Annotation of embedaddon/strongswan/src/libcharon/config/peer_cfg.h, revision 1.1.1.1
1.1 misho 1: /*
2: * Copyright (C) 2007-2019 Tobias Brunner
3: * Copyright (C) 2005-2009 Martin Willi
4: * Copyright (C) 2005 Jan Hutter
5: * HSR Hochschule fuer Technik Rapperswil
6: *
7: * This program is free software; you can redistribute it and/or modify it
8: * under the terms of the GNU General Public License as published by the
9: * Free Software Foundation; either version 2 of the License, or (at your
10: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11: *
12: * This program is distributed in the hope that it will be useful, but
13: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15: * for more details.
16: */
17:
18: /**
19: * @defgroup peer_cfg peer_cfg
20: * @{ @ingroup config
21: */
22:
23: #ifndef PEER_CFG_H_
24: #define PEER_CFG_H_
25:
26: typedef enum cert_policy_t cert_policy_t;
27: typedef enum unique_policy_t unique_policy_t;
28: typedef struct peer_cfg_t peer_cfg_t;
29: typedef struct peer_cfg_create_t peer_cfg_create_t;
30:
31: #include <library.h>
32: #include <utils/identification.h>
33: #include <collections/enumerator.h>
34: #include <selectors/traffic_selector.h>
35: #include <crypto/proposal/proposal.h>
36: #include <config/ike_cfg.h>
37: #include <config/child_cfg.h>
38: #include <credentials/auth_cfg.h>
39:
40: /**
41: * Certificate sending policy. This is also used for certificate
42: * requests when using this definition for the other peer. If
43: * it is CERT_NEVER_SEND, a certreq is omitted, otherwise its
44: * included.
45: *
46: * @warning These definitions must be the same as in pluto/starter,
47: * as they are sent over the stroke socket.
48: */
49: enum cert_policy_t {
50: /** always send certificates, even when not requested */
51: CERT_ALWAYS_SEND = 0,
52: /** send certificate upon cert request */
53: CERT_SEND_IF_ASKED = 1,
54: /** never send a certificate, even when requested */
55: CERT_NEVER_SEND = 2,
56: };
57:
58: /**
59: * enum strings for cert_policy_t
60: */
61: extern enum_name_t *cert_policy_names;
62:
63: /**
64: * Uniqueness of an IKE_SA, used to drop multiple connections with one peer.
65: */
66: enum unique_policy_t {
67: /** never check for client uniqueness */
68: UNIQUE_NEVER,
69: /** only check for client uniqueness when receiving an INITIAL_CONTACT */
70: UNIQUE_NO,
71: /** replace existing IKE_SAs when new ones get established by a client */
72: UNIQUE_REPLACE,
73: /** keep existing IKE_SAs, close the new ones on connection attempt */
74: UNIQUE_KEEP,
75: };
76:
77: /**
78: * enum strings for unique_policy_t
79: */
80: extern enum_name_t *unique_policy_names;
81:
82: /**
83: * Configuration of a peer, specified by IDs.
84: *
85: * The peer config defines a connection between two given IDs. It contains
86: * exactly one ike_cfg_t, which is used for initiation. Additionally, it
87: * contains multiple child_cfg_t defining which CHILD_SAs are allowed for this
88: * peer.
89: * @verbatim
90: +-------------------+ +---------------+
91: +---------------+ | peer_cfg | +---------------+ |
92: | ike_cfg | +-------------------+ | child_cfg | |
93: +---------------+ | - ids | +---------------+ |
94: | - hosts | 1 1 | - cas | 1 n | - proposals | |
95: | - proposals |<-----| - auth info |----->| - traffic sel | |
96: | - ... | | - dpd config | | - ... |-+
97: +---------------+ | - ... | +---------------+
98: +-------------------+
99: | 1 0 |
100: | |
101: v n n V
102: +-------------------+ +-------------------+
103: +-------------------+ | +-------------------+ |
104: | auth_cfg | | | auth_cfg | |
105: +-------------------+ | +-------------------+ |
106: | - local rules |-+ | - remote constr. |-+
107: +-------------------+ +-------------------+
108: @endverbatim
109: *
110: * Each peer_cfg has two lists of authentication config attached. Local
111: * authentication configs define how to authenticate ourself against the remote
112: * peer. Each config is enforced using the multiple authentication extension
113: * (RFC4739).
