ff33907f0d39fe128dfcdf5ab770c1f63033652a
1 /*
2 * Copyright (C) 2007-2008 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 /**
19 * @defgroup peer_cfg peer_cfg
20 * @{ @ingroup config
21 */
22
23 #ifndef PEER_CFG_H_
24 #define PEER_CFG_H_
25
/* Forward typedefs, deliberately placed before the includes below so that
 * any of those headers can name these types even if it is processed before
 * the definitions further down (presumably some of them include peer_cfg.h
 * in turn - confirm against the included headers). */
typedef enum cert_policy_t cert_policy_t;
typedef enum unique_policy_t unique_policy_t;
typedef struct peer_cfg_t peer_cfg_t;
29
30 #include <library.h>
31 #include <utils/identification.h>
32 #include <utils/enumerator.h>
33 #include <selectors/traffic_selector.h>
34 #include <config/proposal.h>
35 #include <config/ike_cfg.h>
36 #include <config/child_cfg.h>
37 #include <sa/authenticators/authenticator.h>
38 #include <sa/authenticators/eap/eap_method.h>
39 #include <credentials/auth_cfg.h>
40
/**
 * Certificate sending policy. This is also used for certificate
 * requests when using this definition for the other peer. If
 * it is CERT_NEVER_SEND, a certreq is omitted, otherwise it is
 * included.
 *
 * @warning These definitions must be the same as in pluto/starter,
 * as they are sent over the stroke socket. The explicit numeric values
 * below are therefore part of that socket format: do not renumber,
 * reorder or insert constants. Nothing in this header range-checks a
 * value read from the socket, so the decoding side has to verify that
 * it lies within 0..2 before using it as a cert_policy_t.
 */
enum cert_policy_t {
	/** always send certificates, even when not requested */
	CERT_ALWAYS_SEND = 0,
	/** send certificate upon cert request */
	CERT_SEND_IF_ASKED = 1,
	/** never send a certificate, even when requested */
	CERT_NEVER_SEND = 2,
};
58
/**
 * enum strings for cert_policy_t, indexed by the enum values above.
 *
 * Only declared here; the definition lives outside this header.
 */
extern enum_name_t *cert_policy_names;
63
/**
 * Uniqueness of an IKE_SA, used to drop multiple connections with one peer.
 *
 * No explicit values are assigned, so the constants take the C default
 * sequence 0, 1, 2 in declaration order. Unlike cert_policy_t this header
 * gives no stroke-socket compatibility warning for them; whether the
 * values cross a process boundary is not visible here.
 */
enum unique_policy_t {
	/** do not check for client uniqueness */
	UNIQUE_NO,
	/** replace unique IKE_SAs if new ones get established */
	UNIQUE_REPLACE,
	/** keep existing IKE_SAs, close the new ones on connection attempt */
	UNIQUE_KEEP,
};
75
/**
 * enum strings for unique_policy_t, indexed by the enum values above.
 *
 * Only declared here; the definition lives outside this header.
 */
extern enum_name_t *unique_policy_names;
80
81 /**
82 * Configuration of a peer, specified by IDs.
83 *
84 * The peer config defines a connection between two given IDs. It contains
85 * exactly one ike_cfg_t, which is used for initiation. Additionally, it contains
86 * multiple child_cfg_t defining which CHILD_SAs are allowed for this peer.
87 * @verbatim
88 +-------------------+ +---------------+
89 +---------------+ | peer_cfg | +---------------+ |
90 | ike_cfg | +-------------------+ | child_cfg | |
91 +---------------+ | - ids | +---------------+ |
92 | - hosts | 1 1 | - cas | 1 n | - proposals | |
93 | - proposals |<-----| - auth info |----->| - traffic sel | |
94 | - ... | | - dpd config | | - ... |-+
95 +---------------+ | - ... | +---------------+
96 +-------------------+
97 | 1 0 |
98 | |
99 v n n V
100 +-------------------+ +-------------------+
101 +-------------------+ | +-------------------+ |
102 | auth_cfg | | | auth_cfg | |
103 +-------------------+ | +-------------------+ |
104 | - local rules |-+ | - remote constr. |-+
105 +-------------------+ +-------------------+
106 @endverbatim
107 *
108 * Each peer_cfg has two lists of authentication config attached. Local
109 * authentication configs define how to authenticate ourselves against the remote
110 * peer. Each config is enforced using the multiple authentication extension
111 * (RFC4739).
112 * The remote authentication configs are handled as constraints. The peer has
113 * to fulfill each of these rules (using multiple authentication, in any order)
114 * to gain access to the configuration.
115 */
struct peer_cfg_t {

