fixed crash if crl fetching fails
1 /*
2 * Copyright (C) 2007 Tobias Brunner
3 * Copyright (C) 2005-2007 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 *
17 * $Id$
18 */
19
20 /**
21 * @defgroup peer_cfg peer_cfg
22 * @{ @ingroup config
23 */
24
25 #ifndef PEER_CFG_H_
26 #define PEER_CFG_H_
27
/* Forward typedefs, placed before the #includes below so that the names are
 * usable by the headers included here and by everything that follows.
 * NOTE(review): the enums/struct are only completed further down in this file;
 * code that needs the complete types must include this header, not just rely
 * on these names. */
typedef enum dpd_action_t dpd_action_t;
typedef enum cert_policy_t cert_policy_t;
typedef struct peer_cfg_t peer_cfg_t;
31
32 #include <library.h>
33 #include <utils/identification.h>
34 #include <utils/enumerator.h>
35 #include <config/traffic_selector.h>
36 #include <config/proposal.h>
37 #include <config/ike_cfg.h>
38 #include <config/child_cfg.h>
39 #include <sa/authenticators/authenticator.h>
40 #include <sa/authenticators/eap/eap_method.h>
41 #include <credentials/auth_info.h>
42
/**
 * Certificate sending policy.
 *
 * The same definition is also used to decide about certificate requests when
 * applied to the other peer: if the policy is CERT_NEVER_SEND, the CERTREQ is
 * omitted, otherwise it is included.
 *
 * @warning These definitions must be the same as in pluto/starter,
 * as they are sent over the stroke socket. The values are therefore fixed
 * explicitly and must not be renumbered or reordered.
 */
enum cert_policy_t {
	/** always send certificates, even when not requested */
	CERT_ALWAYS_SEND = 0,
	/** send certificate upon cert request */
	CERT_SEND_IF_ASKED = 1,
	/** never send a certificate, even when requested */
	CERT_NEVER_SEND = 2,
};
60
/**
 * Enum strings for cert_policy_t, for logging and diagnostics.
 *
 * Defined in the corresponding .c file (declared extern here).
 */
extern enum_name_t *cert_policy_names;
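/**
 * Actions to take when a peer does not respond (dead peer detected).
 *
 * These values are the same as in pluto/starter, so do not modify them!
 * Because that agreement is an external contract, every constant carries an
 * explicit value: inserting or reordering a member can then not silently
 * shift the numbering of the others.
 */
enum dpd_action_t {
	/** DPD disabled */
	DPD_NONE = 0,
	/** remove CHILD_SAs without replacement */
	DPD_CLEAR = 1,
	/** route the CHILD_SAs to resetup when needed */
	DPD_ROUTE = 2,
	/** restart CHILD_SAs in a new IKE_SA, immediately */
	DPD_RESTART = 3,
};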
81
/**
 * Enum names for dpd_action_t, for logging and diagnostics.
 *
 * Defined in the corresponding .c file (declared extern here).
 */
extern enum_name_t *dpd_action_names;
86
/**
 * Configuration of a peer, specified by IDs.
 *
 * The peer config defines a connection between two given IDs. It contains
 * exactly one ike_cfg_t, which is used for initiation. Additionally, it contains
 * multiple child_cfg_t defining which CHILD_SAs are allowed for this peer.
 * @verbatim

                           +-------------------+           +---------------+
   +---------------+       |     peer_cfg      |         +---------------+ |
   |    ike_cfg    |       +-------------------+         |   child_cfg   | |
   +---------------+       | - ids             |         +---------------+ |
   | - hosts       | 1   1 | - cas             | 1     n | - proposals   | |
   | - proposals   |<------| - auth info       |-------->| - traffic sel | |
   | - ...         |       | - dpd config      |         | - ...         |-+
   +---------------+       | - ...             |         +---------------+
                           +-------------------+
                                     ^
                                     |
                           +-------------------+
                           |     auth_info     |
                           +-------------------+
                           |     auth_items    |
                           +-------------------+
   @endverbatim
 * The auth_info_t object associated to the peer_cfg holds additional
 * authorization constraints. A peer who wants to use a config needs to fulfil
 * the requirements defined in auth_info.
 *
 * The object is reference counted: see get_ref() and destroy().
 */
struct peer_cfg_t {

	/**
	 * Get the name of the peer_cfg.
	 *
	 * The returned string is not cloned; it stays owned by the peer_cfg.
	 *
	 * @return			peer_cfg's name
	 */
	char* (*get_name) (peer_cfg_t *this);

	/**
	 * Get the IKE version to use for initiating.
	 *
	 * @return			IKE major version
	 */
	u_int (*get_ike_version)(peer_cfg_t *this);

	/**
	 * Get the IKE config to use for initiation.
	 *
	 * @return			the IKE config to use
	 */
	ike_cfg_t* (*get_ike_cfg) (peer_cfg_t *this);

	/**
	 * Attach a CHILD config.
	 *
	 * @param child_cfg	CHILD config to add
	 */
	void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg);

	/**
	 * Detach a CHILD config, pointed to by an enumerator.
	 *
	 * @param enumerator	enumerator indicating element position
	 */
	void (*remove_child_cfg)(peer_cfg_t *this, enumerator_t *enumerator);

	/**
	 * Create an enumerator for all attached CHILD configs.
	 *
	 * @return			an enumerator over all CHILD configs.
	 */
	enumerator_t* (*create_child_cfg_enumerator) (peer_cfg_t *this);

	/**
	 * Select a CHILD config from traffic selectors.
	 *
	 * @param my_ts		TS for local side
	 * @param other_ts	TS for remote side
	 * @param my_host	host to narrow down dynamic TS for local side
	 * @param other_host host to narrow down dynamic TS for remote side
	 * @return			selected CHILD config, or NULL if no match found
	 */
	child_cfg_t* (*select_child_cfg) (peer_cfg_t *this, linked_list_t *my_ts,
									  linked_list_t *other_ts, host_t *my_host,
									  host_t *other_host);

	/**
	 * Get the authentication constraint items.
	 *
	 * @return			auth_info object to manipulate requirements
	 */
	auth_info_t* (*get_auth)(peer_cfg_t *this);

	/**
	 * Get own ID.
	 *
	 * @return			own id
	 */
	identification_t* (*get_my_id)(peer_cfg_t *this);

	/**
	 * Get the peer's ID.
	 *
	 * @return			other id
	 */
	identification_t* (*get_other_id)(peer_cfg_t *this);

	/**
	 * Should a certificate be sent for this connection?
	 *
	 * @return			certificate sending policy
	 */
	cert_policy_t (*get_cert_policy) (peer_cfg_t *this);

	/**
	 * Get the authentication method to use to authenticate us.
	 *
	 * @return			authentication method
	 */
	auth_method_t (*get_auth_method) (peer_cfg_t *this);

	/**
	 * Get the EAP type to use for peer authentication.
	 *
	 * If vendor specific types are used, a vendor ID != 0 is returned in
	 * the vendor argument. The returned type is then specific to that
	 * vendor ID.
	 *
	 * @param vendor	receives vendor specifier, 0 for predefined EAP types
	 * @return			EAP type to use
	 */
	eap_type_t (*get_eap_type) (peer_cfg_t *this, u_int32_t *vendor);

	/**
	 * Get the max number of retries after timeout.
	 *
	 * @return			max number of retries
	 */
	u_int32_t (*get_keyingtries) (peer_cfg_t *this);

	/**
	 * Get a time to start rekeying (is randomized with jitter).
	 *
	 * @return			time in s when to start rekeying, 0 disables rekeying
	 */
	u_int32_t (*get_rekey_time)(peer_cfg_t *this);

	/**
	 * Get a time to start reauthentication (is randomized with jitter).
	 *
	 * @return			time in s when to start reauthentication, 0 disables it
	 */
	u_int32_t (*get_reauth_time)(peer_cfg_t *this);

	/**
	 * Get the timeout of a rekeying/reauthenticating SA.
	 *
	 * @return			timeout in s
	 */
	u_int32_t (*get_over_time)(peer_cfg_t *this);

	/**
	 * Use MOBIKE (RFC4555) if peer supports it?
	 *
	 * @return			TRUE to enable MOBIKE support
	 */
	bool (*use_mobike) (peer_cfg_t *this);

	/**
	 * Get the DPD check interval.
	 *
	 * @return			dpd_delay in seconds
	 */
	u_int32_t (*get_dpd_delay) (peer_cfg_t *this);

	/**
	 * What should be done with a CHILD_SA, when the other peer does not respond.
	 *
	 * @return			dpd action
	 */
	dpd_action_t (*get_dpd_action) (peer_cfg_t *this);

	/**
	 * Get a virtual IP for the local peer.
	 *
	 * If no virtual IP should be used, NULL is returned. %any means to request
	 * a virtual IP using configuration payloads. A specific address is also
	 * used for a request and may be changed by the server.
	 *
	 * @return			clone of an IP, %any or NULL
	 */
	host_t* (*get_my_virtual_ip) (peer_cfg_t *this);

	/**
	 * Get a virtual IP for the remote peer.
	 *
	 * An IP may be supplied, if one was requested by the initiator. However,
	 * the suggestion is no more than that: any address may be returned, even
	 * NULL to not use virtual IPs.
	 *
	 * @param suggestion	NULL, %any or specific
	 * @return			clone of an IP to use
	 */
	host_t* (*get_other_virtual_ip) (peer_cfg_t *this, host_t *suggestion);

#ifdef ME
	/**
	 * Is this a mediation connection?
	 *
	 * @return			TRUE, if this is a mediation connection
	 */
	bool (*is_mediation) (peer_cfg_t *this);

	/**
	 * Get peer_cfg of the connection this one is mediated through.
	 *
	 * NOTE(review): whether the returned peer_cfg carries a new reference
	 * (to be released with destroy()) is not stated here - confirm in peer_cfg.c.
	 *
	 * @return			reference to peer_cfg of the mediation connection
	 */
	peer_cfg_t* (*get_mediated_by) (peer_cfg_t *this);

	/**
	 * Get the id of the other peer at the mediation server.
	 *
	 * This is the leftid of the peer's connection with the mediation server.
	 *
	 * If it is not configured, it is assumed to be the same as the right id
	 * of this connection.
	 *
	 * @return			the id of the other peer
	 */
	identification_t* (*get_peer_id) (peer_cfg_t *this);
#endif /* ME */

	/**
	 * Check if two peer configurations are equal.
	 *
	 * This method does not compare associated ike/child_cfg.
	 * NOTE(review): the original return description mentioned ike_cfg as well,
	 * which contradicts the sentence above; confirm the exact comparison
	 * in peer_cfg.c.
	 *
	 * @param other		candidate to check for equality against this
	 * @return			TRUE if the peer configurations are equal
	 */
	bool (*equals)(peer_cfg_t *this, peer_cfg_t *other);

	/**
	 * Get a new reference.
	 *
	 * Get a new reference to this peer_cfg by increasing
	 * its internal reference counter.
	 * Do not call get_ref or any other function unless you
	 * already hold a reference. Otherwise the object may get
	 * destroyed while calling get_ref().
	 */
	void (*get_ref) (peer_cfg_t *this);

	/**
	 * Destroys the peer_cfg object.
	 *
	 * Decrements the internal reference counter and
	 * destroys the peer_cfg when it reaches zero.
	 */
	void (*destroy) (peer_cfg_t *this);
};
352
/**
 * Create a configuration object for IKE_AUTH and later.
 *
 * The name string gets cloned, the IDs do not (ownership of my_id/other_id
 * passes to the created object).
 * Virtual IPs are used if they are != NULL. A %any host means the virtual
 * IP should be obtained from the other peer.
 * Lifetimes are in seconds. To prevent two peers from starting rekeying at the
 * same time, a jitter may be specified. Rekeying of an SA starts at
 * (rekeylifetime - random(0, jitter)).
 *
 * The mediation related parameters (mediation, mediated_by, peer_id) are part
 * of the signature regardless of ME, while the matching methods of peer_cfg_t
 * exist only if ME is defined. NOTE(review): presumably they are ignored
 * without ME - confirm in peer_cfg.c.
 *
 * @param name				name of the peer_cfg
 * @param ikev_version		which IKE version we should use for this peer
 * @param ike_cfg			IKE config to use when acting as initiator
 * @param my_id				identification_t for ourselves
 * @param other_id			identification_t for the remote guy
 * @param cert_policy		should we send a certificate payload?
 * @param auth_method		auth method to use to authenticate us
 * @param eap_type			EAP type to use for peer authentication
 * @param eap_vendor		EAP vendor identifier, if vendor specific type is used
 * @param keyingtries		how many keying tries should be done before giving up
 * @param rekey_time		timeout before starting rekeying
 * @param reauth_time		timeout before starting reauthentication
 * @param jitter_time		timerange to randomly subtract from rekey/reauth time
 * @param over_time			maximum overtime before closing a rekeying/reauth SA
 * @param mobike			use MOBIKE (RFC4555) if peer supports it
 * @param dpd_delay			after how many seconds of inactivity to check DPD
 * @param dpd_action		what to do with CHILD_SAs when a dead peer is detected
 * @param my_virtual_ip		virtual IP for local host, or NULL
 * @param other_virtual_ip	virtual IP for remote host, or NULL
 * @param mediation			TRUE if this is a mediation connection
 * @param mediated_by		peer_cfg_t of the mediation connection to mediate through
 * @param peer_id			ID that identifies our peer at the mediation server
 * @return					peer_cfg_t object, release with destroy()
 */
peer_cfg_t *peer_cfg_create(char *name, u_int ikev_version, ike_cfg_t *ike_cfg,
							identification_t *my_id, identification_t *other_id,
							cert_policy_t cert_policy,
							auth_method_t auth_method, eap_type_t eap_type,
							u_int32_t eap_vendor,
							u_int32_t keyingtries, u_int32_t rekey_time,
							u_int32_t reauth_time, u_int32_t jitter_time,
							u_int32_t over_time, bool mobike,
							u_int32_t dpd_delay, dpd_action_t dpd_action,
							host_t *my_virtual_ip, host_t *other_virtual_ip,
							bool mediation, peer_cfg_t *mediated_by,
							identification_t *peer_id);
400
401 #endif /* PEER_CFG_H_ @} */