[thirdparty/strongswan.git] / src / libcharon / config / peer_cfg.h

/*
 * Copyright (C) 2007-2019 Tobias Brunner
 * Copyright (C) 2005-2009 Martin Willi
 * Copyright (C) 2005 Jan Hutter
 *
 * Copyright (C) secunet Security Networks AG
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

/**
 * @defgroup peer_cfg peer_cfg
 * @{ @ingroup config
 */

#ifndef PEER_CFG_H_
#define PEER_CFG_H_

typedef enum cert_policy_t cert_policy_t;
typedef enum ocsp_policy_t ocsp_policy_t;
typedef enum unique_policy_t unique_policy_t;
typedef struct peer_cfg_t peer_cfg_t;
typedef struct peer_cfg_create_t peer_cfg_create_t;

#include <library.h>
#include <utils/identification.h>
#include <collections/enumerator.h>
#include <selectors/traffic_selector.h>
#include <crypto/proposal/proposal.h>
#include <config/ike_cfg.h>
#include <config/child_cfg.h>
#include <credentials/auth_cfg.h>

/**
 * Certificate sending policy. This is also used for certificate
 * requests when using this definition for the other peer. If
 * it is CERT_NEVER_SEND, a certreq is omitted, otherwise its
 * included.
 *
 * @warning These definitions must be the same as in pluto/starter,
 * as they are sent over the stroke socket.
 */
enum cert_policy_t {
	/** always send certificates, even when not requested */
	CERT_ALWAYS_SEND =		0,
	/** send certificate upon cert request */
	CERT_SEND_IF_ASKED =	1,
	/** never send a certificate, even when requested */
	CERT_NEVER_SEND =		2,
};

/**
 * enum strings for cert_policy_t
 */
extern enum_name_t *cert_policy_names;

/**
 * OCSP status request/response sending policy.
 */
enum ocsp_policy_t {
	/** request OCSP status and reply to OCSP status requests */
	OCSP_SEND_BOTH =     0,
	/** send OCSP status upon OCSP status request */
	OCSP_SEND_REPLY =    1,
	/** send OCSP status request */
	OCSP_SEND_REQUEST =  2,
	/** never send OCSP status request or response */
	OCSP_SEND_NEVER =    3,
};

/**
 * enum strings for ocsp_policy_t
 */
extern enum_name_t *ocsp_policy_names;

/**
 * Uniqueness of an IKE_SA, used to drop multiple connections with one peer.
 */
enum unique_policy_t {
	/** never check for client uniqueness */
	UNIQUE_NEVER,
	/** only check for client uniqueness when receiving an INITIAL_CONTACT */
	UNIQUE_NO,
	/** replace existing IKE_SAs when new ones get established by a client */
	UNIQUE_REPLACE,
	/** keep existing IKE_SAs, close the new ones on connection attempt */
	UNIQUE_KEEP,
};

/**
 * enum strings for unique_policy_t
 */
extern enum_name_t *unique_policy_names;

/**
 * Configuration of a peer, specified by IDs.
 *
 * The peer config defines a connection between two given IDs. It contains
 * exactly one ike_cfg_t, which is used for initiation. Additionally, it
 * contains multiple child_cfg_t defining which CHILD_SAs are allowed for this
 * peer.
 * @verbatim
                          +-------------------+        +---------------+
   +---------------+      |     peer_cfg      |      +---------------+ |
   |    ike_cfg    |      +-------------------+      |   child_cfg   | |
   +---------------+      | - ids             |      +---------------+ |
   | - hosts       | 1  1 | - cas             | 1  n | - proposals   | |
   | - proposals   |<-----| - auth info       |----->| - traffic sel | |
   | - ...         |      | - dpd config      |      | - ...         |-+
   +---------------+      | - ...             |      +---------------+
                          +-------------------+
                             | 1         0 |
                             |             |
                             v n         n V
             +-------------------+     +-------------------+
           +-------------------+ |   +-------------------+ |
           |     auth_cfg      | |   |     auth_cfg      | |
           +-------------------+ |   +-------------------+ |
           | - local rules     |-+   | - remote constr.  |-+
           +-------------------+     +-------------------+
   @endverbatim
 *
 * Each peer_cfg has two lists of authentication config attached. Local
 * authentication configs define how to authenticate ourself against the remote
 * peer. Each config is enforced using the multiple authentication extension
 * (RFC4739).
 * The remote authentication configs are handled as constraints. The peer has
 * to fulfill each of these rules (using multiple authentication, in any order)
 * to gain access to the configuration.
 */
struct peer_cfg_t {

