1 /**
2 * @file connection.h
3 *
4 * @brief Interface of connection_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005 Jan Hutter, Martin Willi
10 * Hochschule fuer Technik Rapperswil
11 *
12 * This program is free software; you can redistribute it and/or modify it
13 * under the terms of the GNU General Public License as published by the
14 * Free Software Foundation; either version 2 of the License, or (at your
15 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
16 *
17 * This program is distributed in the hope that it will be useful, but
18 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
19 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
20 * for more details.
21 */
22
23 #ifndef CONNECTION_H_
24 #define CONNECTION_H_
25
26 #include <types.h>
27 #include <utils/host.h>
28 #include <utils/linked_list.h>
29 #include <utils/identification.h>
30 #include <config/proposal.h>
31 #include <crypto/diffie_hellman.h>
32
33
typedef enum auth_method_t auth_method_t;

/**
 * AUTH Method to use.
 *
 * Selects how the local AUTH payload is computed. The enumerators carry
 * explicit values; they appear to be the IKEv2 Authentication Method
 * identifiers that go on the wire in the AUTH payload, so they must not be
 * renumbered (NOTE(review): confirm against the AUTH payload encoder, which
 * is not part of this header).
 *
 * @ingroup config
 */
enum auth_method_t {
	/**
	 * Computed as specified in section 2.15 of the IKEv2 RFC using
	 * an RSA private key over a PKCS#1 padded hash.
	 */
	RSA_DIGITAL_SIGNATURE = 1,

	/**
	 * Computed as specified in section 2.15 of the IKEv2 RFC using the
	 * shared key associated with the identity in the ID payload
	 * and the negotiated prf function.
	 *
	 * The shared key is selected by the identity the peer claims in its
	 * ID payload, which is not yet verified at that point; only a
	 * successful AUTH check binds the identity to the key holder.
	 */
	SHARED_KEY_MESSAGE_INTEGRITY_CODE = 2,

	/**
	 * Computed as specified in section 2.15 of the IKEv2 RFC using a
	 * DSS private key over a SHA-1 hash.
	 */
	DSS_DIGITAL_SIGNATURE = 3,
};
61
/**
 * String mappings for auth_method_t.
 *
 * Lookup table from auth_method_t values to their printable names
 * (mapping_t comes from the types header); the table itself is
 * defined outside this header.
 *
 * @ingroup config
 */
extern mapping_t auth_method_m[];
68
69
typedef enum cert_policy_t cert_policy_t;

/**
 * Certificate sending policy. This is also used for certificate
 * requests when using this definition for the other peer. If
 * it is CERT_NEVER_SEND, a certreq is omitted, otherwise it is
 * included.
 *
 * This enum only governs whether we SEND certificates and certificate
 * requests. It says nothing about whether a certificate received from the
 * peer is trusted; that decision is made elsewhere, not by this type.
 *
 * @ingroup config
 *
 * @warning These definitions must be the same as in pluto/starter,
 * as they are sent over the stroke socket. The numeric values are
 * therefore an ABI shared with another process: renumbering or
 * inserting an enumerator silently changes how the other side
 * interprets the policy. NOTE(review): the stroke receiver (not shown
 * here) should range-check the value before using it as a policy.
 */
enum cert_policy_t {
	/** always send certificates, even when not requested */
	CERT_ALWAYS_SEND = 0,
	/** send certificate upon cert request */
	CERT_SEND_IF_ASKED = 1,
	/** never send a certificate, even when requested */
	CERT_NEVER_SEND = 2,
};
91
/**
 * String mappings for cert_policy_t.
 *
 * Lookup table from cert_policy_t values to their printable names;
 * the table itself is defined outside this header.
 *
 * @ingroup config
 */
extern mapping_t cert_policy_m[];
98
99
typedef struct connection_t connection_t;

/**
 * @brief A connection_t defines the rules to set up an IKE_SA.
 *
 * A connection bundles the local and remote addresses, the IKE proposals
 * (algorithm sets), the DH group to start with, the local authentication
 * method and the certificate sending policies. It is a configuration
 * object: it holds what we are willing to negotiate, and the selection
 * methods below are what keep a peer's offer within those bounds.
 *
 * Ownership conventions used throughout: objects returned by the get_*
 * methods stay owned by the connection and must not be destroyed by the
 * caller; objects handed to update_* become owned by the connection.
 *
 * @b Constructors:
 * - connection_create()
 *
 * @ingroup config
 */
struct connection_t {

