/*
 * Copyright (C) 2007-2017 Tobias Brunner
 * Copyright (C) 2005-2009 Martin Willi
 * Copyright (C) 2005 Jan Hutter
 * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */
17 | ||
/**
 * @defgroup peer_cfg peer_cfg
 * @{ @ingroup config
 */
22 | ||
23 | #ifndef PEER_CFG_H_ | |
24 | #define PEER_CFG_H_ | |
e0fe7651 | 26 | typedef enum cert_policy_t cert_policy_t; |
0644ebd3 | 27 | typedef enum unique_policy_t unique_policy_t; |
e0fe7651 | 28 | typedef struct peer_cfg_t peer_cfg_t; |
2ba5dadb | 29 | typedef struct peer_cfg_create_t peer_cfg_create_t; |
31 | #include <library.h> | |
32 | #include <utils/identification.h> | |
12642a68 | 33 | #include <collections/enumerator.h> |
1125a0be | 34 | #include <selectors/traffic_selector.h> |
2307bffe | 35 | #include <crypto/proposal/proposal.h> |
36 | #include <config/ike_cfg.h> |
37 | #include <config/child_cfg.h> | |
2ccc02a4 | 38 | #include <credentials/auth_cfg.h> |
40 | /** | |
41 | * Certificate sending policy. This is also used for certificate | |
42 | * requests when using this definition for the other peer. If | |
43 | * it is CERT_NEVER_SEND, a certreq is omitted, otherwise its | |
44 | * included. | |
484a06bc | 45 | * |
e0fe7651 MW |
46 | * @warning These definitions must be the same as in pluto/starter, |
47 | * as they are sent over the stroke socket. | |
48 | */ | |
49 | enum cert_policy_t { | |
50 | /** always send certificates, even when not requested */ | |
323f9f99 | 51 | CERT_ALWAYS_SEND = 0, |
e0fe7651 | 52 | /** send certificate upon cert request */ |
323f9f99 | 53 | CERT_SEND_IF_ASKED = 1, |
e0fe7651 | 54 | /** never send a certificate, even when requested */ |
323f9f99 | 55 | CERT_NEVER_SEND = 2, |
e0fe7651 MW |
56 | }; |
58 | /** | |
59 | * enum strings for cert_policy_t | |
e0fe7651 MW |
60 | */ |
61 | extern enum_name_t *cert_policy_names; | |
63 | /** |
64 | * Uniqueness of an IKE_SA, used to drop multiple connections with one peer. | |
65 | */ | |
66 | enum unique_policy_t { | |
f4cc7ea1 TB |
67 | /** never check for client uniqueness */ |
68 | UNIQUE_NEVER, | |
69 | /** only check for client uniqueness when receiving an INITIAL_CONTACT */ | |
0644ebd3 | 70 | UNIQUE_NO, |
f4cc7ea1 | 71 | /** replace existing IKE_SAs when new ones get established by a client */ |
0644ebd3 | 72 | UNIQUE_REPLACE, |
f4cc7ea1 | 73 | /** keep existing IKE_SAs, close the new ones on connection attempt */ |
0644ebd3 MW |
74 | UNIQUE_KEEP, |
75 | }; | |
77 | /** | |
78 | * enum strings for unique_policy_t | |
79 | */ | |
80 | extern enum_name_t *unique_policy_names; | |
e0fe7651 | 82 | /** |
552cc11b | 83 | * Configuration of a peer, specified by IDs. |
e0fe7651 | 84 | * |
3b138b84 | 85 | * The peer config defines a connection between two given IDs. It contains |
6b444c59 TB |
86 | * exactly one ike_cfg_t, which is used for initiation. Additionally, it |
87 | * contains multiple child_cfg_t defining which CHILD_SAs are allowed for this | |
88 | * peer. | |
3b138b84 | 89 | * @verbatim |
a44bb934 MW |
90 | +-------------------+ +---------------+ |
91 | +---------------+ | peer_cfg | +---------------+ | | |
92 | | ike_cfg | +-------------------+ | child_cfg | | | |
93 | +---------------+ | - ids | +---------------+ | | |
94 | | - hosts | 1 1 | - cas | 1 n | - proposals | | | |
95 | | - proposals |<-----| - auth info |----->| - traffic sel | | | |