	/**
	 * Get the name of the peer_cfg.
	 *
	 * Returned object is not getting cloned.
	 *
	 * @return				peer_cfg's name
	 */
	char* (*get_name) (peer_cfg_t *this);

	/**
	 * Get the IKE version to use for initiating.
	 *
	 * @return				IKE major version
	 */
	ike_version_t (*get_ike_version)(peer_cfg_t *this);

	/**
	 * Get the IKE config to use for initiation.
	 *
	 * @return				the IKE config to use
	 */
	ike_cfg_t* (*get_ike_cfg) (peer_cfg_t *this);

	/**
	 * Attach a CHILD config.
	 *
	 * @param child_cfg		CHILD config to add
	 */
	void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg);

	/**
	 * Detach a CHILD config, pointed to by an enumerator.
	 *
	 * @param enumerator	enumerator indicating element position
	 */
	void (*remove_child_cfg)(peer_cfg_t *this, enumerator_t *enumerator);

	/**
	 * Replace the CHILD configs with those in the given PEER config.
	 *
	 * The enumerator enumerates the removed and added CHILD configs
	 * (child_cfg_t*, bool), where the flag is FALSE for removed configs and
	 * TRUE for added configs. Configs that are equal are not enumerated.
	 *
	 * @param other			other config to get CHILD configs from
	 * @return				an enumerator over removed/added CHILD configs
	 */
	enumerator_t* (*replace_child_cfgs)(peer_cfg_t *this, peer_cfg_t *other);

	/**
	 * Create an enumerator for all attached CHILD configs.
	 *
	 * @return				an enumerator over all CHILD configs.
	 */
	enumerator_t* (*create_child_cfg_enumerator) (peer_cfg_t *this);

	/**
	 * Select a CHILD config from received traffic selectors.
	 *
	 * @param my_ts			TS for local side
	 * @param other_ts		TS for remote side
	 * @param my_hosts		hosts to narrow down dynamic TS for local side
	 * @param other_hosts	hosts to narrow down dynamic TS for remote side
	 * @param my_labels		optional local security labels
	 * @param other_labels	optional remove security labels
	 * @return					selected CHILD config, or NULL if no match found
	 */
	child_cfg_t* (*select_child_cfg)(peer_cfg_t *this,
							linked_list_t *my_ts, linked_list_t *other_ts,
							linked_list_t *my_hosts, linked_list_t *other_hosts,
							linked_list_t *my_labels, linked_list_t *other_labels);

	/**
	 * Add an authentication config to the peer configuration.
	 *
	 * @param cfg			config to add
	 * @param local			TRUE for local rules, FALSE for remote constraints
	 */
	void (*add_auth_cfg)(peer_cfg_t *this, auth_cfg_t *cfg, bool local);

	/**
	 * Create an enumerator over registered authentication configs.
	 *
	 * @param local			TRUE for local rules, FALSE for remote constraints
	 * @return				enumerator over auth_cfg_t*
	 */
	enumerator_t* (*create_auth_cfg_enumerator)(peer_cfg_t *this, bool local);

	/**
	 * Should a certificate be sent for this connection?
	 *
	 * @return			certificate sending policy
	 */
	cert_policy_t (*get_cert_policy) (peer_cfg_t *this);

	/**
	 * Should an OCSP status request/response be sent for this connection?
	 *
	 * @return			OCSP sending policy
	 */
	ocsp_policy_t (*get_ocsp_policy) (peer_cfg_t *this);

	/**
	 * How to handle uniqueness of IKE_SAs?
	 *
	 * @return			unique policy
	 */
	unique_policy_t (*get_unique_policy) (peer_cfg_t *this);

	/**
	 * Get the max number of retries after timeout.
	 *
	 * @return			max number retries
	 */
	uint32_t (*get_keyingtries) (peer_cfg_t *this);

	/**
	 * Get a time to start rekeying.
	 *
	 * @param jitter	subtract a jitter value to randomize time
	 * @return			time in s when to start rekeying, 0 disables rekeying
	 */
	uint32_t (*get_rekey_time)(peer_cfg_t *this, bool jitter);

	/**
	 * Get a time to start reauthentication.
	 *
	 * @param jitter	subtract a jitter value to randomize time
	 * @return			time in s when to start reauthentication, 0 disables it
	 */
	uint32_t (*get_reauth_time)(peer_cfg_t *this, bool jitter);

	/**
	 * Get the timeout of a rekeying/reauthenticating SA.
	 *
	 * @return			timeout in s
	 */
	uint32_t (*get_over_time)(peer_cfg_t *this);

	/**
	 * Use MOBIKE (RFC4555) if peer supports it?
	 *
	 * @return			TRUE to enable MOBIKE support
	 */
	bool (*use_mobike) (peer_cfg_t *this);

