travis: Enable caching for sonarcloud scan
[strongswan.git] / src / starter / confread.h
1 /* strongSwan IPsec config file parser
2 * Copyright (C) 2001-2002 Mathieu Lafon
3 * Arkoon Network Security
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 #ifndef _IPSEC_CONFREAD_H_
17 #define _IPSEC_CONFREAD_H_
18
19 #include <kernel/kernel_ipsec.h>
20
21 typedef enum {
22 STARTUP_NO,
23 STARTUP_ADD,
24 STARTUP_ROUTE,
25 STARTUP_START
26 } startup_t;
27
28 typedef enum {
29 STATE_IGNORE,
30 STATE_TO_ADD,
31 STATE_ADDED,
32 STATE_REPLACED,
33 STATE_INVALID
34 } starter_state_t;
35
36 typedef enum {
37 /* shared with ike_version_t */
38 KEY_EXCHANGE_IKE = 0,
39 KEY_EXCHANGE_IKEV1 = 1,
40 KEY_EXCHANGE_IKEV2 = 2,
41 } keyexchange_t;
42
43 typedef enum {
44 STRICT_NO,
45 STRICT_YES,
46 STRICT_IFURI,
47 } strict_t;
48
49 typedef enum {
50 CERT_ALWAYS_SEND,
51 CERT_SEND_IF_ASKED,
52 CERT_NEVER_SEND,
53 CERT_YES_SEND, /* synonym for CERT_ALWAYS_SEND */
54 CERT_NO_SEND, /* synonym for CERT_NEVER_SEND */
55 } certpolicy_t;
56
57 typedef enum {
58 DPD_ACTION_NONE,
59 DPD_ACTION_CLEAR,
60 DPD_ACTION_HOLD,
61 DPD_ACTION_RESTART,
62 DPD_ACTION_UNKNOWN,
63 } dpd_action_t;
64
65 typedef enum {
66 /* same as in ike_cfg.h */
67 FRAGMENTATION_NO,
68 FRAGMENTATION_ACCEPT,
69 FRAGMENTATION_YES,
70 FRAGMENTATION_FORCE,
71 } fragmentation_t;
72
73 typedef enum {
74 /* IPsec options */
75 SA_OPTION_COMPRESS = 1 << 1, /* use IPComp */
76
77 /* IKE and other other options */
78 SA_OPTION_DONT_REKEY = 1 << 2, /* don't rekey state either Phase */
79 SA_OPTION_DONT_REAUTH = 1 << 3, /* don't reauthenticate on rekeying, IKEv2 only */
80 SA_OPTION_MODECFG_PUSH = 1 << 4, /* is modecfg pushed by server? */
81 SA_OPTION_XAUTH_SERVER = 1 << 5, /* are we an XAUTH server? */
82 SA_OPTION_MOBIKE = 1 << 6, /* enable MOBIKE for IKEv2 */
83 SA_OPTION_FORCE_ENCAP = 1 << 7, /* force UDP encapsulation */
84 } sa_option_t;
85
86 typedef struct starter_end starter_end_t;
87
88 struct starter_end {
89 char *auth;
90 char *auth2;
91 char *id;
92 char *id2;
93 char *rsakey;
94 char *cert;
95 char *cert2;
96 char *ca;
97 char *ca2;
98 char *groups;
99 char *groups2;
100 char *cert_policy;
101 char *host;
102 u_int ikeport;
103 char *subnet;
104 bool modecfg;
105 certpolicy_t sendcert;
106 bool firewall;
107 bool hostaccess;
108 bool allow_any;
109 char *updown;
110 uint16_t from_port;
111 uint16_t to_port;
112 uint8_t protocol;
113 char *sourceip;
114 char *dns;
115 };
116
117 typedef struct starter_conn starter_conn_t;
118
119 struct starter_conn {
120 char *name;
121 startup_t startup;
122 starter_state_t state;
123
124 keyexchange_t keyexchange;
125 char *eap_identity;
126 char *aaa_identity;
127 char *xauth_identity;
128 char *authby;
129 ipsec_mode_t mode;
130 bool proxy_mode;
131 fragmentation_t fragmentation;
132 u_int ikedscp;
133 sa_option_t options;
134 time_t sa_ike_life_seconds;
135 time_t sa_ipsec_life_seconds;
136 time_t sa_rekey_margin;
137 uint64_t sa_ipsec_life_bytes;
138 uint64_t sa_ipsec_margin_bytes;
139 uint64_t sa_ipsec_life_packets;
140 uint64_t sa_ipsec_margin_packets;
141 unsigned long sa_keying_tries;
142 unsigned long sa_rekey_fuzz;
143 uint32_t reqid;
144 mark_t mark_in;
145 mark_t mark_out;
146 uint32_t replay_window;
147 uint32_t tfc;
148 bool install_policy;
149 bool aggressive;
150 starter_end_t left, right;
151
152 unsigned long id;
153
154 char *esp;
155 char *ah;
156 char *ike;
157
158 time_t dpd_delay;
159 time_t dpd_timeout;
160 dpd_action_t dpd_action;
161 int dpd_count;
162
163 dpd_action_t close_action;
164
165 bool sha256_96;
166
167 time_t inactivity;
168
169 bool me_mediation;
170 char *me_mediated_by;
171 char *me_peerid;
172
173 starter_conn_t *next;
174 };
175
176 typedef struct starter_ca starter_ca_t;
177
178 struct starter_ca {
179 char *name;
180 startup_t startup;
181 starter_state_t state;
182
183 char *cacert;
184 char *crluri;
185 char *crluri2;
186 char *ocspuri;
187 char *ocspuri2;
188 char *certuribase;
189
190 bool strict;
191
192 starter_ca_t *next;
193 };
194
195 typedef struct starter_config starter_config_t;
196
197 struct starter_config {
198 struct {
199 char *charondebug;
200 bool uniqueids;
201 bool cachecrls;
202 strict_t strictcrlpolicy;
203 } setup;
204
205 /* number of encountered parsing errors */
206 u_int err;
207 u_int non_fatal_err;
208
209 /* connections list */
210 starter_ca_t *ca_first, *ca_last;
211
212 /* connections list */
213 starter_conn_t *conn_first, *conn_last;
214 };
215
216 starter_config_t *confread_load(const char *file);
217 void confread_free(starter_config_t *cfg);
218
219 #endif /* _IPSEC_CONFREAD_H_ */