ike-cfg: Pass arguments as struct
1 /*
2 * Copyright (C) 2012-2019 Tobias Brunner
3 * Copyright (C) 2005-2007 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * HSR Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 /**
19 * @defgroup ike_cfg ike_cfg
20 * @{ @ingroup config
21 */
22
23 #ifndef IKE_CFG_H_
24 #define IKE_CFG_H_
25
/* Forward typedefs for the four types this header defines. They are placed
 * before the includes below, presumably so that the included headers can
 * already refer to these names; the definitions follow further down. */
typedef enum ike_version_t ike_version_t;
typedef enum fragmentation_t fragmentation_t;
typedef struct ike_cfg_t ike_cfg_t;
typedef struct ike_cfg_create_t ike_cfg_create_t;
30
31 #include <library.h>
32 #include <networking/host.h>
33 #include <collections/linked_list.h>
34 #include <utils/identification.h>
35 #include <crypto/proposal/proposal.h>
36 #include <crypto/diffie_hellman.h>
37
/**
 * IKE major version an ike_cfg_t is restricted to.
 *
 * IKE_ANY is the zero value, so a zero-initialized ike_cfg_create_t selects it.
 */
enum ike_version_t {
	IKE_ANY = 0,	/**< any version */
	IKEV1 = 1,		/**< IKE version 1 */
	IKEV2 = 2,		/**< IKE version 2 */
};
49
/**
 * Fragmentation policy for IKE messages: covers the proprietary IKEv1
 * fragmentation as well as IKEv2 fragmentation.
 *
 * The values are listed in order of increasing willingness to fragment;
 * FRAGMENTATION_NO is the zero value.
 */
enum fragmentation_t {
	/** disable fragmentation */
	FRAGMENTATION_NO = 0,
	/** announce support, but don't send any fragments */
	FRAGMENTATION_ACCEPT = 1,
	/** enable fragmentation, if supported by peer */
	FRAGMENTATION_YES = 2,
	/** force use of fragmentation (even for the first message for IKEv1) */
	FRAGMENTATION_FORCE = 3,
};
63
/**
 * enum_name_t table mapping ike_version_t values to their string names
 * (defined in the corresponding .c file).
 */
extern enum_name_t *ike_version_names;
68
/**
 * An ike_cfg_t defines the rules to set up an IKE_SA.
 *
 * Objects are reference counted: get_ref() takes a reference, destroy()
 * releases one and frees the object once the count reaches zero.
 *
 * @see peer_cfg_t to get an overview over the configurations.
 */
struct ike_cfg_t {

	/**
	 * Get the IKE version to use with this configuration.
	 *
	 * @return IKE major version (IKE_ANY, IKEV1 or IKEV2)
	 */
	ike_version_t (*get_version)(ike_cfg_t *this);

	/**
	 * Resolve the local address to use for initiation.
	 *
	 * NOTE(review): ownership of the returned host_t is not stated here —
	 * confirm against the implementation whether the caller must destroy it.
	 *
	 * @param family		address family to prefer, or AF_UNSPEC
	 * @return				resolved host, NULL on error
	 */
	host_t* (*resolve_me)(ike_cfg_t *this, int family);

	/**
	 * Resolve the remote address to use for initiation.
	 *
	 * NOTE(review): ownership of the returned host_t is not stated here —
	 * confirm against the implementation whether the caller must destroy it.
	 *
	 * @param family		address family to prefer, or AF_UNSPEC
	 * @return				resolved host, NULL on error
	 */
	host_t* (*resolve_other)(ike_cfg_t *this, int family);

	/**
	 * Check how good a host matches to the configured local address.
	 *
	 * @param host			host to check match quality
	 * @return				quality of the match (higher is better),
	 *						0 if not matching at all
	 */
	u_int (*match_me)(ike_cfg_t *this, host_t *host);

	/**
	 * Check how good a host matches to the configured remote address.
	 *
	 * @param host			host to check match quality
	 * @return				quality of the match (higher is better),
	 *						0 if not matching at all
	 */
	u_int (*match_other)(ike_cfg_t *this, host_t *host);

	/**
	 * Get own address.
	 *
	 * NOTE(review): whether the returned string is owned by the config or
	 * must be freed by the caller is not stated here — verify before freeing.
	 *
	 * @return				string of address/DNS name
	 */
	char* (*get_my_addr) (ike_cfg_t *this);

	/**
	 * Get peer's address.
	 *
	 * NOTE(review): whether the returned string is owned by the config or
	 * must be freed by the caller is not stated here — verify before freeing.
	 *
	 * @return				string of address/DNS name
	 */
	char* (*get_other_addr) (ike_cfg_t *this);

	/**
	 * Get the port to use as our source port.
	 *
	 * @return				source address port, host order
	 */
	uint16_t (*get_my_port)(ike_cfg_t *this);

	/**
	 * Get the port to use as destination port.
	 *
	 * @return				destination address port, host order
	 */
	uint16_t (*get_other_port)(ike_cfg_t *this);

	/**
	 * Get the DSCP value to use for IKE packets sent from connections.
	 *
	 * @return				DSCP value
	 */
	uint8_t (*get_dscp)(ike_cfg_t *this);

	/**
	 * Adds a proposal to the list.
	 *
	 * The first added proposal has the highest priority, the last
	 * added the lowest. It is safe to add NULL as proposal, which has no
	 * effect.
	 *
	 * @param proposal		proposal to add, or NULL
	 */
	void (*add_proposal) (ike_cfg_t *this, proposal_t *proposal);

