1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
|
/*
* Copyright (C) 2008-2018 Tobias Brunner
* Copyright (C) 2016 Andreas Steffen
* Copyright (C) 2005-2007 Martin Willi
* Copyright (C) 2005 Jan Hutter
* HSR Hochschule fuer Technik Rapperswil
*
* This program is free software; you can redistribute it and/or modify it
* under the terms of the GNU General Public License as published by the
* Free Software Foundation; either version 2 of the License, or (at your
* option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
*
* This program is distributed in the hope that it will be useful, but
* WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
* or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
* for more details.
*/
/**
* @defgroup child_cfg child_cfg
* @{ @ingroup config
*/
#ifndef CHILD_CFG_H_
#define CHILD_CFG_H_
typedef enum action_t action_t;
typedef enum child_cfg_option_t child_cfg_option_t;
typedef struct child_cfg_t child_cfg_t;
typedef struct child_cfg_create_t child_cfg_create_t;
#include <library.h>
#include <selectors/traffic_selector.h>
#include <crypto/proposal/proposal.h>
#include <kernel/kernel_ipsec.h>
/**
* Action to take when connection is loaded, DPD is detected or
* connection gets closed by peer.
*/
enum action_t {
/** No action */
ACTION_NONE,
/** Route config to establish or reestablish on demand */
ACTION_ROUTE,
/** Start or restart config immediately */
ACTION_RESTART,
};
/**
* enum names for action_t.
*/
extern enum_name_t *action_names;
/**
* A child_cfg_t defines the config template for a CHILD_SA.
*
* After creation, proposals and traffic selectors may be added to the config.
* A child_cfg object is referenced multiple times, and is not thread save.
* Reading from the object is save, adding things is not allowed while other
* threads may access the object.
* A reference counter handles the number of references hold to this config.
*
* @see peer_cfg_t to get an overview over the configurations.
*/
struct child_cfg_t {
/**
* Get the name of the child_cfg.
*
* @return child_cfg's name
*/
char *(*get_name) (child_cfg_t *this);
/**
* Add a proposal to the list.
*
* The proposals are stored by priority, first added
* is the most preferred. It is safe to add NULL as proposal, which has no
* effect. After add, proposal is owned by child_cfg.
*
* @param proposal proposal to add, or NULL
*/
void (*add_proposal) (child_cfg_t *this, proposal_t *proposal);
/**
* Get the list of proposals for the CHILD_SA.
*
* Resulting list and all of its proposals must be freed after use.
*
* @param strip_dh TRUE strip out diffie hellman groups
* @return list of proposals
*/
linked_list_t* (*get_proposals)(child_cfg_t *this, bool strip_dh);
/**
* Select a proposal from a supplied list.
*
* Returned propsal is newly created and must be destroyed after usage.
*
* @param proposals list from which proposals are selected
* @param strip_dh TRUE strip out diffie hellman groups
* @param private accept algorithms from a private range
* @param prefer_self whether to prefer configured or supplied proposals
* @return selected proposal, or NULL if nothing matches
*/
proposal_t* (*select_proposal)(child_cfg_t*this, linked_list_t *proposals,
bool strip_dh, bool private,
bool prefer_self);
/**
* Add a traffic selector to the config.
*
* Use the "local" parameter to add it for the local or the remote side.
* After add, traffic selector is owned by child_cfg.
*
* @param local TRUE for local side, FALSE for remote
* @param ts traffic_selector to add
*/
void (*add_traffic_selector)(child_cfg_t *this, bool local,
traffic_selector_t *ts);
/**
* Get a list of traffic selectors to use for the CHILD_SA.
*
* The config contains two set of traffic selectors, one for the local
* side, one for the remote side.
* If a list with traffic selectors is supplied, these are used to narrow
* down the traffic selector list to the greatest common divisor.
* Some traffic selector may be "dymamic", meaning they are narrowed down
* to a specific address (host-to-host or virtual-IP setups). Use
* the "host" parameter to narrow such traffic selectors to that address.
* Resulted list and its traffic selectors must be destroyed after use.
*
* @param local TRUE for TS on local side, FALSE for remote
* @param supplied list with TS to select from, or NULL
* @param hosts addresses to use for narrowing "dynamic" TS', host_t
* @param log FALSE to avoid logging details about the selection
* @return list containing the traffic selectors
*/
linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local,
linked_list_t *supplied,
linked_list_t *hosts, bool log);
/**
* Get the updown script to run for the CHILD_SA.
*
* @return path to updown script
*/
char* (*get_updown)(child_cfg_t *this);
/**
* Get the lifetime configuration of a CHILD_SA.
*
* The rekey limits automatically contain a jitter to avoid simultaneous
* rekeying. These values will change with each call to this function.
*
* @param jitter subtract jitter value to randomize lifetimes
* @return lifetime_cfg_t (has to be freed)
*/
lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this, bool jitter);
/**
* Get the mode to use for the CHILD_SA.
*
* The mode is either tunnel, transport or BEET. The peer must agree
* on the method, fallback is tunnel mode.
*
* @return ipsec mode
*/
ipsec_mode_t (*get_mode) (child_cfg_t *this);
/**
* Action to take to start CHILD_SA.
*
* @return start action
*/
action_t (*get_start_action) (child_cfg_t *this);
/**
* Action to take on DPD.
*
* @return DPD action
*/
action_t (*get_dpd_action) (child_cfg_t *this);
/**
* Get the HW offload mode to use for the CHILD_SA.