96 | | - ... | | - dpd config | | - ... |-+ | |
97 | +---------------+ | - ... | +---------------+ | |
98 | +-------------------+ | |
99 | | 1 0 | | |
100 | | | | |
101 | v n n V | |
102 | +-------------------+ +-------------------+ | |
103 | +-------------------+ | +-------------------+ | | |
104 | | auth_cfg | | | auth_cfg | | | |
105 | +-------------------+ | +-------------------+ | | |
106 | | - local rules |-+ | - remote constr. |-+ | |
107 | +-------------------+ +-------------------+ | |
3b138b84 | 108 | @endverbatim |
a44bb934 MW |
109 | * |
110 | * Each peer_cfg has two lists of authentication config attached. Local | |
111 | * authentication configs define how to authenticate ourself against the remote | |
112 | * peer. Each config is enforced using the multiple authentication extension | |
484a06bc | 113 | * (RFC4739). |
a44bb934 | 114 | * The remote authentication configs are handled as constraints. The peer has |
f3bb1bd0 | 115 | * to fulfill each of these rules (using multiple authentication, in any order) |
a44bb934 | 116 | * to gain access to the configuration. |
e0fe7651 MW |
117 | */ |
118 | struct peer_cfg_t { | |
7daf5226 | 119 | |
e0fe7651 | 120 | /** |
552cc11b | 121 | * Get the name of the peer_cfg. |
484a06bc | 122 | * |
e0fe7651 | 123 | * Returned object is not getting cloned. |
484a06bc | 124 | * |
e0fe7651 MW |
125 | * @return peer_cfg's name |
126 | */ | |
127 | char* (*get_name) (peer_cfg_t *this); | |
7daf5226 | 128 | |
e0fe7651 | 129 | /** |
552cc11b | 130 | * Get the IKE version to use for initiating. |
e0fe7651 | 131 | * |
6b444c59 | 132 | * @return IKE major version |
e0fe7651 | 133 | */ |
f7a8fced | 134 | ike_version_t (*get_ike_version)(peer_cfg_t *this); |
7daf5226 | 135 | |
e0fe7651 | 136 | /** |
552cc11b | 137 | * Get the IKE config to use for initiaton. |
484a06bc | 138 | * |
e0fe7651 MW |
139 | * @return the IKE config to use |
140 | */ | |
141 | ike_cfg_t* (*get_ike_cfg) (peer_cfg_t *this); | |
7daf5226 | 142 | |
e0fe7651 | 143 | /** |
552cc11b | 144 | * Attach a CHILD config. |
484a06bc | 145 | * |
e0fe7651 MW |
146 | * @param child_cfg CHILD config to add |
147 | */ | |
148 | void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg); | |
7daf5226 | 149 | |
e0fe7651 | 150 | /** |
552cc11b MW |
151 | * Detach a CHILD config, pointed to by an enumerator. |
152 | * | |
153 | * @param enumerator enumerator indicating element position | |
154 | */ | |
155 | void (*remove_child_cfg)(peer_cfg_t *this, enumerator_t *enumerator); | |
7daf5226 | 156 | |
622c2b2c TB |
157 | /** |
158 | * Replace the CHILD configs with those in the given PEER config. | |
159 | * | |
160 | * Configs that are equal are not replaced. | |
161 | * | |
162 | * The enumerator enumerates the removed and added CHILD configs | |
163 | * (child_cfg_t*, bool), where the flag is FALSE for removed configs and | |
164 | * TRUE for added configs. | |
165 | * | |
166 | * @param other other config to get CHILD configs from | |
167 | * @return an enumerator over removed/added CHILD configs | |
168 | */ | |
169 | enumerator_t* (*replace_child_cfgs)(peer_cfg_t *this, peer_cfg_t *other); | |
170 | ||
552cc11b MW |
171 | /** |
172 | * Create an enumerator for all attached CHILD configs. | |
484a06bc | 173 | * |
