Annotation of embedaddon/strongswan/src/libcharon/config/ike_cfg.h, revision 1.1.1.1
1.1 misho 1: /*
2: * Copyright (C) 2012-2019 Tobias Brunner
3: * Copyright (C) 2005-2007 Martin Willi
4: * Copyright (C) 2005 Jan Hutter
5: * HSR Hochschule fuer Technik Rapperswil
6: *
7: * This program is free software; you can redistribute it and/or modify it
8: * under the terms of the GNU General Public License as published by the
9: * Free Software Foundation; either version 2 of the License, or (at your
10: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11: *
12: * This program is distributed in the hope that it will be useful, but
13: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15: * for more details.
16: */
17:
18: /**
19: * @defgroup ike_cfg ike_cfg
20: * @{ @ingroup config
21: */
22:
23: #ifndef IKE_CFG_H_
24: #define IKE_CFG_H_
25:
26: typedef enum ike_version_t ike_version_t;
27: typedef enum fragmentation_t fragmentation_t;
28: typedef enum childless_t childless_t;
29: typedef struct ike_cfg_t ike_cfg_t;
30: typedef struct ike_cfg_create_t ike_cfg_create_t;
31:
32: #include <library.h>
33: #include <networking/host.h>
34: #include <collections/linked_list.h>
35: #include <utils/identification.h>
36: #include <crypto/proposal/proposal.h>
37: #include <crypto/diffie_hellman.h>
38:
39: /**
40: * IKE version.
41: */
42: enum ike_version_t {
43: /** any version */
44: IKE_ANY = 0,
45: /** IKE version 1 */
46: IKEV1 = 1,
47: /** IKE version 2 */
48: IKEV2 = 2,
49: };
50:
51: /**
52: * Proprietary IKEv1 fragmentation and IKEv2 fragmentation
53: */
54: enum fragmentation_t {
55: /** disable fragmentation */
56: FRAGMENTATION_NO,
57: /** announce support, but don't send any fragments */
58: FRAGMENTATION_ACCEPT,
59: /** enable fragmentation, if supported by peer */
60: FRAGMENTATION_YES,
61: /** force use of fragmentation (even for the first message for IKEv1) */
62: FRAGMENTATION_FORCE,
63: };
64:
65: /**
66: * Childless IKE_SAs (RFC 6023)
67: */
68: enum childless_t {
69: /** Allow childless IKE_SAs as responder, but initiate regular IKE_SAs */
70: CHILDLESS_ALLOW,
71: /** Don't accept childless IKE_SAs as responder, don't initiate them */
72: CHILDLESS_NEVER,
73: /** Only accept the creation of childless IKE_SAs (also as responder) */
74: CHILDLESS_FORCE,
75: };
76:
77: /**
78: * enum strings for ike_version_t
79: */
80: extern enum_name_t *ike_version_names;
81:
82: /**
83: * An ike_cfg_t defines the rules to set up an IKE_SA.
84: *
85: * @see peer_cfg_t to get an overview over the configurations.
86: */
87: struct ike_cfg_t {
88:
89: /**
90: * Get the IKE version to use with this configuration.
91: *
92: * @return IKE major version
93: */
94: ike_version_t (*get_version)(ike_cfg_t *this);
95:
96: /**
97: * Resolve the local address to use for initiation.
98: *
99: * @param family address family to prefer, or AF_UNSPEC
100: * @return resolved host, NULL on error
101: */
102: host_t* (*resolve_me)(ike_cfg_t *this, int family);
103:
104: /**
105: * Resolve the remote address to use for initiation.
106: *
107: * @param family address family to prefer, or AF_UNSPEC
108: * @return resolved host, NULL on error
109: */
110: host_t* (*resolve_other)(ike_cfg_t *this, int family);
111:
112: /**
113: * Check how good a host matches to the configured local address.
114: *
115: * @param host host to check match quality
116: * @return quality of the match, 0 if not matching at all
117: */
118: u_int (*match_me)(ike_cfg_t *this, host_t *host);
119:
120: /**
121: * Check how good a host matches to the configured remote address.
122: *
123: * @param host host to check match quality
124: * @return quality of the match, 0 if not matching at all
125: */
126: u_int (*match_other)(ike_cfg_t *this, host_t *host);
127:
128: /**
129: * Get own address.
130: *
131: * @return string of address/DNS name
132: */
133: char* (*get_my_addr) (ike_cfg_t *this);
134:
135: /**
136: * Get peer's address.
137: *
138: * @return string of address/DNS name
139: */
140: char* (*get_other_addr) (ike_cfg_t *this);
141:
142: /**
143: * Get the port to use as our source port.
144: *
145: * @return source address port, host order
146: */
147: uint16_t (*get_my_port)(ike_cfg_t *this);
148:
149: /**
150: * Get the port to use as destination port.
151: *
152: * @return destination address, host order
153: */
154: uint16_t (*get_other_port)(ike_cfg_t *this);
155:
156: /**
157: * Get the DSCP value to use for IKE packets send from connections.
158: *
159: * @return DSCP value
160: */
161: uint8_t (*get_dscp)(ike_cfg_t *this);
162:
163: /**
164: * Adds a proposal to the list.
