proposal: correctly enumerate registered AEADs to build default IKE proposal
[strongswan.git] / src / libcharon / config / peer_cfg.h
1 /*
2 * Copyright (C) 2007-2008 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 /**
19 * @defgroup peer_cfg peer_cfg
20 * @{ @ingroup config
21 */
22
23 #ifndef PEER_CFG_H_
24 #define PEER_CFG_H_
25
26 typedef enum cert_policy_t cert_policy_t;
27 typedef enum unique_policy_t unique_policy_t;
28 typedef struct peer_cfg_t peer_cfg_t;
29
30 #include <library.h>
31 #include <utils/identification.h>
32 #include <collections/enumerator.h>
33 #include <selectors/traffic_selector.h>
34 #include <config/proposal.h>
35 #include <config/ike_cfg.h>
36 #include <config/child_cfg.h>
37 #include <credentials/auth_cfg.h>
38
39 /**
40 * Certificate sending policy. This is also used for certificate
41 * requests when using this definition for the other peer. If
42 * it is CERT_NEVER_SEND, a certreq is omitted, otherwise its
43 * included.
44 *
45 * @warning These definitions must be the same as in pluto/starter,
46 * as they are sent over the stroke socket.
47 */
48 enum cert_policy_t {
49 /** always send certificates, even when not requested */
50 CERT_ALWAYS_SEND = 0,
51 /** send certificate upon cert request */
52 CERT_SEND_IF_ASKED = 1,
53 /** never send a certificate, even when requested */
54 CERT_NEVER_SEND = 2,
55 };
56
57 /**
58 * enum strings for cert_policy_t
59 */
60 extern enum_name_t *cert_policy_names;
61
62 /**
63 * Uniqueness of an IKE_SA, used to drop multiple connections with one peer.
64 */
65 enum unique_policy_t {
66 /** never check for client uniqueness */
67 UNIQUE_NEVER,
68 /** only check for client uniqueness when receiving an INITIAL_CONTACT */
69 UNIQUE_NO,
70 /** replace existing IKE_SAs when new ones get established by a client */
71 UNIQUE_REPLACE,
72 /** keep existing IKE_SAs, close the new ones on connection attempt */
73 UNIQUE_KEEP,
74 };
75
76 /**
77 * enum strings for unique_policy_t
78 */
79 extern enum_name_t *unique_policy_names;
80
81 /**
82 * Configuration of a peer, specified by IDs.
83 *
84 * The peer config defines a connection between two given IDs. It contains
85 * exactly one ike_cfg_t, which is used for initiation. Additionally, it
86 * contains multiple child_cfg_t defining which CHILD_SAs are allowed for this
87 * peer.
88 * @verbatim
89 +-------------------+ +---------------+
90 +---------------+ | peer_cfg | +---------------+ |
91 | ike_cfg | +-------------------+ | child_cfg | |
92 +---------------+ | - ids | +---------------+ |
93 | - hosts | 1 1 | - cas | 1 n | - proposals | |
94 | - proposals |<-----| - auth info |----->| - traffic sel | |
95 | - ... | | - dpd config | | - ... |-+
96 +---------------+ | - ... | +---------------+
97 +-------------------+
98 | 1 0 |
99 | |
100 v n n V
101 +-------------------+ +-------------------+
102 +-------------------+ | +-------------------+ |
103 | auth_cfg | | | auth_cfg | |
104 +-------------------+ | +-------------------+ |
105 | - local rules |-+ | - remote constr. |-+
106 +-------------------+ +-------------------+
107 @endverbatim
108 *
109 * Each peer_cfg has two lists of authentication config attached. Local
110 * authentication configs define how to authenticate ourself against the remote
111 * peer. Each config is enforced using the multiple authentication extension
112 * (RFC4739).
113 * The remote authentication configs are handled as constraints. The peer has
114 * to fulfill each of these rules (using multiple authentication, in any order)
115 * to gain access to the configuration.
116 */
117 struct peer_cfg_t {
118
119 /**
120 * Get the name of the peer_cfg.
121 *
122 * Returned object is not getting cloned.
123 *
124 * @return peer_cfg's name
125 */
126 char* (*get_name) (peer_cfg_t *this);
127
128 /**
129 * Get the IKE version to use for initiating.
130 *
131 * @return IKE major version
132 */
133 ike_version_t (*get_ike_version)(peer_cfg_t *this);
134
135 /**
136 * Get the IKE config to use for initiaton.
