Annotation of embedaddon/strongswan/src/libcharon/config/peer_cfg.h, revision 1.1
1.1 ! misho 1: /*
! 2: * Copyright (C) 2007-2019 Tobias Brunner
! 3: * Copyright (C) 2005-2009 Martin Willi
! 4: * Copyright (C) 2005 Jan Hutter
! 5: * HSR Hochschule fuer Technik Rapperswil
! 6: *
! 7: * This program is free software; you can redistribute it and/or modify it
! 8: * under the terms of the GNU General Public License as published by the
! 9: * Free Software Foundation; either version 2 of the License, or (at your
! 10: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
! 11: *
! 12: * This program is distributed in the hope that it will be useful, but
! 13: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
! 14: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
! 15: * for more details.
! 16: */
! 17:
! 18: /**
! 19: * @defgroup peer_cfg peer_cfg
! 20: * @{ @ingroup config
! 21: */
! 22:
! 23: #ifndef PEER_CFG_H_
! 24: #define PEER_CFG_H_
! 25:
! 26: typedef enum cert_policy_t cert_policy_t;
! 27: typedef enum unique_policy_t unique_policy_t;
! 28: typedef struct peer_cfg_t peer_cfg_t;
! 29: typedef struct peer_cfg_create_t peer_cfg_create_t;
! 30:
! 31: #include <library.h>
! 32: #include <utils/identification.h>
! 33: #include <collections/enumerator.h>
! 34: #include <selectors/traffic_selector.h>
! 35: #include <crypto/proposal/proposal.h>
! 36: #include <config/ike_cfg.h>
! 37: #include <config/child_cfg.h>
! 38: #include <credentials/auth_cfg.h>
! 39:
! 40: /**
! 41: * Certificate sending policy. This is also used for certificate
! 42: * requests when using this definition for the other peer. If
! 43: * it is CERT_NEVER_SEND, a certreq is omitted, otherwise its
! 44: * included.
! 45: *
! 46: * @warning These definitions must be the same as in pluto/starter,
! 47: * as they are sent over the stroke socket.
! 48: */
! 49: enum cert_policy_t {
! 50: /** always send certificates, even when not requested */
! 51: CERT_ALWAYS_SEND = 0,
! 52: /** send certificate upon cert request */
! 53: CERT_SEND_IF_ASKED = 1,
! 54: /** never send a certificate, even when requested */
! 55: CERT_NEVER_SEND = 2,
! 56: };
! 57:
! 58: /**
! 59: * enum strings for cert_policy_t
! 60: */
! 61: extern enum_name_t *cert_policy_names;
! 62:
! 63: /**
! 64: * Uniqueness of an IKE_SA, used to drop multiple connections with one peer.
! 65: */
! 66: enum unique_policy_t {
! 67: /** never check for client uniqueness */
! 68: UNIQUE_NEVER,
! 69: /** only check for client uniqueness when receiving an INITIAL_CONTACT */
! 70: UNIQUE_NO,
! 71: /** replace existing IKE_SAs when new ones get established by a client */
! 72: UNIQUE_REPLACE,
! 73: /** keep existing IKE_SAs, close the new ones on connection attempt */
! 74: UNIQUE_KEEP,
! 75: };
! 76:
! 77: /**
! 78: * enum strings for unique_policy_t
! 79: */
! 80: extern enum_name_t *unique_policy_names;
! 81:
! 82: /**
! 83: * Configuration of a peer, specified by IDs.
! 84: *
! 85: * The peer config defines a connection between two given IDs. It contains
! 86: * exactly one ike_cfg_t, which is used for initiation. Additionally, it
! 87: * contains multiple child_cfg_t defining which CHILD_SAs are allowed for this
! 88: * peer.
! 89: * @verbatim
! 90: +-------------------+ +---------------+
! 91: +---------------+ | peer_cfg | +---------------+ |
! 92: | ike_cfg | +-------------------+ | child_cfg | |
! 93: +---------------+ | - ids | +---------------+ |
! 94: | - hosts | 1 1 | - cas | 1 n | - proposals | |
! 95: | - proposals |<-----| - auth info |----->| - traffic sel | |
! 96: | - ... | | - dpd config | | - ... |-+
! 97: +---------------+ | - ... | +---------------+
! 98: +-------------------+
! 99: | 1 0 |
! 100: | |
! 101: v n n V
! 102: +-------------------+ +-------------------+
! 103: +-------------------+ | +-------------------+ |
! 104: | auth_cfg | | | auth_cfg | |
! 105: +-------------------+ | +-------------------+ |
! 106: | - local rules |-+ | - remote constr. |-+
! 107: +-------------------+ +-------------------+
! 108: @endverbatim
! 109: *
! 110: * Each peer_cfg has two lists of authentication config attached. Local
! 111: * authentication configs define how to authenticate ourself against the remote
! 112: * peer. Each config is enforced using the multiple authentication extension
! 113: * (RFC4739).