552cc11b | 174 | * @return an enumerator over all CHILD configs. |
e0fe7651 | 175 | */ |
552cc11b | 176 | enumerator_t* (*create_child_cfg_enumerator) (peer_cfg_t *this); |
7daf5226 | 177 | |
e0fe7651 | 178 | /** |
552cc11b | 179 | * Select a CHILD config from traffic selectors. |
484a06bc | 180 | * |
e0fe7651 MW |
181 | * @param my_ts TS for local side |
182 | * @param other_ts TS for remote side | |
7ee37114 MW |
183 | * @param my_hosts hosts to narrow down dynamic TS for local side |
184 | * @param other_hosts hosts to narrow down dynamic TS for remote side | |
e0fe7651 MW |
185 | * @return selected CHILD config, or NULL if no match found |
186 | */ | |
7ee37114 MW |
187 | child_cfg_t* (*select_child_cfg) (peer_cfg_t *this, |
188 | linked_list_t *my_ts, linked_list_t *other_ts, | |
189 | linked_list_t *my_hosts, linked_list_t *other_hosts); | |
7daf5226 | 190 | |
e0fe7651 | 191 | /** |
a44bb934 | 192 | * Add an authentication config to the peer configuration. |
552cc11b | 193 | * |
0ceb2888 | 194 | * @param cfg config to add |
a44bb934 | 195 | * @param local TRUE for local rules, FALSE for remote constraints |
552cc11b | 196 | */ |
a44bb934 | 197 | void (*add_auth_cfg)(peer_cfg_t *this, auth_cfg_t *cfg, bool local); |
7daf5226 | 198 | |
e0fe7651 | 199 | /** |
a44bb934 MW |
200 | * Create an enumerator over registered authentication configs. |
201 | * | |
202 | * @param local TRUE for local rules, FALSE for remote constraints | |
203 | * @return enumerator over auth_cfg_t* | |
e0fe7651 | 204 | */ |
a44bb934 | 205 | enumerator_t* (*create_auth_cfg_enumerator)(peer_cfg_t *this, bool local); |
15a9d460 | 206 | |
e0fe7651 | 207 | /** |
0ceb2888 | 208 | * Should a certificate be sent for this connection? |
e0fe7651 | 209 | * |
e0fe7651 MW |
210 | * @return certificate sending policy |
211 | */ | |
212 | cert_policy_t (*get_cert_policy) (peer_cfg_t *this); | |
213 | ||
0644ebd3 MW |
214 | /** |
215 | * How to handle uniqueness of IKE_SAs? | |
216 | * | |
217 | * @return unique policy | |
218 | */ | |
219 | unique_policy_t (*get_unique_policy) (peer_cfg_t *this); | |
7daf5226 | 220 | |
e0fe7651 | 221 | /** |
552cc11b | 222 | * Get the max number of retries after timeout. |
e0fe7651 | 223 | * |
e0fe7651 MW |
224 | * @return max number retries |
225 | */ | |
b12c53ce | 226 | uint32_t (*get_keyingtries) (peer_cfg_t *this); |
7daf5226 | 227 | |
e0fe7651 | 228 | /** |
d08269c7 | 229 | * Get a time to start rekeying. |
e0fe7651 | 230 | * |
b1df6312 | 231 | * @param jitter subtract a jitter value to randomize time |
ee614711 | 232 | * @return time in s when to start rekeying, 0 disables rekeying |
e0fe7651 | 233 | */ |
b12c53ce | 234 | uint32_t (*get_rekey_time)(peer_cfg_t *this, bool jitter); |
7daf5226 | 235 | |
e0fe7651 | 236 | /** |
d08269c7 | 237 | * Get a time to start reauthentication. |
ee614711 | 238 | * |
b1df6312 | 239 | * @param jitter subtract a jitter value to randomize time |
ee614711 MW |
240 | * @return time in s when to start reauthentication, 0 disables it |
241 | */ | |
b12c53ce | 242 | uint32_t (*get_reauth_time)(peer_cfg_t *this, bool jitter); |
7daf5226 | 243 | |
ee614711 | 244 | /** |
552cc11b | 245 | * Get the timeout of a rekeying/reauthenticating SA. |
ee614711 | 246 | * |
ee614711 | 247 | * @return timeout in s |
e0fe7651 | 248 | */ |
