proposal-substructure: Fix incorrect type for IKEv2 proposals
1 /*
2 * Copyright (C) 2012-2018 Tobias Brunner
3 * Copyright (C) 2005-2007 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * HSR Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 /**
19 * @defgroup ike_cfg ike_cfg
20 * @{ @ingroup config
21 */
22
23 #ifndef IKE_CFG_H_
24 #define IKE_CFG_H_
25
26 typedef enum ike_version_t ike_version_t;
27 typedef enum fragmentation_t fragmentation_t;
28 typedef struct ike_cfg_t ike_cfg_t;
29
30 #include <library.h>
31 #include <networking/host.h>
32 #include <collections/linked_list.h>
33 #include <utils/identification.h>
34 #include <crypto/proposal/proposal.h>
35 #include <crypto/diffie_hellman.h>
36
/**
 * IKE version.
 *
 * IKEV1 and IKEV2 equal the corresponding IKE major version number;
 * IKE_ANY is the wildcard that accepts either.
 */
enum ike_version_t {
	IKE_ANY = 0,	/**< any version */
	IKEV1 = 1,		/**< IKE version 1 */
	IKEV2 = 2,		/**< IKE version 2 */
};
48
/**
 * Proprietary IKEv1 fragmentation and IKEv2 fragmentation
 *
 * The policies are ordered from never fragmenting to always fragmenting.
 */
enum fragmentation_t {
	/** disable fragmentation */
	FRAGMENTATION_NO = 0,
	/** announce support, but don't send any fragments */
	FRAGMENTATION_ACCEPT = 1,
	/** enable fragmentation, if supported by peer */
	FRAGMENTATION_YES = 2,
	/** force use of fragmentation (even for the first message for IKEv1) */
	FRAGMENTATION_FORCE = 3,
};
62
/**
 * enum strings for ike_version_t
 *
 * Maps IKE_ANY, IKEV1 and IKEV2 to their printable names (defined in the
 * corresponding .c file).
 */
extern enum_name_t *ike_version_names;
67
/**
 * An ike_cfg_t defines the rules to set up an IKE_SA.
 *
 * Instances are reference counted: get_ref() takes an additional reference,
 * destroy() releases one and frees the object once the count drops to zero.
 *
 * @see peer_cfg_t to get an overview over the configurations.
 */
struct ike_cfg_t {

	/**
	 * Get the IKE version to use with this configuration.
	 *
	 * @return			IKE major version (IKE_ANY, IKEV1 or IKEV2)
	 */
	ike_version_t (*get_version)(ike_cfg_t *this);

	/**
	 * Resolve the local address to use for initiation.
	 *
	 * @param family	address family to prefer, or AF_UNSPEC
	 * @return			resolved host, NULL on error
	 */
	host_t *(*resolve_me)(ike_cfg_t *this, int family);

	/**
	 * Resolve the remote address to use for initiation.
	 *
	 * @param family	address family to prefer, or AF_UNSPEC
	 * @return			resolved host, NULL on error
	 */
	host_t *(*resolve_other)(ike_cfg_t *this, int family);

	/**
	 * Check how good a host matches to the configured local address.
	 *
	 * @param host		host to check match quality
	 * @return			quality of the match, 0 if not matching at all
	 */
	u_int (*match_me)(ike_cfg_t *this, host_t *host);

	/**
	 * Check how good a host matches to the configured remote address.
	 *
	 * @param host		host to check match quality
	 * @return			quality of the match, 0 if not matching at all
	 */
	u_int (*match_other)(ike_cfg_t *this, host_t *host);

	/**
	 * Get own address as configured (not resolved).
	 *
	 * @return			string of address/DNS name
	 */
	char *(*get_my_addr)(ike_cfg_t *this);

	/**
	 * Get peer's address as configured (not resolved).
	 *
	 * @return			string of address/DNS name
	 */
	char *(*get_other_addr)(ike_cfg_t *this);

	/**
	 * Get the port to use as our source port.
	 *
	 * @return			source port, host order
	 */
	uint16_t (*get_my_port)(ike_cfg_t *this);

	/**
	 * Get the port to use as destination port.
	 *
	 * @return			destination port, host order
	 */
	uint16_t (*get_other_port)(ike_cfg_t *this);

	/**
	 * Get the DSCP value to use for IKE packets sent from connections.
	 *
	 * @return			DSCP value
	 */
	uint8_t (*get_dscp)(ike_cfg_t *this);

	/**
	 * Adds a proposal to the list.
	 *
	 * The first added proposal has the highest priority, the last
	 * added the lowest. It is safe to add NULL as proposal, which has no
	 * effect.
	 *
	 * NOTE(review): presumably the config takes ownership of the proposal,
	 * since the list handed out by get_proposals() must be destroyed by the
	 * caller — confirm against the implementation.
	 *
	 * @param proposal	proposal to add, or NULL
	 */
	void (*add_proposal)(ike_cfg_t *this, proposal_t *proposal);

