Use the vararg list constructor in quick mode task
[strongswan.git] / src / libcharon / config / peer_cfg.h
1 /*
2 * Copyright (C) 2007-2008 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 /**
19 * @defgroup peer_cfg peer_cfg
20 * @{ @ingroup config
21 */
22
23 #ifndef PEER_CFG_H_
24 #define PEER_CFG_H_
25
26 typedef enum ike_version_t ike_version_t;
27 typedef enum cert_policy_t cert_policy_t;
28 typedef enum unique_policy_t unique_policy_t;
29 typedef struct peer_cfg_t peer_cfg_t;
30
31 #include <library.h>
32 #include <utils/identification.h>
33 #include <utils/enumerator.h>
34 #include <selectors/traffic_selector.h>
35 #include <config/proposal.h>
36 #include <config/ike_cfg.h>
37 #include <config/child_cfg.h>
38 #include <credentials/auth_cfg.h>
39
40 /**
41 * IKE version.
42 */
43 enum ike_version_t {
44 /** any version */
45 IKE_ANY = 0,
46 /** IKE version 1 */
47 IKEV1 = 1,
48 /** IKE version 2 */
49 IKEV2 = 2,
50 };
51
52 /**
53 * enum strings fro ike_version_t
54 */
55 extern enum_name_t *ike_version_names;
56
57 /**
58 * Certificate sending policy. This is also used for certificate
59 * requests when using this definition for the other peer. If
60 * it is CERT_NEVER_SEND, a certreq is omitted, otherwise its
61 * included.
62 *
63 * @warning These definitions must be the same as in pluto/starter,
64 * as they are sent over the stroke socket.
65 */
66 enum cert_policy_t {
67 /** always send certificates, even when not requested */
68 CERT_ALWAYS_SEND = 0,
69 /** send certificate upon cert request */
70 CERT_SEND_IF_ASKED = 1,
71 /** never send a certificate, even when requested */
72 CERT_NEVER_SEND = 2,
73 };
74
75 /**
76 * enum strings for cert_policy_t
77 */
78 extern enum_name_t *cert_policy_names;
79
80 /**
81 * Uniqueness of an IKE_SA, used to drop multiple connections with one peer.
82 */
83 enum unique_policy_t {
84 /** never check for client uniqueness */
85 UNIQUE_NEVER,
86 /** only check for client uniqueness when receiving an INITIAL_CONTACT */
87 UNIQUE_NO,
88 /** replace existing IKE_SAs when new ones get established by a client */
89 UNIQUE_REPLACE,
90 /** keep existing IKE_SAs, close the new ones on connection attempt */
91 UNIQUE_KEEP,
92 };
93
94 /**
95 * enum strings for unique_policy_t
96 */
97 extern enum_name_t *unique_policy_names;
98
99 /**
100 * Configuration of a peer, specified by IDs.
101 *
102 * The peer config defines a connection between two given IDs. It contains
103 * exactly one ike_cfg_t, which is used for initiation. Additionally, it
104 * contains multiple child_cfg_t defining which CHILD_SAs are allowed for this
105 * peer.
106 * @verbatim
107 +-------------------+ +---------------+
108 +---------------+ | peer_cfg | +---------------+ |
109 | ike_cfg | +-------------------+ | child_cfg | |
110 +---------------+ | - ids | +---------------+ |
111 | - hosts | 1 1 | - cas | 1 n | - proposals | |
112 | - proposals |<-----| - auth info |----->| - traffic sel | |
113 | - ... | | - dpd config | | - ... |-+
114 +---------------+ | - ... | +---------------+
115 +-------------------+
116 | 1 0 |
117 | |
118 v n n V
119 +-------------------+ +-------------------+
120 +-------------------+ | +-------------------+ |
121 | auth_cfg | | | auth_cfg | |
122 +-------------------+ | +-------------------+ |
123 | - local rules |-+ | - remote constr. |-+
124 +-------------------+ +-------------------+
125 @endverbatim
126 *
127 * Each peer_cfg has two lists of authentication config attached. Local
128 * authentication configs define how to authenticate ourself against the remote
129 * peer. Each config is enforced using the multiple authentication extension
130 * (RFC4739).
131 * The remote authentication configs are handled as constraints. The peer has
132 * to fulfill each of these rules (using multiple authentication, in any order)
133 * to gain access to the configuration.
134 */
135 struct peer_cfg_t {
136
137 /**
138 * Get the name of the peer_cfg.
139 *
140 * Returned object is not getting cloned.
