1 /*
2 * Copyright (C) 2008-2015 Tobias Brunner
3 * Copyright (C) 2007-2009 Martin Willi
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 /**
18 * @defgroup auth_cfg auth_cfg
19 * @{ @ingroup credentials
20 */
21
22 #ifndef AUTH_CFG_H_
23 #define AUTH_CFG_H_
24
25 #include <collections/enumerator.h>
26
/* Forward declarations; the enums and the struct are defined further down
 * in this header, so callers can name the types before their definition. */
typedef struct auth_cfg_t auth_cfg_t;
typedef enum auth_rule_t auth_rule_t;
typedef enum auth_class_t auth_class_t;
30
31 /**
32 * Class of authentication to use. This is different to auth_method_t in that
33 * it does not specify a method, but a class of acceptable methods. The found
34 * certificate finally dictates which method is used.
35 */
enum auth_class_t {
	/** any class acceptable; used as a remote constraint this presumably
	 * places no restriction on how the peer authenticates */
	AUTH_CLASS_ANY = 0,
	/** authentication using public keys (RSA, ECDSA) */
	AUTH_CLASS_PUBKEY = 1,
	/** authentication using pre-shared secrets */
	AUTH_CLASS_PSK = 2,
	/** authentication using EAP */
	AUTH_CLASS_EAP = 3,
	/** authentication using IKEv1 XAUTH */
	AUTH_CLASS_XAUTH = 4,
};
48
/**
 * Enum names for auth_class_t, used to render a class as a string.
 */
extern enum_name_t *auth_class_names;
53
54 /**
55 * Authentication config to use during authentication process.
56 *
57 * Each authentication config contains a set of rules. These rule-sets are used
58 * in two ways:
59 * - For configs specifying local authentication behavior, the rules define
60 * which authentication method in which way.
61 * - For configs specifying remote peer authentication, the rules define
62 * constraints the peer has to fulfill.
63 *
64 * Additionally to the rules, there is a set of helper items. These are used
65 * to transport credentials during the authentication process.
66 */
enum auth_rule_t {
	/** identity to use for IKEv2 authentication exchange, identification_t* */
	AUTH_RULE_IDENTITY,
	/** if TRUE don't send IDr as initiator, but verify the identity after
	 * receiving IDr (but also verify it against subjectAltNames), bool */
	AUTH_RULE_IDENTITY_LOOSE,
	/** authentication class, auth_class_t */
	AUTH_RULE_AUTH_CLASS,
	/** AAA-backend identity for EAP methods supporting it, identification_t* */
	AUTH_RULE_AAA_IDENTITY,
	/** EAP identity to use within EAP-Identity exchange, identification_t* */
	AUTH_RULE_EAP_IDENTITY,
	/** EAP type to propose for peer authentication, eap_type_t */
	AUTH_RULE_EAP_TYPE,
	/** EAP vendor for vendor specific type, uint32_t */
	AUTH_RULE_EAP_VENDOR,
	/** XAUTH backend name to use, char* */
	AUTH_RULE_XAUTH_BACKEND,
	/** XAuth identity to use or require, identification_t* */
	AUTH_RULE_XAUTH_IDENTITY,
	/** certificate authority, certificate_t* */
	AUTH_RULE_CA_CERT,
	/** intermediate certificate in trustchain, certificate_t* */
	AUTH_RULE_IM_CERT,
	/** subject certificate, certificate_t* */
	AUTH_RULE_SUBJECT_CERT,
	/** result of a CRL validation, cert_validation_t */
	AUTH_RULE_CRL_VALIDATION,
	/** result of a OCSP validation, cert_validation_t */
	AUTH_RULE_OCSP_VALIDATION,
	/** CRL/OCSP validation is disabled, bool.
	 * While set, no revocation status is checked, so a revoked certificate
	 * is not rejected on that basis; keep this rule confined to the phase
	 * it is meant for. */
	AUTH_RULE_CERT_VALIDATION_SUSPENDED,
	/** subject is member of a group, identification_t*
	 * The group membership constraint is fulfilled if the subject is member of
	 * one group defined in the constraints. */
	AUTH_RULE_GROUP,
	/** required RSA public key strength, u_int in bits */
	AUTH_RULE_RSA_STRENGTH,
	/** required ECDSA public key strength, u_int in bits */
	AUTH_RULE_ECDSA_STRENGTH,
	/** required BLISS public key strength, u_int in bits */
	AUTH_RULE_BLISS_STRENGTH,
	/** required signature scheme, signature_scheme_t */
	AUTH_RULE_SIGNATURE_SCHEME,
	/** required signature scheme for IKE authentication, signature_scheme_t */
	AUTH_RULE_IKE_SIGNATURE_SCHEME,
	/** certificatePolicy constraint, numerical OID as char* */
	AUTH_RULE_CERT_POLICY,

	/* Helper items: they transport credentials during authentication and
	 * are not constraints themselves (see the auth_rule_t description). */

	/** intermediate certificate, certificate_t* */
	AUTH_HELPER_IM_CERT,
	/** subject certificate, certificate_t* */
	AUTH_HELPER_SUBJECT_CERT,
	/** Hash and URL of an intermediate certificate, char* */
	AUTH_HELPER_IM_HASH_URL,
	/** Hash and URL of an end-entity certificate, char* */
	AUTH_HELPER_SUBJECT_HASH_URL,
	/** revocation certificate (CRL, OCSP), certificate_t* */
	AUTH_HELPER_REVOCATION_CERT,
	/** attribute certificate for authorization decisions, certificate_t
	 * (NOTE(review): presumably certificate_t* like the other cert helpers;
	 * confirm against the implementation) */
	AUTH_HELPER_AC_CERT,

	/** helper to determine the number of elements in this enum; not a
	 * valid rule type itself */
	AUTH_RULE_MAX,
};
132
/**
 * Enum names for auth_rule_t, used to render a rule type as a string.
 */
extern enum_name_t *auth_rule_names;
137
138 /**
139 * Authentication/Authorization round.
140 *
141 * RFC4739 defines multiple authentication rounds. This class defines such
142 * a round from a configuration perspective, either for the local or the remote
143 * peer. Local configs are called "rulesets". They define how we authenticate.
144 * Remote peer configs are called "constraints". They define what is needed to
145 * complete the authentication round successfully.
146 *
147 * @verbatim
148
149 [Repeat for each configuration]
150 +--------------------------------------------------+
151 | |
152 | |
153 | +----------+ IKE_AUTH +--------- + |
154 | | config | -----------> | | |
155 | | ruleset | | | |
156 | +----------+ [ <----------- ] | | |
157 | [ optional EAP ] | Peer | |
158 | +----------+ [ -----------> ] | | |
159 | | config | | | |
160 | | constr. | <----------- | | |
161 | +----------+ IKE_AUTH +--------- + |
162 | |
163 | |
164 +--------------------------------------------------+
165
166 @endverbatim
167 *
168 * Values for each item are either pointers (casted to void*) or short
169 * integers (use uintptr_t cast).
170 */
struct auth_cfg_t {

	/**
	 * Add a rule to the set.
	 *
	 * Rules we expect only once (e.g. identities) implicitly replace previous
	 * rules of the same type (but pointers to previous values will remain
	 * valid until the auth_cfg_t object is destroyed).
	 * Rules that may occur multiple times (e.g. CA certificates) are inserted
	 * so that they can be enumerated in the order in which they were added.
	 * For these get() will return the value added first.
	 *
	 * The type of the variadic value depends on the rule; see the per-rule
	 * comments in auth_rule_t (pointer types are passed as is, short integers
	 * via uintptr_t).
	 *
	 * @param rule			rule type
	 * @param ...			associated value to rule
	 */
	void (*add)(auth_cfg_t *this, auth_rule_t rule, ...);

	/**
	 * Add public key and signature scheme constraints to the set.
	 *
	 * NOTE(review): constraints is not const-qualified; whether the string
	 * is modified while parsing cannot be told from this declaration.
	 *
	 * @param constraints	constraints string (e.g. "rsa-sha384")
	 * @param ike			whether to add/parse constraints for IKE signatures
	 */
	void (*add_pubkey_constraints)(auth_cfg_t *this, char *constraints,
								   bool ike);

	/**
	 * Get a rule value.
	 *
	 * For rules we expect only once the latest value is returned.
	 *
	 * @param rule			rule type
	 * @return				rule or NULL (or an appropriate default) if not found
	 */
	void* (*get)(auth_cfg_t *this, auth_rule_t rule);

	/**
	 * Create an enumerator over added rules.
	 *
	 * Refer to add() regarding the order in which rules are enumerated.
	 * For rules we expect only once the latest value is enumerated only.
	 *
	 * @return				enumerator over (auth_rule_t, union{void*,uintptr_t})
	 */
	enumerator_t* (*create_enumerator)(auth_cfg_t *this);

	/**
	 * Replace a rule at enumerator position.
	 *
	 * @param pos			enumerator position
	 * @param rule			rule type
	 * @param ...			associated value to rule
	 */
	void (*replace)(auth_cfg_t *this, enumerator_t *pos,
					auth_rule_t rule, ...);

	/**
	 * Check if a used config fulfills a set of configured constraints.
	 *
	 * This is the check that enforces remote-peer constraints (see the
	 * auth_rule_t description); a FALSE result means the peer's
	 * authentication round does not satisfy them.
	 *
	 * @param constraints	required authorization rules
	 * @param log_error		whether to log compliance errors
	 * @return				TRUE if this complies with constraints
	 */
	bool (*complies)(auth_cfg_t *this, auth_cfg_t *constraints, bool log_error);

	/**
	 * Merge items from other into this.
	 *
	 * With copy == FALSE the items are moved, i.e. ownership presumably
	 * transfers to this and other no longer holds them — verify against
	 * the implementation before relying on other afterwards.
	 *
	 * @param other			items to read for merge
	 * @param copy			TRUE to copy items, FALSE to move them
	 */
	void (*merge)(auth_cfg_t *this, auth_cfg_t *other, bool copy);

	/**
	 * Purge all rules in a config.
	 *
	 * @param keep_ca		whether to keep AUTH_RULE_CA_CERT entries
	 */
	void (*purge)(auth_cfg_t *this, bool keep_ca);

	/**
	 * Check two configs for equality.
	 *
	 * For rules we expect only once the latest value is compared only.
	 *
	 * @param other			other config to compare against this
	 * @return				TRUE if auth infos identical
	 */
	bool (*equals)(auth_cfg_t *this, auth_cfg_t *other);

	/**
	 * Clone an authentication config, including all rules.
	 *
	 * @return				cloned configuration, released by the caller via destroy()
	 */
	auth_cfg_t* (*clone)(auth_cfg_t *this);

	/**
	 * Destroy a config with all associated rules/values.
	 */
	void (*destroy)(auth_cfg_t *this);
};
273
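/**
 * Create an authentication config.
 *
 * The returned object is owned by the caller and is released with its
 * destroy() method.
 *
 * @return				newly created config
 */
/* (void) rather than () so the compiler rejects stray arguments */
auth_cfg_t *auth_cfg_create(void);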
278
279 #endif /** AUTH_CFG_H_ @}*/