114: * The remote authentication configs are handled as constraints. The peer has
115: * to fulfill each of these rules (using multiple authentication, in any order)
116: * to gain access to the configuration.
117: */
118: struct peer_cfg_t {
119:
120: /**
121: * Get the name of the peer_cfg.
122: *
123: * Returned object is not getting cloned.
124: *
125: * @return peer_cfg's name
126: */
127: char* (*get_name) (peer_cfg_t *this);
128:
129: /**
130: * Get the IKE version to use for initiating.
131: *
132: * @return IKE major version
133: */
134: ike_version_t (*get_ike_version)(peer_cfg_t *this);
135:
136: /**
137: * Get the IKE config to use for initiation.
138: *
139: * @return the IKE config to use
140: */
141: ike_cfg_t* (*get_ike_cfg) (peer_cfg_t *this);
142:
143: /**
144: * Attach a CHILD config.
145: *
146: * @param child_cfg CHILD config to add
147: */
148: void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg);
149:
150: /**
151: * Detach a CHILD config, pointed to by an enumerator.
152: *
153: * @param enumerator enumerator indicating element position
154: */
155: void (*remove_child_cfg)(peer_cfg_t *this, enumerator_t *enumerator);
156:
157: /**
158: * Replace the CHILD configs with those in the given PEER config.
159: *
160: * The enumerator enumerates the removed and added CHILD configs
161: * (child_cfg_t*, bool), where the flag is FALSE for removed configs and
162: * TRUE for added configs. Configs that are equal are not enumerated.
163: *
164: * @param other other config to get CHILD configs from
165: * @return an enumerator over removed/added CHILD configs
166: */
167: enumerator_t* (*replace_child_cfgs)(peer_cfg_t *this, peer_cfg_t *other);
168:
169: /**
170: * Create an enumerator for all attached CHILD configs.
171: *
172: * @return an enumerator over all CHILD configs.
173: */
174: enumerator_t* (*create_child_cfg_enumerator) (peer_cfg_t *this);
175:
176: /**
177: * Select a CHILD config from traffic selectors.
178: *
179: * @param my_ts TS for local side
180: * @param other_ts TS for remote side
181: * @param my_hosts hosts to narrow down dynamic TS for local side
182: * @param other_hosts hosts to narrow down dynamic TS for remote side
183: * @return selected CHILD config, or NULL if no match found
184: */
185: child_cfg_t* (*select_child_cfg) (peer_cfg_t *this,
186: linked_list_t *my_ts, linked_list_t *other_ts,
187: linked_list_t *my_hosts, linked_list_t *other_hosts);
188:
189: /**
190: * Add an authentication config to the peer configuration.
191: *
192: * @param cfg config to add
193: * @param local TRUE for local rules, FALSE for remote constraints
194: */
195: void (*add_auth_cfg)(peer_cfg_t *this, auth_cfg_t *cfg, bool local);
196:
197: /**
198: * Create an enumerator over registered authentication configs.
199: *
200: * @param local TRUE for local rules, FALSE for remote constraints
201: * @return enumerator over auth_cfg_t*
202: */
203: enumerator_t* (*create_auth_cfg_enumerator)(peer_cfg_t *this, bool local);
204:
205: /**
206: * Should a certificate be sent for this connection?
207: *
208: * @return certificate sending policy
209: */
210: cert_policy_t (*get_cert_policy) (peer_cfg_t *this);
211:
212: /**
213: * How to handle uniqueness of IKE_SAs?
