]>
Commit | Line | Data |
---|---|---|
e0fe7651 | 1 | /* |
72c96dbf | 2 | * Copyright (C) 2008-2019 Tobias Brunner |
7f57c4f9 | 3 | * Copyright (C) 2016 Andreas Steffen |
e0fe7651 MW |
4 | * Copyright (C) 2005-2007 Martin Willi |
5 | * Copyright (C) 2005 Jan Hutter | |
19ef2aec TB |
6 | * |
7 | * Copyright (C) secunet Security Networks AG | |
e0fe7651 MW |
8 | * |
9 | * This program is free software; you can redistribute it and/or modify it | |
10 | * under the terms of the GNU General Public License as published by the | |
11 | * Free Software Foundation; either version 2 of the License, or (at your | |
12 | * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>. | |
13 | * | |
14 | * This program is distributed in the hope that it will be useful, but | |
15 | * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY | |
16 | * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License | |
17 | * for more details. | |
552cc11b MW |
18 | */ |
19 | ||
20 | /** | |
21 | * @defgroup child_cfg child_cfg | |
22 | * @{ @ingroup config | |
e0fe7651 MW |
23 | */ |
24 | ||
25 | #ifndef CHILD_CFG_H_ | |
26 | #define CHILD_CFG_H_ | |
27 | ||
96926b00 | 28 | typedef enum action_t action_t; |
749ac175 | 29 | typedef enum child_cfg_option_t child_cfg_option_t; |
e0fe7651 | 30 | typedef struct child_cfg_t child_cfg_t; |
8a00a845 | 31 | typedef struct child_cfg_create_t child_cfg_create_t; |
e0fe7651 MW |
32 | |
33 | #include <library.h> | |
1125a0be | 34 | #include <selectors/traffic_selector.h> |
2307bffe | 35 | #include <crypto/proposal/proposal.h> |
a341a68f | 36 | #include <kernel/kernel_ipsec.h> |
e0fe7651 | 37 | |
96926b00 | 38 | /** |
c616d84c AS |
39 | * Action to take when connection is loaded, DPD is detected or |
40 | * connection gets closed by peer. | |
96926b00 MW |
41 | */ |
42 | enum action_t { | |
43 | /** No action */ | |
4f4d4021 TB |
44 | ACTION_NONE = 0, |
45 | /** Install trap policy to (re-)establish on demand */ | |
46 | ACTION_TRAP = (1<<0), | |
47 | /** Start or restart immediately */ | |
48 | ACTION_START = (1<<1), | |
96926b00 MW |
49 | }; |
50 | ||
51 | /** | |
52 | * enum names for action_t. | |
53 | */ | |
54 | extern enum_name_t *action_names; | |
55 | ||
e0fe7651 | 56 | /** |
552cc11b | 57 | * A child_cfg_t defines the config template for a CHILD_SA. |
e0fe7651 MW |
58 | * |
59 | * After creation, proposals and traffic selectors may be added to the config. | |
60 | * A child_cfg object is referenced multiple times, and is not thread save. | |
3b138b84 | 61 | * Reading from the object is save, adding things is not allowed while other |
7daf5226 | 62 | * threads may access the object. |
e0fe7651 | 63 | * A reference counter handles the number of references hold to this config. |
3b138b84 MW |
64 | * |
65 | * @see peer_cfg_t to get an overview over the configurations. | |
e0fe7651 MW |
66 | */ |
67 | struct child_cfg_t { | |
7daf5226 | 68 | |
e0fe7651 | 69 | /** |
552cc11b | 70 | * Get the name of the child_cfg. |
7daf5226 | 71 | * |
e0fe7651 MW |
72 | * @return child_cfg's name |
73 | */ | |
74 | char *(*get_name) (child_cfg_t *this); | |
7daf5226 | 75 | |
e0fe7651 | 76 | /** |
7daf5226 MW |
77 | * Add a proposal to the list. |
78 | * | |
e0fe7651 | 79 | * The proposals are stored by priority, first added |
356846db MW |
80 | * is the most preferred. It is safe to add NULL as proposal, which has no |
81 | * effect. After add, proposal is owned by child_cfg. | |
7daf5226 | 82 | * |
356846db | 83 | * @param proposal proposal to add, or NULL |
e0fe7651 MW |
84 | */ |
85 | void (*add_proposal) (child_cfg_t *this, proposal_t *proposal); | |
7daf5226 | 86 | |
e0fe7651 | 87 | /** |
552cc11b | 88 | * Get the list of proposals for the CHILD_SA. |
e0fe7651 MW |
89 | * |
