![[BACK]](/icons/cvsweb/back.gif){kind=icon}
Return to confread.h CVS log ![[TXT]](/icons/cvsweb/text.gif){kind=icon}
![[DIR]](/icons/cvsweb/dir.gif){kind=icon}
Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / starter|
Return to confread.h CVS log | Up to [ELWIX - Embedded LightWeight unIX -] / embedaddon / strongswan / src / starter |
1.1 misho 1: /* strongSwan IPsec config file parser
2: * Copyright (C) 2001-2002 Mathieu Lafon
3: * Arkoon Network Security
4: *
5: * This program is free software; you can redistribute it and/or modify it
6: * under the terms of the GNU General Public License as published by the
7: * Free Software Foundation; either version 2 of the License, or (at your
8: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9: *
10: * This program is distributed in the hope that it will be useful, but
11: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13: * for more details.
14: */
15:
16: #ifndef _IPSEC_CONFREAD_H_
17: #define _IPSEC_CONFREAD_H_
18:
19: #include <kernel/kernel_ipsec.h>
20:
21: typedef enum {
22: STARTUP_NO,
23: STARTUP_ADD,
24: STARTUP_ROUTE,
25: STARTUP_START
26: } startup_t;
27:
28: typedef enum {
29: STATE_IGNORE,
30: STATE_TO_ADD,
31: STATE_ADDED,
32: STATE_REPLACED,
33: STATE_INVALID
34: } starter_state_t;
35:
36: typedef enum {
37: /* shared with ike_version_t */
38: KEY_EXCHANGE_IKE = 0,
39: KEY_EXCHANGE_IKEV1 = 1,
40: KEY_EXCHANGE_IKEV2 = 2,
41: } keyexchange_t;
42:
43: typedef enum {
44: STRICT_NO,
45: STRICT_YES,
46: STRICT_IFURI,
47: } strict_t;
48:
49: typedef enum {
50: CERT_ALWAYS_SEND,
51: CERT_SEND_IF_ASKED,
52: CERT_NEVER_SEND,
53: CERT_YES_SEND, /* synonym for CERT_ALWAYS_SEND */
54: CERT_NO_SEND, /* synonym for CERT_NEVER_SEND */
55: } certpolicy_t;
56:
57: typedef enum {
58: DPD_ACTION_NONE,
59: DPD_ACTION_CLEAR,
60: DPD_ACTION_HOLD,
61: DPD_ACTION_RESTART,
62: DPD_ACTION_UNKNOWN,
63: } dpd_action_t;
64:
65: typedef enum {
66: /* same as in ike_cfg.h */
67: FRAGMENTATION_NO,
68: FRAGMENTATION_ACCEPT,
69: FRAGMENTATION_YES,
70: FRAGMENTATION_FORCE,
71: } fragmentation_t;
72:
73: typedef enum {
74: /* IPsec options */
75: SA_OPTION_COMPRESS = 1 << 1, /* use IPComp */
76:
77: /* IKE and other other options */
78: SA_OPTION_DONT_REKEY = 1 << 2, /* don't rekey state either Phase */
79: SA_OPTION_DONT_REAUTH = 1 << 3, /* don't reauthenticate on rekeying, IKEv2 only */
80: SA_OPTION_MODECFG_PUSH = 1 << 4, /* is modecfg pushed by server? */
81: SA_OPTION_XAUTH_SERVER = 1 << 5, /* are we an XAUTH server? */
82: SA_OPTION_MOBIKE = 1 << 6, /* enable MOBIKE for IKEv2 */
83: SA_OPTION_FORCE_ENCAP = 1 << 7, /* force UDP encapsulation */
84: } sa_option_t;
85:
86: typedef struct starter_end starter_end_t;
87:
88: struct starter_end {
89: char *auth;
90: char *auth2;
91: char *id;
92: char *id2;
93: char *rsakey;
94: char *cert;
95: char *cert2;
96: char *ca;
97: char *ca2;
98: char *groups;
99: char *groups2;
100: char *cert_policy;
101: char *host;
102: u_int ikeport;
103: char *subnet;
104: bool modecfg;
105: certpolicy_t sendcert;
106: bool firewall;
107: bool hostaccess;
108: bool allow_any;
109: char *updown;
110: uint16_t from_port;
111: uint16_t to_port;
112: uint8_t protocol;
113: char *sourceip;
114: char *dns;
115: };
116:
117: typedef struct starter_conn starter_conn_t;
118:
119: struct starter_conn {
120: char *name;
121: startup_t startup;
122: starter_state_t state;
123:
124: keyexchange_t keyexchange;
125: char *eap_identity;
126: char *aaa_identity;
127: char *xauth_identity;
128: char *authby;
129: ipsec_mode_t mode;
130: bool proxy_mode;
131: fragmentation_t fragmentation;
132: u_int ikedscp;
133: sa_option_t options;
134: time_t sa_ike_life_seconds;
135: time_t sa_ipsec_life_seconds;
136: time_t sa_rekey_margin;
137: uint64_t sa_ipsec_life_bytes;
138: uint64_t sa_ipsec_margin_bytes;
139: uint64_t sa_ipsec_life_packets;
140: uint64_t sa_ipsec_margin_packets;
141: unsigned long sa_keying_tries;
142: unsigned long sa_rekey_fuzz;
143: uint32_t reqid;
144: mark_t mark_in;
145: mark_t mark_out;
146: uint32_t replay_window;
147: uint32_t tfc;
148: bool install_policy;
149: bool aggressive;
150: starter_end_t left, right;
151:
152: unsigned long id;
153:
154: char *esp;
155: char *ah;
156: char *ike;
157:
158: time_t dpd_delay;
159: time_t dpd_timeout;
160: dpd_action_t dpd_action;
161: int dpd_count;
162:
163: dpd_action_t close_action;
164:
165: bool sha256_96;
166:
167: time_t inactivity;
168:
169: bool me_mediation;
170: char *me_mediated_by;
171: char *me_peerid;
172:
173: starter_conn_t *next;
174: };
175:
176: typedef struct starter_ca starter_ca_t;
177:
178: struct starter_ca {
179: char *name;
180: startup_t startup;
181: starter_state_t state;
182:
183: char *cacert;
184: char *crluri;
185: char *crluri2;
186: char *ocspuri;
187: char *ocspuri2;
188: char *certuribase;
189:
190: bool strict;
191:
192: starter_ca_t *next;
193: };
194:
195: typedef struct starter_config starter_config_t;
196:
197: struct starter_config {
198: struct {
199: char *charondebug;
200: bool uniqueids;
201: bool cachecrls;
202: strict_t strictcrlpolicy;
203: } setup;
204:
205: /* number of encountered parsing errors */
206: u_int err;
207: u_int non_fatal_err;
208:
209: /* connections list */
210: starter_ca_t *ca_first, *ca_last;
211:
212: /* connections list */
213: starter_conn_t *conn_first, *conn_last;
214: };
215:
216: starter_config_t *confread_load(const char *file);
217: void confread_free(starter_config_t *cfg);
218:
219: #endif /* _IPSEC_CONFREAD_H_ */