path: root/src/charon/config/policies/policy.h

/**
 * @file policy.h
 * 
 * @brief Interface of policy_t.
 *  
 */

/*
 * Copyright (C) 2005-2006 Martin Willi
 * Copyright (C) 2005 Jan Hutter
 * Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

#ifndef POLICY_H_
#define POLICY_H_

typedef enum dpd_action_t dpd_action_t;
typedef struct policy_t policy_t;

#include <library.h>
#include <utils/identification.h>
#include <config/traffic_selector.h>
#include <config/proposal.h>
#include <sa/authenticators/authenticator.h>
#include <sa/authenticators/eap/eap_method.h>


/**
 * @brief Actions to take when a peer does not respond (dead peer detected).
 *
 * These values are the same as in pluto/starter, so do not modify them!
 *
 * @ingroup config
 */
enum dpd_action_t {
	/** DPD disabled */
	DPD_NONE,
	/** remove CHILD_SA without replacement */
	DPD_CLEAR,
	/** route the CHILD_SA to resetup when needed */
	DPD_ROUTE,
	/** restart CHILD_SA in a new IKE_SA, immediately */
	DPD_RESTART,
};

/**
 * enum names for dpd_action_t.
 */
extern enum_name_t *dpd_action_names;

/**
 * @brief Mode of an IPsec SA.
 *
 * These are equal to those defined in XFRM, so don't change.
 *
 * @ingroup config
 */
enum mode_t {
	/** transport mode, no inner address */
	MODE_TRANSPORT = 0,
	/** tunnel mode, inner and outer addresses */
	MODE_TUNNEL = 1,
	/** BEET mode, tunnel mode but fixed, bound inner addresses */
	MODE_BEET = 4,
};

/**
 * enum names for mode_t.
 */
extern enum_name_t *mode_names;

/**
 * @brief A policy_t defines the policies to apply to CHILD_SAs.
 *
 * The given two IDs identify a policy. These rules define how
 * child SAs may be set up and which traffic may be IPsec'ed.
 *
 * @b Constructors:
 *   - policy_create()
 *
 * @ingroup config
 */
struct policy_t {
	
	/**
	 * @brief Get the name of the policy.
	 * 
	 * Returned object is not getting cloned.
	 * 
	 * @param this			calling object
	 * @return				policy's name
	 */
	char *(*get_name) (policy_t *this);
	
	/**
	 * @brief Get own id.
	 * 
	 * Returned object is not getting cloned.
	 * 
	 * @param this			calling object
	 * @return				own id
	 */
	identification_t *(*get_my_id) (policy_t *this);
	
	/**
	 * @brief Get peer id.
	 *
	 * Returned object is not getting cloned.
	 * 
	 * @param this			calling object
	 * @return				other id
	 */
	identification_t *(*get_other_id) (policy_t *this);
	
	/**
	 * @brief Get own ca.
	 *
	 * Returned object is not getting cloned.
	 * 
	 * @param this			calling object
	 * @return				own ca
	 */
	identification_t *(*get_my_ca) (policy_t *this);

	/**
	 * @brief Get peer ca.
	 *
	 * Returned object is not getting cloned.
	 * 
	 * @param this			calling object
	 * @return				other ca
	 */
	identification_t *(*get_other_ca) (policy_t *this);

	/**
	 * @brief Get the authentication method to use.
	 * 
	 * @param this		calling object
	 * @return			authentication method
	 */
	auth_method_t (*get_auth_method) (policy_t *this);

	/**
	 * @brief Get the EAP type to use for peer authentication.
	 * 
	 * @param this		calling object
	 * @return			authentication method
	 */
	eap_type_t (*get_eap_type) (policy_t *this);
	
	/**
	 * @brief Get configured traffic selectors for our site.
	 * 
	 * Returns a list with all traffic selectors for the local
	 * site. List and items must be destroyed after usage.
	 * 
	 * @param this			calling object
	 * @return				list with traffic selectors
	 */
	linked_list_t *(*get_my_traffic_selectors) (policy_t *this, host_t *me);
	