	/**
	 * Use/Accept aggressive mode with IKEv1?.
	 *
	 * @return			TRUE to use aggressive mode
	 */
	bool (*use_aggressive)(peer_cfg_t *this);

	/**
	 * Use pull or push mode for mode config?
	 *
	 * @return			TRUE to use pull, FALSE to use push mode
	 */
	bool (*use_pull_mode)(peer_cfg_t *this);

	/**
	 * Get the DPD check interval.
	 *
	 * @return			dpd_delay in seconds
	 */
	uint32_t (*get_dpd) (peer_cfg_t *this);

	/**
	 * Get the DPD timeout interval (IKEv1 only)
	 *
	 * @return			dpd_timeout in seconds
	 */
	uint32_t (*get_dpd_timeout) (peer_cfg_t *this);

	/**
	 * Add a virtual IP to request as initiator.
	 *
	 * @param vip			virtual IP to request, may be %any or %any6
	 */
	void (*add_virtual_ip)(peer_cfg_t *this, host_t *vip);

	/**
	 * Create an enumerator over virtual IPs to request.
	 *
	 * The returned enumerator enumerates over IPs added with add_virtual_ip().
	 *
	 * @return				enumerator over host_t*
	 */
	enumerator_t* (*create_virtual_ip_enumerator)(peer_cfg_t *this);

	/**
	 * Add a pool name this configuration uses to select virtual IPs.
	 *
	 * @param name			pool name to use for virtual IP lookup
	 */
	void (*add_pool)(peer_cfg_t *this, char *name);

	/**
	 * Create an enumerator over pool names of this config.
	 *
	 * @return				enumerator over char*
	 */
	enumerator_t* (*create_pool_enumerator)(peer_cfg_t *this);

	/**
	 * Optional interface ID to set on policies/SAs.
	 *
	 * @param inbound		TRUE for inbound, FALSE for outbound
	 * @return				interface ID
	 */
	uint32_t (*get_if_id)(peer_cfg_t *this, bool inbound);

	/**
	 * Get the PPK ID to use with this peer.
	 *
	 * @return				PPK id
	 */
	identification_t *(*get_ppk_id)(peer_cfg_t *this);

	/**
	 * Whether a PPK is required with this peer.
	 *
	 * @return				TRUE, if a PPK is required
	 */
	bool (*ppk_required)(peer_cfg_t *this);

#ifdef ME
	/**
	 * Is this a mediation connection?
	 *
	 * @return				TRUE, if this is a mediation connection
	 */
	bool (*is_mediation)(peer_cfg_t *this);

	/**
	 * Get name of the connection this one is mediated through.
	 *
	 * @return				the name of the mediation connection
	 */
	char* (*get_mediated_by)(peer_cfg_t *this);

	/**
	 * Get the id of the other peer at the mediation server.
	 *
	 * This is the leftid of the peer's connection with the mediation server.
	 *
	 * If it is not configured, it is assumed to be the same as the right id
	 * of this connection.
	 *
	 * @return				the id of the other peer
	 */
	identification_t* (*get_peer_id)(peer_cfg_t *this);
#endif /* ME */

	/**
	 * Check if two peer configurations are equal.
	 *
	 * This method does not compare associated ike/child_cfg.
	 *
	 * @param other			candidate to check for equality against this
	 * @return				TRUE if peer_cfg and ike_cfg are equal
	 */
	bool (*equals)(peer_cfg_t *this, peer_cfg_t *other);

	/**
	 * Increase reference count.
	 *
	 * @return				reference to this
	 */
	peer_cfg_t* (*get_ref) (peer_cfg_t *this);

	/**
	 * Destroys the peer_cfg object.
	 *
	 * Decrements the internal reference counter and
	 * destroys the peer_cfg when it reaches zero.
	 */
	void (*destroy) (peer_cfg_t *this);
};

