a040434c1d6521717c902f02195a29411bdf2e81
[strongswan.git] / src / charon / config / policies / policy.h
1 /**
2 * @file policy.h
3 *
4 * @brief Interface of policy_t.
5 *
6 */
7
8 /*
9 * Copyright (C) 2005-2006 Martin Willi
10 * Copyright (C) 2005 Jan Hutter
11 * Hochschule fuer Technik Rapperswil
12 *
13 * This program is free software; you can redistribute it and/or modify it
14 * under the terms of the GNU General Public License as published by the
15 * Free Software Foundation; either version 2 of the License, or (at your
16 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
17 *
18 * This program is distributed in the hope that it will be useful, but
19 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
20 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
21 * for more details.
22 */
23
24 #ifndef POLICY_H_
25 #define POLICY_H_
26
27 typedef enum dpd_action_t dpd_action_t;
28 typedef struct policy_t policy_t;
29
30 #include <library.h>
31 #include <utils/identification.h>
32 #include <config/traffic_selector.h>
33 #include <config/proposal.h>
34 #include <sa/authenticators/authenticator.h>
35
36
37 /**
38 * @brief Actions to take when a peer does not respond (dead peer detected).
39 *
40 * These values are the same as in pluto/starter, so do not modify them!
41 *
42 * @ingroup config
43 */
44 enum dpd_action_t {
45 /** DPD disabled */
46 DPD_NONE,
47 /** remove CHILD_SA without replacement */
48 DPD_CLEAR,
49 /** route the CHILD_SA to resetup when needed */
50 DPD_ROUTE,
51 /** restart CHILD_SA in a new IKE_SA, immediately */
52 DPD_RESTART,
53 };
54
55 /**
56 * enum names for dpd_action_t.
57 */
58 extern enum_name_t *dpd_action_names;
59
60 /**
61 * @brief A policy_t defines the policies to apply to CHILD_SAs.
62 *
63 * The given two IDs identify a policy. These rules define how
64 * child SAs may be set up and which traffic may be IPsec'ed.
65 *
66 * @b Constructors:
67 * - policy_create()
68 *
69 * @ingroup config
70 */
71 struct policy_t {
72
73 /**
74 * @brief Get the name of the policy.
75 *
76 * Returned object is not getting cloned.
77 *
78 * @param this calling object
79 * @return policy's name
80 */
81 char *(*get_name) (policy_t *this);
82
83 /**
84 * @brief Get own id.
85 *
86 * Returned object is not getting cloned.
87 *
88 * @param this calling object
89 * @return own id
90 */
91 identification_t *(*get_my_id) (policy_t *this);
92
93 /**
94 * @brief Get peer id.
95 *
96 * Returned object is not getting cloned.
97 *
98 * @param this calling object
99 * @return other id
100 */
101 identification_t *(*get_other_id) (policy_t *this);
102
103 /**
104 * @brief Get own ca.
105 *
106 * Returned object is not getting cloned.
107 *
108 * @param this calling object
109 * @return own ca
110 */
111 identification_t *(*get_my_ca) (policy_t *this);
112
113 /**
114 * @brief Get peer ca.
115 *
116 * Returned object is not getting cloned.
117 *
118 * @param this calling object
119 * @return other ca
120 */
121 identification_t *(*get_other_ca) (policy_t *this);
122
123 /**
124 * @brief Get the authentication method to use.
125 *
126 * @param this calling object
127 * @return authentication method
128 */
129 auth_method_t (*get_auth_method) (policy_t *this);
130
131 /**
132 * @brief Get configured traffic selectors for our site.
133 *
134 * Returns a list with all traffic selectors for the local
135 * site. List and items must be destroyed after usage.
136 *
137 * @param this calling object
138 * @return list with traffic selectors
139 */
140 linked_list_t *(*get_my_traffic_selectors) (policy_t *this, host_t *me);
141
142 /**
143 * @brief Get configured traffic selectors for others site.
144 *
145 * Returns a list with all traffic selectors for the remote
146 * site. List and items must be destroyed after usage.
147 *
148 * @param this calling object
149 * @return list with traffic selectors
150 */
151 linked_list_t *(*get_other_traffic_selectors) (policy_t *this, host_t* other);
152
153 /**
154 * @brief Select traffic selectors from a supplied list for local site.
155 *
156 * Resulted list and traffic selectors must be destroyed after usage.
157 * As the traffic selectors may contain a wildcard address (0.0.0.0) for
158 * addresses we don't know in previous, an address may be supplied to
159 * replace these 0.0.0.0 addresses on-the-fly.
160 *
161 * @param this calling object
162 * @param supplied linked list with traffic selectors
163 * @param me host address used by us
164 * @return list containing the selected traffic selectors
165 */
166 linked_list_t *(*select_my_traffic_selectors) (policy_t *this,
167 linked_list_t *supplied,
168 host_t *me);
169
170 /**
171 * @brief Select traffic selectors from a supplied list for remote site.
172 *
173 * Resulted list and traffic selectors must be destroyed after usage.
174 * As the traffic selectors may contain a wildcard address (0.0.0.0) for
175 * addresses we don't know in previous, an address may be supplied to
176 * replace these 0.0.0.0 addresses on-the-fly.
177 *
178 * @param this calling object
179 * @param supplied linked list with traffic selectors
180 * @return list containing the selected traffic selectors
181 */
182 linked_list_t *(*select_other_traffic_selectors) (policy_t *this,
183 linked_list_t *supplied,
184 host_t *other);
185
186 /**
187 * @brief Get the list of internally stored proposals.
