Support pseudonym RDN
[strongswan.git] / src / libstrongswan / utils / identification.h
1 /*
2 * Copyright (C) 2009-2015 Tobias Brunner
3 * Copyright (C) 2005-2009 Martin Willi
4 * Copyright (C) 2005 Jan Hutter
5 * Hochschule fuer Technik Rapperswil
6 *
7 * This program is free software; you can redistribute it and/or modify it
8 * under the terms of the GNU General Public License as published by the
9 * Free Software Foundation; either version 2 of the License, or (at your
10 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 *
12 * This program is distributed in the hope that it will be useful, but
13 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
14 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
15 * for more details.
16 */
17
18 /**
19 * @defgroup identification identification
20 * @{ @ingroup utils
21 */
22
23
24 #ifndef IDENTIFICATION_H_
25 #define IDENTIFICATION_H_
26
27 typedef enum id_type_t id_type_t;
28 typedef struct identification_t identification_t;
29 typedef enum id_match_t id_match_t;
30 typedef enum id_part_t id_part_t;
31
32 #include <utils/chunk.h>
33 #include <collections/enumerator.h>
34
35 /**
36 * Matches returned from identification_t.match
37 */
38 enum id_match_t {
39 /* no match */
40 ID_MATCH_NONE = 0,
41 /* match to %any ID */
42 ID_MATCH_ANY = 1,
43 /* match with maximum allowed wildcards */
44 ID_MATCH_MAX_WILDCARDS = 2,
45 /* match with only one wildcard */
46 ID_MATCH_ONE_WILDCARD = 19,
47 /* perfect match, won't get better */
48 ID_MATCH_PERFECT = 20,
49 };
50
51 /**
52 * enum names for id_match_t.
53 */
54 extern enum_name_t *id_match_names;
55
56 /**
57 * ID Types in a ID payload.
58 */
59 enum id_type_t {
60
61 /**
62 * private type which matches any other id.
63 */
64 ID_ANY = 0,
65
66 /**
67 * ID data is a single four (4) octet IPv4 address.
68 */
69 ID_IPV4_ADDR = 1,
70
71 /**
72 * ID data is a fully-qualified domain name string.
73 * An example of a ID_FQDN is "example.com".
74 * The string MUST not contain any terminators (e.g., NULL, CR, etc.).
75 */
76 ID_FQDN = 2,
77
78 /**
79 * ID data is a fully-qualified RFC822 email address string.
80 * An example of an ID_RFC822_ADDR is "jsmith@example.com".
81 * The string MUST NOT contain any terminators.
82 */
83 ID_USER_FQDN = 3, /* IKEv1 only */
84 ID_RFC822_ADDR = 3, /* IKEv2 only */
85
86 /**
87 * ID data is an IPv4 subnet (IKEv1 only)
88 */
89 ID_IPV4_ADDR_SUBNET = 4,
90
91 /**
92 * ID data is a single sixteen (16) octet IPv6 address.
93 */
94 ID_IPV6_ADDR = 5,
95
96 /**
97 * ID data is an IPv6 subnet (IKEv1 only)
98 */
99 ID_IPV6_ADDR_SUBNET = 6,
100
101 /**
102 * ID data is an IPv4 address range (IKEv1 only)
103 */
104 ID_IPV4_ADDR_RANGE = 7,
105
106 /**
107 * ID data is an IPv6 address range (IKEv1 only)
108 */
109 ID_IPV6_ADDR_RANGE = 8,
110
111 /**
112 * ID data is the binary DER encoding of an ASN.1 X.501 Distinguished Name
113 */
114 ID_DER_ASN1_DN = 9,
115
116 /**
117 * ID data is the binary DER encoding of an ASN.1 X.509 GeneralName
118 */
119 ID_DER_ASN1_GN = 10,
120
121 /**
122 * ID data is an opaque octet stream which may be used to pass vendor-
123 * specific information necessary to do certain proprietary
124 * types of identification.
125 */
126 ID_KEY_ID = 11,
127
128 /**
129 * Private ID type which represents a GeneralName of type URI
130 */
131 ID_DER_ASN1_GN_URI = 201,
132 };
133
134 /**
135 * enum names for id_type_t.