/**
 * Data passed to the constructor of a peer_cfg_t object.
 */
struct peer_cfg_create_t {
	/** Whether to send a certificate payload */
	cert_policy_t cert_policy;
	/** Whether to send OCSP status request/response */
	ocsp_policy_t ocsp_policy;
	/** Uniqueness of an IKE_SA */
	unique_policy_t unique;
	/** How many keying tries should be done before giving up */
	uint32_t keyingtries;
	/** Timeout in seconds before starting rekeying */
	uint32_t rekey_time;
	/** Timeout in seconds before starting reauthentication */
	uint32_t reauth_time;
	/** Time range in seconds to randomly subtract from rekey/reauth time */
	uint32_t jitter_time;
	/** Maximum overtime in seconds before closing a rekeying/reauth SA */
	uint32_t over_time;
	/** Disable MOBIKE (RFC4555) */
	bool no_mobike;
	/** Use/accept aggressive mode with IKEv1 */
	bool aggressive;
	/** TRUE to use modeconfig push, FALSE for pull */
	bool push_mode;
	/** DPD check interval, 0 to disable */
	uint32_t dpd;
	/** DPD timeout interval (IKEv1 only), if 0 default applies */
	uint32_t dpd_timeout;
	/** Optional inbound interface ID */
	uint32_t if_id_in;
	/** Optional outbound interface ID */
	uint32_t if_id_out;
	/** Postquantum Preshared Key ID (adopted) */
	identification_t *ppk_id;
	/** TRUE if a PPK is required, FALSE if it's optional */
	bool ppk_required;
#ifdef ME
	/** TRUE if this is a mediation connection */
	bool mediation;
	/** peer_cfg_t of the mediation connection to mediate through (cloned) */
	char *mediated_by;
	/** ID that identifies our peer at the mediation server (adopted) */
	identification_t *peer_id;
#endif /* ME */
};

/**
 * Create a configuration object for IKE_AUTH and later.
 *
 * @param name				name of the peer_cfg (cloned)
 * @param ike_cfg			IKE config to use when acting as initiator (adopted)
 * @param data				data for this peer_cfg
 * @return					peer_cfg_t object
 */
peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg,
							peer_cfg_create_t *data);