	/**
	 * Get the name of the peer_cfg.
	 *
	 * Returned object is not getting cloned: the string remains owned by
	 * the peer_cfg, so the caller must neither free nor modify it.
	 *
	 * @return			peer_cfg's name
	 */
	char* (*get_name) (peer_cfg_t *this);

	/**
	 * Get the IKE version to use for initiating.
	 *
	 * @return			IKE major version
	 */
	u_int (*get_ike_version)(peer_cfg_t *this);

	/**
	 * Get the IKE config to use for initiation.
	 *
	 * NOTE(review): this header does not state whether the returned
	 * ike_cfg_t is a borrowed reference or a new one; check the
	 * implementation before destroying it.
	 *
	 * @return			the IKE config to use
	 */
	ike_cfg_t* (*get_ike_cfg) (peer_cfg_t *this);

	/**
	 * Attach a CHILD config.
	 *
	 * Ownership of child_cfg after the call is not documented here;
	 * presumably the peer_cfg takes over the reference - confirm in the
	 * implementation.
	 *
	 * @param child_cfg		CHILD config to add
	 */
	void (*add_child_cfg) (peer_cfg_t *this, child_cfg_t *child_cfg);

	/**
	 * Detach a CHILD config, pointed to by an enumerator.
	 *
	 * The enumerator is expected to come from create_child_cfg_enumerator()
	 * on this very peer_cfg and to point at the entry to remove.
	 *
	 * @param enumerator	enumerator indicating element position
	 */
	void (*remove_child_cfg)(peer_cfg_t *this, enumerator_t *enumerator);

	/**
	 * Create an enumerator for all attached CHILD configs.
	 *
	 * @return			an enumerator over all CHILD configs.
	 */
	enumerator_t* (*create_child_cfg_enumerator) (peer_cfg_t *this);

	/**
	 * Select a CHILD config from traffic selectors.
	 *
	 * The hosts are used to narrow down dynamic traffic selectors before
	 * matching; how a "best" match is chosen among several candidates is
	 * up to the implementation.
	 *
	 * @param my_ts			TS for local side
	 * @param other_ts		TS for remote side
	 * @param my_host		host to narrow down dynamic TS for local side
	 * @param other_host	host to narrow down dynamic TS for remote side
	 * @return				selected CHILD config, or NULL if no match found
	 */
	child_cfg_t* (*select_child_cfg) (peer_cfg_t *this, linked_list_t *my_ts,
									  linked_list_t *other_ts, host_t *my_host,
									  host_t *other_host);

	/**
	 * Add an authentication config to the peer configuration.
	 *
	 * Local rules describe how we authenticate ourselves; remote
	 * constraints are requirements the peer has to fulfill.
	 *
	 * @param cfg			config to add
	 * @param local			TRUE for local rules, FALSE for remote constraints
	 */
	void (*add_auth_cfg)(peer_cfg_t *this, auth_cfg_t *cfg, bool local);

	/**
	 * Create an enumerator over registered authentication configs.
	 *
	 * @param local			TRUE for local rules, FALSE for remote constraints
	 * @return				enumerator over auth_cfg_t*
	 */
	enumerator_t* (*create_auth_cfg_enumerator)(peer_cfg_t *this, bool local);

	/**
	 * Should a certificate be sent for this connection?
	 *
	 * @return			certificate sending policy
	 */
	cert_policy_t (*get_cert_policy) (peer_cfg_t *this);

	/**
	 * How to handle uniqueness of IKE_SAs?
	 *
	 * @return			unique policy
	 */
	unique_policy_t (*get_unique_policy) (peer_cfg_t *this);

	/**
	 * Get the max number of retries after timeout.
	 *
	 * @return			max number retries
	 */
	u_int32_t (*get_keyingtries) (peer_cfg_t *this);

	/**
	 * Get a time to start rekeying (is randomized with jitter).
	 *
	 * @return			time in s when to start rekeying, 0 disables rekeying
	 */
	u_int32_t (*get_rekey_time)(peer_cfg_t *this);

	/**
	 * Get a time to start reauthentication (is randomized with jitter).
	 *
	 * @return			time in s when to start reauthentication, 0 disables it
	 */
	u_int32_t (*get_reauth_time)(peer_cfg_t *this);

	/**
	 * Get the timeout of a rekeying/reauthenticating SA.
	 *
	 * This is the grace period after which the old SA is closed even if
	 * the rekeying/reauthentication has not completed.
	 *
	 * @return			timeout in s
	 */
	u_int32_t (*get_over_time)(peer_cfg_t *this);

	/**
	 * Use MOBIKE (RFC4555) if peer supports it?
	 *
	 * @return			TRUE to enable MOBIKE support
	 */
	bool (*use_mobike) (peer_cfg_t *this);

	/**
	 * Get the DPD check interval.
	 *
	 * @return			dpd_delay in seconds, 0 if DPD is disabled
	 */
	u_int32_t (*get_dpd) (peer_cfg_t *this);

