]> git.ipfire.org Git - thirdparty/strongswan.git/blob - src/libcharon/config/peer_cfg.h
projects / thirdparty / strongswan.git / blob
? search:


b294ae72f7fb6fbb9fc15e32a0efa3df9fd23adf
[thirdparty/strongswan.git] / src / libcharon / config / peer_cfg.h
1 /*
2 * Copyright (C) 2007-2017 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * HSR Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 /**
19 * @defgroup peer_cfg peer_cfg
20 * @{ @ingroup config
21 */
22
23 #ifndef PEER_CFG_H_
24 #define PEER_CFG_H_
25
26 typedef enum cert_policy_t cert_policy_t;
27 typedef enum unique_policy_t unique_policy_t;
28 typedef struct peer_cfg_t peer_cfg_t;
29 typedef struct peer_cfg_create_t peer_cfg_create_t;
30
31 #include <library.h>
32 #include <utils/identification.h>
33 #include <collections/enumerator.h>
34 #include <selectors/traffic_selector.h>
35 #include <config/proposal.h>
36 #include <config/ike_cfg.h>
37 #include <config/child_cfg.h>
38 #include <credentials/auth_cfg.h>
39
40 /**
41 * Certificate sending policy. This is also used for certificate
42 * requests when using this definition for the other peer. If
43 * it is CERT_NEVER_SEND, a certreq is omitted, otherwise its
44 * included.
45 *
46 * @warning These definitions must be the same as in pluto/starter,
47 * as they are sent over the stroke socket.
48 */
49 enum cert_policy_t {
50 /** always send certificates, even when not requested */
51 CERT_ALWAYS_SEND = 0,
52 /** send certificate upon cert request */
53 CERT_SEND_IF_ASKED = 1,
54 /** never send a certificate, even when requested */
55 CERT_NEVER_SEND = 2,
56 };
57
58 /**
59 * enum strings for cert_policy_t
60 */
61 extern enum_name_t *cert_policy_names;
62
63 /**
64 * Uniqueness of an IKE_SA, used to drop multiple connections with one peer.
65 */
66 enum unique_policy_t {
67 /** never check for client uniqueness */
68 UNIQUE_NEVER,
69 /** only check for client uniqueness when receiving an INITIAL_CONTACT */
70 UNIQUE_NO,
71 /** replace existing IKE_SAs when new ones get established by a client */
72 UNIQUE_REPLACE,
73 /** keep existing IKE_SAs, close the new ones on connection attempt */
74 UNIQUE_KEEP,
75 };
76
77 /**
78 * enum strings for unique_policy_t
79 */
80 extern enum_name_t *unique_policy_names;
81
82 /**
83 * Configuration of a peer, specified by IDs.
84 *
85 * The peer config defines a connection between two given IDs. It contains
86 * exactly one ike_cfg_t, which is used for initiation. Additionally, it
87 * contains multiple child_cfg_t defining which CHILD_SAs are allowed for this
88 * peer.
89 * @verbatim
90 +-------------------+ +---------------+
91 +---------------+ | peer_cfg | +---------------+ |
92 | ike_cfg | +-------------------+ | child_cfg | |
93 +---------------+ | - ids | +---------------+ |
94 | - hosts | 1 1 | - cas | 1 n | - proposals | |
95 | - proposals |<-----| - auth info |----->| - traffic sel | |
96 | - ... | | - dpd config | | - ... |-+
97 +---------------+ | - ... | +---------------+
98 +-------------------+
99 | 1 0 |
100 | |
101 v n n V
102 +-------------------+ +-------------------+
103 +-------------------+ | +-------------------+ |
104 | auth_cfg | | | auth_cfg | |
105 +-------------------+ | +-------------------+ |
106 | - local rules |-+ | - remote constr. |-+
107 +-------------------+ +-------------------+
108 @endverbatim
109 *
110 * Each peer_cfg has two lists of authentication config attached. Local
111 * authentication configs define how to authenticate ourself against the remote
112 * peer. Each config is enforced using the multiple authentication extension
113 * (RFC4739).
114 * The remote authentication configs are handled as constraints. The peer has
115 * to fulfill each of these rules (using multiple authentication, in any order)
116 * to gain access to the configuration.
117 */
118 struct peer_cfg_t {
119
120 /**
121 * Get the name of the peer_cfg.
122 *
123 * Returned object is not getting cloned.
124 *
125 * @return peer_cfg's name
126 */
127 char* (*get_name) (peer_cfg_t *this);
128
129 /**
130 * Get the IKE version to use for initiating.
131 *
132 * @return IKE major version
133 */
134 ike_version_t (*get_ike_version)(peer_cfg_t *this);
135
136 /**
137 * Get the IKE config to use for initiaton.