90 | * Resulting list and all of its proposals must be freed after use. | |
7daf5226 | 91 | * |
3af7c6db | 92 | * @param strip_ke TRUE strip out key exchange methods |
e0fe7651 MW |
93 | * @return list of proposals |
94 | */ | |
3af7c6db | 95 | linked_list_t* (*get_proposals)(child_cfg_t *this, bool strip_ke); |
7daf5226 | 96 | |
e0fe7651 | 97 | /** |
552cc11b | 98 | * Select a proposal from a supplied list. |
e0fe7651 | 99 | * |
b3ab7a48 | 100 | * Returned proposal is newly created and must be destroyed after usage. |
7daf5226 | 101 | * |
f3bb1bd0 | 102 | * @param proposals list from which proposals are selected |
f930b732 | 103 | * @param flags flags to consider during proposal selection |
e0fe7651 MW |
104 | * @return selected proposal, or NULL if nothing matches |
105 | */ | |
1fd5383e | 106 | proposal_t* (*select_proposal)(child_cfg_t*this, linked_list_t *proposals, |
f930b732 | 107 | proposal_selection_flag_t flags); |
7daf5226 | 108 | |
e0fe7651 | 109 | /** |
552cc11b | 110 | * Add a traffic selector to the config. |
7daf5226 | 111 | * |
e0fe7651 MW |
112 | * Use the "local" parameter to add it for the local or the remote side. |
113 | * After add, traffic selector is owned by child_cfg. | |
7daf5226 | 114 | * |
e0fe7651 MW |
115 | * @param local TRUE for local side, FALSE for remote |
116 | * @param ts traffic_selector to add | |
117 | */ | |
118 | void (*add_traffic_selector)(child_cfg_t *this, bool local, | |
119 | traffic_selector_t *ts); | |
7daf5226 | 120 | |
e0fe7651 | 121 | /** |
552cc11b | 122 | * Get a list of traffic selectors to use for the CHILD_SA. |
7daf5226 | 123 | * |
e0fe7651 MW |
124 | * The config contains two set of traffic selectors, one for the local |
125 | * side, one for the remote side. | |
126 | * If a list with traffic selectors is supplied, these are used to narrow | |
127 | * down the traffic selector list to the greatest common divisor. | |
b3ab7a48 | 128 | * Some traffic selector may be "dynamic", meaning they are narrowed down |
e0fe7651 MW |
129 | * to a specific address (host-to-host or virtual-IP setups). Use |
130 | * the "host" parameter to narrow such traffic selectors to that address. | |
131 | * Resulted list and its traffic selectors must be destroyed after use. | |
7daf5226 | 132 | * |
e0fe7651 MW |
133 | * @param local TRUE for TS on local side, FALSE for remote |
134 | * @param supplied list with TS to select from, or NULL | |
7ee37114 | 135 | * @param hosts addresses to use for narrowing "dynamic" TS', host_t |
84cdfbc9 | 136 | * @param log FALSE to avoid logging details about the selection |
e0fe7651 MW |
137 | * @return list containing the traffic selectors |
138 | */ | |
139 | linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local, | |
140 | linked_list_t *supplied, | |
84cdfbc9 TB |
141 | linked_list_t *hosts, bool log); |
142 | ||
e0fe7651 | 143 | /** |
552cc11b | 144 | * Get the updown script to run for the CHILD_SA. |
7daf5226 | 145 | * |
e0fe7651 MW |
146 | * @return path to updown script |
147 | */ | |
148 | char* (*get_updown)(child_cfg_t *this); | |
7daf5226 | 149 | |
e0fe7651 | 150 | /** |
caf87c7d | 151 | * Get the lifetime configuration of a CHILD_SA. |
e0fe7651 | 152 | * |
caf87c7d TB |
153 | * The rekey limits automatically contain a jitter to avoid simultaneous |
154 | * rekeying. These values will change with each call to this function. | |
155 | * | |
b1df6312 | 156 | * @param jitter subtract jitter value to randomize lifetimes |
caf87c7d | 157 | * @return lifetime_cfg_t (has to be freed) |
e0fe7651 | 158 | */ |
b1df6312 | 159 | lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this, bool jitter); |
7daf5226 | 160 | |
e0fe7651 | 161 | /** |
552cc11b | 162 | * Get the mode to use for the CHILD_SA. |
e0fe7651 MW |
163 | * |
