1 /**
2 * @file peer_cfg.h
3 *
4 * @brief Interface of peer_cfg_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005-2007 Martin Willi
10 * Copyright (C) 2005 Jan Hutter
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #ifndef PEER_CFG_H_
25 #define PEER_CFG_H_
26
/* Forward typedefs for the types declared in this header.
 * NOTE(review): they are placed before the includes below, presumably so that
 * the headers included from here can already refer to these names — confirm. */
typedef enum dpd_action_t dpd_action_t;
typedef enum cert_policy_t cert_policy_t;
typedef struct peer_cfg_t peer_cfg_t;
30
31 #include <library.h>
32 #include <utils/identification.h>
33 #include <config/traffic_selector.h>
34 #include <config/proposal.h>
35 #include <config/ike_cfg.h>
36 #include <config/child_cfg.h>
37 #include <sa/authenticators/authenticator.h>
38 #include <sa/authenticators/eap/eap_method.h>
39
/**
 * Certificate sending policy.
 *
 * The same definition is reused for the other peer, where it governs
 * certificate requests: with CERT_NEVER_SEND no certreq is sent at all,
 * with any other value the certreq is included.
 *
 * @ingroup config
 *
 * @warning The numeric values are part of the stroke socket protocol and
 * must stay identical to the definitions in pluto/starter.
 */
enum cert_policy_t {
	CERT_ALWAYS_SEND   = 0, /**< always send certificates, even when not requested */
	CERT_SEND_IF_ASKED = 1, /**< send a certificate only upon a cert request */
	CERT_NEVER_SEND    = 2, /**< never send a certificate, even when requested */
};
59
/**
 * Human-readable names for the cert_policy_t values.
 *
 * Defined once in peer_cfg.c; this header only declares it.
 *
 * @ingroup config
 */
extern enum_name_t *cert_policy_names;
66
/**
 * @brief Actions to take when a peer does not respond (dead peer detected).
 *
 * The values are spelled out explicitly because they are shared with
 * pluto/starter and must not be changed or reordered.
 *
 * @ingroup config
 */
enum dpd_action_t {
	DPD_NONE    = 0, /**< DPD disabled */
	DPD_CLEAR   = 1, /**< remove CHILD_SAs without replacement */
	DPD_ROUTE   = 2, /**< route the CHILD_SAs, to be set up again when needed */
	DPD_RESTART = 3, /**< restart CHILD_SAs in a new IKE_SA, immediately */
};
84
/**
 * Human-readable names for the dpd_action_t values.
 *
 * Defined once in peer_cfg.c; this header only declares it.
 *
 * @ingroup config
 */
extern enum_name_t *dpd_action_names;
89
/**
 * @brief Configuration of a peer, specified by IDs.
 *
 * The peer config defines a connection between two given IDs. It contains
 * exactly one ike_cfg_t, which is used for initiation. Additionally, it
 * contains multiple child_cfg_t defining which CHILD_SAs are allowed for
 * this peer.
 * @verbatim

                         +-------------------+           +---------------+
  +---------------+      |     peer_cfg      |         +---------------+ |
  |    ike_cfg    |      +-------------------+         |   child_cfg   | |
  +---------------+      | - ids             |         +---------------+ |
  | - hosts       | 1  1 | - cas             | 1     n | - proposals   | |
  | - proposals   |<-----| - auth info       |-------->| - traffic sel | |
  | - ...         |      | - dpd config      |         | - ...         |-+
  +---------------+      | - ...             |         +---------------+
                         +-------------------+
   @endverbatim
 *
 * The object is reference counted: get_ref() takes a reference and
 * destroy() releases one, freeing the object when the count reaches zero.
 *
 * @b Constructors:
 *  - peer_cfg_create()
 *
 * @ingroup config
 */
struct peer_cfg_t {

	/**
	 * @brief Get the name of the peer_cfg.
	 *
	 * The returned string is not cloned; it stays owned by the peer_cfg
	 * and must not be freed by the caller.
	 *
	 * @param this			calling object
	 * @return				peer_cfg's name
	 */
	char* (*get_name) (peer_cfg_t *this);

	/**
	 * @brief Get the IKE version to use for initiating.
	 *
	 * @param this			calling object
	 * @return				IKE major version
	 */
	u_int (*get_ike_version)(peer_cfg_t *this);

