e0fe7651 | 1 | /* |
c56b8c1a | 2 | * Copyright (C) 2007-2019 Tobias Brunner |
a44bb934 | 3 | * Copyright (C) 2005-2009 Martin Willi |
e0fe7651 | 4 | * Copyright (C) 2005 Jan Hutter |
5 | * |
6 | * Copyright (C) secunet Security Networks AG | |
7 | * |
8 | * This program is free software; you can redistribute it and/or modify it | |
9 | * under the terms of the GNU General Public License as published by the | |
10 | * Free Software Foundation; either version 2 of the License, or (at your | |
11 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
12 | * | |
13 | * This program is distributed in the hope that it will be useful, but | |
14 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
15 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
16 | * for more details. | |
17 | */ |
18 | ||
19 | /** | |
20 | * @defgroup peer_cfg peer_cfg | |
21 | * @{ @ingroup config | |
22 | */ |
23 | ||
24 | #ifndef PEER_CFG_H_ | |
25 | #define PEER_CFG_H_ | |
26 | ||
e0fe7651 | 27 | typedef enum cert_policy_t cert_policy_t; |
15612b3a | 28 | typedef enum ocsp_policy_t ocsp_policy_t; |
0644ebd3 | 29 | typedef enum unique_policy_t unique_policy_t; |
e0fe7651 | 30 | typedef struct peer_cfg_t peer_cfg_t; |
2ba5dadb | 31 | typedef struct peer_cfg_create_t peer_cfg_create_t; |
32 | |
33 | #include <library.h> | |
34 | #include <utils/identification.h> | |
12642a68 | 35 | #include <collections/enumerator.h> |
1125a0be | 36 | #include <selectors/traffic_selector.h> |
2307bffe | 37 | #include <crypto/proposal/proposal.h> |
38 | #include <config/ike_cfg.h> |
39 | #include <config/child_cfg.h> | |
2ccc02a4 | 40 | #include <credentials/auth_cfg.h> |
41 | |
/**
 * Certificate sending policy.
 *
 * The same policy also drives certificate requests when this definition is
 * used for the other peer: with CERT_NEVER_SEND no certreq is sent, with any
 * other value one is included.
 *
 * @warning These definitions must be the same as in pluto/starter,
 * as they are sent over the stroke socket (the numeric values are part of
 * that wire format, so they must not be renumbered).
 */
enum cert_policy_t {
	/** always send certificates, even when not requested */
	CERT_ALWAYS_SEND = 0,
	/** send certificate only upon cert request */
	CERT_SEND_IF_ASKED = 1,
	/** never send a certificate, even when requested */
	CERT_NEVER_SEND = 2,
};
59 | ||
/**
 * Printable names for the cert_policy_t values (enum_name_t table).
 */
extern enum_name_t *cert_policy_names;
64 | ||
/**
 * OCSP status request/response sending policy.
 *
 * Controls both directions independently: whether we ask the peer for its
 * OCSP status and whether we answer the peer's OCSP status requests.
 */
enum ocsp_policy_t {
	OCSP_SEND_BOTH = 0,		/**< request OCSP status and reply to OCSP status requests */
	OCSP_SEND_REPLY = 1,	/**< send OCSP status upon OCSP status request only */
	OCSP_SEND_REQUEST = 2,	/**< send OCSP status request only */
	OCSP_SEND_NEVER = 3,	/**< never send OCSP status request or response */
};
78 | ||
/**
 * Printable names for the ocsp_policy_t values (enum_name_t table).
 */
extern enum_name_t *ocsp_policy_names;
83 | ||
/**
 * Uniqueness of an IKE_SA, used to drop multiple connections with one peer.
 *
 * Values are listed in declaration order; they are made explicit here so
 * the numbering is visible at a glance.
 */
enum unique_policy_t {
	UNIQUE_NEVER = 0,	/**< never check for client uniqueness */
	UNIQUE_NO = 1,		/**< only check for client uniqueness when receiving an INITIAL_CONTACT */
	UNIQUE_REPLACE = 2,	/**< replace existing IKE_SAs when new ones get established by a client */
	UNIQUE_KEEP = 3,	/**< keep existing IKE_SAs, close the new ones on connection attempt */
};
97 | ||
/**
 * Printable names for the unique_policy_t values (enum_name_t table).
 */
extern enum_name_t *unique_policy_names;
102 | ||
/**
 * Configuration of a peer, specified by IDs.
 *
 * The peer config defines a connection between two given IDs. It contains
 * exactly one ike_cfg_t, which is used for initiation. Additionally, it
 * contains multiple child_cfg_t defining which CHILD_SAs are allowed for this
 * peer.
 * @verbatim
                           +-------------------+          +---------------+
   +---------------+       |     peer_cfg      |          +---------------+ |
   |    ike_cfg    |       +-------------------+          |   child_cfg   | |
   +---------------+       | - ids             |          +---------------+ |
   | - hosts       | 1   1 | - cas             | 1      n | - proposals   | |
   | - proposals   |<------| - auth info       |--------->| - traffic sel | |
   | - ...         |       | - dpd config      |          | - ...         |-+
   +---------------+       | - ...             |          +---------------+
                           +-------------------+
                             | 1             0 |
                             |                 |
                             v n             n V
                  +-------------------+   +-------------------+
                  +-------------------+ | +-------------------+ |
                  |     auth_cfg      | | |     auth_cfg      | |
                  +-------------------+ | +-------------------+ |
                  | - local rules     |-+ | - remote constr.  |-+
                  +-------------------+   +-------------------+
   @endverbatim
 *
 * Each peer_cfg has two lists of authentication config attached. Local
 * authentication configs define how to authenticate ourself against the remote
 * peer. Each config is enforced using the multiple authentication extension
 * (RFC4739).
 * The remote authentication configs are handled as constraints. The peer has
 * to fulfill each of these rules (using multiple authentication, in any order)
 * to gain access to the configuration.
 */
struct peer_cfg_t {

