projects / strongswan.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Handling of new lifetime limits added to stroke.
[strongswan.git] / src / charon / config / child_cfg.h
1 /*
2 * Copyright (C) 2008-2009 Tobias Brunner
3 * Copyright (C) 2005-2007 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 /**
19 * @defgroup child_cfg child_cfg
20 * @{ @ingroup config
21 */
22
23 #ifndef CHILD_CFG_H_
24 #define CHILD_CFG_H_
25
26 typedef enum action_t action_t;
27 typedef enum ipcomp_transform_t ipcomp_transform_t;
28 typedef struct lifetime_cfg_t lifetime_cfg_t;
29 typedef struct child_cfg_t child_cfg_t;
30
31 #include <library.h>
32 #include <config/proposal.h>
33 #include <config/traffic_selector.h>
34 #include <kernel/kernel_ipsec.h>
35
36 /**
37 * Action to take when DPD detected/connection gets closed by peer.
38 */
39 enum action_t {
40 /** No action */
41 ACTION_NONE,
42 /** Route config to reestablish on demand */
43 ACTION_ROUTE,
44 /** Restart config immediately */
45 ACTION_RESTART,
46 };
47
48 /**
49 * enum names for action_t.
50 */
51 extern enum_name_t *action_names;
52
53 /**
54 * IPComp transform IDs, as in RFC 4306
55 */
56 enum ipcomp_transform_t {
57 IPCOMP_NONE = 241,
58 IPCOMP_OUI = 1,
59 IPCOMP_DEFLATE = 2,
60 IPCOMP_LZS = 3,
61 IPCOMP_LZJH = 4,
62 };
63
64 /**
65 * enum strings for ipcomp_transform_t.
66 */
67 extern enum_name_t *ipcomp_transform_names;
68
69 /**
70 * A lifetime_cfg_t defines the lifetime limits of a CHILD_SA.
71 *
72 * Set any of these values to 0 to ignore.
73 */
74 struct lifetime_cfg_t {
75 /** Time in seconds before the CHILD_SA gets invalid. */
76 u_int64_t life_time;
77 /** Number of bytes transmitted before the CHILD_SA gets invalid. */
78 u_int64_t life_bytes;
79 /** Number of packets transmitted before the CHILD_SA gets invalid. */
80 u_int64_t life_packets;
81 /** Time in seconds before the CHILD_SA gets rekeyed. */
82 u_int64_t rekey_time;
83 /** Number of bytes transmitted before the CHILD_SA gets rekeyed. */
84 u_int64_t rekey_bytes;
85 /** Number of packets transmitted before the CHILD_SA gets rekeyed. */
86 u_int64_t rekey_packets;
87 /** The range of a random value subtracted from rekey_time */
88 u_int64_t jitter_time;
89 /** The range of a random value subtracted from rekey_bytes */
90 u_int64_t jitter_bytes;
91 /** The range of a random value subtracted from rekey_packets */
92 u_int64_t jitter_packets;
93 };
94
95 /**
96 * Helper macro to easily set all three values of a specified limit (time,
97 * bytes, packets).
98 */
99 #define LIFETIME_CFG_SET(l, limit, life, rekey, jitter) do { \
100 (l)->life_##limit = (life); \
101 (l)->rekey_##limit = (rekey); \
102 (l)->jitter_##limit = (jitter); \
103 } while(0)
104
105 /**
106 * Create a new lifetime_cfg_t object.
107 */
108 static inline lifetime_cfg_t* lifetime_cfg_create() {
109 lifetime_cfg_t *this = malloc_thing(lifetime_cfg_t);
110 memset(this, 0, sizeof(lifetime_cfg_t));
111 return this;
112 }
113
114 /**
115 * Special constructor for the (currently) most common case.
116 */
117 static inline lifetime_cfg_t* lifetime_cfg_create_time(u_int64_t life,
118 u_int64_t rekey, u_int64_t jitter)
119 {
120 lifetime_cfg_t *this = lifetime_cfg_create();
121 LIFETIME_CFG_SET(this, time, life, rekey, jitter);
122 return this;
123 }
124
125 /**
126 * A child_cfg_t defines the config template for a CHILD_SA.
127 *
128 * After creation, proposals and traffic selectors may be added to the config.
129 * A child_cfg object is referenced multiple times, and is not thread save.
130 * Reading from the object is save, adding things is not allowed while other
131 * threads may access the object.
132 * A reference counter handles the number of references hold to this config.
133 *
134 * @see peer_cfg_t to get an overview over the configurations.
135 */
136 struct child_cfg_t {
137
138 /**
139 * Get the name of the child_cfg.
140 *
141 * @return child_cfg's name
142 */
143 char *(*get_name) (child_cfg_t *this);
144
145 /**
146 * Add a proposal to the list.
147 *
148 * The proposals are stored by priority, first added
149 * is the most prefered.
150 * After add, proposal is owned by child_cfg.
151 *
152 * @param proposal proposal to add
153 */
154 void (*add_proposal) (child_cfg_t *this, proposal_t *proposal);
155
156 /**
157 * Get the list of proposals for the CHILD_SA.
158 *
159 * Resulting list and all of its proposals must be freed after use.
160 *
161 * @param strip_dh TRUE strip out diffie hellman groups
162 * @return list of proposals
163 */
164 linked_list_t* (*get_proposals)(child_cfg_t *this, bool strip_dh);
165
166 /**
167 * Select a proposal from a supplied list.
168 *
169 * Returned propsal is newly created and must be destroyed after usage.