	/**
	 * @brief Get the IKE config to use for initiation.
	 *
	 * NOTE(review): ownership of the returned ike_cfg_t is not stated here;
	 * presumably it is not cloned — confirm in the implementation.
	 *
	 * @param this			calling object
	 * @return				the IKE config to use
	 */
	ike_cfg_t* (*get_ike_cfg) (peer_cfg_t *this);

	/**
	 * @brief Attach a CHILD config.
	 *
	 * NOTE(review): whether the peer_cfg takes ownership of child_cfg is
	 * not stated here — confirm in the implementation.
	 *
	 * @param this			calling object
	 * @param child_cfg		CHILD config to add
	 */
	void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg);

	/**
	 * @brief Create an iterator for all attached CHILD configs.
	 *
	 * NOTE(review): the caller presumably has to destroy the iterator
	 * once done — confirm.
	 *
	 * @param this			calling object
	 * @return				an iterator over all CHILD configs.
	 */
	iterator_t* (*create_child_cfg_iterator) (peer_cfg_t *this);

	/**
	 * @brief Select a CHILD config from traffic selectors.
	 *
	 * my_host/other_host are used to narrow down dynamic traffic selectors
	 * before matching. A NULL result means no attached CHILD config matches
	 * the proposed selectors; callers must handle that case.
	 *
	 * @param this			calling object
	 * @param my_ts			TS for local side
	 * @param other_ts		TS for remote side
	 * @param my_host		host to narrow down dynamic TS for local side
	 * @param other_host	host to narrow down dynamic TS for remote side
	 * @return				selected CHILD config, or NULL if no match found
	 */
	child_cfg_t* (*select_child_cfg) (peer_cfg_t *this, linked_list_t *my_ts,
                                      linked_list_t *other_ts, host_t *my_host,
                                      host_t *other_host);

	/**
	 * @brief Get own ID.
	 *
	 * @param this			calling object
	 * @return				own id
	 */
	identification_t* (*get_my_id)(peer_cfg_t *this);

	/**
	 * @brief Get the peer's ID.
	 *
	 * @param this			calling object
	 * @return				other id
	 */
	identification_t* (*get_other_id)(peer_cfg_t *this);

	/**
	 * @brief Get own CA.
	 *
	 * @param this			calling object
	 * @return				own ca
	 */
	identification_t* (*get_my_ca)(peer_cfg_t *this);

	/**
	 * @brief Get the peer's CA.
	 *
	 * @param this			calling object
	 * @return				other ca
	 */
	identification_t* (*get_other_ca)(peer_cfg_t *this);

	/**
	 * @brief Should a certificate be sent for this connection?
	 *
	 * See cert_policy_t: the same policy also decides whether a certreq
	 * is sent to the peer (omitted for CERT_NEVER_SEND).
	 *
	 * @param this			calling object
	 * @return				certificate sending policy
	 */
	cert_policy_t (*get_cert_policy) (peer_cfg_t *this);

	/**
	 * @brief Get the authentication method to use to authenticate us.
	 *
	 * @param this			calling object
	 * @return				authentication method
	 */
	auth_method_t (*get_auth_method) (peer_cfg_t *this);

	/**
	 * @brief Get the EAP type to use for peer authentication.
	 *
	 * @param this			calling object
	 * @return				EAP type
	 */
	eap_type_t (*get_eap_type) (peer_cfg_t *this);

	/**
	 * @brief Get the max number of retries after timeout.
	 *
	 * @param this			calling object
	 * @return				max number retries
	 */
	u_int32_t (*get_keyingtries) (peer_cfg_t *this);

	/**
	 * @brief Get the lifetime of an IKE_SA.
	 *
	 * If "rekey" is TRUE, the time after which the first rekeying should
	 * be started is returned; this value already contains a random jitter
	 * to avoid simultaneous rekeying by both peers. If "rekey" is FALSE,
	 * the hard lifetime after which the IKE_SA must be deleted is returned.
	 *
	 * @param this			calling object
	 * @param rekey			TRUE to get rekey time, FALSE for hard lifetime
	 * @return				lifetime in seconds
	 */
	u_int32_t (*get_lifetime) (peer_cfg_t *this, bool rekey);

	/**
	 * @brief Should a full reauthentication be done instead of rekeying?
	 *
	 * @param this			calling object
	 * @return				TRUE to use full reauthentication
	 */
	bool (*use_reauth) (peer_cfg_t *this);

