1 /*
2 * Copyright (C) 2012-2019 Tobias Brunner
3 * Copyright (C) 2005-2007 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * HSR Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 /**
19 * @defgroup ike_cfg ike_cfg
20 * @{ @ingroup config
21 */
22
23 #ifndef IKE_CFG_H_
24 #define IKE_CFG_H_
25
/* Forward declarations of the types this header defines. They are placed
 * ahead of the includes below, presumably so that the included headers can
 * refer to these names; the enums and structs themselves are defined
 * further down in this file. */
typedef enum ike_version_t ike_version_t;
typedef enum fragmentation_t fragmentation_t;
typedef enum childless_t childless_t;
typedef struct ike_cfg_t ike_cfg_t;
typedef struct ike_cfg_create_t ike_cfg_create_t;
31
32 #include <library.h>
33 #include <networking/host.h>
34 #include <collections/linked_list.h>
35 #include <utils/identification.h>
36 #include <crypto/proposal/proposal.h>
37 #include <crypto/diffie_hellman.h>
38
/**
 * IKE major version an ike_cfg_t applies to.
 *
 * The numeric values are fixed and match the protocol major version.
 */
enum ike_version_t {
	IKE_ANY = 0,	/**< any version */
	IKEV1 = 1,		/**< IKE version 1 */
	IKEV2 = 2,		/**< IKE version 2 */
};
50
/**
 * Proprietary IKEv1 fragmentation and IKEv2 fragmentation.
 *
 * Values are ordered from "never fragment" to "always fragment".
 */
enum fragmentation_t {
	/** disable fragmentation */
	FRAGMENTATION_NO = 0,
	/** announce support, but don't send any fragments */
	FRAGMENTATION_ACCEPT = 1,
	/** enable fragmentation, if supported by peer */
	FRAGMENTATION_YES = 2,
	/** force use of fragmentation (even for the first message for IKEv1) */
	FRAGMENTATION_FORCE = 3,
};
64
/**
 * Childless IKE_SAs (RFC 6023).
 *
 * Controls both what is accepted as responder and what is initiated.
 */
enum childless_t {
	/** Allow childless IKE_SAs as responder, but initiate regular IKE_SAs */
	CHILDLESS_ALLOW = 0,
	/** Don't accept childless IKE_SAs as responder, don't initiate them */
	CHILDLESS_NEVER = 1,
	/** Only accept the creation of childless IKE_SAs (also as responder) */
	CHILDLESS_FORCE = 2,
};
76
/**
 * enum strings for ike_version_t, used to print an IKE version by name
 */
extern enum_name_t *ike_version_names;
81
/**
 * An ike_cfg_t defines the rules to set up an IKE_SA.
 *
 * Objects are reference counted: get_ref() increments the counter and
 * destroy() decrements it, releasing the object once it reaches zero.
 *
 * @see peer_cfg_t to get an overview over the configurations.
 */
struct ike_cfg_t {

	/**
	 * Get the IKE version to use with this configuration.
	 *
	 * @return				IKE major version (IKE_ANY, IKEV1 or IKEV2)
	 */
	ike_version_t (*get_version)(ike_cfg_t *this);

	/**
	 * Resolve the local address to use for initiation.
	 *
	 * @param family		address family to prefer, or AF_UNSPEC
	 * @return				resolved host, NULL on error
	 */
	host_t* (*resolve_me)(ike_cfg_t *this, int family);

	/**
	 * Resolve the remote address to use for initiation.
	 *
	 * @param family		address family to prefer, or AF_UNSPEC
	 * @return				resolved host, NULL on error
	 */
	host_t* (*resolve_other)(ike_cfg_t *this, int family);

	/**
	 * Check how good a host matches to the configured local address.
	 *
	 * Used when responding, to rate this config against the address a
	 * request arrived on.
	 *
	 * @param host			host to check match quality
	 * @return				quality of the match, 0 if not matching at all
	 */
	u_int (*match_me)(ike_cfg_t *this, host_t *host);

	/**
	 * Check how good a host matches to the configured remote address.
	 *
	 * Used when responding, to rate this config against the address a
	 * request was sent from.
	 *
	 * @param host			host to check match quality
	 * @return				quality of the match, 0 if not matching at all
	 */
	u_int (*match_other)(ike_cfg_t *this, host_t *host);

	/**
	 * Get own address.
	 *
	 * @return				string of address/DNS name
	 */
	char* (*get_my_addr) (ike_cfg_t *this);

	/**
	 * Get peer's address.
	 *
	 * @return				string of address/DNS name
	 */
	char* (*get_other_addr) (ike_cfg_t *this);

	/**
	 * Get the port to use as our source port.
	 *
	 * @return				source address port, host order
	 */
	uint16_t (*get_my_port)(ike_cfg_t *this);

	/**
	 * Get the port to use as destination port.
	 *
	 * @return				destination port, host order
	 */
	uint16_t (*get_other_port)(ike_cfg_t *this);

	/**
	 * Get the DSCP value to use for IKE packets sent from connections.
	 *
	 * @return				DSCP value
	 */
	uint8_t (*get_dscp)(ike_cfg_t *this);

	/**
	 * Adds a proposal to the list.
	 *
	 * The first added proposal has the highest priority, the last
	 * added the lowest. It is safe to add NULL as proposal, which has no
	 * effect.
	 *
	 * @param proposal		proposal to add, or NULL
	 */
	void (*add_proposal) (ike_cfg_t *this, proposal_t *proposal);