214: *
215: * @return unique policy
216: */
217: unique_policy_t (*get_unique_policy) (peer_cfg_t *this);
218:
219: /**
220: * Get the max number of retries after timeout.
221: *
222: * @return max number retries
223: */
224: uint32_t (*get_keyingtries) (peer_cfg_t *this);
225:
226: /**
227: * Get a time to start rekeying.
228: *
229: * @param jitter subtract a jitter value to randomize time
230: * @return time in s when to start rekeying, 0 disables rekeying
231: */
232: uint32_t (*get_rekey_time)(peer_cfg_t *this, bool jitter);
233:
234: /**
235: * Get a time to start reauthentication.
236: *
237: * @param jitter subtract a jitter value to randomize time
238: * @return time in s when to start reauthentication, 0 disables it
239: */
240: uint32_t (*get_reauth_time)(peer_cfg_t *this, bool jitter);
241:
242: /**
243: * Get the timeout of a rekeying/reauthenticating SA.
244: *
245: * @return timeout in s
246: */
247: uint32_t (*get_over_time)(peer_cfg_t *this);
248:
249: /**
250: * Use MOBIKE (RFC4555) if peer supports it?
251: *
252: * @return TRUE to enable MOBIKE support
253: */
254: bool (*use_mobike) (peer_cfg_t *this);
255:
256: /**
257: * Use/Accept aggressive mode with IKEv1?.
258: *
259: * @return TRUE to use aggressive mode
260: */
261: bool (*use_aggressive)(peer_cfg_t *this);
262:
263: /**
264: * Use pull or push mode for mode config?
265: *
266: * @return TRUE to use pull, FALSE to use push mode
267: */
268: bool (*use_pull_mode)(peer_cfg_t *this);
269:
270: /**
271: * Get the DPD check interval.
272: *
273: * @return dpd_delay in seconds
274: */
275: uint32_t (*get_dpd) (peer_cfg_t *this);
276:
277: /**
278: * Get the DPD timeout interval (IKEv1 only)
279: *
280: * @return dpd_timeout in seconds
281: */
282: uint32_t (*get_dpd_timeout) (peer_cfg_t *this);
283:
284: /**
285: * Add a virtual IP to request as initiator.
286: *
287: * @param vip virtual IP to request, may be %any or %any6
288: */
289: void (*add_virtual_ip)(peer_cfg_t *this, host_t *vip);
290:
291: /**
292: * Create an enumerator over virtual IPs to request.
293: *
294: * The returned enumerator enumerates over IPs added with add_virtual_ip().
295: *
296: * @return enumerator over host_t*
297: */
298: enumerator_t* (*create_virtual_ip_enumerator)(peer_cfg_t *this);
299:
300: /**
301: * Add a pool name this configuration uses to select virtual IPs.
302: *
303: * @param name pool name to use for virtual IP lookup
304: */
305: void (*add_pool)(peer_cfg_t *this, char *name);
306:
307: /**
308: * Create an enumerator over pool names of this config.
309: *
310: * @return enumerator over char*
311: */
312: enumerator_t* (*create_pool_enumerator)(peer_cfg_t *this);
313:
314: /**
315: * Optional interface ID to set on policies/SAs.
316: *
317: * @param inbound TRUE for inbound, FALSE for outbound
318: * @return interface ID
319: */
320: uint32_t (*get_if_id)(peer_cfg_t *this, bool inbound);
321:
322: /**
323: * Get the PPK ID to use with this peer.
324: *
325: * @return PPK id
326: */
327: identification_t *(*get_ppk_id)(peer_cfg_t *this);
328:
329: /**
330: * Whether a PPK is required with this peer.
331: *
332: * @return TRUE, if a PPK is required
333: */
334: bool (*ppk_required)(peer_cfg_t *this);
335:
336: #ifdef ME
337: /**
338: * Is this a mediation connection?