#endif /** PEER_CFG_H_ @}*/
Commit	Line	Data
e0fe7651	1	/*
c56b8c1a	2	* Copyright (C) 2007-2019 Tobias Brunner
a44bb934	3	* Copyright (C) 2005-2009 Martin Willi
e0fe7651	4	* Copyright (C) 2005 Jan Hutter
19ef2aec TB	5	*
19ef2aec TB	6	* Copyright (C) secunet Security Networks AG
e0fe7651 MW	7	*
	8	* This program is free software; you can redistribute it and/or modify it
	9	* under the terms of the GNU General Public License as published by the
	10	* Free Software Foundation; either version 2 of the License, or (at your
	11	* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
	12	*
	13	* This program is distributed in the hope that it will be useful, but
	14	* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
	15	* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
	16	* for more details.
552cc11b MW	17	*/
	18
	19	/**
	20	* @defgroup peer_cfg peer_cfg
	21	* @{ @ingroup config
e0fe7651 MW	22	*/
	23
	24	#ifndef PEER_CFG_H_
	25	#define PEER_CFG_H_
	26
e0fe7651	27	typedef enum cert_policy_t cert_policy_t;
15612b3a	28	typedef enum ocsp_policy_t ocsp_policy_t;
0644ebd3	29	typedef enum unique_policy_t unique_policy_t;
e0fe7651	30	typedef struct peer_cfg_t peer_cfg_t;
2ba5dadb	31	typedef struct peer_cfg_create_t peer_cfg_create_t;
e0fe7651 MW	32
	33	#include <library.h>
	34	#include <utils/identification.h>
12642a68	35	#include <collections/enumerator.h>
1125a0be	36	#include <selectors/traffic_selector.h>
2307bffe	37	#include <crypto/proposal/proposal.h>
e0fe7651 MW	38	#include <config/ike_cfg.h>
e0fe7651 MW	39	#include <config/child_cfg.h>
2ccc02a4	40	#include <credentials/auth_cfg.h>
e0fe7651 MW	41
	42	/**
	43	* Certificate sending policy. This is also used for certificate
	44	* requests when using this definition for the other peer. If
	45	* it is CERT_NEVER_SEND, a certreq is omitted, otherwise its
	46	* included.
484a06bc	47	*
e0fe7651 MW	48	* @warning These definitions must be the same as in pluto/starter,
	49	* as they are sent over the stroke socket.
	50	*/
	51	enum cert_policy_t {
	52	/** always send certificates, even when not requested */
323f9f99	53	CERT_ALWAYS_SEND = 0,
e0fe7651	54	/** send certificate upon cert request */
323f9f99	55	CERT_SEND_IF_ASKED = 1,
e0fe7651	56	/** never send a certificate, even when requested */
323f9f99	57	CERT_NEVER_SEND = 2,
e0fe7651 MW	58	};
	59
	60	/**
	61	* enum strings for cert_policy_t
e0fe7651 MW	62	*/
	63	extern enum_name_t *cert_policy_names;
	64
15612b3a JFH	65	/**
	66	* OCSP status request/response sending policy.
	67	*/
	68	enum ocsp_policy_t {
	69	/** request OCSP status and reply to OCSP status requests */
	70	OCSP_SEND_BOTH = 0,
	71	/** send OCSP status upon OCSP status request */
	72	OCSP_SEND_REPLY = 1,
	73	/** send OCSP status request */
	74	OCSP_SEND_REQUEST = 2,
	75	/** never send OCSP status request or response */
	76	OCSP_SEND_NEVER = 3,
	77	};
	78
	79	/**
	80	* enum strings for ocsp_policy_t
	81	*/
	82	extern enum_name_t *ocsp_policy_names;
	83
0644ebd3 MW	84	/**
	85	* Uniqueness of an IKE_SA, used to drop multiple connections with one peer.
	86	*/
	87	enum unique_policy_t {
f4cc7ea1 TB	88	/** never check for client uniqueness */
	89	UNIQUE_NEVER,
	90	/** only check for client uniqueness when receiving an INITIAL_CONTACT */
0644ebd3	91	UNIQUE_NO,
f4cc7ea1	92	/** replace existing IKE_SAs when new ones get established by a client */
0644ebd3	93	UNIQUE_REPLACE,
f4cc7ea1	94	/** keep existing IKE_SAs, close the new ones on connection attempt */
0644ebd3 MW	95	UNIQUE_KEEP,
	96	};
	97
	98	/**
	99	* enum strings for unique_policy_t
	100	*/
	101	extern enum_name_t *unique_policy_names;
	102
e0fe7651	103	/**
552cc11b	104	* Configuration of a peer, specified by IDs.
e0fe7651	105	*
3b138b84	106	* The peer config defines a connection between two given IDs. It contains
6b444c59 TB	107	* exactly one ike_cfg_t, which is used for initiation. Additionally, it
	108	* contains multiple child_cfg_t defining which CHILD_SAs are allowed for this
	109	* peer.
3b138b84	110	* @verbatim
a44bb934 MW	111	+-------------------+ +---------------+
	112	+---------------+ \| peer_cfg \| +---------------+ \|
	113	\| ike_cfg \| +-------------------+ \| child_cfg \| \|
	114	+---------------+ \| - ids \| +---------------+ \|
	115	\| - hosts \| 1 1 \| - cas \| 1 n \| - proposals \| \|
	116	\| - proposals \|<-----\| - auth info \|----->\| - traffic sel \| \|