	/**
	 * @brief Get my address as host_t object.
	 *
	 * Object is NOT getting cloned. The returned host remains owned by
	 * the connection: do not destroy it, and do not keep the pointer
	 * across a call to update_my_host(), which destroys the old host.
	 *
	 * @param this calling object
	 * @return host information as host_t object
	 */
	host_t *(*get_my_host) (connection_t *this);

	/**
	 * @brief Get others address as host_t object.
	 *
	 * Object is NOT getting cloned. The returned host remains owned by
	 * the connection: do not destroy it, and do not keep the pointer
	 * across a call to update_other_host(), which destroys the old host.
	 *
	 * @param this calling object
	 * @return host information as host_t object
	 */
	host_t *(*get_other_host) (connection_t *this);

	/**
	 * @brief Update address of my host.
	 *
	 * It may be necessary to update own address, as it
	 * is set to the default route (0.0.0.0) in some cases.
	 * Old host is destroyed, new one NOT cloned: the connection takes
	 * ownership of my_host, and any pointer previously obtained from
	 * get_my_host() becomes dangling after this call.
	 *
	 * @param this calling object
	 * @param my_host new host to set as my_host
	 */
	void (*update_my_host) (connection_t *this, host_t *my_host);

	/**
	 * @brief Update address of remote host.
	 *
	 * It may be necessary to update remote address, as a
	 * connection may define %any (0.0.0.0) or a subnet.
	 * Old host is destroyed, new one NOT cloned: the connection takes
	 * ownership of other_host, and any pointer previously obtained from
	 * get_other_host() becomes dangling after this call.
	 *
	 * NOTE(review): when the configured address is %any or a subnet, the
	 * concrete peer address substituted here is learned at runtime; a
	 * packet's source address is not authenticated, so the updated address
	 * must not be taken as evidence of the peer's identity. Only the AUTH
	 * exchange establishes that.
	 *
	 * @param this calling object
	 * @param other_host new host to set as other_host
	 */
	void (*update_other_host) (connection_t *this, host_t *other_host);

	/**
	 * @brief Returns a list of all supported proposals.
	 *
	 * Returned list is still owned by connection and MUST NOT be
	 * modified or destroyed.
	 *
	 * @param this calling object
	 * @return list containing all the proposals
	 */
	linked_list_t *(*get_proposals) (connection_t *this);

	/**
	 * @brief Adds a proposal to the list.
	 *
	 * The first added proposal has the highest priority, the last
	 * added the lowest.
	 *
	 * NOTE(review): this header does not state whether the connection
	 * takes ownership of proposal; confirm against the implementation
	 * before destroying it on the caller side.
	 *
	 * @param this calling object
	 * @param proposal proposal to add
	 */
	void (*add_proposal) (connection_t *this, proposal_t *proposal);

	/**
	 * @brief Select a proposal from suggested proposals.
	 *
	 * The candidate list is matched against this connection's own
	 * proposals, so the result is always something we configured,
	 * regardless of what the peer offered. Returned proposal must be
	 * destroyed after usage. A NULL result means no offered proposal is
	 * acceptable and the caller must treat the negotiation as failed
	 * rather than fall back to the peer's choice.
	 *
	 * @param this calling object
	 * @param proposals list of proposals to select from
	 * @return selected proposal, or NULL if none matches.
	 */
	proposal_t *(*select_proposal) (connection_t *this, linked_list_t *proposals);

	/**
	 * @brief Get the authentication method to use
	 *
	 * This is the method used to build OUR AUTH payload (see the
	 * auth_method parameter of connection_create()). It does not
	 * constrain how the peer authenticates itself.
	 *
	 * @param this calling object
	 * @return authentication method
	 */
	auth_method_t (*get_auth_method) (connection_t *this);

	/**
	 * @brief Get the connection name.
	 *
	 * Name must not be freed, since it points to
	 * internal data.
	 *
	 * @param this calling object
	 * @return name of the connection
	 */
	char* (*get_name) (connection_t *this);