170 *
171 * @param proposals list from from wich proposals are selected
172 * @param strip_dh TRUE strip out diffie hellman groups
173 * @return selected proposal, or NULL if nothing matches
174 */
175 proposal_t* (*select_proposal)(child_cfg_t*this, linked_list_t *proposals,
176 bool strip_dh);
177
178 /**
179 * Add a traffic selector to the config.
180 *
181 * Use the "local" parameter to add it for the local or the remote side.
182 * After add, traffic selector is owned by child_cfg.
183 *
184 * @param local TRUE for local side, FALSE for remote
185 * @param ts traffic_selector to add
186 */
187 void (*add_traffic_selector)(child_cfg_t *this, bool local,
188 traffic_selector_t *ts);
189
190 /**
191 * Get a list of traffic selectors to use for the CHILD_SA.
192 *
193 * The config contains two set of traffic selectors, one for the local
194 * side, one for the remote side.
195 * If a list with traffic selectors is supplied, these are used to narrow
196 * down the traffic selector list to the greatest common divisor.
197 * Some traffic selector may be "dymamic", meaning they are narrowed down
198 * to a specific address (host-to-host or virtual-IP setups). Use
199 * the "host" parameter to narrow such traffic selectors to that address.
200 * Resulted list and its traffic selectors must be destroyed after use.
201 *
202 * @param local TRUE for TS on local side, FALSE for remote
203 * @param supplied list with TS to select from, or NULL
204 * @param host address to use for narrowing "dynamic" TS', or NULL
205 * @return list containing the traffic selectors
206 */
207 linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local,
208 linked_list_t *supplied,
209 host_t *host);
210 /**
211 * Get the updown script to run for the CHILD_SA.
212 *
213 * @return path to updown script
214 */
215 char* (*get_updown)(child_cfg_t *this);
216
217 /**
218 * Should we allow access to the local host (gateway)?
219 *
220 * @return value of hostaccess flag
221 */
222 bool (*get_hostaccess) (child_cfg_t *this);
223
224 /**
225 * Get the lifetime configuration of a CHILD_SA.
226 *
227 * The rekey limits automatically contain a jitter to avoid simultaneous
228 * rekeying. These values will change with each call to this function.
229 *
230 * @return lifetime_cfg_t (has to be freed)
231 */
232 lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this);
233
234 /**
235 * Get the mode to use for the CHILD_SA.
236 *
237 * The mode is either tunnel, transport or BEET. The peer must agree
238 * on the method, fallback is tunnel mode.
239 *
240 * @return ipsec mode
241 */
242 ipsec_mode_t (*get_mode) (child_cfg_t *this);
243
244 /**
245 * Action to take on DPD.
246 *
247 * @return DPD action
248 */
249 action_t (*get_dpd_action) (child_cfg_t *this);
250
251 /**
252 * Action to take if CHILD_SA gets closed.
253 *
254 * @return close action
255 */
256 action_t (*get_close_action) (child_cfg_t *this);
257
258 /**
259 * Get the DH group to use for CHILD_SA setup.
260 *
261 * @return dh group to use
262 */
263 diffie_hellman_group_t (*get_dh_group)(child_cfg_t *this);
264
265 /**
266 * Check whether IPComp should be used, if the other peer supports it.
267 *
268 * @return TRUE, if IPComp should be used
269 * FALSE, otherwise
270 */
271 bool (*use_ipcomp)(child_cfg_t *this);
272
273 /**
274 * Sets two options needed for Mobile IPv6 interoperability
275 *
276 * @param proxy_mode use IPsec transport proxy mode (default FALSE)
277 * @param install_policy install IPsec kernel policies (default TRUE)
278 */
279 void (*set_mipv6_options)(child_cfg_t *this, bool proxy_mode,
280 bool install_policy);
281
282 /**
283 * Check whether IPsec transport SA should be set up in proxy mode
284 *
285 * @return TRUE, if proxy mode should be used
286 * FALSE, otherwise
287 */
288 bool (*use_proxy_mode)(child_cfg_t *this);
289
290 /**
291 * Check whether IPsec policies should be installed in the kernel
292 *
293 * @return TRUE, if IPsec kernel policies should be installed
294 * FALSE, otherwise
295 */
296 bool (*install_policy)(child_cfg_t *this);
297
298 /**
299 * Increase the reference count.
300 *
301 * @return reference to this
302 */
303 child_cfg_t* (*get_ref) (child_cfg_t *this);
304
305 /**
306 * Destroys the child_cfg object.
307 *
308 * Decrements the internal reference counter and
309 * destroys the child_cfg when it reaches zero.
310 */
311 void (*destroy) (child_cfg_t *this);
312 };
313
314 /**
315 * Create a configuration template for CHILD_SA setup.
316 *
317 * The "name" string gets cloned.
318 *
319 * The lifetime_cfg_t object gets adopted by this config.
320 * To prevent two peers to start rekeying at the same time, a jitter may be
321 * specified. Rekeying of an SA starts at (rekey_xxx - random(0, jitter_xxx)).
322 *
323 * After a call to create, a reference is obtained (refcount = 1).
324 *
325 * @param name name of the child_cfg
326 * @param lifetime lifetime_cfg_t for this child_cfg
327 * @param updown updown script to execute on up/down event
328 * @param hostaccess TRUE to allow access to the local host
329 * @param mode mode to propose for CHILD_SA, transport, tunnel or BEET
330 * @param dpd_action DPD action
331 * @param close_action close action
332 * @param ipcomp use IPComp, if peer supports it
333 * @return child_cfg_t object
334 */
335 child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
336 char *updown, bool hostaccess,
337 ipsec_mode_t mode, action_t dpd_action,
338 action_t close_action, bool ipcomp);
339
340 #endif /** CHILD_CFG_H_ @}*/
strongSwan - IPsec VPN