	117	\| - ... \| \| - dpd config \| \| - ... \|-+
	118	+---------------+ \| - ... \| +---------------+
	119	+-------------------+
	120	\| 1 0 \|
	121	\| \|
	122	v n n V
	123	+-------------------+ +-------------------+
	124	+-------------------+ \| +-------------------+ \|
	125	\| auth_cfg \| \| \| auth_cfg \| \|
	126	+-------------------+ \| +-------------------+ \|
	127	\| - local rules \|-+ \| - remote constr. \|-+
	128	+-------------------+ +-------------------+
3b138b84	129	@endverbatim
a44bb934 MW	130	*
	131	* Each peer_cfg has two lists of authentication config attached. Local
	132	* authentication configs define how to authenticate ourself against the remote
	133	* peer. Each config is enforced using the multiple authentication extension
484a06bc	134	* (RFC4739).
a44bb934	135	* The remote authentication configs are handled as constraints. The peer has
f3bb1bd0	136	* to fulfill each of these rules (using multiple authentication, in any order)
a44bb934	137	* to gain access to the configuration.
e0fe7651 MW	138	*/
e0fe7651 MW	139	struct peer_cfg_t {
7daf5226	140
e0fe7651	141	/**
552cc11b	142	* Get the name of the peer_cfg.
484a06bc	143	*
e0fe7651	144	* Returned object is not getting cloned.
484a06bc	145	*
e0fe7651 MW	146	* @return peer_cfg's name
	147	*/
	148	char* (get_name) (peer_cfg_t this);
7daf5226	149
e0fe7651	150	/**
552cc11b	151	* Get the IKE version to use for initiating.
e0fe7651	152	*
6b444c59	153	* @return IKE major version
e0fe7651	154	*/
f7a8fced	155	ike_version_t (get_ike_version)(peer_cfg_t this);
7daf5226	156
e0fe7651	157	/**
b3ab7a48	158	* Get the IKE config to use for initiation.
484a06bc	159	*
e0fe7651 MW	160	* @return the IKE config to use
	161	*/
	162	ike_cfg_t* (get_ike_cfg) (peer_cfg_t this);
7daf5226	163
e0fe7651	164	/**
552cc11b	165	* Attach a CHILD config.
484a06bc	166	*
e0fe7651 MW	167	* @param child_cfg CHILD config to add
	168	*/
	169	void (add_child_cfg) (peer_cfg_t this, child_cfg_t *child_cfg);
7daf5226	170
e0fe7651	171	/**
552cc11b MW	172	* Detach a CHILD config, pointed to by an enumerator.
	173	*
	174	* @param enumerator enumerator indicating element position
	175	*/
	176	void (remove_child_cfg)(peer_cfg_t this, enumerator_t *enumerator);
7daf5226	177
622c2b2c TB	178	/**
	179	* Replace the CHILD configs with those in the given PEER config.
	180	*
622c2b2c TB	181	* The enumerator enumerates the removed and added CHILD configs
622c2b2c TB	182	* (child_cfg_t*, bool), where the flag is FALSE for removed configs and
40ed8124	183	* TRUE for added configs. Configs that are equal are not enumerated.
622c2b2c TB	184	*
	185	* @param other other config to get CHILD configs from
	186	* @return an enumerator over removed/added CHILD configs
	187	*/
	188	enumerator_t* (replace_child_cfgs)(peer_cfg_t this, peer_cfg_t *other);
	189
552cc11b MW	190	/**
552cc11b MW	191	* Create an enumerator for all attached CHILD configs.
484a06bc	192	*
552cc11b	193	* @return an enumerator over all CHILD configs.
e0fe7651	194	*/
552cc11b	195	enumerator_t* (create_child_cfg_enumerator) (peer_cfg_t this);
7daf5226	196
e0fe7651	197	/**
03729958	198	* Select a CHILD config from received traffic selectors.
484a06bc	199	*
e0fe7651 MW	200	* @param my_ts TS for local side
e0fe7651 MW	201	* @param other_ts TS for remote side
7ee37114 MW	202	* @param my_hosts hosts to narrow down dynamic TS for local side
7ee37114 MW	203	* @param other_hosts hosts to narrow down dynamic TS for remote side
03729958 TB	204	* @param my_labels optional local security labels
	205	* @param other_labels optional remove security labels
	206	* @return selected CHILD config, or NULL if no match found
e0fe7651	207	*/
03729958	208	child_cfg_t* (select_child_cfg)(peer_cfg_t this,
7ee37114	209	linked_list_t my_ts, linked_list_t other_ts,
03729958 TB	210	linked_list_t my_hosts, linked_list_t other_hosts,
03729958 TB	211	linked_list_t my_labels, linked_list_t other_labels);
7daf5226	212
e0fe7651	213	/**
a44bb934	214	* Add an authentication config to the peer configuration.
552cc11b	215	*
0ceb2888	216	* @param cfg config to add
a44bb934	217	* @param local TRUE for local rules, FALSE for remote constraints
552cc11b	218	*/
a44bb934	219	void (add_auth_cfg)(peer_cfg_t this, auth_cfg_t *cfg, bool local);
7daf5226	220
e0fe7651	221	/**
a44bb934 MW	222	* Create an enumerator over registered authentication configs.
	223	*