	/**
	 * Returns a list of all supported proposals.
	 *
	 * Returned list and its proposals must be destroyed after use.
	 *
	 * @return				list containing all the proposals
	 */
	linked_list_t* (*get_proposals) (ike_cfg_t *this);

	/**
	 * Select a proposal from a list of supplied proposals.
	 *
	 * Returned proposal must be destroyed after use.
	 *
	 * @param proposals		list of proposals to select from
	 * @param private		TRUE to also accept algorithm identifiers from
	 *						the private-use range
	 * @param prefer_self	TRUE to prefer the order of the configured
	 *						proposals, FALSE to prefer the supplied order
	 * @return				selected proposal, or NULL if none matches.
	 */
	proposal_t *(*select_proposal) (ike_cfg_t *this, linked_list_t *proposals,
									bool private, bool prefer_self);

	/**
	 * Check if the config has a matching proposal.
	 *
	 * @param match			proposal to check
	 * @param private		TRUE to also accept algorithm identifiers from
	 *						the private-use range
	 * @return				TRUE if a matching proposal is contained
	 */
	bool(*has_proposal)(ike_cfg_t *this, proposal_t *match, bool private);

	/**
	 * Should we send a certificate request in IKE_SA_INIT?
	 *
	 * @return				TRUE to send a certificate request
	 */
	bool (*send_certreq) (ike_cfg_t *this);

	/**
	 * Enforce UDP encapsulation by faking NATD notifies?
	 *
	 * When enabled, UDP encapsulation is used regardless of whether a NAT
	 * was actually detected.
	 *
	 * @return				TRUE to enforce UDP encapsulation
	 */
	bool (*force_encap) (ike_cfg_t *this);

	/**
	 * Use IKE fragmentation?
	 *
	 * @return				fragmentation policy, see fragmentation_t
	 */
	fragmentation_t (*fragmentation) (ike_cfg_t *this);

	/**
	 * Whether to initiate/accept childless IKE_SAs
	 *
	 * @return				childless policy, see childless_t
	 */
	childless_t (*childless)(ike_cfg_t *this);

	/**
	 * Get the DH group to use for IKE_SA setup.
	 *
	 * @return				dh group to use for initialization
	 */
	diffie_hellman_group_t (*get_dh_group)(ike_cfg_t *this);

	/**
	 * Check if two IKE configs are equal.
	 *
	 * @param other			other to check for equality
	 * @return				TRUE if other equal to this
	 */
	bool (*equals)(ike_cfg_t *this, ike_cfg_t *other);

	/**
	 * Increase reference count.
	 *
	 * Every reference obtained this way has to be released with destroy().
	 *
	 * @return				reference to this
	 */
	ike_cfg_t* (*get_ref) (ike_cfg_t *this);

	/**
	 * Destroys a ike_cfg_t object.
	 *
	 * Decrements the internal reference counter and
	 * destroys the ike_cfg when it reaches zero.
	 */
	void (*destroy) (ike_cfg_t *this);
};
263
/**
 * Data passed to the constructor of an ike_cfg_t object.
 *
 * local and remote are comma separated lists of IP addresses, DNS names,
 * IP ranges or subnets. When initiating, the first non-range/subnet address is
 * used as address. When responding, a match is performed against all items in
 * the list.
 *
 * The string members are cloned by the constructor, so the caller keeps
 * ownership of the strings it passes in.
 */
struct ike_cfg_create_t {
	/** IKE major version to use for this config (IKE_ANY, IKEV1 or IKEV2) */
	ike_version_t version;
	/** Address/DNS name of local peer (cloned) */
	char *local;
	/** IKE port to use as source, 500 uses IKEv2 port floating */
	uint16_t local_port;
	/** Address/DNS name of remote peer (cloned) */
	char *remote;
	/** IKE port to use as dest, 500 uses IKEv2 port floating */
	uint16_t remote_port;
	/** TRUE to not send any certificate requests */
	bool no_certreq;
	/** Enforce UDP encapsulation by faking NATD notify, regardless of
	 * whether a NAT is actually detected */
	bool force_encap;
	/** Use IKE fragmentation, see fragmentation_t */
	fragmentation_t fragmentation;
	/** Childless IKE_SA configuration, see childless_t */
	childless_t childless;
	/** DSCP value to send IKE packets with */
	uint8_t dscp;
};
294
/**
 * Creates an ike_cfg_t object.
 *
 * The string members of data are cloned, so the caller retains ownership
 * of data and its strings. The returned object is reference counted and
 * released with its destroy() method.
 *
 * @param data			data for this ike_cfg
 * @return				ike_cfg_t object.
 */
ike_cfg_t *ike_cfg_create(ike_cfg_create_t *data);
302
/**
 * Determine the address family of the local or remote address(es). If multiple
 * families are configured AF_UNSPEC is returned. %any is ignored, whereas
 * %any4 and %any6 are taken into account.
 *
 * @param this			ike config to check
 * @param local			TRUE to check local addresses, FALSE for remote
 * @return				address family of address(es) if distinct,
 *						AF_UNSPEC otherwise
 */
int ike_cfg_get_family(ike_cfg_t *this, bool local);
313
/**
 * Determine if the given address was explicitly configured as local or remote
 * address.
 *
 * Only explicitly configured addresses count; whether a range or subnet
 * entry containing addr is considered a match is not specified here.
 *
 * @param this			ike config to check
 * @param addr			address to check
 * @param local			TRUE to check local addresses, FALSE for remote
 * @return				TRUE if address was configured
 */
bool ike_cfg_has_address(ike_cfg_t *this, host_t *addr, bool local);
324
325 #endif /** IKE_CFG_H_ @}*/