138 *
139 * @return the IKE config to use
140 */
141 ike_cfg_t* (*get_ike_cfg) (peer_cfg_t *this);
142
143 /**
144 * Attach a CHILD config.
145 *
146 * @param child_cfg CHILD config to add
147 */
148 void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg);
149
150 /**
151 * Detach a CHILD config, pointed to by an enumerator.
152 *
153 * @param enumerator enumerator indicating element position
154 */
155 void (*remove_child_cfg)(peer_cfg_t *this, enumerator_t *enumerator);
156
157 /**
158 * Replace the CHILD configs with those in the given PEER config.
159 *
160 * Configs that are equal are not replaced.
161 *
162 * The enumerator enumerates the removed and added CHILD configs
163 * (child_cfg_t*, bool), where the flag is FALSE for removed configs and
164 * TRUE for added configs.
165 *
166 * @param other other config to get CHILD configs from
167 * @return an enumerator over removed/added CHILD configs
168 */
169 enumerator_t* (*replace_child_cfgs)(peer_cfg_t *this, peer_cfg_t *other);
170
171 /**
172 * Create an enumerator for all attached CHILD configs.
173 *
174 * @return an enumerator over all CHILD configs.
175 */
176 enumerator_t* (*create_child_cfg_enumerator) (peer_cfg_t *this);
177
178 /**
179 * Select a CHILD config from traffic selectors.
180 *
181 * @param my_ts TS for local side
182 * @param other_ts TS for remote side
183 * @param my_hosts hosts to narrow down dynamic TS for local side
184 * @param other_hosts hosts to narrow down dynamic TS for remote side
185 * @return selected CHILD config, or NULL if no match found
186 */
187 child_cfg_t* (*select_child_cfg) (peer_cfg_t *this,
188 linked_list_t *my_ts, linked_list_t *other_ts,
189 linked_list_t *my_hosts, linked_list_t *other_hosts);
190
191 /**
192 * Add an authentication config to the peer configuration.
193 *
194 * @param cfg config to add
195 * @param local TRUE for local rules, FALSE for remote constraints
196 */
197 void (*add_auth_cfg)(peer_cfg_t *this, auth_cfg_t *cfg, bool local);
198
199 /**
200 * Create an enumerator over registered authentication configs.
201 *
202 * @param local TRUE for local rules, FALSE for remote constraints
203 * @return enumerator over auth_cfg_t*
204 */
205 enumerator_t* (*create_auth_cfg_enumerator)(peer_cfg_t *this, bool local);
206
207 /**
208 * Should a certificate be sent for this connection?
209 *
210 * @return certificate sending policy
211 */
212 cert_policy_t (*get_cert_policy) (peer_cfg_t *this);
213
214 /**
215 * How to handle uniqueness of IKE_SAs?
216 *
217 * @return unique policy
218 */
219 unique_policy_t (*get_unique_policy) (peer_cfg_t *this);
220
221 /**
222 * Get the max number of retries after timeout.
223 *
224 * @return max number retries
225 */
226 uint32_t (*get_keyingtries) (peer_cfg_t *this);
227
228 /**
229 * Get a time to start rekeying.
230 *
231 * @param jitter subtract a jitter value to randomize time
232 * @return time in s when to start rekeying, 0 disables rekeying
233 */
234 uint32_t (*get_rekey_time)(peer_cfg_t *this, bool jitter);
235
236 /**
237 * Get a time to start reauthentication.
238 *
239 * @param jitter subtract a jitter value to randomize time
240 * @return time in s when to start reauthentication, 0 disables it
241 */
242 uint32_t (*get_reauth_time)(peer_cfg_t *this, bool jitter);
243
244 /**
245 * Get the timeout of a rekeying/reauthenticating SA.
246 *
247 * @return timeout in s
248 */
249 uint32_t (*get_over_time)(peer_cfg_t *this);
250
251 /**
252 * Use MOBIKE (RFC4555) if peer supports it?
253 *
254 * @return TRUE to enable MOBIKE support
255 */
256 bool (*use_mobike) (peer_cfg_t *this);
257
258 /**
259 * Use/Accept aggressive mode with IKEv1?.
260 *
261 * @return TRUE to use aggressive mode
262 */
263 bool (*use_aggressive)(peer_cfg_t *this);
264
265 /**
266 * Use pull or push mode for mode config?
267 *
268 * @return TRUE to use pull, FALSE to use push mode
269 */
270 bool (*use_pull_mode)(peer_cfg_t *this);
271
272 /**
273 * Get the DPD check interval.
