/**
 * @file connection.h
 *
 * @brief Interface of connection_t.
 *
 */

/*
 * Copyright (C) 2005-2006 Martin Willi
 * Copyright (C) 2005 Jan Hutter
 * Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

#ifndef CONNECTION_H_
#define CONNECTION_H_

/* Forward typedefs: the names are usable before the full enum/struct
 * definitions further down, which lets connection_t refer to itself
 * in its own method signatures. */
typedef enum cert_policy_t cert_policy_t;
typedef struct connection_t connection_t;

#include <library.h>
#include <utils/host.h>
#include <utils/linked_list.h>
#include <utils/identification.h>
#include <config/proposal.h>
#include <crypto/diffie_hellman.h>


/**
 * Certificate sending policy. This is also used for certificate
 * requests when using this definition for the other peer. If
 * it is CERT_NEVER_SEND, a certreq is omitted, otherwise it is
 * included.
 *
 * @ingroup config
 * 
 * @warning These definitions must be the same as in pluto/starter,
 * as they are sent over the stroke socket. Code that reads a policy
 * value from the socket should range-check it against the three
 * constants below before storing it as a cert_policy_t.
 */
enum cert_policy_t {
	/** always send certificates, even when not requested */
	CERT_ALWAYS_SEND   = 0,
	/** send certificate upon cert request */
	CERT_SEND_IF_ASKED = 1,
	/** never send a certificate, even when requested */
	CERT_NEVER_SEND    = 2,
};

/**
 * String names for the cert_policy_t values (enum_name_t table).
 * 
 * @ingroup config
 */
extern enum_name_t *cert_policy_names;

/**
 * @brief A connection_t defines the rules to set up an IKE_SA.
 *
 * Instances are reference counted: get_ref() takes a reference,
 * destroy() releases one and frees the object when the count
 * reaches zero.
 *
 * @b Constructors:
 *  - connection_create()
 *
 * @ingroup config
 */
struct connection_t {

	/**
	 * @brief Get my address as host_t object.
	 * 
	 * The object is NOT cloned; it stays owned by the connection
	 * and must not be destroyed by the caller.
	 * 
	 * @param this	calling object
	 * @return		host information as host_t object
	 */
	host_t *(*get_my_host) (connection_t *this);

	/**
	 * @brief Get the other peer's address as host_t object.
	 * 
	 * The object is NOT cloned; it stays owned by the connection
	 * and must not be destroyed by the caller.
	 * 
	 * @param this	calling object
	 * @return		host information as host_t object
	 */
	host_t *(*get_other_host) (connection_t *this);
	
	/**
	 * @brief Returns a list of all supported proposals.
	 * 
	 * Ownership passes to the caller: the returned list and the
	 * proposals it contains must be destroyed after usage.
	 * 
	 * @param this		calling object
	 * @return 			list containing all the proposals
	 */
	linked_list_t *(*get_proposals) (connection_t *this);
	
	/**
	 * @brief Adds a proposal to the list.
	 * 
	 * The first added proposal has the highest priority, the last
	 * added the lowest.
	 * 
	 * @param this		calling object
	 * @param proposal	proposal to add
	 */
	void (*add_proposal) (connection_t *this, proposal_t *proposal);
	
	/**
	 * @brief Select a proposal from the suggested proposals.
	 * 
	 * The returned proposal is owned by the caller and must be
	 * destroyed after usage.
	 * 
	 * @param this		calling object
	 * @param proposals	list of proposals to select from
	 * @return			selected proposal, or NULL if none matches.
	 */
	proposal_t *(*select_proposal) (connection_t *this, linked_list_t *proposals);
	
	/**
	 * @brief Get the DPD check interval.
	 * 
	 * @param this		calling object
	 * @return			dpd_delay in seconds
	 */
	u_int32_t (*get_dpd_delay) (connection_t *this);
	
	/**
	 * @brief Should a full reauthentication be done instead of rekeying?
	 * 
	 * @param this		calling object
	 * @return			TRUE to use full reauthentication
	 */
	bool (*get_reauth) (connection_t *this);
	
	/**
	 * @brief Get the max number of retransmission sequences.
	 *
	 * @param this		calling object
	 * @return			max number of retransmission sequences
	 */
	u_int32_t (*get_keyingtries) (connection_t *this);
	
	/**
	 * @brief Get the connection name.
	 * 
	 * The name must not be freed or modified, since it points to 
	 * internal data of the connection.
	 * 
	 * @param this		calling object
	 * @return			name of the connection
	 */
	char* (*get_name) (connection_t *this);
	