164 | * The mode is either tunnel, transport or BEET. The peer must agree | |
165 | * on the method, fallback is tunnel mode. | |
7daf5226 | 166 | * |
96926b00 | 167 | * @return ipsec mode |
e0fe7651 | 168 | */ |
a341a68f | 169 | ipsec_mode_t (*get_mode) (child_cfg_t *this); |
7daf5226 | 170 | |
c616d84c AS |
171 | /** |
172 | * Action to take to start CHILD_SA. | |
173 | * | |
174 | * @return start action | |
175 | */ | |
176 | action_t (*get_start_action) (child_cfg_t *this); | |
177 | ||
96926b00 | 178 | /** |
348af092 | 179 | * Action to take on DPD. |
96926b00 | 180 | * |
348af092 | 181 | * @return DPD action |
7daf5226 | 182 | */ |
348af092 | 183 | action_t (*get_dpd_action) (child_cfg_t *this); |
7daf5226 | 184 | |
8ced1570 AN |
185 | /** |
186 | * Get the HW offload mode to use for the CHILD_SA. | |
187 | * | |
188 | * @return hw offload mode | |
189 | */ | |
190 | hw_offload_t (*get_hw_offload) (child_cfg_t *this); | |
191 | ||
c993eaf9 TB |
192 | /** |
193 | * Get the copy mode for the DS header field to use for the CHILD_SA. | |
194 | * | |
195 | * @return IP header copy mode | |
196 | */ | |
197 | dscp_copy_t (*get_copy_dscp) (child_cfg_t *this); | |
198 | ||
348af092 MW |
199 | /** |
200 | * Action to take if CHILD_SA gets closed. | |
201 | * | |
202 | * @return close action | |
7daf5226 | 203 | */ |
348af092 | 204 | action_t (*get_close_action) (child_cfg_t *this); |
7daf5226 | 205 | |
1fd5383e | 206 | /** |
ec350ebb TB |
207 | * Get the first algorithm of a certain transform type that's contained in |
208 | * any of the configured proposals. | |
7daf5226 | 209 | * |
ec350ebb TB |
210 | * For instance, use with KEY_EXCHANGE_METHOD to get the KE method to use |
211 | * for the CHILD_SA initiation. | |
212 | * | |
213 | * @param type transform type to look for | |
214 | * @return algorithm identifier (0 for none) | |
1fd5383e | 215 | */ |
ec350ebb | 216 | uint16_t (*get_algorithm)(child_cfg_t *this, transform_type_t type); |
7daf5226 | 217 | |
71da0017 MW |
218 | /** |
219 | * Get the inactivity timeout value. | |
220 | * | |
221 | * @return inactivity timeout in s | |
222 | */ | |
b12c53ce | 223 | uint32_t (*get_inactivity)(child_cfg_t *this); |
71da0017 | 224 | |
277fcf9f | 225 | /** |
0ceb2888 | 226 | * Specific reqid to use for CHILD_SA. |
277fcf9f RB |
227 | * |
228 | * @return reqid | |
229 | */ | |
b12c53ce | 230 | uint32_t (*get_reqid)(child_cfg_t *this); |
277fcf9f | 231 | |
72c96dbf TB |
232 | /** |
233 | * Optional interface ID to set on policies/SAs. | |
234 | * | |
235 | * @param inbound TRUE for inbound, FALSE for outbound | |
236 | * @return interface ID | |
237 | */ | |
238 | uint32_t (*get_if_id)(child_cfg_t *this, bool inbound); | |
239 | ||
ee26c537 | 240 | /** |
fa4d4012 | 241 | * Optional mark to set on policies/SAs. |
ee26c537 | 242 | * |
6f449d2e | 243 | * @param inbound TRUE for inbound, FALSE for outbound |
ee26c537 AS |
244 | * @return mark |
245 | */ | |
246 | mark_t (*get_mark)(child_cfg_t *this, bool inbound); | |
247 | ||
fa4d4012 TB |
248 | /** |
249 | * Optional mark the SAs should apply after processing packets. | |
250 | * | |
251 | * @param inbound TRUE for inbound, FALSE for outbound | |
252 | * @return mark | |
253 | */ | |
254 | mark_t (*get_set_mark)(child_cfg_t *this, bool inbound); | |
255 | ||
ef72ac88 TB |
256 | /** |
257 | * Optional security label to be configured on policies. | |
258 | * | |
259 | * @return label or NULL | |
260 | */ | |
261 | sec_label_t *(*get_label)(child_cfg_t *this); | |
262 | ||
263 | /** | |
264 | * Get the mode in which the security label is used. | |
265 | * | |
266 | * @return label mode (never SEC_LABEL_MODE_SYSTEM) | |
267 | */ | |
268 | sec_label_mode_t (*get_label_mode)(child_cfg_t *this); | |
269 | ||
