1 /*
2 * Copyright (C) 2012 Tobias Brunner
3 * Copyright (C) 2005-2007 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 /**
19 * @defgroup ike_cfg ike_cfg
20 * @{ @ingroup config
21 */
22
23 #ifndef IKE_CFG_H_
24 #define IKE_CFG_H_
25
/* Forward typedefs for the types this header defines. They are placed before
 * the includes that follow, presumably so that headers pulled in below can
 * refer to ike_cfg_t and friends without an include cycle (TODO confirm). */
typedef enum ike_version_t ike_version_t;
typedef enum fragmentation_t fragmentation_t;
typedef struct ike_cfg_t ike_cfg_t;
29
30 #include <library.h>
31 #include <networking/host.h>
32 #include <collections/linked_list.h>
33 #include <utils/identification.h>
34 #include <config/proposal.h>
35 #include <crypto/diffie_hellman.h>
36
/**
 * IKE version.
 *
 * Values are assigned explicitly; IKE_ANY is 0 and the two concrete
 * versions carry their major version number as value.
 */
enum ike_version_t {
	/** any version */
	IKE_ANY = 0,
	/** IKE version 1 */
	IKEV1 = 1,
	/** IKE version 2 */
	IKEV2 = 2,
};
48
/**
 * Proprietary IKEv1 fragmentation
 *
 * Policy returned by ike_cfg_t.fragmentation(). Values are implicit
 * (declaration order, starting at 0).
 */
enum fragmentation_t {
	/** disable fragmentation */
	FRAGMENTATION_NO,
	/** enable fragmentation if supported by peer */
	FRAGMENTATION_YES,
	/** force use of fragmentation (even for the first message) */
	FRAGMENTATION_FORCE,
};
60
/**
 * enum strings for ike_version_t
 */
extern enum_name_t *ike_version_names;
65
/**
 * An ike_cfg_t defines the rules to set up an IKE_SA.
 *
 * Every method takes the object itself as first argument. The object is
 * reference counted (see get_ref()/destroy()).
 *
 * @see peer_cfg_t to get an overview over the configurations.
 */
struct ike_cfg_t {

	/**
	 * Get the IKE version to use with this configuration.
	 *
	 * @return			IKE major version
	 */
	ike_version_t (*get_version)(ike_cfg_t *this);

	/**
	 * Resolve the local address to use for initiation.
	 *
	 * Ownership of the returned host is not documented here; presumably the
	 * caller has to destroy it after use (TODO confirm against implementation).
	 *
	 * @param family	address family to prefer, or AF_UNSPEC
	 * @return			resolved host, NULL on error
	 */
	host_t* (*resolve_me)(ike_cfg_t *this, int family);

	/**
	 * Resolve the remote address to use for initiation.
	 *
	 * Ownership of the returned host is not documented here; presumably the
	 * caller has to destroy it after use (TODO confirm against implementation).
	 *
	 * @param family	address family to prefer, or AF_UNSPEC
	 * @return			resolved host, NULL on error
	 */
	host_t* (*resolve_other)(ike_cfg_t *this, int family);

	/**
	 * Check how good a host matches to the configured local address.
	 *
	 * A return value of 0 means "no match"; callers must not treat it as a
	 * low-quality match.
	 *
	 * @param host		host to check match quality
	 * @return			quality of the match, 0 if not matching at all
	 */
	u_int (*match_me)(ike_cfg_t *this, host_t *host);

	/**
	 * Check how good a host matches to the configured remote address.
	 *
	 * A return value of 0 means "no match"; callers must not treat it as a
	 * low-quality match.
	 *
	 * @param host		host to check match quality
	 * @return			quality of the match, 0 if not matching at all
	 */
	u_int (*match_other)(ike_cfg_t *this, host_t *host);

	/**
	 * Get own address.
	 *
	 * NOTE(review): allow_any is passed as bool*, which looks like an output
	 * flag set by the callee rather than an input; ownership of the returned
	 * string is not documented here either. Confirm both against the
	 * implementation before relying on them.
	 *
	 * @param allow_any	allow any address to match
	 * @return			string of address/DNS name
	 */
	char* (*get_my_addr) (ike_cfg_t *this, bool *allow_any);

	/**
	 * Get peer's address.
	 *
	 * NOTE(review): allow_any is passed as bool*, which looks like an output
	 * flag set by the callee rather than an input; ownership of the returned
	 * string is not documented here either. Confirm both against the
	 * implementation before relying on them.
	 *
	 * @param allow_any	allow any address to match
	 * @return			string of address/DNS name
	 */
	char* (*get_other_addr) (ike_cfg_t *this, bool *allow_any);

	/**
	 * Get the port to use as our source port.
	 *
	 * @return			source address port, host order
	 */
	u_int16_t (*get_my_port)(ike_cfg_t *this);

