f088c1442c631d72dedcd4cc76ea4552246dfef6
[strongswan.git] / src / libstrongswan / credentials / auth_cfg.h
1 /*
2 * Copyright (C) 2007-2009 Martin Willi
3 * Copyright (C) 2008 Tobias Brunner
4 * Hochschule fuer Technik Rapperswil
5 *
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10 *
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14 * for more details.
15 */
16
17 /**
18 * @defgroup auth_cfg auth_cfg
19 * @{ @ingroup credentials
20 */
21
22 #ifndef AUTH_CFG_H_
23 #define AUTH_CFG_H_
24
25 #include <utils/enumerator.h>
26
27 typedef struct auth_cfg_t auth_cfg_t;
28 typedef enum auth_rule_t auth_rule_t;
29 typedef enum auth_class_t auth_class_t;
30 typedef enum eap_type_t eap_type_t;
31
32 /**
33 * Class of authentication to use. This is different to auth_method_t in that
34 * it does not specify a method, but a class of acceptable methods. The found
35 * certificate finally dictates wich method is used.
36 */
37 enum auth_class_t {
38 /** any class acceptable */
39 AUTH_CLASS_ANY = 0,
40 /** authentication using public keys (RSA, ECDSA) */
41 AUTH_CLASS_PUBKEY = 1,
42 /** authentication using a pre-shared secrets */
43 AUTH_CLASS_PSK = 2,
44 /** authentication using EAP */
45 AUTH_CLASS_EAP = 3,
46 };
47
48 /**
49 * enum strings for auth_class_t
50 */
51 extern enum_name_t *auth_class_names;
52
53 /**
54 * EAP types, defines the EAP method implementation
55 */
56 enum eap_type_t {
57 EAP_IDENTITY = 1,
58 EAP_NOTIFICATION = 2,
59 EAP_NAK = 3,
60 EAP_MD5 = 4,
61 EAP_OTP = 5,
62 EAP_GTC = 6,
63 EAP_TLS = 13,
64 EAP_SIM = 18,
65 EAP_TTLS = 21,
66 EAP_AKA = 23,
67 EAP_MSCHAPV2 = 26,
68 EAP_TNC = 38,
69 /** not a method, but an implementation providing different methods */
70 EAP_RADIUS = 253,
71 EAP_EXPANDED = 254,
72 EAP_EXPERIMENTAL = 255,
73 };
74
75 /**
76 * enum names for eap_type_t.
77 */
78 extern enum_name_t *eap_type_names;
79
80 /**
81 * short string enum names for eap_type_t.
82 */
83 extern enum_name_t *eap_type_short_names;
84
85 /**
86 * Lookup the EAP method type from a string.
87 *
88 * @param name EAP method name (such as "md5", "aka")
89 * @return method type, 0 if unkown
90 */
91 eap_type_t eap_type_from_string(char *name);
92
93 /**
94 * Authentication config to use during authentication process.
95 *
96 * Each authentication config contains a set of rules. These rule-sets are used
97 * in two ways:
98 * - For configs specifying local authentication behavior, the rules define
99 * which authentication method in which way.
100 * - For configs specifying remote peer authentication, the rules define
101 * constraints the peer has to fullfill.
102 *
103 * Additionally to the rules, there is a set of helper items. These are used
104 * to transport credentials during the authentication process.
105 */
106 enum auth_rule_t {
107
108 /** identity to use for IKEv2 authentication exchange, identification_t* */
109 AUTH_RULE_IDENTITY,
110 /** authentication class, auth_class_t */
111 AUTH_RULE_AUTH_CLASS,
112 /** EAP identity to use within EAP-Identity exchange, identification_t* */
113 AUTH_RULE_EAP_IDENTITY,
114 /** EAP type to propose for peer authentication, eap_type_t */
115 AUTH_RULE_EAP_TYPE,
116 /** EAP vendor for vendor specific type, u_int32_t */
117 AUTH_RULE_EAP_VENDOR,
118 /** certificate authority, certificate_t* */
119 AUTH_RULE_CA_CERT,
120 /** intermediate certificate in trustchain, certificate_t* */
121 AUTH_RULE_IM_CERT,
122 /** subject certificate, certificate_t* */
123 AUTH_RULE_SUBJECT_CERT,
124 /** result of a CRL validation, cert_validation_t */
125 AUTH_RULE_CRL_VALIDATION,
126 /** result of a OCSP validation, cert_validation_t */
127 AUTH_RULE_OCSP_VALIDATION,
128 /** subject is member of a group, identification_t*
129 * The group membership constraint is fulfilled if the subject is member of
130 * one group defined in the constraints. */
131 AUTH_RULE_GROUP,
132
133 /** intermediate certificate, certificate_t* */
134 AUTH_HELPER_IM_CERT,
135 /** subject certificate, certificate_t* */
136 AUTH_HELPER_SUBJECT_CERT,
137 /** Hash and URL of a intermediate certificate, char* */
138 AUTH_HELPER_IM_HASH_URL,
139 /** Hash and URL of a end-entity certificate, char* */
140 AUTH_HELPER_SUBJECT_HASH_URL,
141 };
142
143 /**
144 * enum name for auth_rule_t.
