diff options
Diffstat (limited to 'Source/charon/threads/kernel_interface.h')
-rw-r--r-- | Source/charon/threads/kernel_interface.h | 97 |
1 files changed, 88 insertions, 9 deletions
diff --git a/Source/charon/threads/kernel_interface.h b/Source/charon/threads/kernel_interface.h index 7c2a27147..f7621afd9 100644 --- a/Source/charon/threads/kernel_interface.h +++ b/Source/charon/threads/kernel_interface.h @@ -33,6 +33,10 @@ typedef struct kernel_interface_t kernel_interface_t; /** * @brief Interface to the kernel. * + * The kernel interface handles the communication with the kernel + * for SA and policy management. It allows setup of these, and provides + * further the handling of kernel events. + * * @b Constructors: * - kernel_interface_create() * @@ -41,22 +45,47 @@ typedef struct kernel_interface_t kernel_interface_t; struct kernel_interface_t { /** - * @brief Get a SPI from the kernel + * @brief Get a SPI from the kernel. * - * @todo Fix spi range + * @param this calling object + * @param src source address of SA + * @param dst destination address of SA + * @param protocol protocol for SA (ESP/AH) + * @param reqid unique ID for this SA + * @param[out] spi allocated spi + * @return + * - SUCCESS + * - FAILED if kernel comm failed */ status_t (*get_spi) (kernel_interface_t *this, - host_t *src, host_t *dest, + host_t *src, host_t *dst, protocol_id_t protocol, u_int32_t reqid, u_int32_t *spi); /** - * @brief Create an SA. + * @brief Add an SA to the SAD. * - * @todo Fix reqid and replay_window params + * add_sa() may update an already allocated + * SPI (via get_spi). In this case, the replace + * flag must be set. + * This function does install a single SA for a + * single protocol in one direction. * - * @todo Cleanup method params + * @param this calling object + * @param src source address for this SA + * @param dst destination address for this SA + * @param spi SPI allocated by us or remote peer + * @param protocol protocol for this SA (ESP/AH) + * @param reqid unique ID for this SA + * @param enc_alg Algorithm to use for encryption (ESP only) + * @param enc_key Key to use for encryption + * @param int_alg Algorithm to use for integrity protection + * @param int_key Key for integrity protection + * @param replace Should an already installed SA be updated? + * @return + * - SUCCESS + * - FAILED if kernel comm failed */ status_t (*add_sa)(kernel_interface_t *this, host_t *src, host_t *dst, @@ -64,16 +93,50 @@ struct kernel_interface_t { protocol_id_t protocol, u_int32_t reqid, encryption_algorithm_t enc_alg, - chunk_t encryption_key, + chunk_t enc_key, integrity_algorithm_t int_alg, - chunk_t integrity_key, + chunk_t int_key, bool replace); - + /** + * @brief Delete a previusly installed SA from the SAD. + * + * @param this calling object + * @param dst destination address for this SA + * @param spi SPI allocated by us or remote peer + * @param protocol protocol for this SA (ESP/AH) + * @return + * - SUCCESS + * - FAILED if kernel comm failed + */ status_t (*del_sa) (kernel_interface_t *this, host_t *dst, u_int32_t spi, protocol_id_t protocol); + /** + * @brief Add a policy to the SPD. + * + * A policy is always associated to an SA, so + * traffic applied to a policy. Traffic which + * matches a policy is handled by the SA with the same + * reqid. + * + * @param this calling object + * @param me address of local peer + * @param other address of remote peer + * @param src src address of traffic this policy applies + * @param dst dest address of traffic this policy applies + * @param src_hostbits subnetmask to use for src address + * @param dst_hostbits subnetmask to use for dst address + * @param direction direction of traffic, XFRM_POLICY_OUT, XFRM_POLICY_IN, XFRM_POLICY_FWD + * @param upper_proto upper layer protocol of traffic for this policy (TCP, UDP, ICMP, ...) + * @param ah protect traffic with AH? + * @param esp protect traffic with ESP? + * @param reqid uniqe ID of an SA to use to enforce policy + * @return + * - SUCCESS + * - FAILED if kernel comm failed + */ status_t (*add_policy) (kernel_interface_t *this, host_t *me, host_t *other, host_t *src, host_t *dst, @@ -82,6 +145,22 @@ struct kernel_interface_t { bool ah, bool esp, u_int32_t reqid); + /** + * @brief Remove a policy from the SPD. + * + * @param this calling object + * @param me address of local peer + * @param other address of remote peer + * @param src src address of traffic this policy applies + * @param dst dest address of traffic this policy applies + * @param src_hostbits subnetmask to use for src address + * @param dst_hostbits subnetmask to use for dst address + * @param direction direction of traffic, XFRM_POLICY_OUT, XFRM_POLICY_IN, XFRM_POLICY_FWD + * @param upper_proto upper layer protocol of traffic for this policy (TCP, UDP, ICMP, ...) + * @return + * - SUCCESS + * - FAILED if kernel comm failed + */ status_t (*del_policy) (kernel_interface_t *this, host_t *me, host_t *other, host_t *src, host_t *dst, |