	/**
	 * Get the name of the peer_cfg.
	 *
	 * The returned string is not cloned; it stays owned by this peer_cfg.
	 *
	 * @return			peer_cfg's name
	 */
	char* (*get_name) (peer_cfg_t *this);

	/**
	 * Get the IKE version to use for initiating.
	 *
	 * @return			IKE major version
	 */
	ike_version_t (*get_ike_version)(peer_cfg_t *this);

	/**
	 * Get the IKE config to use for initiation.
	 *
	 * @return			the IKE config to use
	 */
	ike_cfg_t* (*get_ike_cfg) (peer_cfg_t *this);

	/**
	 * Attach a CHILD config.
	 *
	 * @param child_cfg	CHILD config to add
	 */
	void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg);

	/**
	 * Detach a CHILD config, pointed to by an enumerator.
	 *
	 * @param enumerator	enumerator indicating element position
	 */
	void (*remove_child_cfg)(peer_cfg_t *this, enumerator_t *enumerator);

	/**
	 * Replace the CHILD configs with those in the given PEER config.
	 *
	 * The enumerator enumerates the removed and added CHILD configs
	 * (child_cfg_t*, bool), where the flag is FALSE for removed configs and
	 * TRUE for added configs. Configs that are equal are not enumerated.
	 *
	 * @param other		other config to get CHILD configs from
	 * @return			an enumerator over removed/added CHILD configs
	 */
	enumerator_t* (*replace_child_cfgs)(peer_cfg_t *this, peer_cfg_t *other);

	/**
	 * Create an enumerator for all attached CHILD configs.
	 *
	 * @return			an enumerator over all CHILD configs.
	 */
	enumerator_t* (*create_child_cfg_enumerator) (peer_cfg_t *this);

	/**
	 * Select a CHILD config from received traffic selectors.
	 *
	 * The hosts narrow down dynamic traffic selectors; labels are optional
	 * and may be omitted by the caller.
	 *
	 * @param my_ts			TS for local side
	 * @param other_ts		TS for remote side
	 * @param my_hosts		hosts to narrow down dynamic TS for local side
	 * @param other_hosts	hosts to narrow down dynamic TS for remote side
	 * @param my_labels		optional local security labels
	 * @param other_labels	optional remote security labels
	 * @return				selected CHILD config, or NULL if no match found
	 */
	child_cfg_t* (*select_child_cfg)(peer_cfg_t *this,
							linked_list_t *my_ts, linked_list_t *other_ts,
							linked_list_t *my_hosts, linked_list_t *other_hosts,
							linked_list_t *my_labels, linked_list_t *other_labels);

	/**
	 * Add an authentication config to the peer configuration.
	 *
	 * Local configs are rules for authenticating ourself, remote configs are
	 * constraints the peer has to fulfill (see the struct description).
	 *
	 * @param cfg		config to add
	 * @param local		TRUE for local rules, FALSE for remote constraints
	 */
	void (*add_auth_cfg)(peer_cfg_t *this, auth_cfg_t *cfg, bool local);