	/**
	 * Returns a list of all supported proposals.
	 *
	 * Returned list and its proposals must be destroyed after use.
	 *
	 * @return			list containing all the proposals
	 */
	linked_list_t *(*get_proposals)(ike_cfg_t *this);

	/**
	 * Select a proposal from a list of supplied proposals.
	 *
	 * Returned proposal must be destroyed after use.
	 *
	 * Private-range algorithm identifiers have no standardized meaning, so
	 * accepting them only makes sense when both peers agree on their
	 * interpretation out of band.
	 *
	 * @param proposals	list of proposals to select from
	 * @param private	accept algorithms from a private range
	 * @param prefer_self	whether to prefer configured or supplied proposals
	 * @return			selected proposal, or NULL if none matches.
	 */
	proposal_t *(*select_proposal)(ike_cfg_t *this, linked_list_t *proposals,
								   bool private, bool prefer_self);

	/**
	 * Check if the config has a matching proposal.
	 *
	 * @param match		proposal to check
	 * @param private	accept algorithms from a private range
	 * @return			TRUE if a matching proposal is contained
	 */
	bool (*has_proposal)(ike_cfg_t *this, proposal_t *match, bool private);

	/**
	 * Should we send a certificate request in IKE_SA_INIT?
	 *
	 * @return			TRUE to send a certificate request
	 */
	bool (*send_certreq)(ike_cfg_t *this);

	/**
	 * Enforce UDP encapsulation by faking NATD notifies?
	 *
	 * @return			TRUE to enforce UDP encapsulation
	 */
	bool (*force_encap)(ike_cfg_t *this);

	/**
	 * Get the fragmentation policy (proprietary IKEv1 or IKEv2 fragmentation).
	 *
	 * @return			fragmentation policy, see fragmentation_t
	 */
	fragmentation_t (*fragmentation)(ike_cfg_t *this);

	/**
	 * Get the DH group to use for IKE_SA setup.
	 *
	 * @return			dh group to use for initialization
	 */
	diffie_hellman_group_t (*get_dh_group)(ike_cfg_t *this);

	/**
	 * Check if two IKE configs are equal.
	 *
	 * @param other		other to check for equality
	 * @return			TRUE if other equal to this
	 */
	bool (*equals)(ike_cfg_t *this, ike_cfg_t *other);

	/**
	 * Increase reference count.
	 *
	 * @return			reference to this
	 */
	ike_cfg_t *(*get_ref)(ike_cfg_t *this);

	/**
	 * Destroys a ike_cfg_t object.
	 *
	 * Decrements the internal reference counter and
	 * destroys the ike_cfg when it reaches zero.
	 */
	void (*destroy)(ike_cfg_t *this);
};
242
/**
 * Creates a ike_cfg_t object.
 *
 * Supplied hosts become owned by ike_cfg, strings get cloned.
 *
 * me and other are comma separated lists of IP addresses, DNS names, IP ranges
 * or subnets. When initiating, the first non-range/subnet address is used
 * as address. When responding, a match is performed against all items in the
 * list.
 *
 * Release the returned object with its destroy() method.
 *
 * @param version		IKE major version to use for this config
 * @param certreq		TRUE to send a certificate request
 * @param force_encap	enforce UDP encapsulation by faking NATD notify
 * @param me			address/DNS name of local peer
 * @param my_port		IKE port to use as source, 500 uses IKEv2 port floating
 * @param other			address/DNS name of remote peer
 * @param other_port	IKE port to use as dest, 500 uses IKEv2 port floating
 * @param fragmentation	fragmentation policy, see fragmentation_t
 * @param dscp			DSCP value to send IKE packets with
 * @return				ike_cfg_t object.
 */
ike_cfg_t *ike_cfg_create(ike_version_t version,
						  bool certreq,
						  bool force_encap,
						  char *me,
						  uint16_t my_port,
						  char *other,
						  uint16_t other_port,
						  fragmentation_t fragmentation,
						  uint8_t dscp);
268
/**
 * Determine the address family of the local or remote address(es). If multiple
 * families are configured AF_UNSPEC is returned. %any is ignored (%any4|6 are
 * not though).
 *
 * @param this		ike config to check
 * @param local		TRUE to check local addresses, FALSE for remote
 * @return			address family of address(es) if distinct, AF_UNSPEC if
 *					several families are configured
 */
int ike_cfg_get_family(ike_cfg_t *this, bool local);
279
/**
 * Determine if the given address was explicitly configured as local or remote
 * address.
 *
 * NOTE(review): "explicitly" presumably means a literal address entry rather
 * than a hit in a configured range/subnet or a resolved DNS name — confirm
 * against the implementation before relying on it for policy decisions.
 *
 * @param this		ike config to check
 * @param addr		address to check
 * @param local		TRUE to check local addresses, FALSE for remote
 * @return			TRUE if address was configured
 */
bool ike_cfg_has_address(ike_cfg_t *this, host_t *addr, bool local);
290
291 #endif /** IKE_CFG_H_ @}*/