summaryrefslogtreecommitdiff
path: root/src/charon/config/policies/policy.h
diff options
context:
space:
mode:
Diffstat (limited to 'src/charon/config/policies/policy.h')
-rw-r--r--src/charon/config/policies/policy.h413
1 files changed, 413 insertions, 0 deletions
diff --git a/src/charon/config/policies/policy.h b/src/charon/config/policies/policy.h
new file mode 100644
index 000000000..d8916b29e
--- /dev/null
+++ b/src/charon/config/policies/policy.h
@@ -0,0 +1,413 @@
+/**
+ * @file policy.h
+ *
+ * @brief Interface of policy_t.
+ *
+ */
+
+/*
+ * Copyright (C) 2005-2006 Martin Willi
+ * Copyright (C) 2005 Jan Hutter
+ * Hochschule fuer Technik Rapperswil
+ *
+ * This program is free software; you can redistribute it and/or modify it
+ * under the terms of the GNU General Public License as published by the
+ * Free Software Foundation; either version 2 of the License, or (at your
+ * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
+ *
+ * This program is distributed in the hope that it will be useful, but
+ * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
+ * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
+ * for more details.
+ */
+
+#ifndef POLICY_H_
+#define POLICY_H_
+
+typedef enum dpd_action_t dpd_action_t;
+typedef struct policy_t policy_t;
+
+#include <library.h>
+#include <utils/identification.h>
+#include <config/traffic_selector.h>
+#include <config/proposal.h>
+#include <sa/authenticators/authenticator.h>
+#include <sa/authenticators/eap/eap_method.h>
+
+
+/**
+ * @brief Actions to take when a peer does not respond (dead peer detected).
+ *
+ * These values are the same as in pluto/starter, so do not modify them!
+ *
+ * @ingroup config
+ */
+enum dpd_action_t {
+ /** DPD disabled */
+ DPD_NONE,
+ /** remove CHILD_SA without replacement */
+ DPD_CLEAR,
+ /** route the CHILD_SA to resetup when needed */
+ DPD_ROUTE,
+ /** restart CHILD_SA in a new IKE_SA, immediately */
+ DPD_RESTART,
+};
+
+/**
+ * enum names for dpd_action_t.
+ */
+extern enum_name_t *dpd_action_names;
+
+/**
+ * @brief Mode of an IPsec SA.
+ *
+ * These are equal to those defined in XFRM, so don't change.
+ *
+ * @ingroup config
+ */
+enum mode_t {
+ /** transport mode, no inner address */
+ MODE_TRANSPORT = 0,
+ /** tunnel mode, inner and outer addresses */
+ MODE_TUNNEL = 1,
+ /** BEET mode, tunnel mode but fixed, bound inner addresses */
+ MODE_BEET = 4,
+};
+
+/**
+ * enum names for mode_t.
+ */
+extern enum_name_t *mode_names;
+
+/**
+ * @brief A policy_t defines the policies to apply to CHILD_SAs.
+ *
+ * The given two IDs identify a policy. These rules define how
+ * child SAs may be set up and which traffic may be IPsec'ed.
+ *
+ * @b Constructors:
+ * - policy_create()
+ *
+ * @ingroup config
+ */
+struct policy_t {
+
+ /**
+ * @brief Get the name of the policy.
+ *
+ * Returned object is not getting cloned.
+ *
+ * @param this calling object
+ * @return policy's name
+ */
+ char *(*get_name) (policy_t *this);
+
+ /**
+ * @brief Get own id.
+ *
+ * Returned object is not getting cloned.
+ *
+ * @param this calling object
+ * @return own id
+ */
+ identification_t *(*get_my_id) (policy_t *this);
+
+ /**
+ * @brief Get peer id.
+ *
+ * Returned object is not getting cloned.
+ *
+ * @param this calling object
+ * @return other id
+ */
+ identification_t *(*get_other_id) (policy_t *this);
+
+ /**
+ * @brief Get own ca.
+ *
+ * Returned object is not getting cloned.
+ *
+ * @param this calling object
+ * @return own ca
+ */
+ identification_t *(*get_my_ca) (policy_t *this);
+
+ /**
+ * @brief Get peer ca.
+ *
+ * Returned object is not getting cloned.
+ *
+ * @param this calling object
+ * @return other ca
+ */
+ identification_t *(*get_other_ca) (policy_t *this);
+
+ /**
+ * @brief Get the authentication method to use.
+ *
+ * @param this calling object
+ * @return authentication method
+ */
+ auth_method_t (*get_auth_method) (policy_t *this);
+
+ /**
+ * @brief Get the EAP type to use for peer authentication.