b12c53ce | 249 | uint32_t (*get_over_time)(peer_cfg_t *this); |
7daf5226 | 250 | |
9164e49a | 251 | /** |
552cc11b | 252 | * Use MOBIKE (RFC4555) if peer supports it? |
484a06bc | 253 | * |
9164e49a MW |
254 | * @return TRUE to enable MOBIKE support |
255 | */ | |
256 | bool (*use_mobike) (peer_cfg_t *this); | |
7daf5226 | 257 | |
5ce59d4c MW |
258 | /** |
259 | * Use/Accept aggressive mode with IKEv1?. | |
260 | * | |
261 | * @return TRUE to use aggressive mode | |
262 | */ | |
263 | bool (*use_aggressive)(peer_cfg_t *this); | |
264 | ||
9aeaa739 MW |
265 | /** |
266 | * Use pull or push mode for mode config? | |
267 | * | |
268 | * @return TRUE to use pull, FALSE to use push mode | |
269 | */ | |
270 | bool (*use_pull_mode)(peer_cfg_t *this); | |
271 | ||
e0fe7651 | 272 | /** |
552cc11b | 273 | * Get the DPD check interval. |
484a06bc | 274 | * |
e0fe7651 MW |
275 | * @return dpd_delay in seconds |
276 | */ | |
b12c53ce | 277 | uint32_t (*get_dpd) (peer_cfg_t *this); |
7daf5226 | 278 | |
80c5b17d AS |
279 | /** |
280 | * Get the DPD timeout interval (IKEv1 only) | |
281 | * | |
282 | * @return dpd_timeout in seconds | |
283 | */ | |
b12c53ce | 284 | uint32_t (*get_dpd_timeout) (peer_cfg_t *this); |
80c5b17d | 285 | |
e0fe7651 | 286 | /** |
101d26ba | 287 | * Add a virtual IP to request as initiator. |
16878f68 | 288 | * |
101d26ba MW |
289 | * @param vip virtual IP to request, may be %any or %any6 |
290 | */ | |
291 | void (*add_virtual_ip)(peer_cfg_t *this, host_t *vip); | |
292 | ||
293 | /** | |
294 | * Create an enumerator over virtual IPs to request. | |
295 | * | |
296 | * The returned enumerator enumerates over IPs added with add_virtual_ip(). | |
16878f68 | 297 | * |
101d26ba | 298 | * @return enumerator over host_t* |
16878f68 | 299 | */ |
101d26ba | 300 | enumerator_t* (*create_virtual_ip_enumerator)(peer_cfg_t *this); |
7daf5226 | 301 | |
16878f68 | 302 | /** |
497ce2cf | 303 | * Add a pool name this configuration uses to select virtual IPs. |
16878f68 | 304 | * |
497ce2cf | 305 | * @param name pool name to use for virtual IP lookup |
e0fe7651 | 306 | */ |
497ce2cf MW |
307 | void (*add_pool)(peer_cfg_t *this, char *name); |
308 | ||
309 | /** | |
310 | * Create an enumerator over pool names of this config. | |
311 | * | |
312 | * @return enumerator over char* | |
313 | */ | |
314 | enumerator_t* (*create_pool_enumerator)(peer_cfg_t *this); | |
7daf5226 | 315 | |
dc04b7c7 | 316 | #ifdef ME |
d5cc1758 | 317 | /** |
552cc11b | 318 | * Is this a mediation connection? |
484a06bc | 319 | * |
d5cc1758 TB |
320 | * @return TRUE, if this is a mediation connection |
321 | */ | |
ed96fe72 | 322 | bool (*is_mediation)(peer_cfg_t *this); |
7daf5226 | 323 | |
d5cc1758 | 324 | /** |
ed96fe72 | 325 | * Get name of the connection this one is mediated through. |
484a06bc | 326 | * |
ed96fe72 | 327 | * @return the name of the mediation connection |
d5cc1758 | 328 | */ |
ed96fe72 | 329 | char* (*get_mediated_by)(peer_cfg_t *this); |
7daf5226 | 330 | |
d5cc1758 | 331 | /** |
552cc11b | 332 | * Get the id of the other peer at the mediation server. |
484a06bc | 333 | * |
d5cc1758 | 334 | * This is the leftid of the peer's connection with the mediation server. |
484a06bc | 335 | * |
d5cc1758 | 336 | * If it is not configured, it is assumed to be the same as the right id |
484a06bc TB |