165: *
166: * The first added proposal has the highest priority, the last
167: * added the lowest. It is safe to add NULL as proposal, which has no
168: * effect.
169: *
170: * @param proposal proposal to add, or NULL
171: */
172: void (*add_proposal) (ike_cfg_t *this, proposal_t *proposal);
173:
174: /**
175: * Returns a list of all supported proposals.
176: *
177: * Returned list and its proposals must be destroyed after use.
178: *
179: * @return list containing all the proposals
180: */
181: linked_list_t* (*get_proposals) (ike_cfg_t *this);
182:
183: /**
184: * Select a proposal from a list of supplied proposals.
185: *
186: * Returned proposal must be destroyed after use.
187: *
188: * @param proposals list of proposals to select from
189: * @param flags flags to consider during proposal selection
190: * @return selected proposal, or NULL if none matches.
191: */
192: proposal_t *(*select_proposal) (ike_cfg_t *this, linked_list_t *proposals,
193: proposal_selection_flag_t flags);
194:
195: /**
196: * Check if the config has a matching proposal.
197: *
198: * @param match proposal to check
199: * @param private accept algorithms from a private range
200: * @return TRUE if a matching proposal is contained
201: */
202: bool(*has_proposal)(ike_cfg_t *this, proposal_t *match, bool private);
203:
204: /**
205: * Should we send a certificate request in IKE_SA_INIT?
206: *
207: * @return certificate request sending policy
208: */
209: bool (*send_certreq) (ike_cfg_t *this);
210:
211: /**
212: * Enforce UDP encapsulation by faking NATD notifies?
213: *
214: * @return TRUE to enforce UDP encapsulation
215: */
216: bool (*force_encap) (ike_cfg_t *this);
217:
218: /**
219: * Use IKE fragmentation
220: *
221: * @return TRUE to use fragmentation
222: */
223: fragmentation_t (*fragmentation) (ike_cfg_t *this);
224:
225: /**
226: * Whether to initiate/accept childless IKE_SAs
227: *
228: * @return initiate/accept childless IKE_SAs
229: */
230: childless_t (*childless)(ike_cfg_t *this);
231:
232: /**
233: * Get the DH group to use for IKE_SA setup.
234: *
235: * @return dh group to use for initialization
236: */
237: diffie_hellman_group_t (*get_dh_group)(ike_cfg_t *this);
238:
239: /**
240: * Check if two IKE configs are equal.
241: *
242: * @param other other to check for equality
243: * @return TRUE if other equal to this
244: */
245: bool (*equals)(ike_cfg_t *this, ike_cfg_t *other);
246:
247: /**
248: * Increase reference count.
249: *
250: * @return reference to this
251: */
252: ike_cfg_t* (*get_ref) (ike_cfg_t *this);
253:
254: /**
255: * Destroys a ike_cfg_t object.
256: *
257: * Decrements the internal reference counter and
258: * destroys the ike_cfg when it reaches zero.
259: */
260: void (*destroy) (ike_cfg_t *this);
261: };
262:
263: /**
264: * Data passed to the constructor of an ike_cfg_t object.
265: *
266: * local and remote are comma separated lists of IP addresses, DNS names,
267: * IP ranges or subnets. When initiating, the first non-range/subnet address is
268: * used as address. When responding, a match is performed against all items in
269: * the list.
270: */
271: struct ike_cfg_create_t {
272: /** IKE major version to use for this config */
273: ike_version_t version;
274: /** Address/DNS name of local peer (cloned) */
275: char *local;
276: /** IKE port to use as source, 500 uses IKEv2 port floating */
277: uint16_t local_port;
278: /** Address/DNS name of remote peer (cloned) */
279: char *remote;
280: /** IKE port to use as dest, 500 uses IKEv2 port floating */
281: uint16_t remote_port;
282: /** TRUE to not send any certificate requests */
283: bool no_certreq;
284: /** Enforce UDP encapsulation by faking NATD notify */
285: bool force_encap;
286: /** Use IKE fragmentation */
287: fragmentation_t fragmentation;
288: /** Childless IKE_SA configuration */
289: childless_t childless;
290: /** DSCP value to send IKE packets with */
291: uint8_t dscp;
292: };
293:
294: /**
295: * Creates an ike_cfg_t object.
296: *
297: * @param data data for this ike_cfg
298: * @return ike_cfg_t object.
299: */
300: ike_cfg_t *ike_cfg_create(ike_cfg_create_t *data);
301:
302: /**
303: * Determine the address family of the local or remote address(es). If multiple
304: * families are configured AF_UNSPEC is returned. %any is ignored (%any4|6 are
305: * not though).
306: *
307: * @param this ike config to check
308: * @param local TRUE to check local addresses, FALSE for remote
309: * @return address family of address(es) if distinct
310: */
311: int ike_cfg_get_family(ike_cfg_t *this, bool local);
312:
313: /**
314: * Determine if the given address was explicitly configured as local or remote
315: * address.
316: *
317: * @param this ike config to check
318: * @param addr address to check
319: * @param local TRUE to check local addresses, FALSE for remote
320: * @return TRUE if address was configured
321: */
322: bool ike_cfg_has_address(ike_cfg_t *this, host_t *addr, bool local);
323:
324: #endif /** IKE_CFG_H_ @}*/
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>