	/**
	 * Create an enumerator over registered authentication configs.
	 *
	 * @param local		TRUE for local rules, FALSE for remote constraints
	 * @return			enumerator over auth_cfg_t*
	 */
	enumerator_t* (*create_auth_cfg_enumerator)(peer_cfg_t *this, bool local);

	/**
	 * Should a certificate be sent for this connection?
	 *
	 * @return			certificate sending policy
	 */
	cert_policy_t (*get_cert_policy) (peer_cfg_t *this);

	/**
	 * Should an OCSP status request/response be sent for this connection?
	 *
	 * @return			OCSP sending policy
	 */
	ocsp_policy_t (*get_ocsp_policy) (peer_cfg_t *this);

	/**
	 * How to handle uniqueness of IKE_SAs?
	 *
	 * @return			unique policy
	 */
	unique_policy_t (*get_unique_policy) (peer_cfg_t *this);

	/**
	 * Get the max number of retries after timeout.
	 *
	 * @return			max number retries
	 */
	uint32_t (*get_keyingtries) (peer_cfg_t *this);

	/**
	 * Get a time to start rekeying.
	 *
	 * @param jitter	subtract a jitter value to randomize time
	 * @return			time in s when to start rekeying, 0 disables rekeying
	 */
	uint32_t (*get_rekey_time)(peer_cfg_t *this, bool jitter);

	/**
	 * Get a time to start reauthentication.
	 *
	 * @param jitter	subtract a jitter value to randomize time
	 * @return			time in s when to start reauthentication, 0 disables it
	 */
	uint32_t (*get_reauth_time)(peer_cfg_t *this, bool jitter);

	/**
	 * Get the timeout of a rekeying/reauthenticating SA.
	 *
	 * This is the additional time the old SA is kept after rekey/reauth
	 * started before it is closed.
	 *
	 * @return			timeout in s
	 */
	uint32_t (*get_over_time)(peer_cfg_t *this);

	/**
	 * Use MOBIKE (RFC4555) if peer supports it?
	 *
	 * @return			TRUE to enable MOBIKE support
	 */
	bool (*use_mobike) (peer_cfg_t *this);

	/**
	 * Use/Accept aggressive mode with IKEv1?
	 *
	 * @return			TRUE to use aggressive mode
	 */
	bool (*use_aggressive)(peer_cfg_t *this);

	/**
	 * Use pull or push mode for mode config?
	 *
	 * @return			TRUE to use pull, FALSE to use push mode
	 */
	bool (*use_pull_mode)(peer_cfg_t *this);

	/**
	 * Get the DPD check interval.
	 *
	 * @return			dpd_delay in seconds, 0 if DPD is disabled
	 */
	uint32_t (*get_dpd) (peer_cfg_t *this);

	/**
	 * Get the DPD timeout interval (IKEv1 only)
	 *
	 * @return			dpd_timeout in seconds
	 */
	uint32_t (*get_dpd_timeout) (peer_cfg_t *this);

	/**
	 * Add a virtual IP to request as initiator.
	 *
	 * @param vip		virtual IP to request, may be %any or %any6
	 */
	void (*add_virtual_ip)(peer_cfg_t *this, host_t *vip);

	/**
	 * Create an enumerator over virtual IPs to request.
	 *
	 * The returned enumerator enumerates over IPs added with add_virtual_ip().
	 *
	 * @return			enumerator over host_t*
	 */
	enumerator_t* (*create_virtual_ip_enumerator)(peer_cfg_t *this);

	/**
	 * Add a pool name this configuration uses to select virtual IPs.
	 *
	 * @param name		pool name to use for virtual IP lookup
	 */
	void (*add_pool)(peer_cfg_t *this, char *name);

	/**
	 * Create an enumerator over pool names of this config.
	 *
	 * @return			enumerator over char*
	 */
	enumerator_t* (*create_pool_enumerator)(peer_cfg_t *this);

	/**
	 * Optional interface ID to set on policies/SAs.
	 *
	 * @param inbound	TRUE for inbound, FALSE for outbound
	 * @return			interface ID
	 */
	uint32_t (*get_if_id)(peer_cfg_t *this, bool inbound);

	/**
	 * Get the PPK (Postquantum Preshared Key) ID to use with this peer.
	 *
	 * @return			PPK id
	 */
	identification_t *(*get_ppk_id)(peer_cfg_t *this);

	/**
	 * Whether a PPK is required with this peer.
	 *
	 * If FALSE, the PPK is optional and the connection may be established
	 * without one.
	 *
	 * @return			TRUE, if a PPK is required
	 */
	bool (*ppk_required)(peer_cfg_t *this);