	/**
	 * Get the port to use as destination port.
	 *
	 * @return			destination port, host order
	 */
	u_int16_t (*get_other_port)(ike_cfg_t *this);

	/**
	 * Get the DSCP value to use for IKE packets sent from connections.
	 *
	 * @return			DSCP value
	 */
	u_int8_t (*get_dscp)(ike_cfg_t *this);

	/**
	 * Adds a proposal to the list.
	 *
	 * The first added proposal has the highest priority, the last
	 * added the lowest.
	 *
	 * @param proposal	proposal to add
	 */
	void (*add_proposal) (ike_cfg_t *this, proposal_t *proposal);

	/**
	 * Returns a list of all supported proposals.
	 *
	 * Returned list and its proposals must be destroyed after use.
	 *
	 * @return			list containing all the proposals
	 */
	linked_list_t* (*get_proposals) (ike_cfg_t *this);

	/**
	 * Select a proposal from suggested proposals.
	 *
	 * Returned proposal must be destroyed after use.
	 *
	 * Passing TRUE for private widens what a peer may negotiate to
	 * implementation-specific (private-range) algorithm identifiers; keep it
	 * FALSE unless the peers are known to agree on their meaning.
	 *
	 * @param proposals	list of proposals to select from
	 * @param private	accept algorithms from a private range
	 * @return			selected proposal, or NULL if none matches.
	 */
	proposal_t *(*select_proposal) (ike_cfg_t *this, linked_list_t *proposals,
									bool private);

	/**
	 * Should we send a certificate request in IKE_SA_INIT?
	 *
	 * @return			TRUE to send a certificate request
	 */
	bool (*send_certreq) (ike_cfg_t *this);

	/**
	 * Enforce UDP encapsulation by faking NATD notifies?
	 *
	 * When TRUE, encapsulation is forced regardless of whether a NAT was
	 * actually detected.
	 *
	 * @return			TRUE to enforce UDP encapsulation
	 */
	bool (*force_encap) (ike_cfg_t *this);

	/**
	 * Use proprietary IKEv1 fragmentation
	 *
	 * @return			fragmentation policy, see fragmentation_t
	 */
	fragmentation_t (*fragmentation) (ike_cfg_t *this);

	/**
	 * Get the DH group to use for IKE_SA setup.
	 *
	 * @return			dh group to use for initialization
	 */
	diffie_hellman_group_t (*get_dh_group)(ike_cfg_t *this);

	/**
	 * Check if two IKE configs are equal.
	 *
	 * @param other		other to check for equality
	 * @return			TRUE if other equal to this
	 */
	bool (*equals)(ike_cfg_t *this, ike_cfg_t *other);

	/**
	 * Increase reference count.
	 *
	 * Every get_ref() must be paired with a destroy() to release the object.
	 *
	 * @return			reference to this
	 */
	ike_cfg_t* (*get_ref) (ike_cfg_t *this);

	/**
	 * Destroys a ike_cfg_t object.
	 *
	 * Decrements the internal reference counter and
	 * destroys the ike_cfg when it reaches zero.
	 */
	void (*destroy) (ike_cfg_t *this);
};
231
/**
 * Creates a ike_cfg_t object.
 *
 * Supplied hosts become owned by ike_cfg, the name gets cloned.
 *
 * NOTE(review): me and other are passed as char*, not host_t*, so the
 * ownership sentence above looks outdated; confirm against the implementation
 * whether the strings are cloned or taken over before relying on it.
 *
 * The returned object carries one reference; release it with destroy().
 *
 * @param version			IKE major version to use for this config
 * @param certreq			TRUE to send a certificate request
 * @param force_encap		enforce UDP encapsulation by faking NATD notify
 * @param me				address/DNS name of local peer
 * @param my_allow_any		allow override of local address by any address
 *							(widens which local addresses match this config)
 * @param my_port			IKE port to use as source, 500 uses IKEv2 port floating
 * @param other				address/DNS name of remote peer
 * @param other_allow_any	allow override of remote address by any address
 *							(widens which remote addresses match this config)
 * @param other_port		IKE port to use as dest, 500 uses IKEv2 port floating
 * @param fragmentation		IKEv1 fragmentation policy, see fragmentation_t
 * @param dscp				DSCP value to send IKE packets with; DSCP is a
 *							6-bit field, whether values above 63 are rejected
 *							is not visible here (TODO confirm)
 * @return					ike_cfg_t object.
 */
ike_cfg_t *ike_cfg_create(ike_version_t version, bool certreq, bool force_encap,
						  char *me, bool my_allow_any, u_int16_t my_port,
						  char *other, bool other_allow_any, u_int16_t other_port,
						  fragmentation_t fragmentation, u_int8_t dscp);
254
255 #endif /** IKE_CFG_H_ @}*/