1.1 misho 1: /*
2: * Copyright (C) 2012 Tobias Brunner
3: * Copyright (C) 2012 Giuliano Grassi
4: * Copyright (C) 2012 Ralf Sager
5: * HSR Hochschule fuer Technik Rapperswil
6: *
7: * This program is free software; you can redistribute it and/or modify it
8: * under the terms of the GNU General Public License as published by the
9: * Free Software Foundation; either version 2 of the License, or (at your
10: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11: *
12: * This program is distributed in the hope that it will be useful, but
13: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15: * for more details.
16: */
17:
18: /**
19: * @defgroup ipsec_sa ipsec_sa
20: * @{ @ingroup libipsec
21: */
22:
23: #ifndef IPSEC_SA_H_
24: #define IPSEC_SA_H_
25:
26: #include "esp_context.h"
27:
28: #include <library.h>
29: #include <networking/host.h>
30: #include <selectors/traffic_selector.h>
31: #include <ipsec/ipsec_types.h>
32:
/* Forward declaration so the method pointers below can name their own type;
 * the struct body follows. */
typedef struct ipsec_sa_t ipsec_sa_t;
34:
/**
 * IPsec Security Association (SA)
 *
 * Interface of a single SA managed by libipsec. Every method takes the SA
 * itself as its first argument. The interface does not imply any locking;
 * NOTE(review): concurrent access is presumably serialized by the owner of
 * the SA (e.g. an SA manager) - confirm in ipsec_sa.c.
 */
struct ipsec_sa_t {

	/**
	 * Get the source address for this SA
	 *
	 * NOTE(review): the returned host_t is presumably owned by the SA (the
	 * setter below clones its argument), so callers must not destroy it -
	 * confirm in ipsec_sa.c.
	 *
	 * @return			source address of this SA
	 */
	host_t *(*get_source)(ipsec_sa_t *this);

	/**
	 * Get the destination address for this SA
	 *
	 * NOTE(review): ownership as for get_source(): presumably owned by the
	 * SA, do not destroy - confirm in ipsec_sa.c.
	 *
	 * @return			destination address of this SA
	 */
	host_t *(*get_destination)(ipsec_sa_t *this);

	/**
	 * Set the source address for this SA
	 *
	 * The address is cloned, so the caller keeps ownership of addr.
	 *
	 * @param addr		source address of this SA (gets cloned)
	 */
	void (*set_source)(ipsec_sa_t *this, host_t *addr);

	/**
	 * Set the destination address for this SA
	 *
	 * The address is cloned, so the caller keeps ownership of addr.
	 *
	 * @param addr		destination address of this SA (gets cloned)
	 */
	void (*set_destination)(ipsec_sa_t *this, host_t *addr);

	/**
	 * Get the SPI for this SA
	 *
	 * NOTE(review): this header does not specify the byte order of the SPI;
	 * presumably it is the same representation as passed to
	 * ipsec_sa_create() - confirm before comparing against on-the-wire SPIs.
	 *
	 * @return			SPI of this SA
	 */
	uint32_t (*get_spi)(ipsec_sa_t *this);

	/**
	 * Get the reqid of this SA
	 *
	 * @return			reqid of this SA
	 */
	uint32_t (*get_reqid)(ipsec_sa_t *this);

	/**
	 * Get the protocol (e.g. IPPROTO_ESP) of this SA
	 *
	 * ipsec_sa_create() documents that only ESP is supported, so in practice
	 * this is the protocol value that was passed there.
	 *
	 * @return			protocol of this SA
	 */
	uint8_t (*get_protocol)(ipsec_sa_t *this);

	/**
	 * Returns whether this SA is inbound or outbound
	 *
	 * @return			TRUE if inbound, FALSE if outbound
	 */
	bool (*is_inbound)(ipsec_sa_t *this);

	/**
	 * Get the lifetime information for this SA
	 *
	 * Note that this information is always relative to the time when the
	 * SA was installed (i.e. it is not adjusted over time). Callers that need
	 * the remaining lifetime have to compute it themselves.
	 * NOTE(review): the returned struct is presumably owned by the SA -
	 * do not free it, confirm in ipsec_sa.c.
	 *
	 * @return			lifetime of this SA
	 */
	lifetime_cfg_t *(*get_lifetime)(ipsec_sa_t *this);

	/**
	 * Get the ESP context for this SA
	 *
	 * The context holds the per-SA ESP processing state (see esp_context.h).
	 * NOTE(review): presumably owned by the SA - do not destroy, confirm in
	 * ipsec_sa.c.
	 *
	 * @return			ESP context of this SA
	 */
	esp_context_t *(*get_esp_context)(ipsec_sa_t *this);

	/**
	 * Get usage statistics for this SA.
	 *
	 * Each output pointer may be NULL if the caller is not interested in
	 * that value.
	 *
	 * @param bytes		receives number of processed bytes, or NULL
	 * @param packets	receives number of processed packets, or NULL
	 * @param time		receives last use time of this SA, or NULL
	 */
	void (*get_usestats)(ipsec_sa_t *this, uint64_t *bytes, uint64_t *packets,
						 time_t *time);

