2b41a0cc4ef19bb67942b7745f5d327be2cb73d9
[strongswan.git] / src / libcharon / config / child_cfg.h
1 /*
2 * Copyright (C) 2008-2017 Tobias Brunner
3 * Copyright (C) 2016 Andreas Steffen
4 * Copyright (C) 2005-2007 Martin Willi
5 * Copyright (C) 2005 Jan Hutter
6 * HSR Hochschule fuer Technik Rapperswil
7 *
8 * This program is free software; you can redistribute it and/or modify it
9 * under the terms of the GNU General Public License as published by the
10 * Free Software Foundation; either version 2 of the License, or (at your
11 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
12 *
13 * This program is distributed in the hope that it will be useful, but
14 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
15 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
16 * for more details.
17 */
18
19 /**
20 * @defgroup child_cfg child_cfg
21 * @{ @ingroup config
22 */
23
24 #ifndef CHILD_CFG_H_
25 #define CHILD_CFG_H_
26
27 typedef enum action_t action_t;
28 typedef enum child_cfg_option_t child_cfg_option_t;
29 typedef struct child_cfg_t child_cfg_t;
30 typedef struct child_cfg_create_t child_cfg_create_t;
31
32 #include <library.h>
33 #include <selectors/traffic_selector.h>
34 #include <crypto/proposal/proposal.h>
35 #include <kernel/kernel_ipsec.h>
36
37 /**
38 * Action to take when connection is loaded, DPD is detected or
39 * connection gets closed by peer.
40 */
41 enum action_t {
42 /** No action */
43 ACTION_NONE,
44 /** Route config to establish or reestablish on demand */
45 ACTION_ROUTE,
46 /** Start or restart config immediately */
47 ACTION_RESTART,
48 };
49
50 /**
51 * enum names for action_t.
52 */
53 extern enum_name_t *action_names;
54
55 /**
56 * A child_cfg_t defines the config template for a CHILD_SA.
57 *
58 * After creation, proposals and traffic selectors may be added to the config.
59 * A child_cfg object is referenced multiple times, and is not thread save.
60 * Reading from the object is save, adding things is not allowed while other
61 * threads may access the object.
62 * A reference counter handles the number of references hold to this config.
63 *
64 * @see peer_cfg_t to get an overview over the configurations.
65 */
66 struct child_cfg_t {
67
68 /**
69 * Get the name of the child_cfg.
70 *
71 * @return child_cfg's name
72 */
73 char *(*get_name) (child_cfg_t *this);
74
75 /**
76 * Add a proposal to the list.
77 *
78 * The proposals are stored by priority, first added
79 * is the most preferred. It is safe to add NULL as proposal, which has no
80 * effect. After add, proposal is owned by child_cfg.
81 *
82 * @param proposal proposal to add, or NULL
83 */
84 void (*add_proposal) (child_cfg_t *this, proposal_t *proposal);
85
86 /**
87 * Get the list of proposals for the CHILD_SA.
88 *
89 * Resulting list and all of its proposals must be freed after use.
90 *
91 * @param strip_dh TRUE strip out diffie hellman groups
92 * @return list of proposals
93 */
94 linked_list_t* (*get_proposals)(child_cfg_t *this, bool strip_dh);
95
96 /**
97 * Select a proposal from a supplied list.
98 *
99 * Returned propsal is newly created and must be destroyed after usage.
100 *
101 * @param proposals list from which proposals are selected
102 * @param strip_dh TRUE strip out diffie hellman groups
103 * @param private accept algorithms from a private range
104 * @param prefer_self whether to prefer configured or supplied proposals
105 * @return selected proposal, or NULL if nothing matches
106 */
107 proposal_t* (*select_proposal)(child_cfg_t*this, linked_list_t *proposals,
108 bool strip_dh, bool private,
109 bool prefer_self);
110
111 /**
112 * Add a traffic selector to the config.
113 *
114 * Use the "local" parameter to add it for the local or the remote side.
115 * After add, traffic selector is owned by child_cfg.
