Moving charon to libcharon.
[strongswan.git] / src / libcharon / config / child_cfg.h
1 /*
2 * Copyright (C) 2008-2009 Tobias Brunner
3 * Copyright (C) 2005-2007 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 /**
19 * @defgroup child_cfg child_cfg
20 * @{ @ingroup config
21 */
22
23 #ifndef CHILD_CFG_H_
24 #define CHILD_CFG_H_
25
26 typedef enum action_t action_t;
27 typedef enum ipcomp_transform_t ipcomp_transform_t;
28 typedef struct lifetime_cfg_t lifetime_cfg_t;
29 typedef struct child_cfg_t child_cfg_t;
30
31 #include <library.h>
32 #include <selectors/traffic_selector.h>
33 #include <config/proposal.h>
34 #include <kernel/kernel_ipsec.h>
35
36 /**
37 * Action to take when DPD detected/connection gets closed by peer.
38 */
39 enum action_t {
40 /** No action */
41 ACTION_NONE,
42 /** Route config to reestablish on demand */
43 ACTION_ROUTE,
44 /** Restart config immediately */
45 ACTION_RESTART,
46 };
47
48 /**
49 * enum names for action_t.
50 */
51 extern enum_name_t *action_names;
52
53 /**
54 * IPComp transform IDs, as in RFC 4306
55 */
56 enum ipcomp_transform_t {
57 IPCOMP_NONE = 241,
58 IPCOMP_OUI = 1,
59 IPCOMP_DEFLATE = 2,
60 IPCOMP_LZS = 3,
61 IPCOMP_LZJH = 4,
62 };
63
64 /**
65 * enum strings for ipcomp_transform_t.
66 */
67 extern enum_name_t *ipcomp_transform_names;
68
69 /**
70 * A lifetime_cfg_t defines the lifetime limits of a CHILD_SA.
71 *
72 * Set any of these values to 0 to ignore.
73 */
74 struct lifetime_cfg_t {
75 struct {
76 /** Limit before the CHILD_SA gets invalid. */
77 u_int64_t life;
78 /** Limit before the CHILD_SA gets rekeyed. */
79 u_int64_t rekey;
80 /** The range of a random value subtracted from rekey. */
81 u_int64_t jitter;
82 } time, bytes, packets;
83 };
84
85 /**
86 * A child_cfg_t defines the config template for a CHILD_SA.
87 *
88 * After creation, proposals and traffic selectors may be added to the config.
89 * A child_cfg object is referenced multiple times, and is not thread save.
90 * Reading from the object is save, adding things is not allowed while other
91 * threads may access the object.
92 * A reference counter handles the number of references hold to this config.
93 *
94 * @see peer_cfg_t to get an overview over the configurations.
95 */
96 struct child_cfg_t {
97
98 /**
99 * Get the name of the child_cfg.
100 *
101 * @return child_cfg's name
102 */
103 char *(*get_name) (child_cfg_t *this);
104
105 /**
106 * Add a proposal to the list.
107 *
108 * The proposals are stored by priority, first added
109 * is the most prefered.
110 * After add, proposal is owned by child_cfg.
111 *
112 * @param proposal proposal to add
113 */
114 void (*add_proposal) (child_cfg_t *this, proposal_t *proposal);
115
116 /**
117 * Get the list of proposals for the CHILD_SA.
118 *
119 * Resulting list and all of its proposals must be freed after use.
120 *
121 * @param strip_dh TRUE strip out diffie hellman groups
122 * @return list of proposals
123 */
124 linked_list_t* (*get_proposals)(child_cfg_t *this, bool strip_dh);
125
126 /**
127 * Select a proposal from a supplied list.
128 *
129 * Returned propsal is newly created and must be destroyed after usage.
130 *
131 * @param proposals list from from wich proposals are selected
132 * @param strip_dh TRUE strip out diffie hellman groups
133 * @param private accept algorithms from a private range
134 * @return selected proposal, or NULL if nothing matches
135 */
136 proposal_t* (*select_proposal)(child_cfg_t*this, linked_list_t *proposals,
137 bool strip_dh, bool private);
138
139 /**
140 * Add a traffic selector to the config.
141 *
142 * Use the "local" parameter to add it for the local or the remote side.
143 * After add, traffic selector is owned by child_cfg.
144 *
145 * @param local TRUE for local side, FALSE for remote
146 * @param ts traffic_selector to add
147 */
148 void (*add_traffic_selector)(child_cfg_t *this, bool local,
149 traffic_selector_t *ts);
150
151 /**
152 * Get a list of traffic selectors to use for the CHILD_SA.
153 *
154 * The config contains two set of traffic selectors, one for the local
155 * side, one for the remote side.
156 * If a list with traffic selectors is supplied, these are used to narrow
157 * down the traffic selector list to the greatest common divisor.
158 * Some traffic selector may be "dymamic", meaning they are narrowed down
159 * to a specific address (host-to-host or virtual-IP setups). Use
160 * the "host" parameter to narrow such traffic selectors to that address.
