/* * Copyright (C) 2007-2008 Tobias Brunner * Copyright (C) 2005-2007 Martin Willi * Copyright (C) 2005 Jan Hutter * Hochschule fuer Technik Rapperswil * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. See . * * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. * * $Id: peer_cfg.h 4276 2008-08-22 10:44:51Z martin $ */ /** * @defgroup peer_cfg peer_cfg * @{ @ingroup config */ #ifndef PEER_CFG_H_ #define PEER_CFG_H_ typedef enum cert_policy_t cert_policy_t; typedef enum unique_policy_t unique_policy_t; typedef struct peer_cfg_t peer_cfg_t; #include #include #include #include #include #include #include #include #include #include /** * Certificate sending policy. This is also used for certificate * requests when using this definition for the other peer. If * it is CERT_NEVER_SEND, a certreq is omitted, otherwise its * included. * * @warning These definitions must be the same as in pluto/starter, * as they are sent over the stroke socket. */ enum cert_policy_t { /** always send certificates, even when not requested */ CERT_ALWAYS_SEND = 0, /** send certificate upon cert request */ CERT_SEND_IF_ASKED = 1, /** never send a certificate, even when requested */ CERT_NEVER_SEND = 2, }; /** * enum strings for cert_policy_t */ extern enum_name_t *cert_policy_names; /** * Uniqueness of an IKE_SA, used to drop multiple connections with one peer. */ enum unique_policy_t { /** do not check for client uniqueness */ UNIQUE_NO, /** replace unique IKE_SAs if new ones get established */ UNIQUE_REPLACE, /** keep existing IKE_SAs, close the new ones on connection attept */ UNIQUE_KEEP, }; /** * enum strings for unique_policy_t */ extern enum_name_t *unique_policy_names; /** * Configuration of a peer, specified by IDs. * * The peer config defines a connection between two given IDs. It contains * exactly one ike_cfg_t, which is use for initiation. Additionally, it contains * multiple child_cfg_t defining which CHILD_SAs are allowed for this peer. * @verbatim +-------------------+ +---------------+ +---------------+ | peer_cfg | +---------------+ | | ike_cfg | +-------------------+ | child_cfg | | +---------------+ | - ids | +---------------+ | | - hosts | 1 1 | - cas | 1 n | - proposals | | | - proposals |<------| - auth info |-------->| - traffic sel | | | - ... | | - dpd config | | - ... |-+ +---------------+ | - ... | +---------------+ +-------------------+ ^ | +-------------------+ | auth_info | +-------------------+ | auth_items | +-------------------+ @endverbatim * The auth_info_t object associated to the peer_cfg holds additional * authorization constraints. A peer who wants to use a config needs to fullfil * the requirements defined in auth_info. */ struct peer_cfg_t { /** * Get the name of the peer_cfg. * * Returned object is not getting cloned. * * @return peer_cfg's name */ char* (*get_name) (peer_cfg_t *this); /** * Get the IKE version to use for initiating. * * @return IKE major version */ u_int (*get_ike_version)(peer_cfg_t *this); /** * Get the IKE config to use for initiaton. * * @return the IKE config to use */ ike_cfg_t* (*get_ike_cfg) (peer_cfg_t *this); /** * Attach a CHILD config. * * @param child_cfg CHILD config to add */ void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg); /** * Detach a CHILD config, pointed to by an enumerator. * * @param enumerator enumerator indicating element position */ void (*remove_child_cfg)(peer_cfg_t *this, enumerator_t *enumerator); /** * Create an enumerator for all attached CHILD configs. * * @return an enumerator over all CHILD configs. */ enumerator_t* (*create_child_cfg_enumerator) (peer_cfg_t *this); /** * Select a CHILD config from traffic selectors. * * @param my_ts TS for local side * @param other_ts TS for remote side * @param my_host host to narrow down dynamic TS for local side * @param other_host host to narrow down dynamic TS for remote side * @return selected CHILD config, or NULL if no match found */ child_cfg_t* (*select_child_cfg) (peer_cfg_t *this, linked_list_t *my_ts, linked_list_t *other_ts, host_t *my_host, host_t *other_host); /** * Get the authentication constraint items. * * @return auth_info object to manipulate requirements */ auth_info_t* (*get_auth)(peer_cfg_t *this); /** * Get own ID. * * @return own id */ identification_t* (*get_my_id)(peer_cfg_t *this); /** * Get peers ID. * * @return other id */ identification_t* (*get_other_id)(peer_cfg_t *this); /** * Should be sent a certificate for this connection? * * @return certificate sending policy */ cert_policy_t (*get_cert_policy) (peer_cfg_t *this); /** * How to handle uniqueness of IKE_SAs? * * @return unique policy */ unique_policy_t (*get_unique_policy) (peer_cfg_t *this); /** * Get