136 */
137 extern enum_name_t *id_type_names;
138
139 /**
140 * Type of an ID sub part.
141 */
142 enum id_part_t {
143 /** Username part of an RFC822_ADDR */
144 ID_PART_USERNAME,
145 /** Domain part of an RFC822_ADDR */
146 ID_PART_DOMAIN,
147
148 /** Top-Level domain of a FQDN */
149 ID_PART_TLD,
150 /** Second-Level domain of a FQDN */
151 ID_PART_SLD,
152 /** Another Level domain of a FQDN */
153 ID_PART_ALD,
154
155 /** Country RDN of a DN */
156 ID_PART_RDN_C,
157 /** CommonName RDN of a DN */
158 ID_PART_RDN_CN,
159 /** Description RDN of a DN */
160 ID_PART_RDN_D,
161 /** Email RDN of a DN */
162 ID_PART_RDN_E,
163 /** EmployeeNumber RDN of a DN */
164 ID_PART_RDN_EN,
165 /** GivenName RDN of a DN */
166 ID_PART_RDN_G,
167 /** Initials RDN of a DN */
168 ID_PART_RDN_I,
169 /** DN Qualifier RDN of a DN */
170 ID_PART_RDN_DNQ,
171 /** Pseudonym RDN of a DN */
172 ID_PART_RDN_PN,
173 /** UniqueIdentifier RDN of a DN */
174 ID_PART_RDN_ID,
175 /** Locality RDN of a DN */
176 ID_PART_RDN_L,
177 /** Name RDN of a DN */
178 ID_PART_RDN_N,
179 /** Organization RDN of a DN */
180 ID_PART_RDN_O,
181 /** OrganizationUnit RDN of a DN */
182 ID_PART_RDN_OU,
183 /** Surname RDN of a DN */
184 ID_PART_RDN_S,
185 /** SerialNumber RDN of a DN */
186 ID_PART_RDN_SN,
187 /** StateOrProvince RDN of a DN */
188 ID_PART_RDN_ST,
189 /** Title RDN of a DN */
190 ID_PART_RDN_T,
191 };
192
193 /**
194 * Generic identification, such as used in ID payload.
195 *
196 * @todo Support for ID_DER_ASN1_GN is minimal right now. Comparison
197 * between them and ID_IPV4_ADDR/RFC822_ADDR would be nice.
198 */
199 struct identification_t {
200
201 /**
202 * Get the encoding of this id, to send over
203 * the network.
204 *
205 * Result points to internal data, do not free.
206 *
207 * @return a chunk containing the encoded bytes
208 */
209 chunk_t (*get_encoding) (identification_t *this);
210
211 /**
212 * Get the type of this identification.
213 *
214 * @return id_type_t
215 */
216 id_type_t (*get_type) (identification_t *this);
217
218 /**
219 * Create a hash value for this identification_t object.
220 *
221 * @param inc optional value for incremental hashing
222 * @return hash value
223 */
224 u_int (*hash) (identification_t *this, u_int inc);
225
226 /**
227 * Check if two identification_t objects are equal.
228 *
229 * @param other other identification_t object
230 * @return TRUE if the IDs are equal
231 */
232 bool (*equals) (identification_t *this, identification_t *other);
233
234 /**
235 * Check if an ID matches a wildcard ID.
236 *
237 * An identification_t may contain wildcards, such as
238 * *.strongswan.org. This call checks if a given ID
239 * (e.g. tester.strongswan.org) belongs to a such wildcard
240 * ID. Returns > 0 if
241 * - IDs are identical
242 * - other is of type ID_ANY
243 * - other contains a wildcard and matches this
244 *
245 * The larger the return value is, the better is the match. Zero means
246 * no match at all, 1 means a bad match, and 2 a slightly better match.
247 *
248 * @param other the ID containing one or more wildcards
249 * @return match value as described above
250 */
251 id_match_t (*matches) (identification_t *this, identification_t *other);
252
253 /**
254 * Check if an ID is a wildcard ID.
