Map auth_class to auth method and IKEv1 proposal attribute
[strongswan.git] / src / libstrongswan / credentials / auth_cfg.h
1 /*
2 * Copyright (C) 2007-2009 Martin Willi
3 * Copyright (C) 2008 Tobias Brunner
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 /**
18 * @defgroup auth_cfg auth_cfg
19 * @{ @ingroup credentials
20 */
21
22 #ifndef AUTH_CFG_H_
23 #define AUTH_CFG_H_
24
25 #include <utils/enumerator.h>
26
27 typedef struct auth_cfg_t auth_cfg_t;
28 typedef enum auth_rule_t auth_rule_t;
29 typedef enum auth_class_t auth_class_t;
30
31 /**
32 * Class of authentication to use. This is different from auth_method_t in that
33 * it does not specify a method, but a class of acceptable methods. The found
34 * certificate finally dictates which method is used.
35 */
enum auth_class_t {
	/** any class acceptable */
	AUTH_CLASS_ANY = 0,
	/** authentication using public keys (RSA, ECDSA) */
	AUTH_CLASS_PUBKEY = 1,
	/** authentication using a pre-shared secret */
	AUTH_CLASS_PSK = 2,
	/** authentication using EAP */
	AUTH_CLASS_EAP = 3,
	/** authentication using a pre-shared secret in combination with XAuth */
	AUTH_CLASS_XAUTH_PSK = 4,
	/** authentication using public keys in combination with XAuth */
	AUTH_CLASS_XAUTH_PUBKEY = 5,
	/* values are assigned explicitly; auth_class_names (declared below)
	 * provides their string form */
};
50
51 /**
52 * enum strings for auth_class_t
53 */
54 extern enum_name_t *auth_class_names;
55
56 /**
57 * Authentication config to use during authentication process.
58 *
59 * Each authentication config contains a set of rules. These rule-sets are used
60 * in two ways:
61 * - For configs specifying local authentication behavior, the rules define
62 * which authentication method is used and in which way.
63 * - For configs specifying remote peer authentication, the rules define
64 * constraints the peer has to fulfill.
65 *
66 * In addition to the rules, there is a set of helper items. These are used
67 * to transport credentials during the authentication process.
68 */
enum auth_rule_t {

	/* Rules: for a local config they describe how we authenticate, for a
	 * remote config they are constraints the peer has to fulfill. The type
	 * of the associated value is given after the comma. */

	/** identity to use for IKEv2 authentication exchange, identification_t* */
	AUTH_RULE_IDENTITY,
	/** authentication class, auth_class_t */
	AUTH_RULE_AUTH_CLASS,
	/** AAA-backend identity for EAP methods supporting it, identification_t* */
	AUTH_RULE_AAA_IDENTITY,
	/** EAP identity to use within EAP-Identity exchange, identification_t* */
	AUTH_RULE_EAP_IDENTITY,
	/** EAP type to propose for peer authentication, eap_type_t */
	AUTH_RULE_EAP_TYPE,
	/** EAP vendor for vendor specific type, u_int32_t */
	AUTH_RULE_EAP_VENDOR,
	/** certificate authority, certificate_t* */
	AUTH_RULE_CA_CERT,
	/** intermediate certificate in trustchain, certificate_t* */
	AUTH_RULE_IM_CERT,
	/** subject certificate, certificate_t* */
	AUTH_RULE_SUBJECT_CERT,
	/** result of a CRL validation, cert_validation_t */
	AUTH_RULE_CRL_VALIDATION,
	/** result of an OCSP validation, cert_validation_t */
	AUTH_RULE_OCSP_VALIDATION,
	/** subject is member of a group, identification_t*
	 * The group membership constraint is fulfilled if the subject is member of
	 * one group defined in the constraints. */
	AUTH_RULE_GROUP,
	/** required RSA public key strength, u_int in bits */
	AUTH_RULE_RSA_STRENGTH,
	/** required ECDSA public key strength, u_int in bits */
	AUTH_RULE_ECDSA_STRENGTH,
	/** certificatePolicy constraint, numerical OID as char* */
	AUTH_RULE_CERT_POLICY,

	/* Helper items: not rules or constraints, but credentials transported
	 * during the authentication process (see the description above). */

	/** intermediate certificate, certificate_t* */
	AUTH_HELPER_IM_CERT,
	/** subject certificate, certificate_t* */
	AUTH_HELPER_SUBJECT_CERT,
	/** Hash and URL of an intermediate certificate, char* */
	AUTH_HELPER_IM_HASH_URL,
	/** Hash and URL of an end-entity certificate, char* */
	AUTH_HELPER_SUBJECT_HASH_URL,
	/** revocation certificate (CRL, OCSP), certificate_t* */
	AUTH_HELPER_REVOCATION_CERT,
};
115
116 /**
117 * enum name for auth_rule_t.
118 */
119 extern enum_name_t *auth_rule_names;
120
121 /**
122 * Authentication/Authorization round.
123 *
124 * RFC4739 defines multiple authentication rounds. This class defines such
125 * a round from a configuration perspective, either for the local or the remote
126 * peer. Local config are called "rulesets", as they define how we authenticate.
127 * Remote peer configs are called "constraints", they define what is needed to
128 * complete the authentication round successfully.
129 *
130 * @verbatim
131
132 [Repeat for each configuration]
133 +--------------------------------------------------+
134 | |
135 | |
136 | +----------+ IKE_AUTH +--------- + |
137 | | config | -----------> | | |
138 | | ruleset | | | |
139 | +----------+ [ <----------- ] | | |
140 | [ optional EAP ] | Peer | |
141 | +----------+ [ -----------> ] | | |
142 | | config | | | |
143 | | constr. | <----------- | | |
144 | +----------+ IKE_AUTH +--------- + |
145 | |
146 | |
147 +--------------------------------------------------+
148
149 @endverbatim
150 *
151 * Values for each item are either pointers (cast to void*) or short
152 * integers (use uintptr_t cast).
153 */
struct auth_cfg_t {

	/**
	 * Add a rule to the set.
	 *
	 * The value is passed as variadic argument: pointer-valued rules as
	 * void*, integer-valued rules as uintptr_t (see the struct description).
	 *
	 * @param rule		rule type
	 * @param ...		associated value to rule
	 */
	void (*add)(auth_cfg_t *this, auth_rule_t rule, ...);

	/**
	 * Get a rule value.
	 *
	 * Integer-valued rules are stored as uintptr_t, so a stored value of 0
	 * cannot be told apart from an absent rule through the return value
	 * alone.
	 *
	 * @param rule		rule type
	 * @return			associated value (pointer, or integer cast to void*),
	 *					NULL when no such rule has been found
	 */
	void* (*get)(auth_cfg_t *this, auth_rule_t rule);

	/**
	 * Create an enumerator over added rules.
	 *
	 * @return			enumerator over (auth_rule_t, union{void*,uintptr_t})
	 */
	enumerator_t* (*create_enumerator)(auth_cfg_t *this);

	/**
	 * Replace a rule at enumerator position.
	 *
	 * @param pos		enumerator position (obtained via create_enumerator())
	 * @param rule		rule type
	 * @param ...		associated value to rule
	 */
	void (*replace)(auth_cfg_t *this, enumerator_t *pos,
					auth_rule_t rule, ...);

	/**
	 * Check if a used config fulfills a set of configured constraints.
	 *
	 * This is the authorization check of an authentication round: this
	 * config describes what was used, constraints what the peer has to
	 * fulfill.
	 *
	 * @param constraints	required authorization rules
	 * @param log_error		whether to log compliance errors
	 * @return				TRUE if this complies with constraints
	 */
	bool (*complies)(auth_cfg_t *this, auth_cfg_t *constraints, bool log_error);

	/**
	 * Merge items from other into this.
	 *
	 * @param other		items to read for merge
	 * @param copy		TRUE to copy items, FALSE to move them (other gives
	 *					up ownership of the moved items)
	 */
	void (*merge)(auth_cfg_t *this, auth_cfg_t *other, bool copy);

	/**
	 * Purge all rules in a config.
	 *
	 * @param keep_ca	whether to keep AUTH_RULE_CA_CERT entries
	 */
	void (*purge)(auth_cfg_t *this, bool keep_ca);

	/**
	 * Check two configs for equality.
	 *
	 * @param other		other config to compare against this
	 * @return			TRUE if auth infos identical
	 */
	bool (*equals)(auth_cfg_t *this, auth_cfg_t *other);

	/**
	 * Clone an authentication config, including all rules.
	 *
	 * @return			cloned configuration, to be released by the caller
	 *					with destroy()
	 */
	auth_cfg_t* (*clone)(auth_cfg_t *this);

	/**
	 * Destroy a config with all associated rules/values.
	 */
	void (*destroy)(auth_cfg_t *this);
};
233
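/**
 * Create an authentication config.
 *
 * @return			new auth_cfg_t instance, owned by the caller and
 *					released with destroy()
 */
/* (void) makes this a real prototype: an empty parameter list in C leaves
 * the arguments unchecked, so a call passing stray arguments would not be
 * diagnosed by the compiler. Compatible with existing callers and with a
 * definition written either way. */
auth_cfg_t *auth_cfg_create(void);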
238
239 #endif /** AUTH_CFG_H_ @}*/