2 * Copyright (C) 2007-2009 Martin Willi
3 * Copyright (C) 2008 Tobias Brunner
4 * Hochschule fuer Technik Rapperswil
6 * This program is free software; you can redistribute it and/or modify it
7 * under the terms of the GNU General Public License as published by the
8 * Free Software Foundation; either version 2 of the License, or (at your
9 * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
11 * This program is distributed in the hope that it will be useful, but
12 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13 * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
18 * @defgroup auth_cfg auth_cfg
19 * @{ @ingroup credentials
25 #include <utils/enumerator.h>
/* Forward declarations so the types can reference each other below;
 * the struct and both enums are defined later in this header. */
typedef struct auth_cfg_t auth_cfg_t;
typedef enum auth_rule_t auth_rule_t;
typedef enum auth_class_t auth_class_t;
 * Class of authentication to use. This differs from auth_method_t in that
 * it does not specify a single method, but a class of acceptable methods. The
 * certificate that is found ultimately dictates which method is used.
37 /** any class acceptable */
39 /** authentication using public keys (RSA, ECDSA) */
40 AUTH_CLASS_PUBKEY
= 1,
/** authentication using a pre-shared secret */
43 /** authentication using EAP */
45 /** authentication using IKEv1 XAUTH */
/**
 * enum strings for auth_class_t (for logging / printf-style output)
 */
extern enum_name_t *auth_class_names;
 * Authentication config to use during the authentication process.
 *
 * Each authentication config contains a set of rules. These rule-sets are used
 * as follows:
 * - For configs specifying local authentication behavior, the rules define
 *   which authentication method to use and in which way.
 * - For configs specifying remote peer authentication, the rules define
 *   constraints the peer has to fulfill.
 *
 * In addition to the rules, there is a set of helper items. These are used
 * to transport credentials during the authentication process.
68 /** identity to use for IKEv2 authentication exchange, identification_t* */
70 /** authentication class, auth_class_t */
72 /** AAA-backend identity for EAP methods supporting it, identification_t* */
73 AUTH_RULE_AAA_IDENTITY
,
74 /** EAP identity to use within EAP-Identity exchange, identification_t* */
75 AUTH_RULE_EAP_IDENTITY
,
76 /** EAP type to propose for peer authentication, eap_type_t */
78 /** EAP vendor for vendor specific type, u_int32_t */
80 /** XAUTH backend name to use, char* */
81 AUTH_RULE_XAUTH_BACKEND
,
82 /** XAuth identity to use or require, identification_t* */
83 AUTH_RULE_XAUTH_IDENTITY
,
84 /** certificate authority, certificate_t* */
86 /** intermediate certificate in trustchain, certificate_t* */
88 /** subject certificate, certificate_t* */
89 AUTH_RULE_SUBJECT_CERT
,
90 /** result of a CRL validation, cert_validation_t */
91 AUTH_RULE_CRL_VALIDATION
,
/** result of an OCSP validation, cert_validation_t */
93 AUTH_RULE_OCSP_VALIDATION
,
/** subject is a member of a group, identification_t*
 * The group membership constraint is fulfilled if the subject is a member of
 * one of the groups defined in the constraints. */
98 /** required RSA public key strength, u_int in bits */
99 AUTH_RULE_RSA_STRENGTH
,
100 /** required ECDSA public key strength, u_int in bits */
101 AUTH_RULE_ECDSA_STRENGTH
,
102 /** certificatePolicy constraint, numerical OID as char* */
103 AUTH_RULE_CERT_POLICY
,
105 /** intermediate certificate, certificate_t* */
107 /** subject certificate, certificate_t* */
108 AUTH_HELPER_SUBJECT_CERT
,
/** Hash and URL of an intermediate certificate, char* */
110 AUTH_HELPER_IM_HASH_URL
,
/** Hash and URL of an end-entity certificate, char* */
112 AUTH_HELPER_SUBJECT_HASH_URL
,
113 /** revocation certificate (CRL, OCSP), certificate_t* */
114 AUTH_HELPER_REVOCATION_CERT
,
/**
 * enum names for auth_rule_t (for logging / printf-style output)
 */
extern enum_name_t *auth_rule_names;
 * Authentication/Authorization round.
