src/libstrongswan/credentials/auth_cfg.h

   1 /*
   2  * Copyright (C) 2007-2009 Martin Willi
   3  * Copyright (C) 2008 Tobias Brunner
   4  * Hochschule fuer Technik Rapperswil
   5  *
   6  * This program is free software; you can redistribute it and/or modify it
   7  * under the terms of the GNU General Public License as published by the
   8  * Free Software Foundation; either version 2 of the License, or (at your
   9  * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
  10  *
  11  * This program is distributed in the hope that it will be useful, but
  12  * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
  13  * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
  14  * for more details.
  15  */
  16
  17 /**
  18  * @defgroup auth_cfg auth_cfg
  19  * @{ @ingroup credentials
  20  */
  21
  22 #ifndef AUTH_CFG_H_
  23 #define AUTH_CFG_H_
  24
  25 #include <utils/enumerator.h>
  26
  27 typedef struct auth_cfg_t auth_cfg_t;
  28 typedef enum auth_rule_t auth_rule_t;
  29 typedef enum auth_class_t auth_class_t;
  30
  31 /**
  32  * Class of authentication to use. This is different to auth_method_t in that
  33  * it does not specify a method, but a class of acceptable methods. The found
  34  * certificate finally dictates which method is used.
  35  */
  36 enum auth_class_t {
  37         /** any class acceptable */
  38         AUTH_CLASS_ANY = 0,
  39         /** authentication using public keys (RSA, ECDSA) */
  40         AUTH_CLASS_PUBKEY = 1,
  41         /** authentication using a pre-shared secrets */
  42         AUTH_CLASS_PSK = 2,
  43         /** authentication using EAP */
  44         AUTH_CLASS_EAP = 3,
  45         /** authentication using IKEv1 XAUTH */
  46         AUTH_CLASS_XAUTH = 4,
  47 };
  48
  49 /**
  50  * enum strings for auth_class_t
  51  */
  52 extern enum_name_t *auth_class_names;
  53
  54 /**
  55  * Authentication config to use during authentication process.
  56  *
  57  * Each authentication config contains a set of rules. These rule-sets are used
  58  * in two ways:
  59  * - For configs specifying local authentication behavior, the rules define
  60  *   which authentication method in which way.
  61  * - For configs specifying remote peer authentication, the rules define
  62  *   constraints the peer has to fulfill.
  63  *
  64  * Additionally to the rules, there is a set of helper items. These are used
  65  * to transport credentials during the authentication process.
  66  */
  67 enum auth_rule_t {
  68         /** identity to use for IKEv2 authentication exchange, identification_t* */
  69         AUTH_RULE_IDENTITY,
  70         /** authentication class, auth_class_t */
  71         AUTH_RULE_AUTH_CLASS,
  72         /** AAA-backend identity for EAP methods supporting it, identification_t* */
  73         AUTH_RULE_AAA_IDENTITY,
  74         /** EAP identity to use within EAP-Identity exchange, identification_t* */
  75         AUTH_RULE_EAP_IDENTITY,
  76         /** EAP type to propose for peer authentication, eap_type_t */
  77         AUTH_RULE_EAP_TYPE,
  78         /** EAP vendor for vendor specific type, u_int32_t */
  79         AUTH_RULE_EAP_VENDOR,
  80         /** XAUTH backend name to use, char* */
  81         AUTH_RULE_XAUTH_BACKEND,
  82         /** XAuth identity to use or require, identification_t* */
  83         AUTH_RULE_XAUTH_IDENTITY,
  84         /** certificate authority, certificate_t* */
  85         AUTH_RULE_CA_CERT,
  86         /** intermediate certificate in trustchain, certificate_t* */
  87         AUTH_RULE_IM_CERT,
  88         /** subject certificate, certificate_t* */
  89         AUTH_RULE_SUBJECT_CERT,
  90         /** result of a CRL validation, cert_validation_t */
  91         AUTH_RULE_CRL_VALIDATION,
  92         /** result of a OCSP validation, cert_validation_t */
  93         AUTH_RULE_OCSP_VALIDATION,
  94         /** subject is member of a group, identification_t*
  95          * The group membership constraint is fulfilled if the subject is member of
  96          * one group defined in the constraints. */
  97         AUTH_RULE_GROUP,
  98         /** required RSA public key strength, u_int in bits */
  99         AUTH_RULE_RSA_STRENGTH,
 100         /** required ECDSA public key strength, u_int in bits */
 101         AUTH_RULE_ECDSA_STRENGTH,
 102         /** certificatePolicy constraint, numerical OID as char* */
 103         AUTH_RULE_CERT_POLICY,
 104
 105         /** intermediate certificate, certificate_t* */
 106         AUTH_HELPER_IM_CERT,
 107         /** subject certificate, certificate_t* */
 108         AUTH_HELPER_SUBJECT_CERT,
 109         /** Hash and URL of a intermediate certificate, char* */
 110         AUTH_HELPER_IM_HASH_URL,
 111         /** Hash and URL of a end-entity certificate, char* */
 112         AUTH_HELPER_SUBJECT_HASH_URL,
 113         /** revocation certificate (CRL, OCSP), certificate_t* */
 114         AUTH_HELPER_REVOCATION_CERT,
 115 };
 116
 117 /**
 118  * enum name for auth_rule_t.