the max number of retries after timeout. * * @return max number retries */ u_int32_t (*get_keyingtries) (peer_cfg_t *this); /** * Get a time to start rekeying (is randomized with jitter). * * @return time in s when to start rekeying, 0 disables rekeying */ u_int32_t (*get_rekey_time)(peer_cfg_t *this); /** * Get a time to start reauthentication (is randomized with jitter). * * @return time in s when to start reauthentication, 0 disables it */ u_int32_t (*get_reauth_time)(peer_cfg_t *this); /** * Get the timeout of a rekeying/reauthenticating SA. * * @return timeout in s */ u_int32_t (*get_over_time)(peer_cfg_t *this); /** * Use MOBIKE (RFC4555) if peer supports it? * * @return TRUE to enable MOBIKE support */ bool (*use_mobike) (peer_cfg_t *this); /** * Get the DPD check interval. * * @return dpd_delay in seconds */ u_int32_t (*get_dpd) (peer_cfg_t *this); /** * Get a virtual IP for the local peer. * * If no virtual IP should be used, NULL is returned. %any means to request * a virtual IP using configuration payloads. A specific address is also * used for a request and may be changed by the server. * * @param suggestion NULL, %any or specific * @return virtual IP, %any or NULL */ host_t* (*get_virtual_ip) (peer_cfg_t *this); /** * Get the name of the pool to acquire configuration attributes from. * * @return pool name, NULL if none defined */ char* (*get_pool)(peer_cfg_t *this); #ifdef ME /** * Is this a mediation connection? * * @return TRUE, if this is a mediation connection */ bool (*is_mediation) (peer_cfg_t *this); /** * Get peer_cfg of the connection this one is mediated through. * * @return the peer_cfg of the mediation connection */ peer_cfg_t* (*get_mediated_by) (peer_cfg_t *this); /** * Get the id of the other peer at the mediation server. * * This is the leftid of the peer's connection with the mediation server. * * If it is not configured, it is assumed to be the same as the right id * of this connection. * * @return the id of the other peer */ identification_t* (*get_peer_id) (peer_cfg_t *this); #endif /* ME */ /** * Check if two peer configurations are equal. * * This method does not compare associated ike/child_cfg. * * @param other candidate to check for equality against this * @return TRUE if peer_cfg and ike_cfg are equal */ bool (*equals)(peer_cfg_t *this, peer_cfg_t *other); /** * Increase reference count. * * @return reference to this */ peer_cfg_t* (*get_ref) (peer_cfg_t *this); /** * Destroys the peer_cfg object. * * Decrements the internal reference counter and * destroys the peer_cfg when it reaches zero. */ void (*destroy) (peer_cfg_t *this); }; /** * Create a configuration object for IKE_AUTH and later. * * name-string gets cloned, ID's not. * Virtual IPs are used if they are != NULL. A %any host means the virtual * IP should be obtained from the other peer. * Lifetimes are in seconds. To prevent to peers to start rekeying at the * same time, a jitter may be specified. Rekeying of an SA starts at * (rekeylifetime - random(0, jitter)). * * @param name name of the peer_cfg * @param ike_version which IKE version we sould use for this peer * @param ike_cfg IKE config to use when acting as initiator * @param my_id identification_t for ourselves * @param other_id identification_t for the remote guy * @param cert_policy should we send a certificate payload? * @param unique uniqueness of an IKE_SA * @param keyingtries how many keying tries should be done before giving up * @param rekey_time timeout before starting rekeying * @param reauth_time timeout before starting reauthentication * @param jitter_time timerange to randomly substract from rekey/reauth time * @param over_time maximum overtime before closing a rekeying/reauth SA * @param reauth sould be done reauthentication instead of rekeying? * @param mobike use MOBIKE (RFC4555) if peer supports it * @param dpd DPD check interval, 0 to disable * @param virtual_ip virtual IP for local host, or NULL * @param pool pool name to get configuration attributes from, or NULL * @param mediation TRUE if this is a mediation connection * @param mediated_by peer_cfg_t of the mediation connection to mediate through * @param peer_id ID that identifies our peer at the mediation server * @return peer_cfg_t object */ peer_cfg_t *peer_cfg_create(char *name, u_int ikev_version, ike_cfg_t *ike_cfg, identification_t *my_id, identification_t *other_id, cert_policy_t cert_policy, unique_policy_t unique, u_int32_t keyingtries, u_int32_t rekey_time, u_int32_t reauth_time, u_int32_t jitter_time, u_int32_t over_time, bool mobike, u_int32_t dpd, host_t *virtual_ip, char *pool, bool mediation, peer_cfg_t *mediated_by, identification_t *peer_id); #endif /* PEER_CFG_H_ @} */