339: *
340: * @return TRUE, if this is a mediation connection
341: */
342: bool (*is_mediation)(peer_cfg_t *this);
343:
344: /**
345: * Get name of the connection this one is mediated through.
346: *
347: * @return the name of the mediation connection
348: */
349: char* (*get_mediated_by)(peer_cfg_t *this);
350:
351: /**
352: * Get the id of the other peer at the mediation server.
353: *
354: * This is the leftid of the peer's connection with the mediation server.
355: *
356: * If it is not configured, it is assumed to be the same as the right id
357: * of this connection.
358: *
359: * @return the id of the other peer
360: */
361: identification_t* (*get_peer_id)(peer_cfg_t *this);
362: #endif /* ME */
363:
364: /**
365: * Check if two peer configurations are equal.
366: *
367: * This method does not compare associated ike/child_cfg.
368: *
369: * @param other candidate to check for equality against this
370: * @return TRUE if peer_cfg and ike_cfg are equal
371: */
372: bool (*equals)(peer_cfg_t *this, peer_cfg_t *other);
373:
374: /**
375: * Increase reference count.
376: *
377: * @return reference to this
378: */
379: peer_cfg_t* (*get_ref) (peer_cfg_t *this);
380:
381: /**
382: * Destroys the peer_cfg object.
383: *
384: * Decrements the internal reference counter and
385: * destroys the peer_cfg when it reaches zero.
386: */
387: void (*destroy) (peer_cfg_t *this);
388: };
389:
390: /**
391: * Data passed to the constructor of a peer_cfg_t object.
392: */
393: struct peer_cfg_create_t {
394: /** Whether to send a certificate payload */
395: cert_policy_t cert_policy;
396: /** Uniqueness of an IKE_SA */
397: unique_policy_t unique;
398: /** How many keying tries should be done before giving up */
399: uint32_t keyingtries;
400: /** Timeout in seconds before starting rekeying */
401: uint32_t rekey_time;
402: /** Timeout in seconds before starting reauthentication */
403: uint32_t reauth_time;
404: /** Time range in seconds to randomly subtract from rekey/reauth time */
405: uint32_t jitter_time;
406: /** Maximum overtime in seconds before closing a rekeying/reauth SA */
407: uint32_t over_time;
408: /** Disable MOBIKE (RFC4555) */
409: bool no_mobike;
410: /** Use/accept aggressive mode with IKEv1 */
411: bool aggressive;
412: /** TRUE to use modeconfig push, FALSE for pull */
413: bool push_mode;
414: /** DPD check interval, 0 to disable */
415: uint32_t dpd;
416: /** DPD timeout interval (IKEv1 only), if 0 default applies */
417: uint32_t dpd_timeout;
418: /** Optional inbound interface ID */
419: uint32_t if_id_in;
420: /** Optional outbound interface ID */
421: uint32_t if_id_out;
422: /** Postquantum Preshared Key ID (adopted) */
423: identification_t *ppk_id;
424: /** TRUE if a PPK is required, FALSE if it's optional */
425: bool ppk_required;
426: #ifdef ME
427: /** TRUE if this is a mediation connection */
428: bool mediation;
429: /** peer_cfg_t of the mediation connection to mediate through (cloned) */
430: char *mediated_by;
431: /** ID that identifies our peer at the mediation server (adopted) */
432: identification_t *peer_id;
433: #endif /* ME */
434: };
435:
436: /**
437: * Create a configuration object for IKE_AUTH and later.
438: *
439: * @param name name of the peer_cfg (cloned)
440: * @param ike_cfg IKE config to use when acting as initiator (adopted)
441: * @param data data for this peer_cfg
442: * @return peer_cfg_t object
443: */
444: peer_cfg_t *peer_cfg_create(char *name, ike_cfg_t *ike_cfg,
445: peer_cfg_create_t *data);
446:
447: #endif /** PEER_CFG_H_ @}*/
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>