Merge branch 'stroke-counters'
[strongswan.git] / src / libpttls / pt_tls.h
1 /*
2 * Copyright (C) 2012 Martin Willi
3 * Copyright (C) 2012 revosec AG
4 *
5 * This program is free software; you can redistribute it and/or modify it
6 * under the terms of the GNU General Public License as published by the
7 * Free Software Foundation; either version 2 of the License, or (at your
8 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
9 *
10 * This program is distributed in the hope that it will be useful, but
11 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
12 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
13 * for more details.
14 */
15
16 /**
17 * @defgroup pt_tls pt_tls
18 *
19 * @addtogroup pt_tls
20 * @{
21 */
22
23 #ifndef PT_TLS_H_
24 #define PT_TLS_H_
25
26 #include <bio/bio_reader.h>
27 #include <bio/bio_writer.h>
28 #include <tls_socket.h>
29
30 /**
31 * PT-TLS version we support
32 */
33 #define PT_TLS_VERSION 1
34
35 /**
36 * Length of a PT-TLS header
37 */
38 #define PT_TLS_HEADER_LEN 16
39
40 typedef enum pt_tls_message_type_t pt_tls_message_type_t;
41 typedef enum pt_tls_sasl_result_t pt_tls_sasl_result_t;
42 typedef enum pt_tls_auth_t pt_tls_auth_t;
43
44 /**
45 * Message types, as defined by NEA PT-TLS
46 */
47 enum pt_tls_message_type_t {
48 PT_TLS_EXPERIMENTAL = 0,
49 PT_TLS_VERSION_REQUEST = 1,
50 PT_TLS_VERSION_RESPONSE = 2,
51 PT_TLS_SASL_MECHS = 3,
52 PT_TLS_SASL_MECH_SELECTION = 4,
53 PT_TLS_SASL_AUTH_DATA = 5,
54 PT_TLS_SASL_RESULT = 6,
55 PT_TLS_PB_TNC_BATCH = 7,
56 PT_TLS_ERROR = 8,
57 };
58
59 /**
60 * Result code for a single SASL mechansim, as sent in PT_TLS_SASL_RESULT
61 */
62 enum pt_tls_sasl_result_t {
63 PT_TLS_SASL_RESULT_SUCCESS = 0,
64 PT_TLS_SASL_RESULT_FAILURE = 1,
65 PT_TLS_SASL_RESULT_ABORT = 2,
66 PT_TLS_SASL_RESULT_MECH_FAILURE = 3,
67 };
68
69 /**
70 * Client authentication to require as PT-TLS server.
71 */
72 enum pt_tls_auth_t {
73 /** don't require TLS client certificate or request SASL authentication */
74 PT_TLS_AUTH_NONE,
75 /** require TLS certificate authentication, no SASL */
76 PT_TLS_AUTH_TLS,
77 /** do SASL regardless of TLS certificate authentication */
78 PT_TLS_AUTH_SASL,
79 /* if client does not authenticate with a TLS certificate, request SASL */
80 PT_TLS_AUTH_TLS_OR_SASL,
81 /* require both, TLS certificate authentication and SASL */
82 PT_TLS_AUTH_TLS_AND_SASL,
83 };
84
85 /**
86 * Read a PT-TLS message, create reader over Message Value.
87 *
88 * @param tls TLS socket to read from
89 * @param vendor receives Message Type Vendor ID from header
90 * @param type receives Message Type from header
91 * @param identifier receives Message Identifer
92 * @return reader over message value, NULL on error
93 */
94 bio_reader_t* pt_tls_read(tls_socket_t *tls, u_int32_t *vendor,
95 u_int32_t *type, u_int32_t *identifier);
96
97 /**
98 * Prepend a PT-TLS header to a writer, send data, destroy writer.
99 *
100 * @param tls TLS socket to write to
101 * @param writer prepared Message value to write
102 * @param type Message Type to write
103 * @param identifier Message Identifier to write
104 * @return TRUE if data written successfully
105 */
106 bool pt_tls_write(tls_socket_t *tls, bio_writer_t *writer,
107 pt_tls_message_type_t type, u_int32_t identifier);
108
109 #endif /** PT_TLS_H_ @}*/