/* strongSwan IPsec config file parser * Copyright (C) 2001-2002 Mathieu Lafon * Arkoon Network Security * * This program is free software; you can redistribute it and/or modify it * under the terms of the GNU General Public License as published by the * Free Software Foundation; either version 2 of the License, or (at your * option) any later version. See . * * This program is distributed in the hope that it will be useful, but * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License * for more details. */ #ifndef _IPSEC_CONFREAD_H_ #define _IPSEC_CONFREAD_H_ #include #include "ipsec-parser.h" /** to mark seen keywords */ typedef u_int64_t seen_t; #define SEEN_NONE 0; #define SEEN_KW(kw, base) ((seen_t)1 << ((kw) - (base))) typedef enum { STARTUP_NO, STARTUP_ADD, STARTUP_ROUTE, STARTUP_START } startup_t; typedef enum { STATE_IGNORE, STATE_TO_ADD, STATE_ADDED, STATE_REPLACED, STATE_INVALID } starter_state_t; typedef enum { /* shared with ike_version_t */ KEY_EXCHANGE_IKE = 0, KEY_EXCHANGE_IKEV1 = 1, KEY_EXCHANGE_IKEV2 = 2, } keyexchange_t; typedef enum { STRICT_NO, STRICT_YES, STRICT_IFURI, } strict_t; typedef enum { CERT_ALWAYS_SEND, CERT_SEND_IF_ASKED, CERT_NEVER_SEND, CERT_YES_SEND, /* synonym for CERT_ALWAYS_SEND */ CERT_NO_SEND, /* synonym for CERT_NEVER_SEND */ } certpolicy_t; typedef enum { DPD_ACTION_NONE, DPD_ACTION_CLEAR, DPD_ACTION_HOLD, DPD_ACTION_RESTART, DPD_ACTION_UNKNOW, } dpd_action_t; typedef enum { /* same as in ike_cfg.h */ FRAGMENTATION_NO, FRAGMENTATION_YES, FRAGMENTATION_FORCE, } fragmentation_t; typedef enum { /* IPsec options */ SA_OPTION_AUTHENTICATE = 1 << 0, /* use AH instead of ESP? */ SA_OPTION_COMPRESS = 1 << 1, /* use IPComp */ /* IKE and other other options */ SA_OPTION_DONT_REKEY = 1 << 2, /* don't rekey state either Phase */ SA_OPTION_DONT_REAUTH = 1 << 3, /* don't reauthenticate on rekeying, IKEv2 only */ SA_OPTION_MODECFG_PUSH = 1 << 4, /* is modecfg pushed by server? */ SA_OPTION_XAUTH_SERVER = 1 << 5, /* are we an XAUTH server? */ SA_OPTION_MOBIKE = 1 << 6, /* enable MOBIKE for IKEv2 */ SA_OPTION_FORCE_ENCAP = 1 << 7, /* force UDP encapsulation */ } sa_option_t; typedef struct starter_end starter_end_t; struct starter_end { seen_t seen; char *auth; char *auth2; char *id; char *id2; char *rsakey; char *cert; char *cert2; char *ca; char *ca2; char *groups; char *groups2; char *cert_policy; char *host; u_int ikeport; char *subnet; bool modecfg; certpolicy_t sendcert; bool firewall; bool hostaccess; bool allow_any; char *updown; u_int16_t from_port; u_int16_t to_port; u_int8_t protocol; char *sourceip; char *dns; }; typedef struct also also_t; struct also { char *name; bool included; also_t *next; }; typedef struct starter_conn starter_conn_t; struct starter_conn { seen_t seen; char *name; also_t *also; kw_list_t *kw; u_int visit; startup_t startup; starter_state_t state; keyexchange_t keyexchange; char *eap_identity; char *aaa_identity; char *xauth_identity; char *authby; ipsec_mode_t mode; bool proxy_mode; fragmentation_t fragmentation; u_int ikedscp; sa_option_t options; time_t sa_ike_life_seconds; time_t sa_ipsec_life_seconds; time_t sa_rekey_margin; u_int64_t sa_ipsec_life_bytes; u_int64_t sa_ipsec_margin_bytes; u_int64_t sa_ipsec_life_packets; u_int64_t sa_ipsec_margin_packets; unsigned long sa_keying_tries; unsigned long sa_rekey_fuzz; u_int32_t reqid; mark_t mark_in; mark_t mark_out; u_int32_t tfc; bool install_policy; bool aggressive; starter_end_t left, right; unsigned long id; char *esp; char *ike; time_t dpd_delay; time_t dpd_timeout; dpd_action_t dpd_action; int dpd_count; dpd_action_t close_action; time_t inactivity; bool me_mediation; char *me_mediated_by; char *me_peerid; starter_conn_t *next; }; typedef struct starter_ca starter_ca_t; struct starter_ca { seen_t seen; char *name; also_t *also; kw_list_t *kw; u_int visit; startup_t startup; starter_state_t state; char *cacert; char *crluri; char *crluri2; char *ocspuri; char *ocspuri2; char *certuribase; bool strict; starter_ca_t *next; }; typedef struct starter_config starter_config_t; struct starter_config { struct { seen_t seen; bool charonstart; char *charondebug; bool uniqueids; bool cachecrls; strict_t strictcrlpolicy; } setup; /* number of encountered parsing errors */ u_int err; u_int non_fatal_err; /* do we parse also statements */ bool parse_also; /* ca %default */ starter_ca_t ca_default; /* connections list (without %default) */ starter_ca_t *ca_first, *ca_last; /* conn %default */ starter_conn_t conn_default; /* connections list (without %default) */ starter_conn_t *conn_first, *conn_last; }; extern starter_config_t *confread_load(const char *file); extern void confread_free(starter_config_t *cfg); #endif /* _IPSEC_CONFREAD_H_ */