	/**
	 * Returns a list of all supported proposals.
	 *
	 * Returned list and its proposals must be destroyed after use.
	 *
	 * @return				list containing all the proposals
	 */
	linked_list_t* (*get_proposals) (ike_cfg_t *this);

	/**
	 * Select a proposal from a list of supplied proposals.
	 *
	 * Returned proposal must be destroyed after use.
	 *
	 * @param proposals		list of proposals to select from
	 * @param private		accept algorithms from a private range
	 * @param prefer_self	whether to prefer configured or supplied proposals
	 * @return				selected proposal, or NULL if none matches.
	 */
	proposal_t *(*select_proposal) (ike_cfg_t *this, linked_list_t *proposals,
									bool private, bool prefer_self);

	/**
	 * Check if the config has a matching proposal.
	 *
	 * @param match			proposal to check
	 * @param private		accept algorithms from a private range
	 * @return				TRUE if a matching proposal is contained
	 */
	bool(*has_proposal)(ike_cfg_t *this, proposal_t *match, bool private);

	/**
	 * Should we send a certificate request in IKE_SA_INIT?
	 *
	 * @return				certificate request sending policy
	 */
	bool (*send_certreq) (ike_cfg_t *this);

	/**
	 * Enforce UDP encapsulation by faking NATD notifies?
	 *
	 * @return				TRUE to enforce UDP encapsulation
	 */
	bool (*force_encap) (ike_cfg_t *this);

	/**
	 * Get the configured fragmentation policy (proprietary IKEv1
	 * fragmentation or IKEv2 fragmentation).
	 *
	 * @return				fragmentation policy, see fragmentation_t
	 */
	fragmentation_t (*fragmentation) (ike_cfg_t *this);

	/**
	 * Get the DH group to use for IKE_SA setup.
	 *
	 * @return				dh group to use for initialization
	 */
	diffie_hellman_group_t (*get_dh_group)(ike_cfg_t *this);

	/**
	 * Check if two IKE configs are equal.
	 *
	 * @param other			other to check for equality
	 * @return				TRUE if other equal to this
	 */
	bool (*equals)(ike_cfg_t *this, ike_cfg_t *other);

	/**
	 * Increase reference count.
	 *
	 * @return				reference to this
	 */
	ike_cfg_t* (*get_ref) (ike_cfg_t *this);

	/**
	 * Destroys a ike_cfg_t object.
	 *
	 * Decrements the internal reference counter and
	 * destroys the ike_cfg when it reaches zero.
	 */
	void (*destroy) (ike_cfg_t *this);
};
243
/**
 * Data passed to the constructor of an ike_cfg_t object.
 *
 * local and remote are comma separated lists of IP addresses, DNS names,
 * IP ranges or subnets. When initiating, the first non-range/subnet address is
 * used as address. When responding, a match is performed against all items in
 * the list.
 *
 * NOTE(review): callers should presumably zero-initialize this struct before
 * filling in the fields they need; confirm the defaults ike_cfg_create()
 * applies to unset fields.
 */
struct ike_cfg_create_t {
	/** IKE major version to use for this config */
	ike_version_t version;
	/** Address/DNS name of local peer; cloned by the constructor, so the
	 *  caller's string is not taken over */
	char *local;
	/** IKE port to use as source, 500 uses IKEv2 port floating */
	uint16_t local_port;
	/** Address/DNS name of remote peer; cloned by the constructor, so the
	 *  caller's string is not taken over */
	char *remote;
	/** IKE port to use as dest, 500 uses IKEv2 port floating */
	uint16_t remote_port;
	/** TRUE to not send any certificate requests */
	bool no_certreq;
	/** Enforce UDP encapsulation by faking NATD notify */
	bool force_encap;
	/** Use IKE fragmentation, see fragmentation_t */
	fragmentation_t fragmentation;
	/** DSCP value to send IKE packets with */
	uint8_t dscp;
};
272
/**
 * Creates an ike_cfg_t object.
 *
 * The local/remote strings in data are cloned (see ike_cfg_create_t), so the
 * caller keeps ownership of them. The returned object is reference counted;
 * release it with its destroy() method.
 *
 * @param data			data for this ike_cfg
 * @return				ike_cfg_t object.
 */
ike_cfg_t *ike_cfg_create(ike_cfg_create_t *data);
280
/**
 * Determine the address family of the local or remote address(es). If multiple
 * families are configured AF_UNSPEC is returned. %any is ignored (%any4|6 are
 * not though).
 *
 * @param this			ike config to check
 * @param local			TRUE to check local addresses, FALSE for remote
 * @return				address family of address(es) if distinct, AF_UNSPEC
 *						otherwise
 */
int ike_cfg_get_family(ike_cfg_t *this, bool local);
291
/**
 * Determine if the given address was explicitly configured as local or remote
 * address.
 *
 * Unlike match_me()/match_other() this is a yes/no check for an explicitly
 * configured address, not a match quality.
 *
 * @param this			ike config to check
 * @param addr			address to check
 * @param local			TRUE to check local addresses, FALSE for remote
 * @return				TRUE if address was configured
 */
bool ike_cfg_has_address(ike_cfg_t *this, host_t *addr, bool local);
302
303 #endif /** IKE_CFG_H_ @}*/