	224	* @param local TRUE for local rules, FALSE for remote constraints
	225	* @return enumerator over auth_cfg_t*
e0fe7651	226	*/
a44bb934	227	enumerator_t* (create_auth_cfg_enumerator)(peer_cfg_t this, bool local);
15a9d460	228
e0fe7651	229	/**
0ceb2888	230	* Should a certificate be sent for this connection?
e0fe7651	231	*
e0fe7651 MW	232	* @return certificate sending policy
	233	*/
	234	cert_policy_t (get_cert_policy) (peer_cfg_t this);
	235
15612b3a JFH	236	/**
	237	* Should an OCSP status request/response be sent for this connection?
	238	*
	239	* @return OCSP sending policy
	240	*/
	241	ocsp_policy_t (get_ocsp_policy) (peer_cfg_t this);
	242
0644ebd3 MW	243	/**
	244	* How to handle uniqueness of IKE_SAs?
	245	*
	246	* @return unique policy
	247	*/
	248	unique_policy_t (get_unique_policy) (peer_cfg_t this);
7daf5226	249
e0fe7651	250	/**
552cc11b	251	* Get the max number of retries after timeout.
e0fe7651	252	*
e0fe7651 MW	253	* @return max number retries
e0fe7651 MW	254	*/
b12c53ce	255	uint32_t (get_keyingtries) (peer_cfg_t this);
7daf5226	256
e0fe7651	257	/**
d08269c7	258	* Get a time to start rekeying.
e0fe7651	259	*
b1df6312	260	* @param jitter subtract a jitter value to randomize time
ee614711	261	* @return time in s when to start rekeying, 0 disables rekeying
e0fe7651	262	*/
b12c53ce	263	uint32_t (get_rekey_time)(peer_cfg_t this, bool jitter);
7daf5226	264
e0fe7651	265	/**
d08269c7	266	* Get a time to start reauthentication.
ee614711	267	*
b1df6312	268	* @param jitter subtract a jitter value to randomize time
ee614711 MW	269	* @return time in s when to start reauthentication, 0 disables it
ee614711 MW	270	*/
b12c53ce	271	uint32_t (get_reauth_time)(peer_cfg_t this, bool jitter);
7daf5226	272
ee614711	273	/**
552cc11b	274	* Get the timeout of a rekeying/reauthenticating SA.
ee614711	275	*
ee614711	276	* @return timeout in s
e0fe7651	277	*/
b12c53ce	278	uint32_t (get_over_time)(peer_cfg_t this);
7daf5226	279
9164e49a	280	/**
552cc11b	281	* Use MOBIKE (RFC4555) if peer supports it?
484a06bc	282	*
9164e49a MW	283	* @return TRUE to enable MOBIKE support
	284	*/
	285	bool (use_mobike) (peer_cfg_t this);
7daf5226	286
5ce59d4c MW	287	/**
	288	* Use/Accept aggressive mode with IKEv1?.
	289	*
	290	* @return TRUE to use aggressive mode
	291	*/
	292	bool (use_aggressive)(peer_cfg_t this);
	293
9aeaa739 MW	294	/**
	295	* Use pull or push mode for mode config?
	296	*
	297	* @return TRUE to use pull, FALSE to use push mode
	298	*/
	299	bool (use_pull_mode)(peer_cfg_t this);
	300
e0fe7651	301	/**
552cc11b	302	* Get the DPD check interval.
484a06bc	303	*
e0fe7651 MW	304	* @return dpd_delay in seconds
e0fe7651 MW	305	*/
b12c53ce	306	uint32_t (get_dpd) (peer_cfg_t this);
7daf5226	307
80c5b17d AS	308	/**
	309	* Get the DPD timeout interval (IKEv1 only)
	310	*
	311	* @return dpd_timeout in seconds
	312	*/
b12c53ce	313	uint32_t (get_dpd_timeout) (peer_cfg_t this);
80c5b17d	314
e0fe7651	315	/**
101d26ba	316	* Add a virtual IP to request as initiator.
16878f68	317	*
101d26ba MW	318	* @param vip virtual IP to request, may be %any or %any6
	319	*/
	320	void (add_virtual_ip)(peer_cfg_t this, host_t *vip);
	321
	322	/**
	323	* Create an enumerator over virtual IPs to request.
	324	*
	325	* The returned enumerator enumerates over IPs added with add_virtual_ip().
16878f68	326	*
101d26ba	327	* @return enumerator over host_t*
16878f68	328	*/
101d26ba	329	enumerator_t* (create_virtual_ip_enumerator)(peer_cfg_t this);
7daf5226	330
16878f68	331	/**
497ce2cf	332	* Add a pool name this configuration uses to select virtual IPs.
16878f68	333	*
497ce2cf	334	* @param name pool name to use for virtual IP lookup
e0fe7651	335	*/
497ce2cf MW	336	void (add_pool)(peer_cfg_t this, char *name);
	337
	338	/**
	339	* Create an enumerator over pool names of this config.
	340	*
	341	* @return enumerator over char*
	342	*/
	343	enumerator_t* (create_pool_enumerator)(peer_cfg_t this);
7daf5226	344
c56b8c1a TB	345	/**
	346	* Optional interface ID to set on policies/SAs.
	347	*
	348	* @param inbound TRUE for inbound, FALSE for outbound
	349	* @return interface ID
	350	*/
	351	uint32_t (get_if_id)(peer_cfg_t this, bool inbound);
	352
a2ff8b65 TB	353	/**
	354	* Get the PPK ID to use with this peer.
	355	*
	356	* @return PPK id
	357	*/
	358	identification_t (get_ppk_id)(peer_cfg_t *this);
	359
	360	/**
	361	* Whether a PPK is required with this peer.