274 *
275 * @return dpd_delay in seconds
276 */
277 uint32_t (*get_dpd) (peer_cfg_t *this);
278
279 /**
280 * Get the DPD timeout interval (IKEv1 only)
281 *
282 * @return dpd_timeout in seconds
283 */
284 uint32_t (*get_dpd_timeout) (peer_cfg_t *this);
285
286 /**
287 * Add a virtual IP to request as initiator.
288 *
289 * @param vip virtual IP to request, may be %any or %any6
290 */
291 void (*add_virtual_ip)(peer_cfg_t *this, host_t *vip);
292
293 /**
294 * Create an enumerator over virtual IPs to request.
295 *
296 * The returned enumerator enumerates over IPs added with add_virtual_ip().
297 *
298 * @return enumerator over host_t*
299 */
300 enumerator_t* (*create_virtual_ip_enumerator)(peer_cfg_t *this);
301
302 /**
303 * Add a pool name this configuration uses to select virtual IPs.
304 *
305 * @param name pool name to use for virtual IP lookup
306 */
307 void (*add_pool)(peer_cfg_t *this, char *name);
308
309 /**
310 * Create an enumerator over pool names of this config.
311 *
312 * @return enumerator over char*
313 */
314 enumerator_t* (*create_pool_enumerator)(peer_cfg_t *this);
315
316 #ifdef ME
317 /**
318 * Is this a mediation connection?
319 *
320 * @return TRUE, if this is a mediation connection
321 */
322 bool (*is_mediation)(peer_cfg_t *this);
323
324 /**
325 * Get name of the connection this one is mediated through.
326 *
327 * @return the name of the mediation connection
328 */
329 char* (*get_mediated_by)(peer_cfg_t *this);
330
331 /**
332 * Get the id of the other peer at the mediation server.
333 *
334 * This is the leftid of the peer's connection with the mediation server.
335 *
336 * If it is not configured, it is assumed to be the same as the right id
337 * of this connection.
338 *
339 * @return the id of the other peer
340 */
341 identification_t* (*get_peer_id)(peer_cfg_t *this);
342 #endif /* ME */
343
344 /**
345 * Check if two peer configurations are equal.
346 *
347 * This method does not compare associated ike/child_cfg.
348 *
349 * @param other candidate to check for equality against this
350 * @return TRUE if peer_cfg and ike_cfg are equal
351 */
352 bool (*equals)(peer_cfg_t *this, peer_cfg_t *other);
353
354 /**
355 * Increase reference count.
356 *
357 * @return reference to this
358 */
359 peer_cfg_t* (*get_ref) (peer_cfg_t *this);
360
361 /**
362 * Destroys the peer_cfg object.
363 *
364 * Decrements the internal reference counter and
365 * destroys the peer_cfg when it reaches zero.
366 */
367 void (*destroy) (peer_cfg_t *this);
368 };
369
370 /**
371 * Data passed to the constructor of a peer_cfg_t object.
372 */
373 struct peer_cfg_create_t {
374 /** Whether to send a certificate payload */
375 cert_policy_t cert_policy;
376 /** Uniqueness of an IKE_SA */
377 unique_policy_t unique;
378 /** How many keying tries should be done before giving up */
379 uint32_t keyingtries;
380 /** Timeout in seconds before starting rekeying */
381 uint32_t rekey_time;
382 /** Timeout in seconds before starting reauthentication */
383 uint32_t reauth_time;
384 /** Time range in seconds to randomly subtract from rekey/reauth time */
385 uint32_t jitter_time;
386 /** Maximum overtime in seconds before closing a rekeying/reauth SA */
387 uint32_t over_time;
388 /** Disable MOBIKE (RFC4555) */
389 bool no_mobike;
390 /** Use/accept aggressive mode with IKEv1 */
391 bool aggressive;
392 /** TRUE to use modeconfig push, FALSE for pull */
393 bool push_mode;
394 /** DPD check interval, 0 to disable */
395 uint32_t dpd;
396 /** DPD timeout interval (IKEv1 only), if 0 default applies */
397 uint32_t dpd_timeout;
398 #ifdef ME
399 /** TRUE if this is a mediation connection */
400 bool mediation;
401 /** peer_cfg_t of the mediation connection to mediate through (cloned) */
402 char *mediated_by;
403 /** ID that identifies our peer at the mediation server (adopted) */
404 identification_t *peer_id;
405 #endif /* ME */
406 };
407
408 /**
409 * Create a configuration object for IKE_AUTH and later.
410 *
411 * @param name name of the peer_cfg (cloned)
412 * @param ike_cfg IKE config to use when acting as initiator (adopted)
413 * @param data data for this peer_cfg
414 * @return peer_cfg_t object
415 */
416 peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg,
417 peer_cfg_create_t *data);
418
419 #endif /** PEER_CFG_H_ @}*/
Unnamed repository; edit this file 'description' to name the repository.