116 *
117 * @param local TRUE for local side, FALSE for remote
118 * @param ts traffic_selector to add
119 */
120 void (*add_traffic_selector)(child_cfg_t *this, bool local,
121 traffic_selector_t *ts);
122
123 /**
124 * Get a list of traffic selectors to use for the CHILD_SA.
125 *
126 * The config contains two set of traffic selectors, one for the local
127 * side, one for the remote side.
128 * If a list with traffic selectors is supplied, these are used to narrow
129 * down the traffic selector list to the greatest common divisor.
130 * Some traffic selector may be "dymamic", meaning they are narrowed down
131 * to a specific address (host-to-host or virtual-IP setups). Use
132 * the "host" parameter to narrow such traffic selectors to that address.
133 * Resulted list and its traffic selectors must be destroyed after use.
134 *
135 * @param local TRUE for TS on local side, FALSE for remote
136 * @param supplied list with TS to select from, or NULL
137 * @param hosts addresses to use for narrowing "dynamic" TS', host_t
138 * @param log FALSE to avoid logging details about the selection
139 * @return list containing the traffic selectors
140 */
141 linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local,
142 linked_list_t *supplied,
143 linked_list_t *hosts, bool log);
144
145 /**
146 * Get the updown script to run for the CHILD_SA.
147 *
148 * @return path to updown script
149 */
150 char* (*get_updown)(child_cfg_t *this);
151
152 /**
153 * Get the lifetime configuration of a CHILD_SA.
154 *
155 * The rekey limits automatically contain a jitter to avoid simultaneous
156 * rekeying. These values will change with each call to this function.
157 *
158 * @param jitter subtract jitter value to randomize lifetimes
159 * @return lifetime_cfg_t (has to be freed)
160 */
161 lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this, bool jitter);
162
163 /**
164 * Get the mode to use for the CHILD_SA.
165 *
166 * The mode is either tunnel, transport or BEET. The peer must agree
167 * on the method, fallback is tunnel mode.
168 *
169 * @return ipsec mode
170 */
171 ipsec_mode_t (*get_mode) (child_cfg_t *this);
172
173 /**
174 * Action to take to start CHILD_SA.
175 *
176 * @return start action
177 */
178 action_t (*get_start_action) (child_cfg_t *this);
179
180 /**
181 * Action to take on DPD.
182 *
183 * @return DPD action
184 */
185 action_t (*get_dpd_action) (child_cfg_t *this);
186
187 /**
188 * Get the HW offload mode to use for the CHILD_SA.
189 *
190 * @return hw offload mode
191 */
192 hw_offload_t (*get_hw_offload) (child_cfg_t *this);
193
194 /**
195 * Action to take if CHILD_SA gets closed.
196 *
197 * @return close action
198 */
199 action_t (*get_close_action) (child_cfg_t *this);
200
201 /**
202 * Get the DH group to use for CHILD_SA setup.
203 *
204 * @return dh group to use
205 */
206 diffie_hellman_group_t (*get_dh_group)(child_cfg_t *this);
207
208 /**
209 * Get the inactivity timeout value.
210 *
211 * @return inactivity timeout in s
212 */
213 uint32_t (*get_inactivity)(child_cfg_t *this);
214
215 /**
216 * Specific reqid to use for CHILD_SA.
217 *
218 * @return reqid
219 */
220 uint32_t (*get_reqid)(child_cfg_t *this);
221
222 /**
223 * Optional mark for CHILD_SA.
224 *
225 * @param inbound TRUE for inbound, FALSE for outbound
226 * @return mark
227 */
228 mark_t (*get_mark)(child_cfg_t *this, bool inbound);
229
230 /**
231 * Get the TFC padding value to use for CHILD_SA.
232 *
233 * @return TFC padding, 0 to disable, -1 for MTU
234 */
235 uint32_t (*get_tfc)(child_cfg_t *this);
236
237 /**
238 * Get optional manually-set IPsec policy priority
239 *
240 * @return manually-set IPsec policy priority (automatic if 0)
241 */
242 uint32_t (*get_manual_prio)(child_cfg_t *this);
243
244 /**
245 * Get optional network interface restricting IPsec policy
246 *
247 * @return network interface)
248 */
249 char* (*get_interface)(child_cfg_t *this);
250
251 /**
252 * Get anti-replay window size
253 *
254 * @return anti-replay window size
255 */
256 uint32_t (*get_replay_window)(child_cfg_t *this);
257
258 /**
259 * Set anti-replay window size
260 *
261 * @param window anti-replay window size
262 */
263 void (*set_replay_window)(child_cfg_t *this, uint32_t window);
264
265 /**
266 * Check if an option flag is set.