 *
 * RFC4739 defines multiple authentication rounds. This class defines such
 * a round from a configuration perspective, either for the local or the remote
 * peer. Local configs are called "rulesets". They define how we authenticate.
 * Remote peer configs are called "constraints". They define what is needed to
 * complete the authentication round successfully.
133 [Repeat for each configuration]
134 +--------------------------------------------------+
137 | +----------+ IKE_AUTH +--------- + |
138 | | config | -----------> | | |
140 | +----------+ [ <----------- ] | | |
141 | [ optional EAP ] | Peer | |
142 | +----------+ [ -----------> ] | | |
144 | | constr. | <----------- | | |
145 | +----------+ IKE_AUTH +--------- + |
148 +--------------------------------------------------+
 * Values for each item are either pointers (cast to void*) or short
 * integers (passed through a uintptr_t cast).
/**
 * Add a rule to the set.
 *
 * The variadic value is either a pointer (passed as void*) or a short
 * integer (passed through a uintptr_t cast), depending on the rule type.
 * NOTE(review): destroy() releases "all associated rules/values", so pointer
 * values presumably become owned by the config once added — confirm against
 * the implementation before passing a pointer the caller still needs.
 *
 * @param rule		rule type
 * @param ...		associated value to rule
 */
void (*add)(auth_cfg_t *this, auth_rule_t rule, ...);
/**
 * Get the value stored for a rule.
 *
 * @param rule		rule type
 * @return			value associated with the rule, as void* (the original
 *					comment said "bool if item has been found"; NULL presumably
 *					signals that no such rule is present — confirm)
 */
void* (*get)(auth_cfg_t *this, auth_rule_t rule);
/**
 * Create an enumerator over added rules.
 *
 * The enumerator yields each item as a (auth_rule_t, value) pair; the value
 * is either a void* or a uintptr_t depending on the rule type. The caller is
 * responsible for releasing the enumerator (see utils/enumerator.h).
 *
 * @return			enumerator over (auth_rule_t, union{void*,uintptr_t})
 */
enumerator_t* (*create_enumerator)(auth_cfg_t *this);
/**
 * Replace a rule at enumerator position.
 *
 * The enumerator must have been obtained from create_enumerator() on this
 * config and must currently point at the item to be replaced.
 *
 * @param pos		enumerator position
 * @param rule		rule type
 * @param ...		associated value to rule
 */
void (*replace)(auth_cfg_t *this, enumerator_t *pos,
				auth_rule_t rule, ...);
/**
 * Check if a used config fulfills a set of configured constraints.
 *
 * This is the authorization decision of an authentication round: "this" is
 * the config describing how the peer actually authenticated, "constraints"
 * is the ruleset configured for the remote peer. A FALSE result means the
 * round must not be accepted.
 *
 * @param constraints	required authorization rules
 * @param log_error		whether to log compliance errors
 * @return				TRUE if this complies with constraints
 */
bool (*complies)(auth_cfg_t *this, auth_cfg_t *constraints, bool log_error);
/**
 * Merge items from other into this.
 *
 * @param other		items to read for merge
 * @param copy		TRUE to copy items, FALSE to move them (after a move,
 *					other no longer holds the moved items)
 */
void (*merge)(auth_cfg_t *this, auth_cfg_t *other, bool copy);
/**
 * Purge all rules in a config.
 *
 * @param keep_ca	whether to keep AUTH_RULE_CA_CERT entries
 */
void (*purge)(auth_cfg_t *this, bool keep_ca);
/**
 * Check two configs for equality.
 *
 * @param other		other config to compare against this
 * @return			TRUE if both configs hold identical auth info
 */
bool (*equals)(auth_cfg_t *this, auth_cfg_t *other);
/**
 * Clone an authentication config, including all rules.
 *
 * @return			cloned configuration (the caller owns it and releases
 *					it with destroy())
 */
auth_cfg_t* (*clone)(auth_cfg_t *this);
/**
 * Destroy a config with all associated rules/values.
 */
void (*destroy)(auth_cfg_t *this);
/**
 * Create an authentication config.
 *
 * NOTE(review): an empty parameter list "()" is not a prototype in C;
 * "(void)" would let the compiler reject calls with stray arguments.
 *
 * @return			new, empty auth_cfg_t; release it with its destroy() method
 */
auth_cfg_t *auth_cfg_create();
240 #endif /** AUTH_CFG_H_ @}*/