+ *
+ * @param this calling object
+ * @return authentication method
+ */
+ eap_type_t (*get_eap_type) (policy_t *this);
+
+ /**
+ * @brief Get configured traffic selectors for our site.
+ *
+ * Returns a list with all traffic selectors for the local
+ * site. List and items must be destroyed after usage.
+ *
+ * @param this calling object
+ * @return list with traffic selectors
+ */
+ linked_list_t *(*get_my_traffic_selectors) (policy_t *this, host_t *me);
+
+ /**
+ * @brief Get configured traffic selectors for others site.
+ *
+ * Returns a list with all traffic selectors for the remote
+ * site. List and items must be destroyed after usage.
+ *
+ * @param this calling object
+ * @return list with traffic selectors
+ */
+ linked_list_t *(*get_other_traffic_selectors) (policy_t *this, host_t* other);
+
+ /**
+ * @brief Select traffic selectors from a supplied list for local site.
+ *
+ * Resulted list and traffic selectors must be destroyed after usage.
+ * As the traffic selectors may contain a wildcard address (0.0.0.0) for
+ * addresses we don't know in previous, an address may be supplied to
+ * replace these 0.0.0.0 addresses on-the-fly.
+ *
+ * @param this calling object
+ * @param supplied linked list with traffic selectors
+ * @param me host address used by us
+ * @return list containing the selected traffic selectors
+ */
+ linked_list_t *(*select_my_traffic_selectors) (policy_t *this,
+ linked_list_t *supplied,
+ host_t *me);
+
+ /**
+ * @brief Select traffic selectors from a supplied list for remote site.
+ *
+ * Resulted list and traffic selectors must be destroyed after usage.
+ * As the traffic selectors may contain a wildcard address (0.0.0.0) for
+ * addresses we don't know in previous, an address may be supplied to
+ * replace these 0.0.0.0 addresses on-the-fly.
+ *
+ * @param this calling object
+ * @param supplied linked list with traffic selectors
+ * @return list containing the selected traffic selectors
+ */
+ linked_list_t *(*select_other_traffic_selectors) (policy_t *this,
+ linked_list_t *supplied,
+ host_t *other);
+
+ /**
+ * @brief Get the list of internally stored proposals.
+ *
+ * policy_t does store proposals for AH/ESP, IKE proposals are in
+ * the connection_t.
+ * Resulting list and all of its proposals must be freed after usage.
+ *
+ * @param this calling object
+ * @return lists with proposals
+ */
+ linked_list_t *(*get_proposals) (policy_t *this);
+
+ /**
+ * @brief Select a proposal from a supplied list.
+ *
+ * Returned propsal is newly created and must be destroyed after usage.
+ *
+ * @param this calling object
+ * @param proposals list from from wich proposals are selected
+ * @return selected proposal, or NULL if nothing matches
+ */
+ proposal_t *(*select_proposal) (policy_t *this, linked_list_t *proposals);
+
+ /**
+ * @brief Add a traffic selector to the list for local site.
+ *
+ * After add, traffic selector is owned by policy.
+ *
+ * @param this calling object
+ * @param traffic_selector traffic_selector to add
+ */
+ void (*add_my_traffic_selector) (policy_t *this, traffic_selector_t *traffic_selector);
+
+ /**
+ * @brief Add a traffic selector to the list for remote site.
+ *
+ * After add, traffic selector is owned by policy.
+ *
+ * @param this calling object
+ * @param traffic_selector traffic_selector to add
+ */
+ void (*add_other_traffic_selector) (policy_t *this, traffic_selector_t *traffic_selector);
+
+ /**
+ * @brief Add a proposal to the list.
+ *
+ * The proposals are stored by priority, first added
+ * is the most prefered.
+ * After add, proposal is owned by policy.
+ *
+ * @param this calling object
+ * @param proposal proposal to add
+ */
+ void (*add_proposal) (policy_t *this, proposal_t *proposal);
+
+ /**
+ * @brief Add certification authorities.
+ *
+ * @param this calling object
+ * @param my_ca issuer of my certificate
+ * @param other_ca required issuer of the peer's certificate
+ */
+ void (*add_authorities) (policy_t *this, identification_t *my_ca, identification_t *other_ca);
+
+ /**
+ * @brief Get updown script
+ *
+ * @param this calling object
+ * @return path to updown script
+ */
+ char* (*get_updown) (policy_t *this);
+
+ /**
+ * @brief Get hostaccess flag
+ *
+ * @param this calling object
+ * @return value of hostaccess flag
+ */
+ bool (*get_hostaccess) (policy_t *this);
+
+ /**
+ * @brief What should be done with a CHILD_SA, when other peer does not respond.