	/**
	 * @brief Check if the connection is marked as an IKEv2 connection.
	 *
	 * Since all connections (IKEv1+2) are loaded, but charon handles
	 * only those marked with IKEv2, this flag can tell us if we must
	 * ignore a connection on initiation. Then pluto will do it for us.
	 *
	 * @param this calling object
	 * @return - TRUE, if this is an IKEv2 connection
	 */
	bool (*is_ikev2) (connection_t *this);

	/**
	 * @brief Should a certificate request be sent for this connection?
	 *
	 * A certificate request identifies our trusted CA certificates.
	 * This policy says if such a request is sent on connection setup to
	 * the peer. It should be omitted when CERT_NEVER_SEND, sent otherwise.
	 *
	 * NOTE(review): the original text said the request contains the CAs'
	 * "serials"; IKEv2 CERTREQ carries hashes of the trusted CA
	 * certificates' public keys, so confirm the wording against the
	 * CERTREQ encoder.
	 *
	 * @param this calling object
	 * @return certificate request sending policy (a cert_policy_t,
	 *         not a boolean)
	 */
	cert_policy_t (*get_cert_req_policy) (connection_t *this);

	/**
	 * @brief Should a certificate be sent for this connection?
	 *
	 * Return the policy used to send the certificate.
	 *
	 * @param this calling object
	 * @return certificate sending policy
	 */
	cert_policy_t (*get_cert_policy) (connection_t *this);

	/**
	 * @brief Get the DH group to use for connection initialization.
	 *
	 * This is the group we guess for the KE payload of IKE_SA_INIT;
	 * see check_dh_group() for what happens when the guess is wrong.
	 *
	 * @param this calling object
	 * @return dh group to use for initialization
	 */
	diffie_hellman_group_t (*get_dh_group) (connection_t *this);

	/**
	 * @brief Check if a suggested dh group is acceptable.
	 *
	 * If we guess a wrong DH group for IKE_SA_INIT, the other
	 * peer will send us an offer. But is this acceptable for us?
	 *
	 * The peer's suggestion is untrusted input: a group must only be
	 * accepted if it is one this connection is configured for, never
	 * merely because the peer asked for it. Otherwise a peer (or an
	 * on-path attacker) could steer the exchange to a weaker group.
	 *
	 * @param this calling object
	 * @param dh_group group suggested by the peer
	 * @return TRUE if group acceptable
	 */
	bool (*check_dh_group) (connection_t *this, diffie_hellman_group_t dh_group);

	/**
	 * @brief Clone a connection_t object.
	 *
	 * The caller owns the returned clone and releases it with destroy().
	 * NOTE(review): whether the hosts and proposals are deep-copied is
	 * not stated here; confirm in the implementation before sharing
	 * sub-objects between the original and the clone.
	 *
	 * @param this connection to clone
	 * @return clone of it
	 */
	connection_t *(*clone) (connection_t *this);

	/**
	 * @brief Destroys a connection_t object.
	 *
	 * Presumably also destroys the resources the connection owns, such
	 * as the hosts handed over in connection_create() and update_*_host();
	 * pointers obtained from the get_* methods are invalid afterwards.
	 *
	 * @param this calling object
	 */
	void (*destroy) (connection_t *this);
};
277
/**
 * @brief Creates a connection_t object.
 *
 * Supplied hosts become owned by connection, so
 * do not modify or destroy them after a call to
 * connection_create(). Name gets cloned internally, so the
 * caller keeps ownership of name.
 *
 * The proposal list starts empty; use add_proposal() to populate it
 * before the connection is used for negotiation.
 *
 * @param name connection identifier (cloned)
 * @param ikev2 TRUE if this is an IKEv2 connection
 * @param cert_pol certificate send policy
 * @param req_pol certificate request send policy
 * @param my_host host_t representing local address (ownership transferred)
 * @param other_host host_t representing remote address (ownership transferred)
 * @param auth_method Authentication method to use for our(!) auth data;
 *                    it does not restrict how the peer authenticates
 * @return connection_t object.
 *
 * @ingroup config
 */
connection_t * connection_create(char *name, bool ikev2,
								 cert_policy_t cert_pol, cert_policy_t req_pol,
								 host_t *my_host, host_t *other_host,
								 auth_method_t auth_method);
300
301 #endif /* CONNECTION_H_ */