1.1 ! misho 1: /*
! 2: * Copyright (C) 2012-2019 Tobias Brunner
! 3: * Copyright (C) 2005-2007 Martin Willi
! 4: * Copyright (C) 2005 Jan Hutter
! 5: * HSR Hochschule fuer Technik Rapperswil
! 6: *
! 7: * This program is free software; you can redistribute it and/or modify it
! 8: * under the terms of the GNU General Public License as published by the
! 9: * Free Software Foundation; either version 2 of the License, or (at your
! 10: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
! 11: *
! 12: * This program is distributed in the hope that it will be useful, but
! 13: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
! 14: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
! 15: * for more details.
! 16: */
! 17:
! 18: /**
! 19: * @defgroup ike_cfg ike_cfg
! 20: * @{ @ingroup config
! 21: */
! 22:
! 23: #ifndef IKE_CFG_H_
! 24: #define IKE_CFG_H_
! 25:
/* Forward typedefs for everything this header defines. They are deliberately
 * placed ahead of the includes below, so that any header pulled in there can
 * refer to these names without needing the full definitions first. */
typedef enum ike_version_t ike_version_t;
typedef enum fragmentation_t fragmentation_t;
typedef enum childless_t childless_t;
typedef struct ike_cfg_t ike_cfg_t;
typedef struct ike_cfg_create_t ike_cfg_create_t;
! 31:
! 32: #include <library.h>
! 33: #include <networking/host.h>
! 34: #include <collections/linked_list.h>
! 35: #include <utils/identification.h>
! 36: #include <crypto/proposal/proposal.h>
! 37: #include <crypto/diffie_hellman.h>
! 38:
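/**
 * IKE version.
 *
 * IKE_ANY is 0, so a zero-initialised ike_cfg_create_t selects "any version".
 * Printable names are provided by ike_version_names.
 */
enum ike_version_t {
	/** any version */
	IKE_ANY = 0,
	/** IKE version 1 */
	IKEV1 = 1,
	/** IKE version 2 */
	IKEV2 = 2,
};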
! 50:
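/**
 * IKE fragmentation policy: proprietary IKEv1 fragmentation and
 * IKEv2 fragmentation (RFC 7383).
 *
 * Enumerators are listed from least to most aggressive use of fragmentation.
 * The numeric values are explicit so they cannot shift if an enumerator is
 * inserted later.
 */
enum fragmentation_t {
	/** disable fragmentation */
	FRAGMENTATION_NO = 0,
	/** announce support, but don't send any fragments */
	FRAGMENTATION_ACCEPT = 1,
	/** enable fragmentation, if supported by peer */
	FRAGMENTATION_YES = 2,
	/** force use of fragmentation (even for the first message for IKEv1) */
	FRAGMENTATION_FORCE = 3,
};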
! 64:
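/**
 * Childless IKE_SAs (RFC 6023), i.e. IKE_SAs set up without a CHILD_SA.
 *
 * The numeric values are explicit so they cannot shift if an enumerator is
 * inserted later.
 */
enum childless_t {
	/** Allow childless IKE_SAs as responder, but initiate regular IKE_SAs */
	CHILDLESS_ALLOW = 0,
	/** Don't accept childless IKE_SAs as responder, don't initiate them */
	CHILDLESS_NEVER = 1,
	/** Only accept the creation of childless IKE_SAs (also as responder) */
	CHILDLESS_FORCE = 2,
};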
! 76:
/**
 * enum strings for ike_version_t (printable names; the definition lives in
 * the implementation file, presumably ike_cfg.c).
 */
extern enum_name_t *ike_version_names;
! 81:
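/**
 * An ike_cfg_t defines the rules to set up an IKE_SA.
 *
 * Instances are reference counted: get_ref() acquires an additional
 * reference, destroy() releases one and frees the object when the last
 * reference is gone.
 *
 * @see peer_cfg_t to get an overview over the configurations.
 */
struct ike_cfg_t {

	/**
	 * Get the IKE version to use with this configuration.
	 *
	 * @return			IKE major version
	 */
	ike_version_t (*get_version)(ike_cfg_t *this);

	/**
	 * Resolve the local address to use for initiation.
	 *
	 * NOTE(review): the returned host appears to be newly allocated and owned
	 * by the caller (destroy after use) — confirm against the implementation.
	 *
	 * @param family		address family to prefer, or AF_UNSPEC
	 * @return			resolved host, NULL on error
	 */
	host_t *(*resolve_me)(ike_cfg_t *this, int family);

	/**
	 * Resolve the remote address to use for initiation.
	 *
	 * NOTE(review): the returned host appears to be newly allocated and owned
	 * by the caller (destroy after use) — confirm against the implementation.
	 *
	 * @param family		address family to prefer, or AF_UNSPEC
	 * @return			resolved host, NULL on error
	 */
	host_t *(*resolve_other)(ike_cfg_t *this, int family);

	/**
	 * Check how good a host matches to the configured local address.
	 *
	 * @param host			host to check match quality
	 * @return			quality of the match, 0 if not matching at all
	 */
	u_int (*match_me)(ike_cfg_t *this, host_t *host);

	/**
	 * Check how good a host matches to the configured remote address.
	 *
	 * @param host			host to check match quality
	 * @return			quality of the match, 0 if not matching at all
	 */
	u_int (*match_other)(ike_cfg_t *this, host_t *host);

	/**
	 * Get own address, as configured via ike_cfg_create_t.local.
	 *
	 * NOTE(review): the string presumably points into the config's own
	 * storage and must not be freed by the caller — confirm.
	 *
	 * @return			string of address/DNS name
	 */
	char *(*get_my_addr)(ike_cfg_t *this);

	/**
	 * Get peer's address, as configured via ike_cfg_create_t.remote.
	 *
	 * NOTE(review): the string presumably points into the config's own
	 * storage and must not be freed by the caller — confirm.
	 *
	 * @return			string of address/DNS name
	 */
	char *(*get_other_addr)(ike_cfg_t *this);

	/**
	 * Get the port to use as our source port.
	 *
	 * @return			source address port, host order
	 */
	uint16_t (*get_my_port)(ike_cfg_t *this);

	/**
	 * Get the port to use as destination port.
	 *
	 * @return			destination port, host order
	 */
	uint16_t (*get_other_port)(ike_cfg_t *this);

	/**
	 * Get the DSCP value to use for IKE packets sent from connections.
	 *
	 * @return			DSCP value
	 */
	uint8_t (*get_dscp)(ike_cfg_t *this);

	/**
	 * Adds a proposal to the list.
	 *
	 * The first added proposal has the highest priority, the last
	 * added the lowest. It is safe to add NULL as proposal, which has no
	 * effect. Ownership of a non-NULL proposal passes to the config.
	 *
	 * @param proposal		proposal to add, or NULL
	 */
	void (*add_proposal)(ike_cfg_t *this, proposal_t *proposal);

	/**
	 * Returns a list of all supported proposals.
	 *
	 * Returned list and its proposals must be destroyed after use.
	 *
	 * @return			list containing all the proposals
	 */
	linked_list_t *(*get_proposals)(ike_cfg_t *this);

	/**
	 * Select a proposal from a list of supplied proposals.
	 *
	 * Returned proposal must be destroyed after use. The flags control how
	 * strictly the supplied proposals are matched against the configured
	 * ones, see proposal_selection_flag_t in crypto/proposal/proposal.h.
	 *
	 * @param proposals		list of proposals to select from
	 * @param flags			flags to consider during proposal selection
	 * @return			selected proposal, or NULL if none matches.
	 */
	proposal_t *(*select_proposal)(ike_cfg_t *this, linked_list_t *proposals,
								   proposal_selection_flag_t flags);

	/**
	 * Check if the config has a matching proposal.
	 *
	 * @param match			proposal to check
	 * @param private		TRUE to also accept algorithms from a private range
	 * @return			TRUE if a matching proposal is contained
	 */
	bool (*has_proposal)(ike_cfg_t *this, proposal_t *match, bool private);

	/**
	 * Should we send a certificate request in IKE_SA_INIT?
	 *
	 * This is the inverse of ike_cfg_create_t.no_certreq.
	 *
	 * @return			TRUE to send certificate requests
	 */
	bool (*send_certreq)(ike_cfg_t *this);

	/**
	 * Enforce UDP encapsulation by faking NATD notifies?
	 *
	 * When TRUE, NAT detection is deliberately reported as positive so that
	 * UDP encapsulation is used even where no NAT sits on the path.
	 *
	 * @return			TRUE to enforce UDP encapsulation
	 */
	bool (*force_encap)(ike_cfg_t *this);

	/**
	 * Use IKE fragmentation
	 *
	 * @return			fragmentation policy, see fragmentation_t
	 */
	fragmentation_t (*fragmentation)(ike_cfg_t *this);

	/**
	 * Whether to initiate/accept childless IKE_SAs
	 *
	 * @return			initiate/accept childless IKE_SAs, see childless_t
	 */
	childless_t (*childless)(ike_cfg_t *this);

	/**
	 * Get the DH group to use for IKE_SA setup.
	 *
	 * NOTE(review): presumably taken from the configured proposals — confirm
	 * how the group is chosen in the implementation.
	 *
	 * @return			dh group to use for initialization
	 */
	diffie_hellman_group_t (*get_dh_group)(ike_cfg_t *this);

	/**
	 * Check if two IKE configs are equal.
	 *
	 * @param other			other to check for equality
	 * @return			TRUE if other equal to this
	 */
	bool (*equals)(ike_cfg_t *this, ike_cfg_t *other);

	/**
	 * Increase reference count.
	 *
	 * Each reference obtained this way must be released with destroy().
	 *
	 * @return			reference to this
	 */
	ike_cfg_t *(*get_ref)(ike_cfg_t *this);

	/**
	 * Destroys a ike_cfg_t object.
	 *
	 * Decrements the internal reference counter and
	 * destroys the ike_cfg when it reaches zero.
	 */
	void (*destroy)(ike_cfg_t *this);
};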
! 262:
/**
 * Data passed to the constructor of an ike_cfg_t object.
 *
 * local and remote are comma separated lists of IP addresses, DNS names,
 * IP ranges or subnets. When initiating, the first non-range/subnet address is
 * used as address. When responding, a match is performed against all items in
 * the list.
 *
 * The string members are cloned by ike_cfg_create(), so the caller keeps
 * ownership of the strings it passes in.
 */
struct ike_cfg_create_t {
	/** IKE major version to use for this config (IKE_ANY = 0 if unset) */
	ike_version_t version;
	/** Address/DNS name of local peer (cloned, caller keeps ownership) */
	char *local;
	/** IKE port to use as source, 500 uses IKEv2 port floating
	 *  (i.e. switching to the NAT-T port once a NAT is detected) */
	uint16_t local_port;
	/** Address/DNS name of remote peer (cloned, caller keeps ownership) */
	char *remote;
	/** IKE port to use as dest, 500 uses IKEv2 port floating
	 *  (i.e. switching to the NAT-T port once a NAT is detected) */
	uint16_t remote_port;
	/** TRUE to not send any certificate requests
	 *  (inverse of ike_cfg_t.send_certreq) */
	bool no_certreq;
	/** Enforce UDP encapsulation by faking NATD notify */
	bool force_encap;
	/** IKE fragmentation policy, see fragmentation_t */
	fragmentation_t fragmentation;
	/** Childless IKE_SA configuration, see childless_t */
	childless_t childless;
	/** DSCP value to send IKE packets with (DS field value, RFC 2474) */
	uint8_t dscp;
};
! 293:
/**
 * Creates an ike_cfg_t object.
 *
 * The strings in data are cloned, so the caller retains ownership of data
 * and of the strings it references. The returned object carries one
 * reference, which the caller releases with destroy().
 *
 * @param data			data for this ike_cfg
 * @return				ike_cfg_t object.
 */
ike_cfg_t *ike_cfg_create(ike_cfg_create_t *data);
! 301:
/**
 * Determine the address family of the local or remote address(es). If multiple
 * families are configured AF_UNSPEC is returned. %any is ignored (%any4|6 are
 * not though).
 *
 * @param this			ike config to check
 * @param local			TRUE to check local addresses, FALSE for remote
 * @return				address family of address(es) if distinct,
 *						AF_UNSPEC otherwise
 */
int ike_cfg_get_family(ike_cfg_t *this, bool local);
! 312:
/**
 * Determine if the given address was explicitly configured as local or remote
 * address.
 *
 * NOTE(review): "explicitly configured" presumably means an exact address
 * entry in the list, not a range or subnet that merely contains addr — confirm
 * against the implementation before relying on this for policy decisions.
 *
 * @param this			ike config to check
 * @param addr			address to check
 * @param local			TRUE to check local addresses, FALSE for remote
 * @return				TRUE if address was configured
 */
bool ike_cfg_has_address(ike_cfg_t *this, host_t *addr, bool local);
! 323:
! 324: #endif /** IKE_CFG_H_ @}*/