#ifdef ME
	/**
	 * Is this a mediation connection?
	 *
	 * @return			TRUE, if this is a mediation connection
	 */
	bool (*is_mediation)(peer_cfg_t *this);

	/**
	 * Get name of the connection this one is mediated through.
	 *
	 * @return			the name of the mediation connection
	 */
	char* (*get_mediated_by)(peer_cfg_t *this);

	/**
	 * Get the id of the other peer at the mediation server.
	 *
	 * This is the leftid of the peer's connection with the mediation server.
	 *
	 * If it is not configured, it is assumed to be the same as the right id
	 * of this connection.
	 *
	 * @return			the id of the other peer
	 */
	identification_t* (*get_peer_id)(peer_cfg_t *this);
#endif /* ME */

	/**
	 * Check if two peer configurations are equal.
	 *
	 * This method does not compare associated ike/child_cfg.
	 *
	 * NOTE(review): the sentence above and the @return below disagree on
	 * whether ike_cfg takes part in the comparison; confirm against the
	 * implementation before relying on either.
	 *
	 * @param other		candidate to check for equality against this
	 * @return			TRUE if peer_cfg and ike_cfg are equal
	 */
	bool (*equals)(peer_cfg_t *this, peer_cfg_t *other);

	/**
	 * Increase reference count.
	 *
	 * Every get_ref() must be balanced by a destroy().
	 *
	 * @return			reference to this
	 */
	peer_cfg_t* (*get_ref) (peer_cfg_t *this);

	/**
	 * Destroys the peer_cfg object.
	 *
	 * Decrements the internal reference counter and
	 * destroys the peer_cfg when it reaches zero.
	 */
	void (*destroy) (peer_cfg_t *this);
};
420 | ||
/**
 * Data passed to the constructor of a peer_cfg_t object.
 *
 * Ownership of pointer members is as noted per field: "(adopted)" members
 * are taken over by the new peer_cfg_t, "(cloned)" members are copied.
 */
struct peer_cfg_create_t {
	/** Whether to send a certificate payload */
	cert_policy_t cert_policy;
	/** Whether to send OCSP status request/response */
	ocsp_policy_t ocsp_policy;
	/** Uniqueness of an IKE_SA */
	unique_policy_t unique;
	/** How many keying tries should be done before giving up */
	uint32_t keyingtries;
	/** Timeout in seconds before starting rekeying (see get_rekey_time()) */
	uint32_t rekey_time;
	/** Timeout in seconds before starting reauthentication (see get_reauth_time()) */
	uint32_t reauth_time;
	/** Time range in seconds to randomly subtract from rekey/reauth time */
	uint32_t jitter_time;
	/** Maximum overtime in seconds before closing a rekeying/reauth SA */
	uint32_t over_time;
	/** Disable MOBIKE (RFC4555); inverse of peer_cfg_t.use_mobike() */
	bool no_mobike;
	/** Use/accept aggressive mode with IKEv1 */
	bool aggressive;
	/** TRUE to use modeconfig push, FALSE for pull; inverse of use_pull_mode() */
	bool push_mode;
	/** DPD check interval, 0 to disable */
	uint32_t dpd;
	/** DPD timeout interval (IKEv1 only), if 0 default applies */
	uint32_t dpd_timeout;
	/** Optional inbound interface ID */
	uint32_t if_id_in;
	/** Optional outbound interface ID */
	uint32_t if_id_out;
	/** Postquantum Preshared Key ID (adopted) */
	identification_t *ppk_id;
	/** TRUE if a PPK is required, FALSE if it's optional */
	bool ppk_required;
#ifdef ME
	/** TRUE if this is a mediation connection */
	bool mediation;
	/** Name of the connection to mediate through (cloned); see get_mediated_by() */
	char *mediated_by;
	/** ID that identifies our peer at the mediation server (adopted) */
	identification_t *peer_id;
#endif /* ME */
};
468 | ||
/**
 * Create a configuration object for IKE_AUTH and later.
 *
 * The returned object is reference counted; release it with destroy().
 *
 * @param name		name of the peer_cfg (cloned)
 * @param ike_cfg	IKE config to use when acting as initiator (adopted)
 * @param data		data for this peer_cfg (see peer_cfg_create_t for
 *					ownership of its members)
 * @return			peer_cfg_t object
 */
peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg,
							peer_cfg_create_t *data);
e0fe7651 | 479 | |
1490ff4d | 480 | #endif /** PEER_CFG_H_ @}*/ |