188 *
189 * policy_t does store proposals for AH/ESP, IKE proposals are in
190 * the connection_t.
191 * Resulting list and all of its proposals must be freed after usage.
192 *
193 * @param this calling object
194 * @return lists with proposals
195 */
196 linked_list_t *(*get_proposals) (policy_t *this);
197
198 /**
199 * @brief Select a proposal from a supplied list.
200 *
201 * Returned propsal is newly created and must be destroyed after usage.
202 *
203 * @param this calling object
204 * @param proposals list from from wich proposals are selected
205 * @return selected proposal, or NULL if nothing matches
206 */
207 proposal_t *(*select_proposal) (policy_t *this, linked_list_t *proposals);
208
209 /**
210 * @brief Add a traffic selector to the list for local site.
211 *
212 * After add, traffic selector is owned by policy.
213 *
214 * @param this calling object
215 * @param traffic_selector traffic_selector to add
216 */
217 void (*add_my_traffic_selector) (policy_t *this, traffic_selector_t *traffic_selector);
218
219 /**
220 * @brief Add a traffic selector to the list for remote site.
221 *
222 * After add, traffic selector is owned by policy.
223 *
224 * @param this calling object
225 * @param traffic_selector traffic_selector to add
226 */
227 void (*add_other_traffic_selector) (policy_t *this, traffic_selector_t *traffic_selector);
228
229 /**
230 * @brief Add a proposal to the list.
231 *
232 * The proposals are stored by priority, first added
233 * is the most prefered.
234 * After add, proposal is owned by policy.
235 *
236 * @param this calling object
237 * @param proposal proposal to add
238 */
239 void (*add_proposal) (policy_t *this, proposal_t *proposal);
240
241 /**
242 * @brief Add certification authorities.
243 *
244 * @param this calling object
245 * @param my_ca issuer of my certificate
246 * @param other_ca required issuer of the peer's certificate
247 */
248 void (*add_authorities) (policy_t *this, identification_t *my_ca, identification_t *other_ca);
249
250 /**
251 * @brief Get updown script
252 *
253 * @param this calling object
254 * @return path to updown script
255 */
256 char* (*get_updown) (policy_t *this);
257
258 /**
259 * @brief Get hostaccess flag
260 *
261 * @param this calling object
262 * @return value of hostaccess flag
263 */
264 bool (*get_hostaccess) (policy_t *this);
265
266 /**
267 * @brief What should be done with a CHILD_SA, when other peer does not respond.
268 *
269 * @param this calling object
270 * @return dpd action
271 */
272 dpd_action_t (*get_dpd_action) (policy_t *this);
273
274 /**
275 * @brief Get the lifetime of a policy, before rekeying starts.
276 *
277 * A call to this function automatically adds a jitter to
278 * avoid simultanous rekeying.
279 *
280 * @param this policy
281 * @return lifetime in seconds
282 */
283 u_int32_t (*get_soft_lifetime) (policy_t *this);
284
285 /**
286 * @brief Get the lifetime of a policy, before SA gets deleted.
287 *
288 * @param this policy
289 * @return lifetime in seconds
290 */
291 u_int32_t (*get_hard_lifetime) (policy_t *this);
292
293 /**
294 * @brief Get a new reference.
295 *
296 * Get a new reference to this policy by increasing
297 * it's internal reference counter.
298 * Do not call get_ref or any other function until you
299 * already have a reference. Otherwise the object may get
300 * destroyed while calling get_ref(),
301 *
302 * @param this calling object
303 */
304 void (*get_ref) (policy_t *this);
305
306 /**
307 * @brief Destroys the policy object.
308 *
309 * Decrements the internal reference counter and
310 * destroys the policy when it reaches zero.
311 *
312 * @param this calling object
313 */
314 void (*destroy) (policy_t *this);
315 };
316
317 /**
318 * @brief Create a configuration object for IKE_AUTH and later.
319 *
320 * name-string gets cloned, ID's not.
321 * Lifetimes are in seconds. To prevent to peers to start rekeying at the
322 * same time, a jitter may be specified. Rekeying of an SA starts at
323 * (soft_lifetime - random(0, jitter)). After a successful rekeying,
324 * the hard_lifetime limit counter is reset. You should specify
325 * hard_lifetime > soft_lifetime > jitter.
326 * After a call to create, a reference is obtained (refcount = 1).
327 *
328 * @param name name of the policy
329 * @param my_id identification_t for ourselves
330 * @param other_id identification_t for the remote guy
331 * @param auth_method Authentication method to use for our(!) auth data
332 * @param hard_lifetime lifetime before deleting an SA
333 * @param soft_lifetime lifetime before rekeying an SA
334 * @param jitter range of randomization time
335 * @param updown updown script to execute on up/down event
336 * @param hostaccess allow access to the host itself (used by the updown script)
337 * @param dpd_action what to to with a CHILD_SA when other peer does not respond
338 * @return policy_t object
339 *
340 * @ingroup config
341 */
342 policy_t *policy_create(char *name,
343 identification_t *my_id, identification_t *other_id,
344 auth_method_t auth_method,
345 u_int32_t hard_lifetime, u_int32_t soft_lifetime,
346 u_int32_t jitter,
347 char *updown, bool hostaccess,
348 dpd_action_t dpd_action);
349
350 #endif /* POLICY_H_ */