+ *
+ * @param this calling object
+ * @return dpd action
+ */
+ dpd_action_t (*get_dpd_action) (policy_t *this);
+
+ /**
+ * @brief Get the lifetime of a policy, before rekeying starts.
+ *
+ * A call to this function automatically adds a jitter to
+ * avoid simultanous rekeying.
+ *
+ * @param this policy
+ * @return lifetime in seconds
+ */
+ u_int32_t (*get_soft_lifetime) (policy_t *this);
+
+ /**
+ * @brief Get the lifetime of a policy, before SA gets deleted.
+ *
+ * @param this policy
+ * @return lifetime in seconds
+ */
+ u_int32_t (*get_hard_lifetime) (policy_t *this);
+
+ /**
+ * @brief Get the mode to use for the CHILD_SA, tunnel, transport or BEET.
+ *
+ * @param this policy
+ * @return lifetime in seconds
+ */
+ mode_t (*get_mode) (policy_t *this);
+
+ /**
+ * @brief Get a virtual IP for the local or the remote host.
+ *
+ * By supplying NULL as IP, an IP for the local host is requested. It
+ * may be %any or specific.
+ * By supplying %any as host, an IP from the pool is selected to be
+ * served to the peer.
+ * If a specified host is supplied, it is checked if this address
+ * is acceptable to serve to the peer. If so, it is returned. Otherwise,
+ * an alternative IP is returned.
+ * In any mode, this call may return NULL indicating virtual IP should
+ * not be used.
+ *
+ * @param this policy
+ * @param suggestion NULL, %any or specific, see description
+ * @return clone of an IP to use, or NULL
+ */
+ host_t* (*get_virtual_ip) (policy_t *this, host_t *suggestion);
+
+ /**
+ * @brief Get a new reference.
+ *
+ * Get a new reference to this policy by increasing
+ * it's internal reference counter.
+ * Do not call get_ref or any other function until you
+ * already have a reference. Otherwise the object may get
+ * destroyed while calling get_ref(),
+ *
+ * @param this calling object
+ */
+ void (*get_ref) (policy_t *this);
+
+ /**
+ * @brief Destroys the policy object.
+ *
+ * Decrements the internal reference counter and
+ * destroys the policy when it reaches zero.
+ *
+ * @param this calling object
+ */
+ void (*destroy) (policy_t *this);
+};
+
+/**
+ * @brief Create a configuration object for IKE_AUTH and later.
+ *
+ * name-string gets cloned, ID's not.
+ * Virtual IPs are used if they are != NULL. A %any host means the virtual
+ * IP should be obtained from the other peer.
+ * Lifetimes are in seconds. To prevent to peers to start rekeying at the
+ * same time, a jitter may be specified. Rekeying of an SA starts at
+ * (soft_lifetime - random(0, jitter)). After a successful rekeying,
+ * the hard_lifetime limit counter is reset. You should specify
+ * hard_lifetime > soft_lifetime > jitter.
+ * After a call to create, a reference is obtained (refcount = 1).
+ *
+ * @param name name of the policy
+ * @param my_id identification_t for ourselves
+ * @param other_id identification_t for the remote guy
+ * @param my_virtual_ip virtual IP for local host, or NULL
+ * @param other_virtual_ip virtual IP for remote host, or NULL
+ * @param auth_method Authentication method to use for our(!) auth data
+ * @param eap_type EAP type to use for peer authentication
+ * @param hard_lifetime lifetime before deleting an SA
+ * @param soft_lifetime lifetime before rekeying an SA
+ * @param jitter range of randomization time
+ * @param updown updown script to execute on up/down event
+ * @param hostaccess allow access to the host itself (used by the updown script)
+ * @param mode mode to propose for CHILD_SA, transport, tunnel or BEET
+ * @param dpd_action what to to with a CHILD_SA when other peer does not respond
+ * @return policy_t object
+ *
+ * @ingroup config
+ */
+policy_t *policy_create(char *name,
+ identification_t *my_id, identification_t *other_id,
+ host_t *my_virtual_ip, host_t *other_virtual_ip,
+ auth_method_t auth_method, eap_type_t eap_type,
+ u_int32_t hard_lifetime, u_int32_t soft_lifetime,
+ u_int32_t jitter, char *updown, bool hostaccess,
+ mode_t mode, dpd_action_t dpd_action);
+
+#endif /* POLICY_H_ */