	/**
	 * Get a virtual IP for the local peer.
	 *
	 * If no virtual IP should be used, NULL is returned. %any means to request
	 * a virtual IP using configuration payloads. A specific address is also
	 * used for a request and may be changed by the server.
	 *
	 * @return			virtual IP, %any or NULL
	 */
	host_t* (*get_virtual_ip) (peer_cfg_t *this);

	/**
	 * Get the name of the pool to acquire configuration attributes from.
	 *
	 * @return			pool name, NULL if none defined
	 */
	char* (*get_pool)(peer_cfg_t *this);

#ifdef ME
	/* The following accessors exist only in builds with the mediation
	 * extension (ME) compiled in. */

	/**
	 * Is this a mediation connection?
	 *
	 * @return			TRUE, if this is a mediation connection
	 */
	bool (*is_mediation) (peer_cfg_t *this);

	/**
	 * Get peer_cfg of the connection this one is mediated through.
	 *
	 * @return			the peer_cfg of the mediation connection
	 */
	peer_cfg_t* (*get_mediated_by) (peer_cfg_t *this);

	/**
	 * Get the id of the other peer at the mediation server.
	 *
	 * This is the leftid of the peer's connection with the mediation server.
	 *
	 * If it is not configured, it is assumed to be the same as the right id
	 * of this connection.
	 *
	 * @return			the id of the other peer
	 */
	identification_t* (*get_peer_id) (peer_cfg_t *this);
#endif /* ME */

	/**
	 * Check if two peer configurations are equal.
	 *
	 * This method does not compare associated ike/child_cfg; only the
	 * peer_cfg's own settings are considered.
	 *
	 * @param other			candidate to check for equality against this
	 * @return				TRUE if the two peer_cfg objects are equal
	 */
	bool (*equals)(peer_cfg_t *this, peer_cfg_t *other);

	/**
	 * Increase reference count.
	 *
	 * Every get_ref() must be balanced by a destroy() call.
	 *
	 * @return			reference to this
	 */
	peer_cfg_t* (*get_ref) (peer_cfg_t *this);

	/**
	 * Destroys the peer_cfg object.
	 *
	 * Decrements the internal reference counter and
	 * destroys the peer_cfg when it reaches zero.
	 */
	void (*destroy) (peer_cfg_t *this);
};
319
/**
 * Create a configuration object for IKE_AUTH and later.
 *
 * name-string gets cloned, ID's not.
 * Virtual IPs are used if they are != NULL. A %any host means the virtual
 * IP should be obtained from the other peer.
 * Lifetimes are in seconds. To prevent two peers from starting to rekey at
 * the same time, a jitter may be specified. Rekeying of an SA starts at
 * (rekeylifetime - random(0, jitter)).
 *
 * NOTE(review): the mediation, mediated_by and peer_id parameters are part
 * of the signature unconditionally, while the matching accessors in
 * peer_cfg_t exist only under #ifdef ME; outside ME builds they are
 * presumably ignored - confirm in the implementation. Ownership of
 * ike_cfg, virtual_ip and mediated_by is not stated here either.
 *
 * @param name				name of the peer_cfg
 * @param ike_version		which IKE version we should use for this peer
 * @param ike_cfg			IKE config to use when acting as initiator
 * @param cert_policy		should we send a certificate payload?
 * @param unique			uniqueness of an IKE_SA
 * @param keyingtries		how many keying tries should be done before giving up
 * @param rekey_time		timeout before starting rekeying
 * @param reauth_time		timeout before starting reauthentication
 * @param jitter_time		timerange to randomly subtract from rekey/reauth time
 * @param over_time			maximum overtime before closing a rekeying/reauth SA
 * @param mobike			use MOBIKE (RFC4555) if peer supports it
 * @param dpd				DPD check interval, 0 to disable
 * @param virtual_ip		virtual IP for local host, or NULL
 * @param pool				pool name to get configuration attributes from, or NULL
 * @param mediation			TRUE if this is a mediation connection
 * @param mediated_by		peer_cfg_t of the mediation connection to mediate through
 * @param peer_id			ID that identifies our peer at the mediation server
 * @return					peer_cfg_t object
 */
peer_cfg_t *peer_cfg_create(char *name, u_int ike_version, ike_cfg_t *ike_cfg,
							cert_policy_t cert_policy, unique_policy_t unique,
							u_int32_t keyingtries, u_int32_t rekey_time,
							u_int32_t reauth_time, u_int32_t jitter_time,
							u_int32_t over_time, bool mobike, u_int32_t dpd,
							host_t *virtual_ip, char *pool,
							bool mediation, peer_cfg_t *mediated_by,
							identification_t *peer_id);
357
358 #endif /** PEER_CFG_H_ @}*/