137 *
138 * @return the IKE config to use
139 */
140 ike_cfg_t* (*get_ike_cfg) (peer_cfg_t *this);
141
142 /**
143 * Attach a CHILD config.
144 *
145 * @param child_cfg CHILD config to add
146 */
147 void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg);
148
149 /**
150 * Detach a CHILD config, pointed to by an enumerator.
151 *
152 * @param enumerator enumerator indicating element position
153 */
154 void (*remove_child_cfg)(peer_cfg_t *this, enumerator_t *enumerator);
155
156 /**
157 * Create an enumerator for all attached CHILD configs.
158 *
159 * @return an enumerator over all CHILD configs.
160 */
161 enumerator_t* (*create_child_cfg_enumerator) (peer_cfg_t *this);
162
163 /**
164 * Select a CHILD config from traffic selectors.
165 *
166 * @param my_ts TS for local side
167 * @param other_ts TS for remote side
168 * @param my_hosts hosts to narrow down dynamic TS for local side
169 * @param other_hosts hosts to narrow down dynamic TS for remote side
170 * @return selected CHILD config, or NULL if no match found
171 */
172 child_cfg_t* (*select_child_cfg) (peer_cfg_t *this,
173 linked_list_t *my_ts, linked_list_t *other_ts,
174 linked_list_t *my_hosts, linked_list_t *other_hosts);
175
176 /**
177 * Add an authentication config to the peer configuration.
178 *
179 * @param cfg config to add
180 * @param local TRUE for local rules, FALSE for remote constraints
181 */
182 void (*add_auth_cfg)(peer_cfg_t *this, auth_cfg_t *cfg, bool local);
183
184 /**
185 * Create an enumerator over registered authentication configs.
186 *
187 * @param local TRUE for local rules, FALSE for remote constraints
188 * @return enumerator over auth_cfg_t*
189 */
190 enumerator_t* (*create_auth_cfg_enumerator)(peer_cfg_t *this, bool local);
191
192 /**
193 * Should a certificate be sent for this connection?
194 *
195 * @return certificate sending policy
196 */
197 cert_policy_t (*get_cert_policy) (peer_cfg_t *this);
198
199 /**
200 * How to handle uniqueness of IKE_SAs?
201 *
202 * @return unique policy
203 */
204 unique_policy_t (*get_unique_policy) (peer_cfg_t *this);
205
206 /**
207 * Get the max number of retries after timeout.
208 *
209 * @return max number retries
210 */
211 u_int32_t (*get_keyingtries) (peer_cfg_t *this);
212
213 /**
214 * Get a time to start rekeying.
215 *
216 * @param jitter remove a jitter value to randomize time
217 * @return time in s when to start rekeying, 0 disables rekeying
218 */
219 u_int32_t (*get_rekey_time)(peer_cfg_t *this, bool jitter);
220
221 /**
222 * Get a time to start reauthentication.
223 *
224 * @param jitter remove a jitter value to randomize time
225 * @return time in s when to start reauthentication, 0 disables it
226 */
227 u_int32_t (*get_reauth_time)(peer_cfg_t *this, bool jitter);
228
229 /**
230 * Get the timeout of a rekeying/reauthenticating SA.
231 *
232 * @return timeout in s
233 */
234 u_int32_t (*get_over_time)(peer_cfg_t *this);
235
236 /**
237 * Use MOBIKE (RFC4555) if peer supports it?
238 *
239 * @return TRUE to enable MOBIKE support
240 */
241 bool (*use_mobike) (peer_cfg_t *this);
242
243 /**
244 * Use/Accept aggressive mode with IKEv1?.
245 *
246 * @return TRUE to use aggressive mode
247 */
248 bool (*use_aggressive)(peer_cfg_t *this);
249
250 /**
251 * Get the DPD check interval.
252 *
253 * @return dpd_delay in seconds
254 */
255 u_int32_t (*get_dpd) (peer_cfg_t *this);
256
257 /**
258 * Get the DPD timeout interval (IKEv1 only)
259 *
260 * @return dpd_timeout in seconds
261 */
262 u_int32_t (*get_dpd_timeout) (peer_cfg_t *this);
263
264 /**
265 * Add a virtual IP to request as initiator.
266 *
267 * @param vip virtual IP to request, may be %any or %any6
268 */
269 void (*add_virtual_ip)(peer_cfg_t *this, host_t *vip);
270
271 /**
272 * Create an enumerator over virtual IPs to request.