	362	*
	363	* @return TRUE, if a PPK is required
	364	*/
	365	bool (ppk_required)(peer_cfg_t this);
	366
dc04b7c7	367	#ifdef ME
d5cc1758	368	/**
552cc11b	369	* Is this a mediation connection?
484a06bc	370	*
d5cc1758 TB	371	* @return TRUE, if this is a mediation connection
d5cc1758 TB	372	*/
ed96fe72	373	bool (is_mediation)(peer_cfg_t this);
7daf5226	374
d5cc1758	375	/**
ed96fe72	376	* Get name of the connection this one is mediated through.
484a06bc	377	*
ed96fe72	378	* @return the name of the mediation connection
d5cc1758	379	*/
ed96fe72	380	char* (get_mediated_by)(peer_cfg_t this);
7daf5226	381
d5cc1758	382	/**
552cc11b	383	* Get the id of the other peer at the mediation server.
484a06bc	384	*
d5cc1758	385	* This is the leftid of the peer's connection with the mediation server.
484a06bc	386	*
d5cc1758	387	* If it is not configured, it is assumed to be the same as the right id
484a06bc TB	388	* of this connection.
484a06bc TB	389	*
d5cc1758 TB	390	* @return the id of the other peer
d5cc1758 TB	391	*/
ed96fe72	392	identification_t* (get_peer_id)(peer_cfg_t this);
dc04b7c7	393	#endif /* ME */
3c7e72f5 MW	394
	395	/**
	396	* Check if two peer configurations are equal.
	397	*
	398	* This method does not compare associated ike/child_cfg.
	399	*
	400	* @param other candidate to check for equality against this
	401	* @return TRUE if peer_cfg and ike_cfg are equal
	402	*/
	403	bool (equals)(peer_cfg_t this, peer_cfg_t *other);
7daf5226	404
e0fe7651	405	/**
ff683671	406	* Increase reference count.
e0fe7651	407	*
ff683671	408	* @return reference to this
e0fe7651	409	*/
ff683671	410	peer_cfg_t* (get_ref) (peer_cfg_t this);
7daf5226	411
e0fe7651	412	/**
552cc11b	413	* Destroys the peer_cfg object.
e0fe7651 MW	414	*
	415	* Decrements the internal reference counter and
	416	* destroys the peer_cfg when it reaches zero.
e0fe7651 MW	417	*/
	418	void (destroy) (peer_cfg_t this);
	419	};
	420
2ba5dadb TB	421	/**
	422	* Data passed to the constructor of a peer_cfg_t object.
	423	*/
	424	struct peer_cfg_create_t {
	425	/** Whether to send a certificate payload */
	426	cert_policy_t cert_policy;
15612b3a JFH	427	/** Whether to send OCSP status request/response */
15612b3a JFH	428	ocsp_policy_t ocsp_policy;
2ba5dadb TB	429	/** Uniqueness of an IKE_SA */
	430	unique_policy_t unique;
	431	/** How many keying tries should be done before giving up */
	432	uint32_t keyingtries;
	433	/** Timeout in seconds before starting rekeying */
	434	uint32_t rekey_time;
	435	/** Timeout in seconds before starting reauthentication */
	436	uint32_t reauth_time;
	437	/** Time range in seconds to randomly subtract from rekey/reauth time */
	438	uint32_t jitter_time;
	439	/** Maximum overtime in seconds before closing a rekeying/reauth SA */
	440	uint32_t over_time;
	441	/** Disable MOBIKE (RFC4555) */
	442	bool no_mobike;
	443	/** Use/accept aggressive mode with IKEv1 */
	444	bool aggressive;
	445	/** TRUE to use modeconfig push, FALSE for pull */
	446	bool push_mode;
	447	/** DPD check interval, 0 to disable */
	448	uint32_t dpd;
	449	/** DPD timeout interval (IKEv1 only), if 0 default applies */
	450	uint32_t dpd_timeout;
c56b8c1a TB	451	/** Optional inbound interface ID */
	452	uint32_t if_id_in;
	453	/** Optional outbound interface ID */
	454	uint32_t if_id_out;
a2ff8b65 TB	455	/** Postquantum Preshared Key ID (adopted) */
	456	identification_t *ppk_id;
	457	/** TRUE if a PPK is required, FALSE if it's optional */
	458	bool ppk_required;
2ba5dadb TB	459	#ifdef ME
	460	/** TRUE if this is a mediation connection */
	461	bool mediation;
ed96fe72 TB	462	/** peer_cfg_t of the mediation connection to mediate through (cloned) */
ed96fe72 TB	463	char *mediated_by;
2ba5dadb TB	464	/** ID that identifies our peer at the mediation server (adopted) */
	465	identification_t *peer_id;
	466	#endif /* ME */
	467	};
	468
e0fe7651	469	/**
552cc11b	470	* Create a configuration object for IKE_AUTH and later.
484a06bc	471	*
2ba5dadb TB	472	* @param name name of the peer_cfg (cloned)
	473	* @param ike_cfg IKE config to use when acting as initiator (adopted)
	474	* @param data data for this peer_cfg
6b444c59	475	* @return peer_cfg_t object
e0fe7651	476	*/
2ba5dadb TB	477	peer_cfg_t peer_cfg_create(char name, ike_cfg_t *ike_cfg,
2ba5dadb TB	478	peer_cfg_create_t *data);
e0fe7651	479
1490ff4d	480	#endif /** PEER_CFG_H_ @}*/