255 *
256 * If the ID represents multiple IDs (with wildcards, or
257 * as the type ID_ANY), TRUE is returned. If it is unique,
258 * FALSE is returned.
259 *
260 * @return TRUE if ID contains wildcards
261 */
262 bool (*contains_wildcards) (identification_t *this);
263
264 /**
265 * Create an enumerator over subparts of an identity.
266 *
267 * Some identities are built from several parts, e.g. an E-Mail consists
268 * of a username and a domain part, or a DistinguishedName contains several
269 * RDNs.
270 * For identity without subtypes (support), an empty enumerator is
271 * returned.
272 *
273 * @return an enumerator over (id_part_t type, chunk_t data)
274 */
275 enumerator_t* (*create_part_enumerator)(identification_t *this);
276
277 /**
278 * Clone a identification_t instance.
279 *
280 * @return clone of this
281 */
282 identification_t *(*clone) (identification_t *this);
283
284 /**
285 * Destroys a identification_t object.
286 */
287 void (*destroy) (identification_t *this);
288 };
289
290 /**
291 * Creates an identification_t object from a string.
292 *
293 * The input string may be e.g. one of the following:
294 * - ID_IPV4_ADDR: 192.168.0.1
295 * - ID_IPV6_ADDR: 2001:0db8:85a3:08d3:1319:8a2e:0370:7345
296 * - ID_FQDN: www.strongswan.org (optionally with a prepended @)
297 * - ID_RFC822_ADDR: alice@wonderland.org
298 * - ID_DER_ASN1_DN: C=CH, O=Linux strongSwan, CN=bob
299 *
300 * In favour of pluto, domainnames are prepended with an @, since
301 * pluto resolves domainnames without an @ to IPv4 addresses. Since
302 * we use a separate host_t class for addresses, this doesn't
303 * make sense for us.
304 *
305 * A distinguished name may contain one or more of the following RDNs:
306 * ND, UID, DC, CN, S, SN, serialNumber, C, L, ST, O, OU, T, D,
307 * N, G, I, dnQualifier, ID, EN, EmployeeNumber, E, Email, emailAddress, UN,
308 * unstructuredName, TCGID.
309 *
310 * To skip automatic type detection the following prefixes may be used to
311 * enforce a specific type: ipv4:, ipv6:, rfc822:, email:, userfqdn:, fqdn:,
312 * dns:, asn1dn:, asn1gn: and keyid:. If a # follows the :, the remaining data
313 * is interpreted as hex encoded binary data for that ID, otherwise the raw
314 * string following the prefix is used as identity data, without conversion.
315 * To specify a non-standard ID type, the numerical type may be prefixed
316 * between curly backets, building a prefix. For instance the "{1}:" prefix
317 * defines an ID_IPV4_ADDR type.
318 *
319 * This constructor never returns NULL. If it does not find a suitable
320 * conversion function, it will copy the string to an ID_KEY_ID.
321 *
322 * @param string input string, which will be converted
323 * @return identification_t
324 */
325 identification_t * identification_create_from_string(char *string);
326
327 /**
328 * Creates an identification from a chunk of data, guessing its type.
329 *
330 * @param data identification data
331 * @return identification_t
332 */
333 identification_t * identification_create_from_data(chunk_t data);
334
335 /**
336 * Creates an identification_t object from an encoded chunk.
337 *
338 * @param type type of this id, such as ID_IPV4_ADDR
339 * @param encoded encoded bytes, such as from identification_t.get_encoding
340 * @return identification_t
341 */
342 identification_t * identification_create_from_encoding(id_type_t type, chunk_t encoded);
343
344 /**
345 * Creates an identification_t object from a sockaddr struct
346 *
347 * @param sockaddr sockaddr struct which contains family and address
348 * @return identification_t
349 */
350 identification_t * identification_create_from_sockaddr(sockaddr_t *sockaddr);
351
352 /**
353 * printf hook function for identification_t.
354 *
355 * Arguments are:
356 * identification_t *identification
357 */
358 int identification_printf_hook(printf_hook_data_t *data,
359 printf_hook_spec_t *spec, const void *const *args);
360
361 #endif /** IDENTIFICATION_H_ @}*/