if this SA matches all parameters, FALSE otherwise
	 */
	bool (*match_by_spi_dst)(ipsec_sa_t *this, uint32_t spi, host_t *dst);

	/**
	 * Check if this SA matches all given parameters
	 *
	 * @param spi		SPI
	 * @param src		source address
	 * @param dst		destination address
	 * @return			TRUE if this SA matches all parameters, FALSE otherwise
	 */
	bool (*match_by_spi_src_dst)(ipsec_sa_t *this, uint32_t spi, host_t *src,
								 host_t *dst);

	/**
	 * Check if this SA matches all given parameters
	 *
	 * Only matches if the SA has not yet expired.
	 *
	 * @param reqid		reqid
	 * @param inbound	TRUE for inbound SA, FALSE for outbound
	 * @return			TRUE if this SA matches all parameters, FALSE otherwise
	 */
	bool (*match_by_reqid)(ipsec_sa_t *this, uint32_t reqid, bool inbound);

	/**
	 * Destroy an ipsec_sa_t
	 */
	void (*destroy)(ipsec_sa_t *this);

};

/**
 * Create an ipsec_sa_t instance
 *
 * @param spi			SPI for this SA
 * @param src			source address for this SA (gets cloned)
 * @param dst			destination address for this SA (gets cloned)
 * @param protocol		protocol for this SA (only ESP is supported)
 * @param reqid			reqid for this SA
 * @param mark			mark for this SA (ignored)
 * @param tfc			Traffic Flow Confidentiality (currently not supported)
 * @param lifetime		lifetime for this SA
 * @param enc_alg		encryption algorithm for this SA
 * @param enc_key		encryption key for this SA
 * @param int_alg		integrity protection algorithm
 * @param int_key		integrity protection key
 * @param mode			mode for this SA (only tunnel mode is supported)
 * @param ipcomp		IPcomp transform (not supported, use IPCOMP_NONE)
 * @param cpi			CPI for IPcomp (ignored)
 * @param encap			enable UDP encapsulation (must be TRUE)
 * @param esn			Extended Sequence Numbers (currently not supported)
 * @param inbound		TRUE if this is an inbound SA, FALSE otherwise
 * @return				the IPsec SA, or NULL if the creation failed
 */
ipsec_sa_t *ipsec_sa_create(uint32_t spi, host_t *src, host_t *dst,
							uint8_t protocol, uint32_t reqid, mark_t mark,
							uint32_t tfc, lifetime_cfg_t *lifetime,
							uint16_t enc_alg, chunk_t enc_key,
							uint16_t int_alg, chunk_t int_key,
							ipsec_mode_t mode, uint16_t ipcomp, uint16_t cpi,
							bool encap, bool esn, bool inbound);

#endif /** IPSEC_SA_H_ @}*/