337 | * of this connection. |
338 | * | |
d5cc1758 TB |
339 | * @return the id of the other peer |
340 | */ | |
ed96fe72 | 341 | identification_t* (*get_peer_id)(peer_cfg_t *this); |
dc04b7c7 | 342 | #endif /* ME */ |
3c7e72f5 MW |
343 | |
344 | /** | |
345 | * Check if two peer configurations are equal. | |
346 | * | |
347 | * This method does not compare associated ike/child_cfg. | |
348 | * | |
349 | * @param other candidate to check for equality against this | |
350 | * @return TRUE if peer_cfg and ike_cfg are equal | |
351 | */ | |
352 | bool (*equals)(peer_cfg_t *this, peer_cfg_t *other); | |
7daf5226 | 353 | |
e0fe7651 | 354 | /** |
ff683671 | 355 | * Increase reference count. |
e0fe7651 | 356 | * |
ff683671 | 357 | * @return reference to this |
e0fe7651 | 358 | */ |
ff683671 | 359 | peer_cfg_t* (*get_ref) (peer_cfg_t *this); |
7daf5226 | 360 | |
e0fe7651 | 361 | /** |
552cc11b | 362 | * Destroys the peer_cfg object. |
e0fe7651 MW |
363 | * |
364 | * Decrements the internal reference counter and | |
365 | * destroys the peer_cfg when it reaches zero. | |
e0fe7651 MW |
366 | */ |
367 | void (*destroy) (peer_cfg_t *this); | |
368 | }; | |
370 | /** |
371 | * Data passed to the constructor of a peer_cfg_t object. | |
372 | */ | |
373 | struct peer_cfg_create_t { | |
374 | /** Whether to send a certificate payload */ | |
375 | cert_policy_t cert_policy; | |
376 | /** Uniqueness of an IKE_SA */ | |
377 | unique_policy_t unique; | |
378 | /** How many keying tries should be done before giving up */ | |
379 | uint32_t keyingtries; | |
380 | /** Timeout in seconds before starting rekeying */ | |
381 | uint32_t rekey_time; | |
382 | /** Timeout in seconds before starting reauthentication */ | |
383 | uint32_t reauth_time; | |
384 | /** Time range in seconds to randomly subtract from rekey/reauth time */ | |
385 | uint32_t jitter_time; | |
386 | /** Maximum overtime in seconds before closing a rekeying/reauth SA */ | |
387 | uint32_t over_time; | |
388 | /** Disable MOBIKE (RFC4555) */ | |
389 | bool no_mobike; | |
390 | /** Use/accept aggressive mode with IKEv1 */ | |
391 | bool aggressive; | |
392 | /** TRUE to use modeconfig push, FALSE for pull */ | |
393 | bool push_mode; | |
394 | /** DPD check interval, 0 to disable */ | |
395 | uint32_t dpd; | |
396 | /** DPD timeout interval (IKEv1 only), if 0 default applies */ | |
397 | uint32_t dpd_timeout; | |
398 | #ifdef ME | |
399 | /** TRUE if this is a mediation connection */ | |
400 | bool mediation; | |
ed96fe72 TB |
401 | /** peer_cfg_t of the mediation connection to mediate through (cloned) */ |
402 | char *mediated_by; | |
2ba5dadb TB |
403 | /** ID that identifies our peer at the mediation server (adopted) */ |
404 | identification_t *peer_id; | |
405 | #endif /* ME */ | |
406 | }; | |
e0fe7651 | 408 | /** |
552cc11b | 409 | * Create a configuration object for IKE_AUTH and later. |
484a06bc | 410 | * |
2ba5dadb TB |
411 | * @param name name of the peer_cfg (cloned) |
412 | * @param ike_cfg IKE config to use when acting as initiator (adopted) | |
413 | * @param data data for this peer_cfg | |
6b444c59 | 414 | * @return peer_cfg_t object |
e0fe7651 | 415 | */ |
2ba5dadb TB |
416 | peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg, |
417 | peer_cfg_create_t *data); | |
1490ff4d | 419 | #endif /** PEER_CFG_H_ @}*/ |