! 114: * The remote authentication configs are handled as constraints. The peer has
! 115: * to fulfill each of these rules (using multiple authentication, in any order)
! 116: * to gain access to the configuration.
! 117: */
! 118: struct peer_cfg_t {
! 119:
! 120: /**
! 121: * Get the name of the peer_cfg.
! 122: *
! 123: * Returned object is not getting cloned.
! 124: *
! 125: * @return peer_cfg's name
! 126: */
! 127: char* (*get_name) (peer_cfg_t *this);
! 128:
! 129: /**
! 130: * Get the IKE version to use for initiating.
! 131: *
! 132: * @return IKE major version
! 133: */
! 134: ike_version_t (*get_ike_version)(peer_cfg_t *this);
! 135:
! 136: /**
! 137: * Get the IKE config to use for initiation.
! 138: *
! 139: * @return the IKE config to use
! 140: */
! 141: ike_cfg_t* (*get_ike_cfg) (peer_cfg_t *this);
! 142:
! 143: /**
! 144: * Attach a CHILD config.
! 145: *
! 146: * @param child_cfg CHILD config to add
! 147: */
! 148: void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg);
! 149:
! 150: /**
! 151: * Detach a CHILD config, pointed to by an enumerator.
! 152: *
! 153: * @param enumerator enumerator indicating element position
! 154: */
! 155: void (*remove_child_cfg)(peer_cfg_t *this, enumerator_t *enumerator);
! 156:
! 157: /**
! 158: * Replace the CHILD configs with those in the given PEER config.
! 159: *
! 160: * The enumerator enumerates the removed and added CHILD configs
! 161: * (child_cfg_t*, bool), where the flag is FALSE for removed configs and
! 162: * TRUE for added configs. Configs that are equal are not enumerated.
! 163: *
! 164: * @param other other config to get CHILD configs from
! 165: * @return an enumerator over removed/added CHILD configs
! 166: */
! 167: enumerator_t* (*replace_child_cfgs)(peer_cfg_t *this, peer_cfg_t *other);
! 168:
! 169: /**
! 170: * Create an enumerator for all attached CHILD configs.
! 171: *
! 172: * @return an enumerator over all CHILD configs.
! 173: */
! 174: enumerator_t* (*create_child_cfg_enumerator) (peer_cfg_t *this);
! 175:
! 176: /**
! 177: * Select a CHILD config from traffic selectors.
! 178: *
! 179: * @param my_ts TS for local side
! 180: * @param other_ts TS for remote side
! 181: * @param my_hosts hosts to narrow down dynamic TS for local side
! 182: * @param other_hosts hosts to narrow down dynamic TS for remote side
! 183: * @return selected CHILD config, or NULL if no match found
! 184: */
! 185: child_cfg_t* (*select_child_cfg) (peer_cfg_t *this,
! 186: linked_list_t *my_ts, linked_list_t *other_ts,
! 187: linked_list_t *my_hosts, linked_list_t *other_hosts);
! 188:
! 189: /**
! 190: * Add an authentication config to the peer configuration.
! 191: *
! 192: * @param cfg config to add
! 193: * @param local TRUE for local rules, FALSE for remote constraints
! 194: */
! 195: void (*add_auth_cfg)(peer_cfg_t *this, auth_cfg_t *cfg, bool local);
! 196:
! 197: /**
! 198: * Create an enumerator over registered authentication configs.
! 199: *
! 200: * @param local TRUE for local rules, FALSE for remote constraints
! 201: * @return enumerator over auth_cfg_t*
! 202: */
! 203: enumerator_t* (*create_auth_cfg_enumerator)(peer_cfg_t *this, bool local);
! 204:
! 205: /**
! 206: * Should a certificate be sent for this connection?
! 207: *
! 208: * @return certificate sending policy
! 209: */
! 210: cert_policy_t (*get_cert_policy) (peer_cfg_t *this);
! 211:
! 212: /**
! 213: * How to handle uniqueness of IKE_SAs?