	/**
	 * @brief Check if the connection is marked as an IKEv2 connection.
	 * 
	 * Since all connections (IKEv1+2) are loaded, but charon handles 
	 * only those marked with IKEv2, this flag tells us whether we must
	 * ignore a connection on initiation. Then pluto will do it for us.
	 * 
	 * @param this		calling object
	 * @return			TRUE, if this is an IKEv2 connection
	 */
	bool (*is_ikev2) (connection_t *this);
	
	/**
	 * @brief Should a certificate request be sent for this connection?
	 *
	 * A certificate request contains serials of our trusted CA certificates.
	 * This flag says if such a request is sent on connection setup to
	 * the peer. It is omitted when CERT_NEVER_SEND, sent otherwise.
	 *
	 * @param this		calling object
	 * @return			certificate request sending policy
	 */
	cert_policy_t (*get_certreq_policy) (connection_t *this);
	
	/**
	 * @brief Should a certificate be sent for this connection?
	 *
	 * Returns the policy used to send our own certificate.
	 *
	 * @param this		calling object
	 * @return			certificate sending policy
	 */
	cert_policy_t (*get_cert_policy) (connection_t *this);
	
	/**
	 * @brief Get the DH group to use for connection initialization.
	 * 
	 * @param this		calling object
	 * @return			dh group to use for initialization
	 */
	diffie_hellman_group_t (*get_dh_group) (connection_t *this);
	
	/**
	 * @brief Check if a suggested dh group is acceptable.
	 * 
	 * If we guess a wrong DH group for IKE_SA_INIT, the other
	 * peer will send us an offer. This checks whether that
	 * peer-supplied group is acceptable for us, so the peer cannot
	 * steer us to a group this connection does not allow.
	 * 
	 * @param this		calling object
	 * @param dh_group	group offered by the peer
	 * @return			TRUE if group acceptable
	 */
	bool (*check_dh_group) (connection_t *this, diffie_hellman_group_t dh_group);

	/**
	 * @brief Get the lifetime of a connection, before IKE_SA rekeying starts.
	 * 
	 * A call to this function automatically adds a jitter to
	 * avoid simultaneous rekeying.
	 * 
	 * @param this		calling object
	 * @return			lifetime in seconds
	 */
	u_int32_t (*get_soft_lifetime) (connection_t *this);
	
	/**
	 * @brief Get the lifetime of a connection, before IKE_SA gets deleted.
	 * 
	 * @param this		calling object
	 * @return			lifetime in seconds
	 */
	u_int32_t (*get_hard_lifetime) (connection_t *this);
	
	/**
	 * @brief Get a new reference to this connection.
	 *
	 * Get a new reference to this connection by increasing
	 * its internal reference counter.
	 * Do not call get_ref or any other function unless you
	 * already hold a reference. Otherwise the object may get
	 * destroyed while calling get_ref().
	 *
	 * @param this		calling object
	 */
	void (*get_ref) (connection_t *this);
	
	/**
	 * @brief Destroys a connection_t object.
	 * 
	 * Decrements the internal reference counter and
	 * destroys the connection when it reaches zero.
	 * 
	 * @param this		calling object
	 */
	void (*destroy) (connection_t *this);
};

/**
 * @brief Creates a connection_t object.
 *
 * Supplied hosts become owned by the connection, so
 * do not modify or destroy them after a call to
 * connection_create(). The name gets cloned internally.
 * The retransmit sequence number says how fast we give up when the peer
 * does not respond. A high value may bridge over temporary connection 
 * problems, a small value can detect dead peers faster.
 *
 * NOTE(review): name is only read (cloned) per this contract, so the
 * parameter could be declared const char *.
 *
 * @param name				connection identifier
 * @param ikev2				TRUE if this is an IKEv2 connection
 * @param cert_pol			certificate send policy
 * @param req_pol			certificate request send policy
 * @param my_host			host_t representing local address
 * @param other_host		host_t representing remote address
 * @param dpd_delay			interval of DPD liveness checks
 * @param reauth			use full reauthentication instead of rekeying
 * @param keyingtries		number of retransmit sequences to use
 * @param hard_lifetime		lifetime before deleting an IKE_SA
 * @param soft_lifetime		lifetime before rekeying an IKE_SA
 * @param jitter			range of randomization time added to soft_lifetime
 * @return 					connection_t object.
 * 
 * @ingroup config
 */
connection_t * connection_create(char *name, bool ikev2,
								 cert_policy_t cert_pol, cert_policy_t req_pol,
								 host_t *my_host, host_t *other_host,
								 u_int32_t dpd_delay, bool reauth,
								 u_int32_t keyingtries,
								 u_int32_t hard_lifetime, u_int32_t soft_lifetime, 
								 u_int32_t jitter);

#endif /* CONNECTION_H_ */