63d4bd07 TB |
270 | /** |
271 | * Select a security label from the given list that matches the configured | |
272 | * label. | |
273 | * | |
274 | * This fails under the following conditions: | |
275 | * - a label is configured but no labels are provided | |
276 | * - no label is configured but at least one label is provided | |
277 | * - the configured and provided labels don't match | |
278 | * | |
279 | * If no label is configured and none are provided, that's considered a | |
280 | * success and label will be set to NULL. | |
281 | * | |
282 | * @param labels list of labels to match | |
283 | * @param log FALSE to avoid logging details about the selection | |
8eaddbb8 TB |
284 | * @param[out] label selected label or NULL if no label necessary |
285 | * @param[out] exact TRUE if there was an exact match | |
63d4bd07 TB |
286 | * @return FALSE on failure |
287 | */ | |
288 | bool (*select_label)(child_cfg_t *this, linked_list_t *labels, bool log, | |
289 | sec_label_t **label, bool *exact); | |
290 | ||
37788b1d MW |
291 | /** |
292 | * Get the TFC padding value to use for CHILD_SA. | |
293 | * | |
294 | * @return TFC padding, 0 to disable, -1 for MTU | |
295 | */ | |
b12c53ce | 296 | uint32_t (*get_tfc)(child_cfg_t *this); |
37788b1d | 297 | |
7f57c4f9 AS |
298 | /** |
299 | * Get optional manually-set IPsec policy priority | |
300 | * | |
301 | * @return manually-set IPsec policy priority (automatic if 0) | |
302 | */ | |
303 | uint32_t (*get_manual_prio)(child_cfg_t *this); | |
304 | ||
c26e4330 AS |
305 | /** |
306 | * Get optional network interface restricting IPsec policy | |
307 | * | |
308 | * @return network interface) | |
309 | */ | |
310 | char* (*get_interface)(child_cfg_t *this); | |
311 | ||
bdcaa5e6 MW |
312 | /** |
313 | * Get anti-replay window size | |
314 | * | |
315 | * @return anti-replay window size | |
316 | */ | |
b12c53ce | 317 | uint32_t (*get_replay_window)(child_cfg_t *this); |
bdcaa5e6 MW |
318 | |
319 | /** | |
320 | * Set anti-replay window size | |
321 | * | |
749ac175 | 322 | * @param window anti-replay window size |
bdcaa5e6 | 323 | */ |
b12c53ce | 324 | void (*set_replay_window)(child_cfg_t *this, uint32_t window); |
bdcaa5e6 | 325 | |
91db979c | 326 | /** |
749ac175 | 327 | * Check if an option flag is set. |
c98e48cf | 328 | * |
749ac175 TB |
329 | * @param option option flag to check |
330 | * @return TRUE if option flag set, FALSE otherwise | |
c98e48cf | 331 | */ |
749ac175 | 332 | bool (*has_option)(child_cfg_t *this, child_cfg_option_t option); |
c98e48cf | 333 | |
3af23606 TB |
334 | /** |
335 | * Check if two child_cfg objects are equal. | |
336 | * | |
337 | * @param other candidate to check for equality against this | |
338 | * @return TRUE if equal | |
339 | */ | |
340 | bool (*equals)(child_cfg_t *this, child_cfg_t *other); | |
341 | ||
e0fe7651 | 342 | /** |
ff683671 | 343 | * Increase the reference count. |
e0fe7651 | 344 | * |
ff683671 | 345 | * @return reference to this |
e0fe7651 | 346 | */ |
ff683671 | 347 | child_cfg_t* (*get_ref) (child_cfg_t *this); |
7daf5226 | 348 | |
e0fe7651 | 349 | /** |
552cc11b | 350 | * Destroys the child_cfg object. |
e0fe7651 MW |
351 | * |
352 | * Decrements the internal reference counter and | |
353 | * destroys the child_cfg when it reaches zero. | |
e0fe7651 MW |
354 | */ |
355 | void (*destroy) (child_cfg_t *this); | |
356 | }; | |
357 | ||
749ac175 TB |
358 | /** |
359 | * Option flags that may be set on a child_cfg_t object | |
360 | */ | |
361 | enum child_cfg_option_t { | |
362 | ||
363 | /** Use IPsec transport proxy mode */ | |
364 | OPT_PROXY_MODE = (1<<0), | |
365 | ||
366 | /** Use IPComp, if peer supports it */ | |
367 | OPT_IPCOMP = (1<<1), | |
368 | ||
369 | /** Allow access to the local host */ | |