! 214: *
! 215: * @return unique policy
! 216: */
! 217: unique_policy_t (*get_unique_policy) (peer_cfg_t *this);
! 218:
! 219: /**
! 220: * Get the max number of retries after timeout.
! 221: *
! 222: * @return max number retries
! 223: */
! 224: uint32_t (*get_keyingtries) (peer_cfg_t *this);
! 225:
! 226: /**
! 227: * Get a time to start rekeying.
! 228: *
! 229: * @param jitter subtract a jitter value to randomize time
! 230: * @return time in s when to start rekeying, 0 disables rekeying
! 231: */
! 232: uint32_t (*get_rekey_time)(peer_cfg_t *this, bool jitter);
! 233:
! 234: /**
! 235: * Get a time to start reauthentication.
! 236: *
! 237: * @param jitter subtract a jitter value to randomize time
! 238: * @return time in s when to start reauthentication, 0 disables it
! 239: */
! 240: uint32_t (*get_reauth_time)(peer_cfg_t *this, bool jitter);
! 241:
! 242: /**
! 243: * Get the timeout of a rekeying/reauthenticating SA.
! 244: *
! 245: * @return timeout in s
! 246: */
! 247: uint32_t (*get_over_time)(peer_cfg_t *this);
! 248:
! 249: /**
! 250: * Use MOBIKE (RFC4555) if peer supports it?
! 251: *
! 252: * @return TRUE to enable MOBIKE support
! 253: */
! 254: bool (*use_mobike) (peer_cfg_t *this);
! 255:
! 256: /**
! 257: * Use/Accept aggressive mode with IKEv1?.
! 258: *
! 259: * @return TRUE to use aggressive mode
! 260: */
! 261: bool (*use_aggressive)(peer_cfg_t *this);
! 262:
! 263: /**
! 264: * Use pull or push mode for mode config?
! 265: *
! 266: * @return TRUE to use pull, FALSE to use push mode
! 267: */
! 268: bool (*use_pull_mode)(peer_cfg_t *this);
! 269:
! 270: /**
! 271: * Get the DPD check interval.
! 272: *
! 273: * @return dpd_delay in seconds
! 274: */
! 275: uint32_t (*get_dpd) (peer_cfg_t *this);
! 276:
! 277: /**
! 278: * Get the DPD timeout interval (IKEv1 only)
! 279: *
! 280: * @return dpd_timeout in seconds
! 281: */
! 282: uint32_t (*get_dpd_timeout) (peer_cfg_t *this);
! 283:
! 284: /**
! 285: * Add a virtual IP to request as initiator.
! 286: *
! 287: * @param vip virtual IP to request, may be %any or %any6
! 288: */
! 289: void (*add_virtual_ip)(peer_cfg_t *this, host_t *vip);
! 290:
! 291: /**
! 292: * Create an enumerator over virtual IPs to request.
! 293: *
! 294: * The returned enumerator enumerates over IPs added with add_virtual_ip().
! 295: *
! 296: * @return enumerator over host_t*
! 297: */
! 298: enumerator_t* (*create_virtual_ip_enumerator)(peer_cfg_t *this);
! 299:
! 300: /**
! 301: * Add a pool name this configuration uses to select virtual IPs.
! 302: *
! 303: * @param name pool name to use for virtual IP lookup
! 304: */
! 305: void (*add_pool)(peer_cfg_t *this, char *name);
! 306:
! 307: /**
! 308: * Create an enumerator over pool names of this config.
! 309: *
! 310: * @return enumerator over char*
! 311: */
! 312: enumerator_t* (*create_pool_enumerator)(peer_cfg_t *this);
! 313:
! 314: /**
! 315: * Optional interface ID to set on policies/SAs.
! 316: *
! 317: * @param inbound TRUE for inbound, FALSE for outbound
! 318: * @return interface ID
! 319: */
! 320: uint32_t (*get_if_id)(peer_cfg_t *this, bool inbound);
! 321:
! 322: /**
! 323: * Get the PPK ID to use with this peer.
! 324: *
! 325: * @return PPK id
! 326: */
! 327: identification_t *(*get_ppk_id)(peer_cfg_t *this);
! 328:
! 329: /**
! 330: * Whether a PPK is required with this peer.
! 331: *
! 332: * @return TRUE, if a PPK is required
! 333: */
! 334: bool (*ppk_required)(peer_cfg_t *this);
! 335:
! 336: #ifdef ME
! 337: /**
! 338: * Is this a mediation connection?
