projects / strongswan.git / blob
? search:


5e0e0f255476a68202a4821ce109d308b20a7279
[strongswan.git] / src / starter / confread.h
1 /* strongSwan IPsec config file parser
2 * Copyright (C) 2001-2002 Mathieu Lafon
3 * Arkoon Network Security
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #ifndef _IPSEC_CONFREAD_H_
17 #define _IPSEC_CONFREAD_H_
18
19 #include <kernel/kernel_ipsec.h>
20
21 #include "ipsec-parser.h"
22
23 /** to mark seen keywords */
24 typedef u_int64_t seen_t;
25 #define SEEN_NONE 0;
26 #define SEEN_KW(kw, base) ((seen_t)1 << ((kw) - (base)))
27
28 typedef enum {
29 STARTUP_NO,
30 STARTUP_ADD,
31 STARTUP_ROUTE,
32 STARTUP_START
33 } startup_t;
34
35 typedef enum {
36 STATE_IGNORE,
37 STATE_TO_ADD,
38 STATE_ADDED,
39 STATE_REPLACED,
40 STATE_INVALID
41 } starter_state_t;
42
43 typedef enum {
44 /* shared with ike_version_t */
45 KEY_EXCHANGE_IKE = 0,
46 KEY_EXCHANGE_IKEV1 = 1,
47 KEY_EXCHANGE_IKEV2 = 2,
48 } keyexchange_t;
49
50 typedef enum {
51 STRICT_NO,
52 STRICT_YES,
53 STRICT_IFURI
54 } strict_t;
55
56 typedef enum {
57 CERT_ALWAYS_SEND,
58 CERT_SEND_IF_ASKED,
59 CERT_NEVER_SEND,
60 CERT_YES_SEND, /* synonym for CERT_ALWAYS_SEND */
61 CERT_NO_SEND, /* synonym for CERT_NEVER_SEND */
62 } certpolicy_t;
63
64 typedef enum {
65 DPD_ACTION_NONE,
66 DPD_ACTION_CLEAR,
67 DPD_ACTION_HOLD,
68 DPD_ACTION_RESTART,
69 DPD_ACTION_UNKNOW,
70 } dpd_action_t;
71
72 typedef enum {
73 /* IPsec options */
74 SA_OPTION_AUTHENTICATE = 1 << 0, /* use AH instead of ESP? */
75 SA_OPTION_COMPRESS = 1 << 1, /* use IPComp */
76
77 /* IKE and other other options */
78 SA_OPTION_DONT_REKEY = 1 << 2, /* don't rekey state either Phase */
79 SA_OPTION_DONT_REAUTH = 1 << 3, /* don't reauthenticate on rekeying, IKEv2 only */
80 SA_OPTION_MODECFG_PUSH = 1 << 4, /* is modecfg pushed by server? */
81 SA_OPTION_XAUTH_SERVER = 1 << 5, /* are we an XAUTH server? */
82 SA_OPTION_MOBIKE = 1 << 6, /* enable MOBIKE for IKEv2 */
83 SA_OPTION_FORCE_ENCAP = 1 << 7, /* force UDP encapsulation */
84 SA_OPTION_FRAGMENTATION = 1 << 8, /* enable IKEv1 fragmentation */
85 } sa_option_t;
86
87 typedef struct starter_end starter_end_t;
88
89 struct starter_end {
90 seen_t seen;
91 char *auth;
92 char *auth2;
93 char *id;
94 char *id2;
95 char *rsakey;
96 char *cert;
97 char *cert2;
98 char *ca;
99 char *ca2;
100 char *groups;
101 char *groups2;
102 char *cert_policy;
103 char *host;
104 u_int ikeport;
105 char *subnet;
106 bool modecfg;
107 certpolicy_t sendcert;
108 bool firewall;
109 bool hostaccess;
110 bool allow_any;
111 char *updown;
112 u_int16_t port;
113 u_int8_t protocol;
114 char *sourceip;
115 char *dns;
116 };
117
118 typedef struct also also_t;
119
120 struct also {
121 char *name;
122 bool included;
123 also_t *next;
124 };
125
126 typedef struct starter_conn starter_conn_t;
127
128 struct starter_conn {
129 seen_t seen;
130 char *name;
131 also_t *also;
132 kw_list_t *kw;
133 u_int visit;
134 startup_t startup;
135 starter_state_t state;
136
137 keyexchange_t keyexchange;
138 char *eap_identity;
139 char *aaa_identity;
140 char *xauth_identity;
141 char *authby;
142 ipsec_mode_t mode;
143 bool proxy_mode;
144 sa_option_t options;
145 time_t sa_ike_life_seconds;
146 time_t sa_ipsec_life_seconds;
147 time_t sa_rekey_margin;
148 u_int64_t sa_ipsec_life_bytes;
149 u_int64_t sa_ipsec_margin_bytes;
150 u_int64_t sa_ipsec_life_packets;
151 u_int64_t sa_ipsec_margin_packets;
152 unsigned long sa_keying_tries;
153 unsigned long sa_rekey_fuzz;
154 u_int32_t reqid;
155 mark_t mark_in;
156 mark_t mark_out;
157 u_int32_t tfc;
158 bool install_policy;
159 bool aggressive;
160 starter_end_t left, right;
161
162 unsigned long id;
163
164 char *esp;
165 char *ike;
166
167 time_t dpd_delay;
168 time_t dpd_timeout;
169 dpd_action_t dpd_action;
170 int dpd_count;
171
172 dpd_action_t close_action;
173
174 time_t inactivity;
175
176 bool me_mediation;
177 char *me_mediated_by;
178 char *me_peerid;
179
180 starter_conn_t *next;
181 };
182
183 typedef struct starter_ca starter_ca_t;
184
185 struct starter_ca {
186 seen_t seen;
187 char *name;
188 also_t *also;
189 kw_list_t *kw;
190 u_int visit;
191 startup_t startup;
192 starter_state_t state;
193
194 char *cacert;
195 char *crluri;
196 char *crluri2;
197 char *ocspuri;
198 char *ocspuri2;
199 char *certuribase;
200
201 bool strict;
202
203 starter_ca_t *next;
204 };
205
206 typedef struct starter_config starter_config_t;
207
208 struct starter_config {
209 struct {
210 seen_t seen;
211 bool charonstart;
212 char *charondebug;
213 bool uniqueids;
214 bool cachecrls;
215 strict_t strictcrlpolicy;
216 } setup;
217
218 /* number of encountered parsing errors */
219 u_int err;
220 u_int non_fatal_err;
221
222 /* do we parse also statements */
223 bool parse_also;
224
225 /* ca %default */
226 starter_ca_t ca_default;
227
228 /* connections list (without %default) */
229 starter_ca_t *ca_first, *ca_last;
230
231 /* conn %default */
232 starter_conn_t conn_default;
233
234 /* connections list (without %default) */
235 starter_conn_t *conn_first, *conn_last;
236 };
237
238 extern starter_config_t *confread_load(const char *file);
239 extern void confread_free(starter_config_t *cfg);
240
241 #endif /* _IPSEC_CONFREAD_H_ */
242
strongSwan - IPsec VPN