370 | OPT_HOSTACCESS = (1<<2), | |
371 | ||
372 | /** Don't install any IPsec policies */ | |
373 | OPT_NO_POLICIES = (1<<3), | |
374 | ||
375 | /** Install outbound FWD IPsec policies to bypass drop policies */ | |
376 | OPT_FWD_OUT_POLICIES = (1<<4), | |
4a175830 | 377 | |
7637633b | 378 | /** Force 96-bit truncation for SHA-256 */ |
8ced1570 | 379 | OPT_SHA256_96 = (1<<5), |
ea43f8ff TB |
380 | |
381 | /** Set mark on inbound SAs */ | |
8ced1570 | 382 | OPT_MARK_IN_SA = (1<<6), |
dc8b015d TB |
383 | |
384 | /** Disable copying the DF bit to the outer IPv4 header in tunnel mode */ | |
385 | OPT_NO_COPY_DF = (1<<7), | |
386 | ||
387 | /** Disable copying the ECN header field in tunnel mode */ | |
388 | OPT_NO_COPY_ECN = (1<<8), | |
09caacd5 TB |
389 | |
390 | /** Enable per-CPU CHILD_SAs */ | |
391 | OPT_PER_CPU_SAS = (1<<9), | |
38eb8787 TB |
392 | |
393 | /** Enable UDP encapsulation for per-CPU CHILD_SAs */ | |
394 | OPT_PER_CPU_SAS_ENCAP = (1<<10), | |
749ac175 | 395 | }; |
8a00a845 TB |
396 | |
397 | /** | |
398 | * Data passed to the constructor of a child_cfg_t object. | |
399 | */ | |
400 | struct child_cfg_create_t { | |
749ac175 TB |
401 | /** Options set for CHILD_SA */ |
402 | child_cfg_option_t options; | |
8a00a845 TB |
403 | /** Specific reqid to use for CHILD_SA, 0 for auto assignment */ |
404 | uint32_t reqid; | |
72c96dbf TB |
405 | /** Optional inbound interface ID */ |
406 | uint32_t if_id_in; | |
407 | /** Optional outbound interface ID */ | |
408 | uint32_t if_id_out; | |
8a00a845 TB |
409 | /** Optional inbound mark */ |
410 | mark_t mark_in; | |
411 | /** Optional outbound mark */ | |
412 | mark_t mark_out; | |
fa4d4012 TB |
413 | /** Optional inbound mark the SA should apply to traffic */ |
414 | mark_t set_mark_in; | |
415 | /** Optional outbound mark the SA should apply to traffic */ | |
416 | mark_t set_mark_out; | |
ef72ac88 TB |
417 | /** Optional security label configured on policies (cloned) */ |
418 | sec_label_t *label; | |
419 | /** Optional security label mode */ | |
420 | sec_label_mode_t label_mode; | |
8a00a845 TB |
421 | /** Mode to propose for CHILD_SA */ |
422 | ipsec_mode_t mode; | |
8a00a845 TB |
423 | /** TFC padding size, 0 to disable, -1 to pad to PMTU */ |
424 | uint32_t tfc; | |
7f57c4f9 AS |
425 | /** Optional manually-set IPsec policy priority */ |
426 | uint32_t priority; | |
c26e4330 AS |
427 | /** Optional network interface restricting IPsec policy (cloned) */ |
428 | char *interface; | |
8a00a845 TB |
429 | /** lifetime_cfg_t for this child_cfg */ |
430 | lifetime_cfg_t lifetime; | |
431 | /** Inactivity timeout in s before closing a CHILD_SA */ | |
432 | uint32_t inactivity; | |
433 | /** Start action */ | |
434 | action_t start_action; | |
435 | /** DPD action */ | |
436 | action_t dpd_action; | |
437 | /** Close action */ | |
438 | action_t close_action; | |
439 | /** updown script to execute on up/down event (cloned) */ | |
440 | char *updown; | |
8ced1570 AN |
441 | /** HW offload mode */ |
442 | hw_offload_t hw_offload; | |
c993eaf9 TB |
443 | /** How to handle the DS header field in tunnel mode */ |
444 | dscp_copy_t copy_dscp; | |
8a00a845 TB |
445 | }; |
446 | ||
e0fe7651 | 447 | /** |
552cc11b | 448 | * Create a configuration template for CHILD_SA setup. |
7daf5226 | 449 | * |
e0fe7651 | 450 | * After a call to create, a reference is obtained (refcount = 1). |
7daf5226 | 451 | * |
8a00a845 TB |
452 | * @param name name of the child_cfg (cloned) |
453 | * @param data data for this child_cfg | |
277fcf9f | 454 | * @return child_cfg_t object |
e0fe7651 | 455 | */ |
8a00a845 | 456 | child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data); |
e0fe7651 | 457 | |
1490ff4d | 458 | #endif /** CHILD_CFG_H_ @}*/ |