	/**
	 * Record en/decryption of a packet to update usage statistics.
	 *
	 * NOTE(review): the argument is 32-bit while get_usestats() reports a
	 * 64-bit byte count, so the value is presumably accumulated per call
	 * (together with the packet count and last use time) - confirm in
	 * ipsec_sa.c.
	 *
	 * @param bytes		length of packet processed
	 */
	void (*update_usestats)(ipsec_sa_t *this, uint32_t bytes);

	/**
	 * Expire this SA, soft or hard.
	 *
	 * A soft expire triggers a rekey, a hard expire blocks the SA and
	 * triggers a delete for the SA. Once expired, match_by_spi_dst() and
	 * match_by_reqid() no longer match this SA (see their documentation);
	 * whether a soft expire alone already has that effect is not specified
	 * here.
	 *
	 * @param hard		TRUE for hard, FALSE for soft
	 */
	void (*expire)(ipsec_sa_t *this, bool hard);

	/**
	 * Check if this SA matches all given parameters
	 *
	 * Only matches if the SA has not yet expired, i.e. an expired SA is
	 * never selected for traffic by this lookup.
	 *
	 * @param spi		SPI
	 * @param dst		destination address
	 * @return			TRUE if this SA matches all parameters, FALSE otherwise
	 */
	bool (*match_by_spi_dst)(ipsec_sa_t *this, uint32_t spi, host_t *dst);

	/**
	 * Check if this SA matches all given parameters
	 *
	 * NOTE(review): unlike match_by_spi_dst() and match_by_reqid(), this
	 * method is not documented to exclude expired SAs - presumably so that
	 * an expired SA can still be located (e.g. for deletion). Confirm in
	 * ipsec_sa.c, and do not use this lookup to select an SA for traffic.
	 *
	 * @param spi		SPI
	 * @param src		source address
	 * @param dst		destination address
	 * @return			TRUE if this SA matches all parameters, FALSE otherwise
	 */
	bool (*match_by_spi_src_dst)(ipsec_sa_t *this, uint32_t spi, host_t *src,
								 host_t *dst);

	/**
	 * Check if this SA matches all given parameters
	 *
	 * Only matches if the SA has not yet expired.
	 *
	 * @param reqid		reqid
	 * @param inbound	TRUE for inbound SA, FALSE for outbound
	 * @return			TRUE if this SA matches all parameters, FALSE otherwise
	 */
	bool (*match_by_reqid)(ipsec_sa_t *this, uint32_t reqid, bool inbound);

	/**
	 * Destroy an ipsec_sa_t
	 *
	 * Releases the SA and everything it owns. NOTE(review): whether the key
	 * material held by the ESP context is wiped on destruction is not
	 * specified here - confirm in esp_context.c / ipsec_sa.c.
	 */
	void (*destroy)(ipsec_sa_t *this);

};
178:
/**
 * Create an ipsec_sa_t instance
 *
 * Several parameters are documented as ignored, unsupported or required to
 * have a fixed value (mark, tfc, mode, ipcomp, cpi, encap, esn); this header
 * does not state whether a violating value is rejected (NULL return) or
 * silently ignored - NOTE(review): confirm in ipsec_sa.c before relying on
 * either behaviour.
 *
 * Ownership: src and dst are cloned, so the caller keeps them. The returned
 * SA is owned by the caller and must be released with its destroy() method.
 * NOTE(review): whether enc_key/int_key are copied or adopted is not
 * specified here - confirm in ipsec_sa.c; in either case the caller should
 * clear its own copies of the key material (e.g. chunk_clear()) once they
 * are no longer needed.
 *
 * @param spi			SPI for this SA
 * @param src			source address for this SA (gets cloned)
 * @param dst			destination address for this SA (gets cloned)
 * @param protocol		protocol for this SA (only ESP is supported)
 * @param reqid			reqid for this SA
 * @param mark			mark for this SA (ignored)
 * @param tfc			Traffic Flow Confidentiality (currently not supported)
 * @param lifetime		lifetime for this SA
 * @param enc_alg		encryption algorithm for this SA
 * @param enc_key		encryption key for this SA
 * @param int_alg		integrity protection algorithm
 * @param int_key		integrity protection key
 * @param mode			mode for this SA (only tunnel mode is supported)
 * @param ipcomp		IPcomp transform (not supported, use IPCOMP_NONE)
 * @param cpi			CPI for IPcomp (ignored)
 * @param encap			enable UDP encapsulation (must be TRUE)
 * @param esn			Extended Sequence Numbers (currently not supported)
 * @param inbound		TRUE if this is an inbound SA, FALSE otherwise
 * @return				the IPsec SA, or NULL if the creation failed
 */
ipsec_sa_t *ipsec_sa_create(uint32_t spi, host_t *src, host_t *dst,
							uint8_t protocol, uint32_t reqid, mark_t mark,
							uint32_t tfc, lifetime_cfg_t *lifetime,
							uint16_t enc_alg, chunk_t enc_key,
							uint16_t int_alg, chunk_t int_key,
							ipsec_mode_t mode, uint16_t ipcomp, uint16_t cpi,
							bool encap, bool esn, bool inbound);
209:
210: #endif /** IPSEC_SA_H_ @}*/