	/**
	 * @brief Get the DPD check interval.
	 *
	 * @param this			calling object
	 * @return				dpd_delay in seconds
	 */
	u_int32_t (*get_dpd_delay) (peer_cfg_t *this);

	/**
	 * @brief What should be done with a CHILD_SA when the other peer does
	 * not respond.
	 *
	 * @param this			calling object
	 * @return				dpd action
	 */
	dpd_action_t (*get_dpd_action) (peer_cfg_t *this);

	/**
	 * @brief Get a virtual IP for the local or the remote host.
	 *
	 * By supplying NULL as IP, an IP for the local host is requested. It
	 * may be %any or specific.
	 * By supplying %any as host, an IP from the pool is selected to be
	 * served to the peer.
	 * If a specific host is supplied, it is checked whether this address
	 * is acceptable to serve to the peer. If so, it is returned. Otherwise,
	 * an alternative IP is returned.
	 * In any mode, this call may return NULL, indicating that a virtual IP
	 * should not be used.
	 *
	 * The returned host is a clone, so the caller is responsible for
	 * destroying it.
	 *
	 * @param this			peer_cfg
	 * @param suggestion	NULL, %any or specific, see description
	 * @return				clone of an IP to use, or NULL
	 */
	host_t* (*get_virtual_ip) (peer_cfg_t *this, host_t *suggestion);

	/**
	 * @brief Get a new reference.
	 *
	 * Get a new reference to this peer_cfg by increasing its internal
	 * reference counter.
	 * Do not call get_ref() or any other function unless you already hold
	 * a reference; otherwise the object may get destroyed while calling
	 * get_ref().
	 *
	 * @param this			calling object
	 */
	void (*get_ref) (peer_cfg_t *this);

	/**
	 * @brief Destroys the peer_cfg object.
	 *
	 * Decrements the internal reference counter and destroys the peer_cfg
	 * when it reaches zero.
	 *
	 * @param this			calling object
	 */
	void (*destroy) (peer_cfg_t *this);
};
317
/**
 * @brief Create a configuration object for IKE_AUTH and later.
 *
 * The name string gets cloned, the identification objects do not: the
 * peer_cfg keeps the pointers passed in for my_id/other_id/my_ca/other_ca.
 * Virtual IPs are used if they are != NULL. A %any host means the virtual
 * IP should be obtained from the other peer.
 * Lifetimes are in seconds. To prevent both peers from starting to rekey at
 * the same time, a jitter may be specified. Rekeying of an SA starts at
 * (rekeytime - random(0, jitter)).
 *
 * NOTE(review): the header does not state what happens if rekeytime is not
 * smaller than lifetime; confirm in the implementation.
 *
 * @param name				name of the peer_cfg
 * @param ikev_version		which IKE version we should use for this peer
 * @param ike_cfg			IKE config to use when acting as initiator
 * @param my_id				identification_t for ourselves
 * @param other_id			identification_t for the remote peer
 * @param my_ca				CA to use for us
 * @param other_ca			CA to use for other
 * @param cert_policy		should we send a certificate payload?
 * @param auth_method		auth method to use to authenticate us
 * @param eap_type			EAP type to use for peer authentication
 * @param keyingtries		how many keying tries should be done before giving up
 * @param lifetime			lifetime before deleting an SA
 * @param rekeytime			lifetime before rekeying an SA
 * @param jitter			range of random value to subtract from rekeytime
 * @param use_reauth		should reauthentication be done instead of rekeying?
 * @param dpd_delay			after how many seconds of inactivity to check DPD
 * @param dpd_action		what to do with CHILD_SAs when a dead peer is detected
 * @param my_virtual_ip		virtual IP for local host, or NULL
 * @param other_virtual_ip	virtual IP for remote host, or NULL
 * @return					peer_cfg_t object
 *
 * @ingroup config
 */
peer_cfg_t *peer_cfg_create(char *name, u_int ikev_version, ike_cfg_t *ike_cfg,
                            identification_t *my_id, identification_t *other_id,
                            identification_t *my_ca, identification_t *other_ca,
                            cert_policy_t cert_policy, auth_method_t auth_method,
                            eap_type_t eap_type, u_int32_t keyingtries,
                            u_int32_t lifetime, u_int32_t rekeytime,
                            u_int32_t jitter, bool use_reauth,
                            u_int32_t dpd_delay, dpd_action_t dpd_action,
                            host_t *my_virtual_ip, host_t *other_virtual_ip);
360
361 #endif /* PEER_CFG_H_ */