2 * Copyright (C) 2008-2019 Tobias Brunner
3 * Copyright (C) 2016 Andreas Steffen
4 * Copyright (C) 2005-2007 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
7 * Copyright (C) secunet Security Networks AG
9 * This program is free software; you can redistribute it and/or modify it
10 * under the terms of the GNU General Public License as published by the
11 * Free Software Foundation; either version 2 of the License, or (at your
12 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
14 * This program is distributed in the hope that it will be useful, but
15 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
16 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * @defgroup child_cfg child_cfg
28 typedef enum action_t action_t
;
29 typedef enum child_cfg_option_t child_cfg_option_t
;
30 typedef struct child_cfg_t child_cfg_t
;
31 typedef struct child_cfg_create_t child_cfg_create_t
;
34 #include <selectors/traffic_selector.h>
35 #include <crypto/proposal/proposal.h>
36 #include <kernel/kernel_ipsec.h>
39 * Action to take when connection is loaded, DPD is detected or
40 * connection gets closed by peer.
45 /** Install trap policy to (re-)establish on demand */
47 /** Start or restart immediately */
48 ACTION_START
= (1<<1),
52 * enum names for action_t.
54 extern enum_name_t
*action_names
;
57 * A child_cfg_t defines the config template for a CHILD_SA.
59 * After creation, proposals and traffic selectors may be added to the config.
60 * A child_cfg object is referenced multiple times, and is not thread save.
61 * Reading from the object is save, adding things is not allowed while other
62 * threads may access the object.
63 * A reference counter handles the number of references hold to this config.
65 * @see peer_cfg_t to get an overview over the configurations.
70 * Get the name of the child_cfg.
72 * @return child_cfg's name
74 char *(*get_name
) (child_cfg_t
*this);
77 * Add a proposal to the list.
79 * The proposals are stored by priority, first added
80 * is the most preferred. It is safe to add NULL as proposal, which has no
81 * effect. After add, proposal is owned by child_cfg.
83 * @param proposal proposal to add, or NULL
85 void (*add_proposal
) (child_cfg_t
*this, proposal_t
*proposal
);
88 * Get the list of proposals for the CHILD_SA.
90 * Resulting list and all of its proposals must be freed after use.
92 * @param strip_ke TRUE strip out key exchange methods
93 * @return list of proposals
95 linked_list_t
* (*get_proposals
)(child_cfg_t
*this, bool strip_ke
);
98 * Select a proposal from a supplied list.
100 * Returned proposal is newly created and must be destroyed after usage.
102 * @param proposals list from which proposals are selected
103 * @param flags flags to consider during proposal selection
104 * @return selected proposal, or NULL if nothing matches
106 proposal_t
* (*select_proposal
)(child_cfg_t
*this, linked_list_t
*proposals
,
107 proposal_selection_flag_t flags
);
110 * Add a traffic selector to the config.
112 * Use the "local" parameter to add it for the local or the remote side.
113 * After add, traffic selector is owned by child_cfg.
115 * @param local TRUE for local side, FALSE for remote
116 * @param ts traffic_selector to add
118 void (*add_traffic_selector
)(child_cfg_t
*this, bool local
,
119 traffic_selector_t
*ts
);
122 * Get a list of traffic selectors to use for the CHILD_SA.
124 * The config contains two set of traffic selectors, one for the local
125 * side, one for the remote side.
126 * If a list with traffic selectors is supplied, these are used to narrow
127 * down the traffic selector list to the greatest common divisor.
128 * Some traffic selector may be "dynamic", meaning they are narrowed down
129 * to a specific address (host-to-host or virtual-IP setups). Use
130 * the "host" parameter to narrow such traffic selectors to that address.
131 * Resulted list and its traffic selectors must be destroyed after use.
133 * @param local TRUE for TS on local side, FALSE for remote
134 * @param supplied list with TS to select from, or NULL
135 * @param hosts addresses to use for narrowing "dynamic" TS', host_t
136 * @param log FALSE to avoid logging details about the selection
137 * @return list containing the traffic selectors
139 linked_list_t
*(*get_traffic_selectors
)(child_cfg_t
*this, bool local
,
140 linked_list_t
*supplied
,
141 linked_list_t
*hosts
, bool log
);
144 * Get the updown script to run for the CHILD_SA.