*
* @return hw offload mode
*/
hw_offload_t (*get_hw_offload) (child_cfg_t *this);
/**
* Get the copy mode for the DS header field to use for the CHILD_SA.
*
* @return IP header copy mode
*/
dscp_copy_t (*get_copy_dscp) (child_cfg_t *this);
/**
* Action to take if CHILD_SA gets closed.
*
* @return close action
*/
action_t (*get_close_action) (child_cfg_t *this);
/**
* Get the DH group to use for CHILD_SA setup.
*
* @return dh group to use
*/
diffie_hellman_group_t (*get_dh_group)(child_cfg_t *this);
/**
* Get the inactivity timeout value.
*
* @return inactivity timeout in s
*/
uint32_t (*get_inactivity)(child_cfg_t *this);
/**
* Specific reqid to use for CHILD_SA.
*
* @return reqid
*/
uint32_t (*get_reqid)(child_cfg_t *this);
/**
* Optional mark to set on policies/SAs.
*
* @param inbound TRUE for inbound, FALSE for outbound
* @return mark
*/
mark_t (*get_mark)(child_cfg_t *this, bool inbound);
/**
* Optional mark the SAs should apply after processing packets.
*
* @param inbound TRUE for inbound, FALSE for outbound
* @return mark
*/
mark_t (*get_set_mark)(child_cfg_t *this, bool inbound);
/**
* Get the TFC padding value to use for CHILD_SA.
*
* @return TFC padding, 0 to disable, -1 for MTU
*/
uint32_t (*get_tfc)(child_cfg_t *this);
/**
* Get optional manually-set IPsec policy priority
*
* @return manually-set IPsec policy priority (automatic if 0)
*/
uint32_t (*get_manual_prio)(child_cfg_t *this);
/**
* Get optional network interface restricting IPsec policy
*
* @return network interface)
*/
char* (*get_interface)(child_cfg_t *this);
/**
* Get anti-replay window size
*
* @return anti-replay window size
*/
uint32_t (*get_replay_window)(child_cfg_t *this);
/**
* Set anti-replay window size
*
* @param window anti-replay window size
*/
void (*set_replay_window)(child_cfg_t *this, uint32_t window);
/**
* Check if an option flag is set.
*
* @param option option flag to check
* @return TRUE if option flag set, FALSE otherwise
*/
bool (*has_option)(child_cfg_t *this, child_cfg_option_t option);
/**
* Check if two child_cfg objects are equal.
*
* @param other candidate to check for equality against this
* @return TRUE if equal
*/
bool (*equals)(child_cfg_t *this, child_cfg_t *other);
/**
* Increase the reference count.
*
* @return reference to this
*/
child_cfg_t* (*get_ref) (child_cfg_t *this);
/**
* Destroys the child_cfg object.
*
* Decrements the internal reference counter and
* destroys the child_cfg when it reaches zero.
*/
void (*destroy) (child_cfg_t *this);
};
/**
* Option flags that may be set on a child_cfg_t object
*/
enum child_cfg_option_t {
/** Use IPsec transport proxy mode */
OPT_PROXY_MODE = (1<<0),
/** Use IPComp, if peer supports it */
OPT_IPCOMP = (1<<1),
/** Allow access to the local host */
OPT_HOSTACCESS = (1<<2),
/** Don't install any IPsec policies */
OPT_NO_POLICIES = (1<<3),
/** Install outbound FWD IPsec policies to bypass drop policies */
OPT_FWD_OUT_POLICIES = (1<<4),
/** Force 96-bit truncation for SHA-256 */
OPT_SHA256_96 = (1<<5),
/** Set mark on inbound SAs */
OPT_MARK_IN_SA = (1<<6),
/** Disable copying the DF bit to the outer IPv4 header in tunnel mode */
OPT_NO_COPY_DF = (1<<7),
/** Disable copying the ECN header field in tunnel mode */
OPT_NO_COPY_ECN = (1<<8),
};
/**
* Data passed to the constructor of a child_cfg_t object.
*/
struct child_cfg_create_t {
/** Options set for CHILD_SA */
child_cfg_option_t options;
/** Specific reqid to use for CHILD_SA, 0 for auto assignment */
uint32_t reqid;
/** Optional inbound mark */
mark_t mark_in;
/** Optional outbound mark */
mark_t mark_out;
/** Optional inbound mark the SA should apply to traffic */
mark_t set_mark_in;
/** Optional outbound mark the SA should apply to traffic */
mark_t set_mark_out;
/** Mode to propose for CHILD_SA */
ipsec_mode_t mode;
/** TFC padding size, 0 to disable, -1 to pad to PMTU */
uint32_t tfc;
/** Optional manually-set IPsec policy priority */
uint32_t priority;
/** Optional network interface restricting IPsec policy (cloned) */
char *interface;
/** lifetime_cfg_t for this child_cfg */
lifetime_cfg_t lifetime;
/** Inactivity timeout in s before closing a CHILD_SA */
uint32_t inactivity;
/** Start action */
action_t start_action;
/** DPD action */
action_t dpd_action;
/** Close action */
action_t close_action;
/** updown script to execute on up/down event (cloned) */
char *updown;
/** HW offload mode */
hw_offload_t hw_offload;
/** How to handle the DS header field in tunnel mode */
dscp_copy_t copy_dscp;
};
/**
* Create a configuration template for CHILD_SA setup.
*
* After a call to create, a reference is obtained (refcount = 1).
*
* @param name name of the child_cfg (cloned)
* @param data data for this child_cfg
* @return child_cfg_t object
*/
child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data);
#endif /** CHILD_CFG_H_ @}*/
|