	/**
	 * @brief Get configured traffic selectors for others site.
	 * 
	 * Returns a list with all traffic selectors for the remote
	 * site. List and items must be destroyed after usage.
	 * 
	 * @param this			calling object
	 * @return				list with traffic selectors
	 */
	linked_list_t *(*get_other_traffic_selectors) (policy_t *this, host_t* other);
	
	/**
	 * @brief Select traffic selectors from a supplied list for local site.
	 * 
	 * Resulted list and traffic selectors must be destroyed after usage.
	 * As the traffic selectors may contain a wildcard address (0.0.0.0) for
	 * addresses we don't know in previous, an address may be supplied to
	 * replace these 0.0.0.0 addresses on-the-fly.
	 * 
	 * @param this			calling object
	 * @param supplied		linked list with traffic selectors
	 * @param me			host address used by us
	 * @return				list containing the selected traffic selectors
	 */
	linked_list_t *(*select_my_traffic_selectors) (policy_t *this, 
												   linked_list_t *supplied,
												   host_t *me);
		
	/**
	 * @brief Select traffic selectors from a supplied list for remote site.
	 * 
	 * Resulted list and traffic selectors must be destroyed after usage.
	 * As the traffic selectors may contain a wildcard address (0.0.0.0) for
	 * addresses we don't know in previous, an address may be supplied to
	 * replace these 0.0.0.0 addresses on-the-fly.
	 *
	 * @param this			calling object
	 * @param supplied		linked list with traffic selectors
	 * @return				list containing the selected traffic selectors
	 */
	linked_list_t *(*select_other_traffic_selectors) (policy_t *this, 
													  linked_list_t *supplied,
													  host_t *other);
	
	/**
	 * @brief Get the list of internally stored proposals.
	 * 
	 * policy_t does store proposals for AH/ESP, IKE proposals are in 
	 * the connection_t.
	 * Resulting list and all of its proposals must be freed after usage.
	 *
	 * @param this			calling object
	 * @return				lists with proposals
	 */
	linked_list_t *(*get_proposals) (policy_t *this);
	
	/**
	 * @brief Select a proposal from a supplied list.
	 *
	 * Returned propsal is newly created and must be destroyed after usage.
	 * 
	 * @param this			calling object
	 * @param proposals		list from from wich proposals are selected
	 * @return				selected proposal, or NULL if nothing matches
	 */
	proposal_t *(*select_proposal) (policy_t *this, linked_list_t *proposals);
	
	/**
	 * @brief Add a traffic selector to the list for local site.
	 * 
	 * After add, traffic selector is owned by policy.
	 * 
	 * @param this				calling object
	 * @param traffic_selector	traffic_selector to add
	 */
	void (*add_my_traffic_selector) (policy_t *this, traffic_selector_t *traffic_selector);
	
	/**
	 * @brief Add a traffic selector to the list for remote site.
	 * 
	 * After add, traffic selector is owned by policy.
	 * 
	 * @param this				calling object
	 * @param traffic_selector	traffic_selector to add
	 */
	void (*add_other_traffic_selector) (policy_t *this, traffic_selector_t *traffic_selector);
	
	/**
	 * @brief Add a proposal to the list. 
	 * 
	 * The proposals are stored by priority, first added
	 * is the most prefered.
	 * After add, proposal is owned by policy.
	 * 
	 * @param this			calling object
	 * @param proposal		proposal to add
	 */
	void (*add_proposal) (policy_t *this, proposal_t *proposal);
	
	/**
	 * @brief Add certification authorities.
	 * 
	 * @param this			calling object
	 * @param my_ca			issuer of my certificate
	 * @param other_ca		required issuer of the peer's certificate
	 */
	void (*add_authorities) (policy_t *this, identification_t *my_ca, identification_t *other_ca);

	/**
	 * @brief Get updown script
	 * 
	 * @param this			calling object
	 * @return				path to updown script
	 */
	char* (*get_updown) (policy_t *this);
	
	/**
	 * @brief Get hostaccess flag
	 * 
	 * @param this			calling object
	 * @return				value of hostaccess flag
	 */
	bool (*get_hostaccess) (policy_t *this);
	
	/**
	 * @brief What should be done with a CHILD_SA, when other peer does not respond.
	 *
	 * @param this 		calling object
	 * @return			dpd action
	 */	
	dpd_action_t (*get_dpd_action) (policy_t *this);

