1 /*
2 * Copyright (C) 2007-2009 Martin Willi
3 * Copyright (C) 2008 Tobias Brunner
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 /**
18 * @defgroup auth_cfg auth_cfg
19 * @{ @ingroup config
20 */
21
22 #ifndef AUTH_CFG_H_
23 #define AUTH_CFG_H_
24
25 #include <utils/enumerator.h>
26
/* Forward declarations; both types are defined further down in this header. */
typedef struct auth_cfg_t auth_cfg_t;
typedef enum auth_rule_t auth_rule_t;
29
30 /**
31 * Authentication config to use during authentication process.
32 *
33 * Each authentication config contains a set of rules. These rule-sets are used
34 * in two ways:
35 * - For configs specifying local authentication behavior, the rules define
36 * which authentication method is used, and how.
37 * - For configs specifying remote peer authentication, the rules define
38 * constraints the peer has to fulfill.
39 *
40 * Additionally to the rules, there is a set of helper items. These are used
41 * to transport credentials during the authentication process.
42 */
enum auth_rule_t {

	/*
	 * Rules. The comment on each entry names the value type that add()
	 * receives through its variadic argument and that get() returns as void*
	 * (pointer values directly, integer values cast through uintptr_t).
	 */

	/** identity to use for IKEv2 authentication exchange, identification_t* */
	AUTH_RULE_IDENTITY,
	/** authentication class, auth_class_t */
	AUTH_RULE_AUTH_CLASS,
	/** EAP identity to use within EAP-Identity exchange, identification_t* */
	AUTH_RULE_EAP_IDENTITY,
	/** EAP type to propose for peer authentication, eap_type_t */
	AUTH_RULE_EAP_TYPE,
	/** EAP vendor for vendor specific type, u_int32_t */
	AUTH_RULE_EAP_VENDOR,
	/** certificate authority, certificate_t* */
	AUTH_RULE_CA_CERT,
	/** intermediate certificate in trustchain, certificate_t* */
	AUTH_RULE_IM_CERT,
	/** subject certificate, certificate_t* */
	AUTH_RULE_SUBJECT_CERT,
	/** result of a CRL validation, cert_validation_t */
	AUTH_RULE_CRL_VALIDATION,
	/** result of an OCSP validation, cert_validation_t */
	AUTH_RULE_OCSP_VALIDATION,
	/** subject is in attribute certificate group, identification_t* */
	AUTH_RULE_AC_GROUP,

	/*
	 * Helper items. These are not rules: they carry credentials along
	 * during the authentication process.
	 */

	/** intermediate certificate, certificate_t* */
	AUTH_HELPER_IM_CERT,
	/** subject certificate, certificate_t* */
	AUTH_HELPER_SUBJECT_CERT,
	/** Hash and URL of an intermediate certificate, char* */
	AUTH_HELPER_IM_HASH_URL,
	/** Hash and URL of an end-entity certificate, char* */
	AUTH_HELPER_SUBJECT_HASH_URL,
};
77
/**
 * Enum name table for auth_rule_t, mapping rule values to printable names.
 */
extern enum_name_t *auth_rule_names;
82
83 /**
84 * Authentication/Authorization round.
85 *
86 * RFC4739 defines multiple authentication rounds. This class defines such
87 * a round from a configuration perspective, either for the local or the remote
88 * peer. Local configs are called "rulesets", as they define how we authenticate.
89 * Remote peer configs are called "constraints"; they define what is needed to
90 * complete the authentication round successfully.
91 *
92 * @verbatim
93
94 [Repeat for each configuration]
95 +--------------------------------------------------+
96 | |
97 | |
98 | +----------+ IKE_AUTH +--------- + |
99 | | config | -----------> | | |
100 | | ruleset | | | |
101 | +----------+ [ <----------- ] | | |
102 | [ optional EAP ] | Peer | |
103 | +----------+ [ -----------> ] | | |
104 | | config | | | |
105 | | constr. | <----------- | | |
106 | +----------+ IKE_AUTH +--------- + |
107 | |
108 | |
109 +--------------------------------------------------+
110
111 @endverbatim
112 *
113 * Values for each item are either pointers (cast to void*) or short
114 * integers (cast via uintptr_t).
115 */
struct auth_cfg_t {

	/**
	 * Add a rule to the set.
	 *
	 * The value travels through the variadic argument and is therefore not
	 * type-checked by the compiler: pass exactly the type documented for the
	 * rule in auth_rule_t (a pointer, or an integer cast to uintptr_t).
	 *
	 * @param rule		rule type
	 * @param ...		associated value to rule
	 */
	void (*add)(auth_cfg_t *this, auth_rule_t rule, ...);

	/**
	 * Get the value of a rule.
	 *
	 * @param rule		rule type
	 * @return			rule value as void* (integer values cast via
	 *					uintptr_t). NOTE(review): what is returned when the
	 *					rule is absent is not specified here; confirm in the
	 *					implementation before treating NULL/0 as "not found",
	 *					since 0 may also be a legitimate integer value.
	 */
	void* (*get)(auth_cfg_t *this, auth_rule_t rule);

	/**
	 * Create an enumerator over added rules.
	 *
	 * @return			enumerator over (auth_rule_t, union{void*,uintptr_t})
	 */
	enumerator_t* (*create_enumerator)(auth_cfg_t *this);

	/**
	 * Replace the rule at an enumerator position.
	 *
	 * @param pos		enumerator position of the rule to replace
	 * @param rule		rule type
	 * @param ...		associated value to rule (same typing caveat as add())
	 */
	void (*replace)(auth_cfg_t *this, enumerator_t *pos,
					auth_rule_t rule, ...);

	/**
	 * Check if a used config fulfills a set of configured constraints.
	 *
	 * "this" is the config describing what was actually used in the
	 * authentication round; "constraints" holds the rules the remote peer
	 * is required to satisfy.
	 *
	 * @param constraints	required authorization rules
	 * @param log_error		whether to log compliance errors
	 * @return				TRUE if this complies with constraints
	 */
	bool (*complies)(auth_cfg_t *this, auth_cfg_t *constraints, bool log_error);

	/**
	 * Merge items from other into this.
	 *
	 * @param other		items to read for merge
	 * @param copy		TRUE to copy items, FALSE to move them out of other
	 */
	void (*merge)(auth_cfg_t *this, auth_cfg_t *other, bool copy);

	/**
	 * Purge all rules in a config.
	 *
	 * @param keep_ca	whether to keep AUTH_RULE_CA_CERT entries
	 */
	void (*purge)(auth_cfg_t *this, bool keep_ca);

	/**
	 * Check two configs for equality.
	 *
	 * @param other		other config to compare against this
	 * @return			TRUE if auth infos identical
	 */
	bool (*equals)(auth_cfg_t *this, auth_cfg_t *other);

	/**
	 * Clone an authentication config, including all rules.
	 *
	 * @return			cloned configuration, to be released with destroy()
	 */
	auth_cfg_t* (*clone)(auth_cfg_t *this);

	/**
	 * Destroy a config with all associated rules/values.
	 */
	void (*destroy)(auth_cfg_t *this);
};
195
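/**
 * Create an authentication config.
 *
 * Declared with an explicit (void) parameter list: an empty "()" in a C
 * prototype leaves the arguments unchecked, so mistaken calls would compile.
 *
 * @return			new config, to be released with its destroy() method
 */
auth_cfg_t *auth_cfg_create(void);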
200
201 #endif /** AUTH_CFG_H_ @}*/