 119  */
 120 extern enum_name_t *auth_rule_names;
 121
 122 /**
 123  * Authentication/Authorization round.
 124  *
 125  * RFC4739 defines multiple authentication rounds. This class defines such
 126  * a round from a configuration perspective, either for the local or the remote
 127  * peer. Local configs are called "rulesets". They define how we authenticate.
 128  * Remote peer configs are called "constraits". They define what is needed to
 129  * complete the authentication round successfully.
 130  *
 131  * @verbatim
 132
 133    [Repeat for each configuration]
 134    +--------------------------------------------------+
 135    |                                                  |
 136    |                                                  |
 137    |   +----------+     IKE_AUTH       +--------- +   |
 138    |   |  config  |   ----------->     |          |   |
 139    |   |  ruleset |                    |          |   |
 140    |   +----------+ [ <----------- ]   |          |   |
 141    |                [ optional EAP ]   |   Peer   |   |
 142    |   +----------+ [ -----------> ]   |          |   |
 143    |   |  config  |                    |          |   |
 144    |   |  constr. |   <-----------     |          |   |
 145    |   +----------+     IKE_AUTH       +--------- +   |
 146    |                                                  |
 147    |                                                  |
 148    +--------------------------------------------------+
 149
 150    @endverbatim
 151  *
 152  * Values for each item are either pointers (casted to void*) or short
 153  * integers (use uintptr_t cast).
 154  */
 155 struct auth_cfg_t {
 156
 157         /**
 158          * Add an rule to the set.
 159          *
 160          * @param rule          rule type
 161          * @param ...           associated value to rule
 162          */
 163         void (*add)(auth_cfg_t *this, auth_rule_t rule, ...);
 164
 165         /**
 166          * Get a rule value.
 167          *
 168          * @param rule          rule type
 169          * @return                      bool if item has been found
 170          */
 171         void* (*get)(auth_cfg_t *this, auth_rule_t rule);
 172
 173         /**
 174          * Create an enumerator over added rules.
 175          *
 176          * @return                      enumerator over (auth_rule_t, union{void*,uintpr_t})
 177          */
 178         enumerator_t* (*create_enumerator)(auth_cfg_t *this);
 179
 180         /**
 181          * Replace a rule at enumerator position.
 182          *
 183          * @param pos           enumerator position
 184          * @param rule          rule type
 185          * @param ...           associated value to rule
 186          */
 187         void (*replace)(auth_cfg_t *this, enumerator_t *pos,
 188                                         auth_rule_t rule, ...);
 189
 190         /**
 191          * Check if a used config fulfills a set of configured constraints.
 192          *
 193          * @param constraints   required authorization rules
 194          * @param log_error             whether to log compliance errors
 195          * @return                              TRUE if this complies with constraints
 196          */
 197         bool (*complies)(auth_cfg_t *this, auth_cfg_t *constraints, bool log_error);
 198
 199         /**
 200          * Merge items from other into this.
 201          *
 202          * @param other         items to read for merge
 203          * @param copy          TRUE to copy items, FALSE to move them
 204          */
 205         void (*merge)(auth_cfg_t *this, auth_cfg_t *other, bool copy);
 206
 207         /**
 208          * Purge all rules in a config.
 209          *
 210          * @param keep_ca       whether to keep AUTH_RULE_CA_CERT entries
 211          */
 212         void (*purge)(auth_cfg_t *this, bool keep_ca);
 213
 214         /**
 215          * Check two configs for equality.
 216          *
 217          * @param other         other config to compare against this
 218          * @return                      TRUE if auth infos identical
 219          */
 220         bool (*equals)(auth_cfg_t *this, auth_cfg_t *other);
 221
 222         /**
 223          * Clone an authentication config, including all rules.
 224          *
 225          * @return                      cloned configuration
 226          */
 227         auth_cfg_t* (*clone)(auth_cfg_t *this);
 228
 229         /**
 230          * Destroy a config with all associated rules/values.
 231          */
 232         void (*destroy)(auth_cfg_t *this);
 233 };
 234
 235 /**
 236  * Create a authentication config.
 237  */
 238 auth_cfg_t *auth_cfg_create();
 239
 240 #endif /** AUTH_CFG_H_ @}*/