146 * @return path to updown script
148 char* (*get_updown
)(child_cfg_t
*this);
151 * Get the lifetime configuration of a CHILD_SA.
153 * The rekey limits automatically contain a jitter to avoid simultaneous
154 * rekeying. These values will change with each call to this function.
156 * @param jitter subtract jitter value to randomize lifetimes
157 * @return lifetime_cfg_t (has to be freed)
159 lifetime_cfg_t
* (*get_lifetime
) (child_cfg_t
*this, bool jitter
);
162 * Get the mode to use for the CHILD_SA.
164 * The mode is either tunnel, transport or BEET. The peer must agree
165 * on the method, fallback is tunnel mode.
169 ipsec_mode_t (*get_mode
) (child_cfg_t
*this);
172 * Action to take to start CHILD_SA.
174 * @return start action
176 action_t (*get_start_action
) (child_cfg_t
*this);
179 * Action to take on DPD.
183 action_t (*get_dpd_action
) (child_cfg_t
*this);
186 * Get the HW offload mode to use for the CHILD_SA.
188 * @return hw offload mode
190 hw_offload_t (*get_hw_offload
) (child_cfg_t
*this);
193 * Get the copy mode for the DS header field to use for the CHILD_SA.
195 * @return IP header copy mode
197 dscp_copy_t (*get_copy_dscp
) (child_cfg_t
*this);
200 * Action to take if CHILD_SA gets closed.
202 * @return close action
204 action_t (*get_close_action
) (child_cfg_t
*this);
207 * Get the first algorithm of a certain transform type that's contained in
208 * any of the configured proposals.
210 * For instance, use with KEY_EXCHANGE_METHOD to get the KE method to use
211 * for the CHILD_SA initiation.
213 * @param type transform type to look for
214 * @return algorithm identifier (0 for none)
216 uint16_t (*get_algorithm
)(child_cfg_t
*this, transform_type_t type
);
219 * Get the inactivity timeout value.
221 * @return inactivity timeout in s
223 uint32_t (*get_inactivity
)(child_cfg_t
*this);
226 * Specific reqid to use for CHILD_SA.
230 uint32_t (*get_reqid
)(child_cfg_t
*this);
233 * Optional interface ID to set on policies/SAs.
235 * @param inbound TRUE for inbound, FALSE for outbound
236 * @return interface ID
238 uint32_t (*get_if_id
)(child_cfg_t
*this, bool inbound
);
241 * Optional mark to set on policies/SAs.
243 * @param inbound TRUE for inbound, FALSE for outbound
246 mark_t (*get_mark
)(child_cfg_t
*this, bool inbound
);
249 * Optional mark the SAs should apply after processing packets.
251 * @param inbound TRUE for inbound, FALSE for outbound
254 mark_t (*get_set_mark
)(child_cfg_t
*this, bool inbound
);
257 * Optional security label to be configured on policies.
259 * @return label or NULL
261 sec_label_t
*(*get_label
)(child_cfg_t
*this);
264 * Get the mode in which the security label is used.
266 * @return label mode (never SEC_LABEL_MODE_SYSTEM)
268 sec_label_mode_t (*get_label_mode
)(child_cfg_t
*this);
271 * Select a security label from the given list that matches the configured
274 * This fails under the following conditions:
275 * - a label is configured but no labels are provided
276 * - no label is configured but at least one label is provided
277 * - the configured and provided labels don't match
279 * If no label is configured and none are provided, that's considered a
280 * success and label will be set to NULL.
282 * @param labels list of labels to match
283 * @param log FALSE to avoid logging details about the selection
284 * @param[out] label selected label or NULL if no label necessary
285 * @param[out] exact TRUE if there was an exact match
286 * @return FALSE on failure
288 bool (*select_label
)(child_cfg_t
*this, linked_list_t
*labels
, bool log
,
289 sec_label_t
**label
, bool *exact
);
292 * Get the TFC padding value to use for CHILD_SA.