! 339: *
! 340: * @return TRUE, if this is a mediation connection
! 341: */
! 342: bool (*is_mediation)(peer_cfg_t *this);
! 343:
! 344: /**
! 345: * Get name of the connection this one is mediated through.
! 346: *
! 347: * @return the name of the mediation connection
! 348: */
! 349: char* (*get_mediated_by)(peer_cfg_t *this);
! 350:
! 351: /**
! 352: * Get the id of the other peer at the mediation server.
! 353: *
! 354: * This is the leftid of the peer's connection with the mediation server.
! 355: *
! 356: * If it is not configured, it is assumed to be the same as the right id
! 357: * of this connection.
! 358: *
! 359: * @return the id of the other peer
! 360: */
! 361: identification_t* (*get_peer_id)(peer_cfg_t *this);
! 362: #endif /* ME */
! 363:
! 364: /**
! 365: * Check if two peer configurations are equal.
! 366: *
! 367: * This method does not compare associated ike/child_cfg.
! 368: *
! 369: * @param other candidate to check for equality against this
! 370: * @return TRUE if peer_cfg and ike_cfg are equal
! 371: */
! 372: bool (*equals)(peer_cfg_t *this, peer_cfg_t *other);
! 373:
! 374: /**
! 375: * Increase reference count.
! 376: *
! 377: * @return reference to this
! 378: */
! 379: peer_cfg_t* (*get_ref) (peer_cfg_t *this);
! 380:
! 381: /**
! 382: * Destroys the peer_cfg object.
! 383: *
! 384: * Decrements the internal reference counter and
! 385: * destroys the peer_cfg when it reaches zero.
! 386: */
! 387: void (*destroy) (peer_cfg_t *this);
! 388: };
! 389:
! 390: /**
! 391: * Data passed to the constructor of a peer_cfg_t object.
! 392: */
! 393: struct peer_cfg_create_t {
! 394: /** Whether to send a certificate payload */
! 395: cert_policy_t cert_policy;
! 396: /** Uniqueness of an IKE_SA */
! 397: unique_policy_t unique;
! 398: /** How many keying tries should be done before giving up */
! 399: uint32_t keyingtries;
! 400: /** Timeout in seconds before starting rekeying */
! 401: uint32_t rekey_time;
! 402: /** Timeout in seconds before starting reauthentication */
! 403: uint32_t reauth_time;
! 404: /** Time range in seconds to randomly subtract from rekey/reauth time */
! 405: uint32_t jitter_time;
! 406: /** Maximum overtime in seconds before closing a rekeying/reauth SA */
! 407: uint32_t over_time;
! 408: /** Disable MOBIKE (RFC4555) */
! 409: bool no_mobike;
! 410: /** Use/accept aggressive mode with IKEv1 */
! 411: bool aggressive;
! 412: /** TRUE to use modeconfig push, FALSE for pull */
! 413: bool push_mode;
! 414: /** DPD check interval, 0 to disable */
! 415: uint32_t dpd;
! 416: /** DPD timeout interval (IKEv1 only), if 0 default applies */
! 417: uint32_t dpd_timeout;
! 418: /** Optional inbound interface ID */
! 419: uint32_t if_id_in;
! 420: /** Optional outbound interface ID */
! 421: uint32_t if_id_out;
! 422: /** Postquantum Preshared Key ID (adopted) */
! 423: identification_t *ppk_id;
! 424: /** TRUE if a PPK is required, FALSE if it's optional */
! 425: bool ppk_required;
! 426: #ifdef ME
! 427: /** TRUE if this is a mediation connection */
! 428: bool mediation;
! 429: /** peer_cfg_t of the mediation connection to mediate through (cloned) */
! 430: char *mediated_by;
! 431: /** ID that identifies our peer at the mediation server (adopted) */
! 432: identification_t *peer_id;
! 433: #endif /* ME */
! 434: };
! 435:
! 436: /**
! 437: * Create a configuration object for IKE_AUTH and later.
! 438: *
! 439: * @param name name of the peer_cfg (cloned)
! 440: * @param ike_cfg IKE config to use when acting as initiator (adopted)
! 441: * @param data data for this peer_cfg
! 442: * @return peer_cfg_t object
! 443: */
! 444: peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg,
! 445: peer_cfg_create_t *data);
! 446:
! 447: #endif /** PEER_CFG_H_ @}*/
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>