/*
 * Copyright (C) 2012 Tobias Brunner
 * Copyright (C) 2012 Giuliano Grassi
 * Copyright (C) 2012 Ralf Sager
 * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
 * for more details.
 */

/**
 * @defgroup ipsec_sa_mgr ipsec_sa_mgr
 * @{ @ingroup libipsec
 */
22:
23: #ifndef IPSEC_SA_MGR_H_
24: #define IPSEC_SA_MGR_H_
25:
26: #include "ipsec_sa.h"
27:
28: #include <library.h>
29: #include <ipsec/ipsec_types.h>
30: #include <selectors/traffic_selector.h>
31: #include <networking/host.h>
32:
/* Forward typedef so the method signatures below can take ipsec_sa_mgr_t *this */
typedef struct ipsec_sa_mgr_t ipsec_sa_mgr_t;
34:
35: /**
36: * IPsec SA manager
37: *
38: * The first methods are modeled after those in kernel_ipsec_t.
39: */
struct ipsec_sa_mgr_t {

	/**
	 * Allocate an SPI for an inbound IPsec SA
	 *
	 * @param src			source address of the SA
	 * @param dst			destination address of the SA
	 * @param protocol		protocol of the SA (only ESP supported)
	 * @param[out] spi		the allocated SPI
	 * @return				SUCCESS if operation successful
	 */
	status_t (*get_spi)(ipsec_sa_mgr_t *this, host_t *src, host_t *dst,
						uint8_t protocol, uint32_t *spi);

	/**
	 * Add a new SA
	 *
	 * NOTE(review): this header does not state whether the key material in
	 * enc_key and int_key is copied or only referenced; confirm in the
	 * implementation before the caller releases or zeroizes those chunks.
	 *
	 * @param src			source address for this SA (gets cloned)
	 * @param dst			destination address for this SA (gets cloned)
	 * @param spi			SPI for this SA
	 * @param protocol		protocol for this SA (only ESP is supported)
	 * @param reqid			reqid for this SA
	 * @param mark			mark for this SA (ignored)
	 * @param tfc			Traffic Flow Confidentiality (not yet supported)
	 * @param lifetime		lifetime for this SA
	 * @param enc_alg		encryption algorithm for this SA
	 * @param enc_key		encryption key for this SA
	 * @param int_alg		integrity protection algorithm
	 * @param int_key		integrity protection key
	 * @param mode			mode for this SA (only tunnel mode is supported)
	 * @param ipcomp		IPcomp transform (not supported, use IPCOMP_NONE)
	 * @param cpi			CPI for IPcomp (ignored)
	 * @param initiator		TRUE if initiator of the exchange creating this SA
	 * @param encap			enable UDP encapsulation (must be TRUE)
	 * @param esn			Extended Sequence Numbers (currently not supported)
	 * @param inbound		TRUE if this is an inbound SA, FALSE otherwise
	 * @param update		TRUE if an SPI has already been allocated for this
	 *						SA (see get_spi())
	 * @return				SUCCESS if operation completed
	 */
	status_t (*add_sa)(ipsec_sa_mgr_t *this, host_t *src, host_t *dst,
					   uint32_t spi, uint8_t protocol, uint32_t reqid,
					   mark_t mark, uint32_t tfc, lifetime_cfg_t *lifetime,
					   uint16_t enc_alg, chunk_t enc_key, uint16_t int_alg,
					   chunk_t int_key, ipsec_mode_t mode, uint16_t ipcomp,
					   uint16_t cpi, bool initiator, bool encap, bool esn,
					   bool inbound, bool update);

	/**
	 * Update the hosts on an installed SA.
	 *
	 * @param spi			SPI of the SA
	 * @param protocol		protocol for this SA (ESP/AH)
	 * @param cpi			CPI for IPComp, 0 if no IPComp is used
	 * @param src			current source address
	 * @param dst			current destination address
	 * @param new_src		new source address
	 * @param new_dst		new destination address
	 * @param encap			current use of UDP encapsulation
	 * @param new_encap		new use of UDP encapsulation
	 * @param mark			optional mark for this SA
	 * @return				SUCCESS if operation completed
	 */
	status_t (*update_sa)(ipsec_sa_mgr_t *this,
						  uint32_t spi, uint8_t protocol, uint16_t cpi,
						  host_t *src, host_t *dst,
						  host_t *new_src, host_t *new_dst,
						  bool encap, bool new_encap, mark_t mark);

	/**
	 * Query the number of bytes processed by an SA from the SAD.
	 *
	 * @param src			source address for this SA
	 * @param dst			destination address for this SA
	 * @param spi			SPI allocated by us or remote peer
	 * @param protocol		protocol for this SA (ESP/AH)
	 * @param mark			optional mark for this SA
	 * @param[out] bytes	the number of bytes processed by SA
	 * @param[out] packets	number of packets processed by SA
	 * @param[out] time		last (monotonic) time of SA use
	 * @return				SUCCESS if operation completed
	 */
	status_t (*query_sa)(ipsec_sa_mgr_t *this, host_t *src, host_t *dst,
						 uint32_t spi, uint8_t protocol, mark_t mark,
						 uint64_t *bytes, uint64_t *packets, time_t *time);

	/**
	 * Delete a previously added SA
	 *
	 * @param src			source address of the SA
	 * @param dst			destination address of the SA
	 * @param spi			SPI of the SA
	 * @param protocol		protocol of the SA
	 * @param cpi			CPI for IPcomp
	 * @param mark			optional mark
	 * @return				SUCCESS if operation completed
	 */
	status_t (*del_sa)(ipsec_sa_mgr_t *this, host_t *src, host_t *dst,
					   uint32_t spi, uint8_t protocol, uint16_t cpi,
					   mark_t mark);

	/**
	 * Flush all SAs
	 *
	 * @return				SUCCESS if operation completed
	 */
	status_t (*flush_sas)(ipsec_sa_mgr_t *this);

	/**
	 * Checkout an installed IPsec SA by SPI and destination address
	 * Can be used to find the correct SA for an inbound packet.
	 *
	 * The matching SA is locked until it is checked in using checkin().
	 * If the matching SA is already checked out, this call blocks until the
	 * SA is checked in.
	 *
	 * Since other threads may be waiting for the checked out SA, it should be
	 * checked in as soon as possible after use.
	 *
	 * NOTE(review): the header does not state whether the returned pointer
	 * stays valid after checkin(); treat it as invalid once checked in.
	 *
	 * @param spi			SPI (e.g. of an inbound packet)
	 * @param dst			destination address (e.g. of an inbound packet)
	 * @return				the matching IPsec SA, or NULL if none is found
	 */
	ipsec_sa_t *(*checkout_by_spi)(ipsec_sa_mgr_t *this, uint32_t spi,
								   host_t *dst);

	/**
	 * Checkout an installed IPsec SA by its reqid and inbound/outbound flag.
	 * Can be used to find the correct SA for an outbound packet.
	 *
	 * The matching SA is locked until it is checked in using checkin().
	 * If the matching SA is already checked out, this call blocks until the
	 * SA is checked in.
	 *
	 * Since other threads may be waiting for a checked out SA, it should be
	 * checked in as soon as possible after use.
	 *
	 * NOTE(review): as for checkout_by_spi(), validity of the returned pointer
	 * after checkin() is not specified here; treat it as invalid once checked in.
	 *
	 * @param reqid			reqid of the SA
	 * @param inbound		TRUE for an inbound SA, FALSE for an outbound SA
	 * @return				the matching IPsec SA, or NULL if none is found
	 */
	ipsec_sa_t *(*checkout_by_reqid)(ipsec_sa_mgr_t *this, uint32_t reqid,
									 bool inbound);

	/**
	 * Checkin an SA after use.
	 *
	 * Releases the lock taken by checkout_by_spi() or checkout_by_reqid(),
	 * letting threads blocked on the same SA proceed.
	 *
	 * @param sa			checked out SA, as returned by one of the
	 *						checkout methods above
	 */
	void (*checkin)(ipsec_sa_mgr_t *this, ipsec_sa_t *sa);

	/**
	 * Destroy an ipsec_sa_mgr_t
	 *
	 * NOTE(review): behaviour when SAs are still checked out at this point is
	 * not specified here; confirm in the implementation.
	 */
	void (*destroy)(ipsec_sa_mgr_t *this);

};
196:
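/**
 * Create an ipsec_sa_mgr instance
 *
 * Ownership of the returned object passes to the caller, who releases it
 * with its destroy() method.
 *
 * @return				IPsec SA manager instance
 */
/* (void) rather than (): an empty parameter list is an unprototyped
 * declaration in C11, so a stray argument at a call site would compile
 * silently; the prototype keeps the compiler's argument checking. */
ipsec_sa_mgr_t *ipsec_sa_mgr_create(void);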
203:
204: #endif /** IPSEC_SA_MGR_H_ @}*/