145 */
146 extern enum_name_t *auth_rule_names;
147
148 /**
149 * Authentication/Authorization round.
150 *
151 * RFC4739 defines multiple authentication rounds. This class defines such
152 * a round from a configuration perspective, either for the local or the remote
153 * peer. Local config are called "rulesets", as they define how we authenticate.
154 * Remote peer configs are called "constraits", they define what is needed to
155 * complete the authentication round successfully.
156 *
157 * @verbatim
158
159 [Repeat for each configuration]
160 +--------------------------------------------------+
161 | |
162 | |
163 | +----------+ IKE_AUTH +--------- + |
164 | | config | -----------> | | |
165 | | ruleset | | | |
166 | +----------+ [ <----------- ] | | |
167 | [ optional EAP ] | Peer | |
168 | +----------+ [ -----------> ] | | |
169 | | config | | | |
170 | | constr. | <----------- | | |
171 | +----------+ IKE_AUTH +--------- + |
172 | |
173 | |
174 +--------------------------------------------------+
175
176 @endverbatim
177 *
178 * Values for each items are either pointers (casted to void*) or short
179 * integers (use uintptr_t cast).
180 */
181 struct auth_cfg_t {
182
183 /**
184 * Add an rule to the set.
185 *
186 * @param rule rule type
187 * @param ... associated value to rule
188 */
189 void (*add)(auth_cfg_t *this, auth_rule_t rule, ...);
190
191 /**
192 * Get an rule value.
193 *
194 * @param rule rule type
195 * @return bool if item has been found
196 */
197 void* (*get)(auth_cfg_t *this, auth_rule_t rule);
198
199 /**
200 * Create an enumerator over added rules.
201 *
202 * @return enumerator over (auth_rule_t, union{void*,uintpr_t})
203 */
204 enumerator_t* (*create_enumerator)(auth_cfg_t *this);
205
206 /**
207 * Replace an rule at enumerator position.
208 *
209 * @param pos enumerator position position
210 * @param rule rule type
211 * @param ... associated value to rule
212 */
213 void (*replace)(auth_cfg_t *this, enumerator_t *pos,
214 auth_rule_t rule, ...);
215
216 /**
217 * Check if a used config fulfills a set of configured constraints.
218 *
219 * @param constraints required authorization rules
220 * @param log_error wheter to log compliance errors
221 * @return TRUE if this complies with constraints
222 */
223 bool (*complies)(auth_cfg_t *this, auth_cfg_t *constraints, bool log_error);
224
225 /**
226 * Merge items from other into this.
227 *
228 * @param other items to read for merge
229 * @param copy TRUE to copy items, FALSE to move them
230 */
231 void (*merge)(auth_cfg_t *this, auth_cfg_t *other, bool copy);
232
233 /**
234 * Purge all rules in a config.
235 *
236 * @param keep_ca wheter to keep AUTH_RULE_CA_CERT entries
237 */
238 void (*purge)(auth_cfg_t *this, bool keep_ca);
239
240 /**
241 * Check two configs for equality.
242 *
243 * @param other other config to compaire against this
244 * @return TRUE if auth infos identical
245 */
246 bool (*equals)(auth_cfg_t *this, auth_cfg_t *other);
247
248 /**
249 * Clone a authentication config, including all rules.
250 *
251 * @return cloned configuration
252 */
253 auth_cfg_t* (*clone)(auth_cfg_t *this);
254
255 /**
256 * Destroy a config with all associated rules/values.
257 */
258 void (*destroy)(auth_cfg_t *this);
259 };
260
261 /**
262 * Create a authentication config.
263 */
264 auth_cfg_t *auth_cfg_create();
265
266 #endif /** AUTH_CFG_H_ @}*/