141 *
142 * @return peer_cfg's name
143 */
144 char* (*get_name) (peer_cfg_t *this);
145
146 /**
147 * Get the IKE version to use for initiating.
148 *
149 * @return IKE major version
150 */
151 ike_version_t (*get_ike_version)(peer_cfg_t *this);
152
153 /**
154 * Get the IKE config to use for initiaton.
155 *
156 * @return the IKE config to use
157 */
158 ike_cfg_t* (*get_ike_cfg) (peer_cfg_t *this);
159
160 /**
161 * Attach a CHILD config.
162 *
163 * @param child_cfg CHILD config to add
164 */
165 void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg);
166
167 /**
168 * Detach a CHILD config, pointed to by an enumerator.
169 *
170 * @param enumerator enumerator indicating element position
171 */
172 void (*remove_child_cfg)(peer_cfg_t *this, enumerator_t *enumerator);
173
174 /**
175 * Create an enumerator for all attached CHILD configs.
176 *
177 * @return an enumerator over all CHILD configs.
178 */
179 enumerator_t* (*create_child_cfg_enumerator) (peer_cfg_t *this);
180
181 /**
182 * Select a CHILD config from traffic selectors.
183 *
184 * @param my_ts TS for local side
185 * @param other_ts TS for remote side
186 * @param my_host host to narrow down dynamic TS for local side
187 * @param other_host host to narrow down dynamic TS for remote side
188 * @return selected CHILD config, or NULL if no match found
189 */
190 child_cfg_t* (*select_child_cfg) (peer_cfg_t *this, linked_list_t *my_ts,
191 linked_list_t *other_ts, host_t *my_host,
192 host_t *other_host);
193
194 /**
195 * Add an authentication config to the peer configuration.
196 *
197 * @param config config to add
198 * @param local TRUE for local rules, FALSE for remote constraints
199 */
200 void (*add_auth_cfg)(peer_cfg_t *this, auth_cfg_t *cfg, bool local);
201
202 /**
203 * Create an enumerator over registered authentication configs.
204 *
205 * @param local TRUE for local rules, FALSE for remote constraints
206 * @return enumerator over auth_cfg_t*
207 */
208 enumerator_t* (*create_auth_cfg_enumerator)(peer_cfg_t *this, bool local);
209
210 /**
211 * Should be sent a certificate for this connection?
212 *
213 * @return certificate sending policy
214 */
215 cert_policy_t (*get_cert_policy) (peer_cfg_t *this);
216
217 /**
218 * How to handle uniqueness of IKE_SAs?
219 *
220 * @return unique policy
221 */
222 unique_policy_t (*get_unique_policy) (peer_cfg_t *this);
223
224 /**
225 * Get the max number of retries after timeout.
226 *
227 * @return max number retries
228 */
229 u_int32_t (*get_keyingtries) (peer_cfg_t *this);
230
231 /**
232 * Get a time to start rekeying.
233 *
234 * @param jitter remove a jitter value to randomize time
235 * @return time in s when to start rekeying, 0 disables rekeying
236 */
237 u_int32_t (*get_rekey_time)(peer_cfg_t *this, bool jitter);
238
239 /**
240 * Get a time to start reauthentication.
241 *
242 * @param jitter remove a jitter value to randomize time
243 * @return time in s when to start reauthentication, 0 disables it
244 */
245 u_int32_t (*get_reauth_time)(peer_cfg_t *this, bool jitter);
246
247 /**
248 * Get the timeout of a rekeying/reauthenticating SA.
249 *
250 * @return timeout in s
251 */
252 u_int32_t (*get_over_time)(peer_cfg_t *this);
253
254 /**
255 * Use MOBIKE (RFC4555) if peer supports it?
256 *
257 * @return TRUE to enable MOBIKE support
258 */
259 bool (*use_mobike) (peer_cfg_t *this);
260
261 /**
262 * Use/Accept aggressive mode with IKEv1?.
263 *
264 * @return TRUE to use aggressive mode
265 */
266 bool (*use_aggressive)(peer_cfg_t *this);
267
268 /**
269 * Get the DPD check interval.
270 *
271 * @return dpd_delay in seconds
272 */
273 u_int32_t (*get_dpd) (peer_cfg_t *this);
274
275 /**
276 * Get the DPD timeout interval (IKEv1 only)
277 *
278 * @return dpd_timeout in seconds
279 */
280 u_int32_t (*get_dpd_timeout) (peer_cfg_t *this);
281
282 /**
283 * Add a virtual IP to request as initiator.