294 * @return TFC padding, 0 to disable, -1 for MTU
296 uint32_t (*get_tfc
)(child_cfg_t
*this);
299 * Get optional manually-set IPsec policy priority
301 * @return manually-set IPsec policy priority (automatic if 0)
303 uint32_t (*get_manual_prio
)(child_cfg_t
*this);
306 * Get optional network interface restricting IPsec policy
308 * @return network interface)
310 char* (*get_interface
)(child_cfg_t
*this);
313 * Get anti-replay window size
315 * @return anti-replay window size
317 uint32_t (*get_replay_window
)(child_cfg_t
*this);
320 * Set anti-replay window size
322 * @param window anti-replay window size
324 void (*set_replay_window
)(child_cfg_t
*this, uint32_t window
);
327 * Check if an option flag is set.
329 * @param option option flag to check
330 * @return TRUE if option flag set, FALSE otherwise
332 bool (*has_option
)(child_cfg_t
*this, child_cfg_option_t option
);
335 * Check if two child_cfg objects are equal.
337 * @param other candidate to check for equality against this
338 * @return TRUE if equal
340 bool (*equals
)(child_cfg_t
*this, child_cfg_t
*other
);
343 * Increase the reference count.
345 * @return reference to this
347 child_cfg_t
* (*get_ref
) (child_cfg_t
*this);
350 * Destroys the child_cfg object.
352 * Decrements the internal reference counter and
353 * destroys the child_cfg when it reaches zero.
355 void (*destroy
) (child_cfg_t
*this);
359 * Option flags that may be set on a child_cfg_t object
361 enum child_cfg_option_t
{
363 /** Use IPsec transport proxy mode */
364 OPT_PROXY_MODE
= (1<<0),
366 /** Use IPComp, if peer supports it */
369 /** Allow access to the local host */
370 OPT_HOSTACCESS
= (1<<2),
372 /** Don't install any IPsec policies */
373 OPT_NO_POLICIES
= (1<<3),
375 /** Install outbound FWD IPsec policies to bypass drop policies */
376 OPT_FWD_OUT_POLICIES
= (1<<4),
378 /** Force 96-bit truncation for SHA-256 */
379 OPT_SHA256_96
= (1<<5),
381 /** Set mark on inbound SAs */
382 OPT_MARK_IN_SA
= (1<<6),
384 /** Disable copying the DF bit to the outer IPv4 header in tunnel mode */
385 OPT_NO_COPY_DF
= (1<<7),
387 /** Disable copying the ECN header field in tunnel mode */
388 OPT_NO_COPY_ECN
= (1<<8),
390 /** Enable per-CPU CHILD_SAs */
391 OPT_PER_CPU_SAS
= (1<<9),
393 /** Enable UDP encapsulation for per-CPU CHILD_SAs */
394 OPT_PER_CPU_SAS_ENCAP
= (1<<10),
398 * Data passed to the constructor of a child_cfg_t object.
400 struct child_cfg_create_t
{
401 /** Options set for CHILD_SA */
402 child_cfg_option_t options
;
403 /** Specific reqid to use for CHILD_SA, 0 for auto assignment */
405 /** Optional inbound interface ID */
407 /** Optional outbound interface ID */
409 /** Optional inbound mark */
411 /** Optional outbound mark */
413 /** Optional inbound mark the SA should apply to traffic */
415 /** Optional outbound mark the SA should apply to traffic */
417 /** Optional security label configured on policies (cloned) */
419 /** Optional security label mode */
420 sec_label_mode_t label_mode
;
421 /** Mode to propose for CHILD_SA */
423 /** TFC padding size, 0 to disable, -1 to pad to PMTU */
425 /** Optional manually-set IPsec policy priority */
427 /** Optional network interface restricting IPsec policy (cloned) */
429 /** lifetime_cfg_t for this child_cfg */
430 lifetime_cfg_t lifetime
;
431 /** Inactivity timeout in s before closing a CHILD_SA */
434 action_t start_action
;
438 action_t close_action
;
439 /** updown script to execute on up/down event (cloned) */
441 /** HW offload mode */
442 hw_offload_t hw_offload
;
443 /** How to handle the DS header field in tunnel mode */
444 dscp_copy_t copy_dscp
;
448 * Create a configuration template for CHILD_SA setup.
450 * After a call to create, a reference is obtained (refcount = 1).
452 * @param name name of the child_cfg (cloned)
453 * @param data data for this child_cfg
454 * @return child_cfg_t object
456 child_cfg_t
*child_cfg_create(char *name
, child_cfg_create_t
*data
);
458 #endif /** CHILD_CFG_H_ @}*/