	/**
	 * @brief Get the lifetime of a policy, before rekeying starts.
	 * 
	 * A call to this function automatically adds a jitter to
	 * avoid simultanous rekeying.
	 * 
	 * @param this			policy 
	 * @return				lifetime in seconds
	 */
	u_int32_t (*get_soft_lifetime) (policy_t *this);
	
	/**
	 * @brief Get the lifetime of a policy, before SA gets deleted.
	 * 
	 * @param this			policy
	 * @return				lifetime in seconds
	 */
	u_int32_t (*get_hard_lifetime) (policy_t *this);
	
	/**
	 * @brief Get the mode to use for the CHILD_SA, tunnel, transport or BEET.
	 * 
	 * @param this			policy
	 * @return				lifetime in seconds
	 */
	mode_t (*get_mode) (policy_t *this);
	
	/**
	 * @brief Get a virtual IP for the local or the remote host.
	 *
	 * By supplying NULL as IP, an IP for the local host is requested. It
	 * may be %any or specific. 
	 * By supplying %any as host, an IP from the pool is selected to be
	 * served to the peer.
	 * If a specified host is supplied, it is checked if this address
	 * is acceptable to serve to the peer. If so, it is returned. Otherwise,
	 * an alternative IP is returned.
	 * In any mode, this call may return NULL indicating virtual IP should
	 * not be used.
	 * 
	 * @param this			policy
	 * @param suggestion	NULL, %any or specific, see description
	 * @return				clone of an IP to use, or NULL
	 */
	host_t* (*get_virtual_ip) (policy_t *this, host_t *suggestion);
	
	/**
	 * @brief Get a new reference.
	 *
	 * Get a new reference to this policy by increasing
	 * it's internal reference counter.
	 * Do not call get_ref or any other function until you
	 * already have a reference. Otherwise the object may get
	 * destroyed while calling get_ref(),
	 * 
	 * @param this				calling object
	 */
	void (*get_ref) (policy_t *this);
	
	/**
	 * @brief Destroys the policy object.
	 *
	 * Decrements the internal reference counter and
	 * destroys the policy when it reaches zero.
	 * 
	 * @param this				calling object
	 */
	void (*destroy) (policy_t *this);
};

/**
 * @brief Create a configuration object for IKE_AUTH and later.
 * 
 * name-string gets cloned, ID's not.
 * Virtual IPs are used if they are != NULL. A %any host means the virtual
 * IP should be obtained from the other peer.
 * Lifetimes are in seconds. To prevent to peers to start rekeying at the
 * same time, a jitter may be specified. Rekeying of an SA starts at
 * (soft_lifetime - random(0, jitter)). After a successful rekeying, 
 * the hard_lifetime limit counter is reset. You should specify
 * hard_lifetime > soft_lifetime > jitter.
 * After a call to create, a reference is obtained (refcount = 1).
 * 
 * @param name				name of the policy
 * @param my_id 			identification_t for ourselves
 * @param other_id 			identification_t for the remote guy
 * @param my_virtual_ip		virtual IP for local host, or NULL
 * @param other_virtual_ip	virtual IP for remote host, or NULL
 * @param auth_method		Authentication method to use for our(!) auth data
 * @param eap_type			EAP type to use for peer authentication
 * @param hard_lifetime		lifetime before deleting an SA
 * @param soft_lifetime		lifetime before rekeying an SA
 * @param jitter			range of randomization time
 * @param updown			updown script to execute on up/down event
 * @param hostaccess		allow access to the host itself (used by the updown script)
 * @param mode				mode to propose for CHILD_SA, transport, tunnel or BEET
 * @param dpd_action		what to to with a CHILD_SA when other peer does not respond
 * @return 					policy_t object
 * 
 * @ingroup config
 */
policy_t *policy_create(char *name, 
						identification_t *my_id, identification_t *other_id,
						host_t *my_virtual_ip, host_t *other_virtual_ip,
						auth_method_t auth_method, eap_type_t eap_type,
						u_int32_t hard_lifetime, u_int32_t soft_lifetime,
						u_int32_t jitter, char *updown, bool hostaccess,
						mode_t mode, dpd_action_t dpd_action);

#endif /* POLICY_H_ */