161 * Resulted list and its traffic selectors must be destroyed after use.
162 *
163 * @param local TRUE for TS on local side, FALSE for remote
164 * @param supplied list with TS to select from, or NULL
165 * @param host address to use for narrowing "dynamic" TS', or NULL
166 * @return list containing the traffic selectors
167 */
168 linked_list_t *(*get_traffic_selectors)(child_cfg_t *this, bool local,
169 linked_list_t *supplied,
170 host_t *host);
171 /**
172 * Get the updown script to run for the CHILD_SA.
173 *
174 * @return path to updown script
175 */
176 char* (*get_updown)(child_cfg_t *this);
177
178 /**
179 * Should we allow access to the local host (gateway)?
180 *
181 * @return value of hostaccess flag
182 */
183 bool (*get_hostaccess) (child_cfg_t *this);
184
185 /**
186 * Get the lifetime configuration of a CHILD_SA.
187 *
188 * The rekey limits automatically contain a jitter to avoid simultaneous
189 * rekeying. These values will change with each call to this function.
190 *
191 * @return lifetime_cfg_t (has to be freed)
192 */
193 lifetime_cfg_t* (*get_lifetime) (child_cfg_t *this);
194
195 /**
196 * Get the mode to use for the CHILD_SA.
197 *
198 * The mode is either tunnel, transport or BEET. The peer must agree
199 * on the method, fallback is tunnel mode.
200 *
201 * @return ipsec mode
202 */
203 ipsec_mode_t (*get_mode) (child_cfg_t *this);
204
205 /**
206 * Action to take on DPD.
207 *
208 * @return DPD action
209 */
210 action_t (*get_dpd_action) (child_cfg_t *this);
211
212 /**
213 * Action to take if CHILD_SA gets closed.
214 *
215 * @return close action
216 */
217 action_t (*get_close_action) (child_cfg_t *this);
218
219 /**
220 * Get the DH group to use for CHILD_SA setup.
221 *
222 * @return dh group to use
223 */
224 diffie_hellman_group_t (*get_dh_group)(child_cfg_t *this);
225
226 /**
227 * Check whether IPComp should be used, if the other peer supports it.
228 *
229 * @return TRUE, if IPComp should be used
230 * FALSE, otherwise
231 */
232 bool (*use_ipcomp)(child_cfg_t *this);
233
234 /**
235 * Get the inactivity timeout value.
236 *
237 * @return inactivity timeout in s
238 */
239 u_int32_t (*get_inactivity)(child_cfg_t *this);
240
241 /**
242 * Sets two options needed for Mobile IPv6 interoperability
243 *
244 * @param proxy_mode use IPsec transport proxy mode (default FALSE)
245 * @param install_policy install IPsec kernel policies (default TRUE)
246 */
247 void (*set_mipv6_options)(child_cfg_t *this, bool proxy_mode,
248 bool install_policy);
249
250 /**
251 * Check whether IPsec transport SA should be set up in proxy mode
252 *
253 * @return TRUE, if proxy mode should be used
254 * FALSE, otherwise
255 */
256 bool (*use_proxy_mode)(child_cfg_t *this);
257
258 /**
259 * Check whether IPsec policies should be installed in the kernel
260 *
261 * @return TRUE, if IPsec kernel policies should be installed
262 * FALSE, otherwise
263 */
264 bool (*install_policy)(child_cfg_t *this);
265
266 /**
267 * Increase the reference count.
268 *
269 * @return reference to this
270 */
271 child_cfg_t* (*get_ref) (child_cfg_t *this);
272
273 /**
274 * Destroys the child_cfg object.
275 *
276 * Decrements the internal reference counter and
277 * destroys the child_cfg when it reaches zero.
278 */
279 void (*destroy) (child_cfg_t *this);
280 };
281
282 /**
283 * Create a configuration template for CHILD_SA setup.
284 *
285 * The "name" string gets cloned.
286 *
287 * The lifetime_cfg_t object gets cloned.
288 * To prevent two peers to start rekeying at the same time, a jitter may be
289 * specified. Rekeying of an SA starts at (x.rekey - random(0, x.jitter)).
290 *
291 * After a call to create, a reference is obtained (refcount = 1).
292 *
293 * @param name name of the child_cfg
294 * @param lifetime lifetime_cfg_t for this child_cfg
295 * @param updown updown script to execute on up/down event
296 * @param hostaccess TRUE to allow access to the local host
297 * @param mode mode to propose for CHILD_SA, transport, tunnel or BEET
298 * @param dpd_action DPD action
299 * @param close_action close action
300 * @param ipcomp use IPComp, if peer supports it
301 * @param inactivity inactivity timeout in s before closing a CHILD_SA
302 * @return child_cfg_t object
303 */
304 child_cfg_t *child_cfg_create(char *name, lifetime_cfg_t *lifetime,
305 char *updown, bool hostaccess,
306 ipsec_mode_t mode, action_t dpd_action,
307 action_t close_action, bool ipcomp,
308 u_int32_t inactivity);
309
310 #endif /** CHILD_CFG_H_ @}*/