284 *
285 * @param vip virtual IP to request, may be %any or %any6
286 */
287 void (*add_virtual_ip)(peer_cfg_t *this, host_t *vip);
288
289 /**
290 * Create an enumerator over virtual IPs to request.
291 *
292 * The returned enumerator enumerates over IPs added with add_virtual_ip().
293 *
294 * @return enumerator over host_t*
295 */
296 enumerator_t* (*create_virtual_ip_enumerator)(peer_cfg_t *this);
297
298 /**
299 * Add a pool name this configuration uses to select virtual IPs.
300 *
301 * @param name pool name to use for virtual IP lookup
302 */
303 void (*add_pool)(peer_cfg_t *this, char *name);
304
305 /**
306 * Create an enumerator over pool names of this config.
307 *
308 * @return enumerator over char*
309 */
310 enumerator_t* (*create_pool_enumerator)(peer_cfg_t *this);
311
312 #ifdef ME
313 /**
314 * Is this a mediation connection?
315 *
316 * @return TRUE, if this is a mediation connection
317 */
318 bool (*is_mediation) (peer_cfg_t *this);
319
320 /**
321 * Get peer_cfg of the connection this one is mediated through.
322 *
323 * @return the peer_cfg of the mediation connection
324 */
325 peer_cfg_t* (*get_mediated_by) (peer_cfg_t *this);
326
327 /**
328 * Get the id of the other peer at the mediation server.
329 *
330 * This is the leftid of the peer's connection with the mediation server.
331 *
332 * If it is not configured, it is assumed to be the same as the right id
333 * of this connection.
334 *
335 * @return the id of the other peer
336 */
337 identification_t* (*get_peer_id) (peer_cfg_t *this);
338 #endif /* ME */
339
340 /**
341 * Check if two peer configurations are equal.
342 *
343 * This method does not compare associated ike/child_cfg.
344 *
345 * @param other candidate to check for equality against this
346 * @return TRUE if peer_cfg and ike_cfg are equal
347 */
348 bool (*equals)(peer_cfg_t *this, peer_cfg_t *other);
349
350 /**
351 * Increase reference count.
352 *
353 * @return reference to this
354 */
355 peer_cfg_t* (*get_ref) (peer_cfg_t *this);
356
357 /**
358 * Destroys the peer_cfg object.
359 *
360 * Decrements the internal reference counter and
361 * destroys the peer_cfg when it reaches zero.
362 */
363 void (*destroy) (peer_cfg_t *this);
364 };
365
366 /**
367 * Create a configuration object for IKE_AUTH and later.
368 *
369 * name-string gets cloned, ID's not.
370 * Virtual IPs are used if they are != NULL. A %any host means the virtual
371 * IP should be obtained from the other peer.
372 * Lifetimes are in seconds. To prevent to peers to start rekeying at the
373 * same time, a jitter may be specified. Rekeying of an SA starts at
374 * (rekeylifetime - random(0, jitter)).
375 *
376 * @param name name of the peer_cfg
377 * @param ike_version which IKE version we should use for this peer
378 * @param ike_cfg IKE config to use when acting as initiator
379 * @param cert_policy should we send a certificate payload?
380 * @param unique uniqueness of an IKE_SA
381 * @param keyingtries how many keying tries should be done before giving up
382 * @param rekey_time timeout before starting rekeying
383 * @param reauth_time timeout before starting reauthentication
384 * @param jitter_time timerange to randomly subtract from rekey/reauth time
385 * @param over_time maximum overtime before closing a rekeying/reauth SA
386 * @param mobike use MOBIKE (RFC4555) if peer supports it
387 * @param aggressive use/accept aggressive mode with IKEv1
388 * @param dpd DPD check interval, 0 to disable
389 * @param dpd_timeout DPD timeout interval (IKEv1 only), if 0 default applies
390 * @param mediation TRUE if this is a mediation connection
391 * @param mediated_by peer_cfg_t of the mediation connection to mediate through
392 * @param peer_id ID that identifies our peer at the mediation server
393 * @return peer_cfg_t object
394 */
395 peer_cfg_t *peer_cfg_create(char *name, ike_version_t ike_version,
396 ike_cfg_t *ike_cfg, cert_policy_t cert_policy,
397 unique_policy_t unique, u_int32_t keyingtries,
398 u_int32_t rekey_time, u_int32_t reauth_time,
399 u_int32_t jitter_time, u_int32_t over_time,
400 bool mobike, bool aggressive, u_int32_t dpd,
401 u_int32_t dpd_timeout,
402 bool mediation, peer_cfg_t *mediated_by,
403 identification_t *peer_id);
404
405 #endif /** PEER_CFG_H_ @}*/