267 *
268 * @param option option flag to check
269 * @return TRUE if option flag set, FALSE otherwise
270 */
271 bool (*has_option)(child_cfg_t *this, child_cfg_option_t option);
272
273 /**
274 * Check if two child_cfg objects are equal.
275 *
276 * @param other candidate to check for equality against this
277 * @return TRUE if equal
278 */
279 bool (*equals)(child_cfg_t *this, child_cfg_t *other);
280
281 /**
282 * Increase the reference count.
283 *
284 * @return reference to this
285 */
286 child_cfg_t* (*get_ref) (child_cfg_t *this);
287
288 /**
289 * Destroys the child_cfg object.
290 *
291 * Decrements the internal reference counter and
292 * destroys the child_cfg when it reaches zero.
293 */
294 void (*destroy) (child_cfg_t *this);
295 };
296
297 /**
298 * Option flags that may be set on a child_cfg_t object
299 */
300 enum child_cfg_option_t {
301
302 /** Use IPsec transport proxy mode */
303 OPT_PROXY_MODE = (1<<0),
304
305 /** Use IPComp, if peer supports it */
306 OPT_IPCOMP = (1<<1),
307
308 /** Allow access to the local host */
309 OPT_HOSTACCESS = (1<<2),
310
311 /** Don't install any IPsec policies */
312 OPT_NO_POLICIES = (1<<3),
313
314 /** Install outbound FWD IPsec policies to bypass drop policies */
315 OPT_FWD_OUT_POLICIES = (1<<4),
316
317 /** Force 96-bit truncation for SHA-256 */
318 OPT_SHA256_96 = (1<<5),
319
320 /** Set mark on inbound SAs */
321 OPT_MARK_IN_SA = (1<<6),
322
323 /** Disable copying the DF bit to the outer IPv4 header in tunnel mode */
324 OPT_NO_COPY_DF = (1<<7),
325
326 /** Disable copying the ECN header field in tunnel mode */
327 OPT_NO_COPY_ECN = (1<<8),
328 };
329
330 /**
331 * Data passed to the constructor of a child_cfg_t object.
332 */
333 struct child_cfg_create_t {
334 /** Options set for CHILD_SA */
335 child_cfg_option_t options;
336 /** Specific reqid to use for CHILD_SA, 0 for auto assignment */
337 uint32_t reqid;
338 /** Optional inbound mark */
339 mark_t mark_in;
340 /** Optional outbound mark */
341 mark_t mark_out;
342 /** Mode to propose for CHILD_SA */
343 ipsec_mode_t mode;
344 /** TFC padding size, 0 to disable, -1 to pad to PMTU */
345 uint32_t tfc;
346 /** Optional manually-set IPsec policy priority */
347 uint32_t priority;
348 /** Optional network interface restricting IPsec policy (cloned) */
349 char *interface;
350 /** lifetime_cfg_t for this child_cfg */
351 lifetime_cfg_t lifetime;
352 /** Inactivity timeout in s before closing a CHILD_SA */
353 uint32_t inactivity;
354 /** Start action */
355 action_t start_action;
356 /** DPD action */
357 action_t dpd_action;
358 /** Close action */
359 action_t close_action;
360 /** updown script to execute on up/down event (cloned) */
361 char *updown;
362 /** HW offload mode */
363 hw_offload_t hw_offload;
364 };
365
366 /**
367 * Create a configuration template for CHILD_SA setup.
368 *
369 * After a call to create, a reference is obtained (refcount = 1).
370 *
371 * @param name name of the child_cfg (cloned)
372 * @param data data for this child_cfg
373 * @return child_cfg_t object
374 */
375 child_cfg_t *child_cfg_create(char *name, child_cfg_create_t *data);
376
377 #endif /** CHILD_CFG_H_ @}*/