273 *
274 * The returned enumerator enumerates over IPs added with add_virtual_ip().
275 *
276 * @return enumerator over host_t*
277 */
278 enumerator_t* (*create_virtual_ip_enumerator)(peer_cfg_t *this);
279
280 /**
281 * Add a pool name this configuration uses to select virtual IPs.
282 *
283 * @param name pool name to use for virtual IP lookup
284 */
285 void (*add_pool)(peer_cfg_t *this, char *name);
286
287 /**
288 * Create an enumerator over pool names of this config.
289 *
290 * @return enumerator over char*
291 */
292 enumerator_t* (*create_pool_enumerator)(peer_cfg_t *this);
293
294 #ifdef ME
295 /**
296 * Is this a mediation connection?
297 *
298 * @return TRUE, if this is a mediation connection
299 */
300 bool (*is_mediation) (peer_cfg_t *this);
301
302 /**
303 * Get peer_cfg of the connection this one is mediated through.
304 *
305 * @return the peer_cfg of the mediation connection
306 */
307 peer_cfg_t* (*get_mediated_by) (peer_cfg_t *this);
308
309 /**
310 * Get the id of the other peer at the mediation server.
311 *
312 * This is the leftid of the peer's connection with the mediation server.
313 *
314 * If it is not configured, it is assumed to be the same as the right id
315 * of this connection.
316 *
317 * @return the id of the other peer
318 */
319 identification_t* (*get_peer_id) (peer_cfg_t *this);
320 #endif /* ME */
321
322 /**
323 * Check if two peer configurations are equal.
324 *
325 * This method does not compare associated ike/child_cfg.
326 *
327 * @param other candidate to check for equality against this
328 * @return TRUE if peer_cfg and ike_cfg are equal
329 */
330 bool (*equals)(peer_cfg_t *this, peer_cfg_t *other);
331
332 /**
333 * Increase reference count.
334 *
335 * @return reference to this
336 */
337 peer_cfg_t* (*get_ref) (peer_cfg_t *this);
338
339 /**
340 * Destroys the peer_cfg object.
341 *
342 * Decrements the internal reference counter and
343 * destroys the peer_cfg when it reaches zero.
344 */
345 void (*destroy) (peer_cfg_t *this);
346 };
347
348 /**
349 * Create a configuration object for IKE_AUTH and later.
350 *
351 * name-string gets cloned, ID's not.
352 * Virtual IPs are used if they are != NULL. A %any host means the virtual
353 * IP should be obtained from the other peer.
354 * Lifetimes are in seconds. To prevent to peers to start rekeying at the
355 * same time, a jitter may be specified. Rekeying of an SA starts at
356 * (rekeylifetime - random(0, jitter)).
357 *
358 * @param name name of the peer_cfg
359 * @param ike_cfg IKE config to use when acting as initiator
360 * @param cert_policy should we send a certificate payload?
361 * @param unique uniqueness of an IKE_SA
362 * @param keyingtries how many keying tries should be done before giving up
363 * @param rekey_time timeout before starting rekeying
364 * @param reauth_time timeout before starting reauthentication
365 * @param jitter_time timerange to randomly subtract from rekey/reauth time
366 * @param over_time maximum overtime before closing a rekeying/reauth SA
367 * @param mobike use MOBIKE (RFC4555) if peer supports it
368 * @param aggressive use/accept aggressive mode with IKEv1
369 * @param dpd DPD check interval, 0 to disable
370 * @param dpd_timeout DPD timeout interval (IKEv1 only), if 0 default applies
371 * @param mediation TRUE if this is a mediation connection
372 * @param mediated_by peer_cfg_t of the mediation connection to mediate through
373 * @param peer_id ID that identifies our peer at the mediation server
374 * @return peer_cfg_t object
375 */
376 peer_cfg_t *peer_cfg_create(char *name,
377 ike_cfg_t *ike_cfg, cert_policy_t cert_policy,
378 unique_policy_t unique, u_int32_t keyingtries,
379 u_int32_t rekey_time, u_int32_t reauth_time,
380 u_int32_t jitter_time, u_int32_t over_time,
381 bool mobike, bool aggressive, u_int32_t dpd,
382 u_int32_t dpd_timeout,
383 bool mediation, peer_cfg_t *mediated_by,
384 identification_t *peer_id);
385
386 #endif /** PEER_CFG_H_ @}*/