Annotation of embedaddon/strongswan/src/libstrongswan/credentials/auth_cfg.h, revision 1.1
1.1 ! misho 1: /*
! 2: * Copyright (C) 2008-2015 Tobias Brunner
! 3: * Copyright (C) 2007-2009 Martin Willi
! 4: * HSR Hochschule fuer Technik Rapperswil
! 5: *
! 6: * This program is free software; you can redistribute it and/or modify it
! 7: * under the terms of the GNU General Public License as published by the
! 8: * Free Software Foundation; either version 2 of the License, or (at your
! 9: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
! 10: *
! 11: * This program is distributed in the hope that it will be useful, but
! 12: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
! 13: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
! 14: * for more details.
! 15: */
! 16:
! 17: /**
! 18: * @defgroup auth_cfg auth_cfg
! 19: * @{ @ingroup credentials
! 20: */
! 21:
! 22: #ifndef AUTH_CFG_H_
! 23: #define AUTH_CFG_H_
! 24:
! 25: #include <collections/enumerator.h>
! 26:
! 27: typedef struct auth_cfg_t auth_cfg_t;
! 28: typedef enum auth_rule_t auth_rule_t;
! 29: typedef enum auth_class_t auth_class_t;
! 30:
! 31: /**
! 32: * Class of authentication to use. This is different to auth_method_t in that
! 33: * it does not specify a method, but a class of acceptable methods. The found
! 34: * certificate finally dictates which method is used.
! 35: */
! 36: enum auth_class_t {
! 37: /** any class acceptable */
! 38: AUTH_CLASS_ANY = 0,
! 39: /** authentication using public keys (RSA, ECDSA) */
! 40: AUTH_CLASS_PUBKEY = 1,
! 41: /** authentication using a pre-shared secrets */
! 42: AUTH_CLASS_PSK = 2,
! 43: /** authentication using EAP */
! 44: AUTH_CLASS_EAP = 3,
! 45: /** authentication using IKEv1 XAUTH */
! 46: AUTH_CLASS_XAUTH = 4,
! 47: };
! 48:
! 49: /**
! 50: * enum strings for auth_class_t
! 51: */
! 52: extern enum_name_t *auth_class_names;
! 53:
! 54: /**
! 55: * Authentication config to use during authentication process.
! 56: *
! 57: * Each authentication config contains a set of rules. These rule-sets are used
! 58: * in two ways:
! 59: * - For configs specifying local authentication behavior, the rules define
! 60: * which authentication method in which way.
! 61: * - For configs specifying remote peer authentication, the rules define
! 62: * constraints the peer has to fulfill.
! 63: *
! 64: * Additionally to the rules, there is a set of helper items. These are used
! 65: * to transport credentials during the authentication process.
! 66: */
! 67: enum auth_rule_t {
! 68: /** identity to use for IKEv2 authentication exchange, identification_t* */
! 69: AUTH_RULE_IDENTITY,
! 70: /** if TRUE don't send IDr as initiator, but verify the identity after
! 71: * receiving IDr (but also verify it against subjectAltNames), bool */
! 72: AUTH_RULE_IDENTITY_LOOSE,
! 73: /** authentication class, auth_class_t */
! 74: AUTH_RULE_AUTH_CLASS,
! 75: /** AAA-backend identity for EAP methods supporting it, identification_t* */
! 76: AUTH_RULE_AAA_IDENTITY,
! 77: /** EAP identity to use within EAP-Identity exchange, identification_t* */
! 78: AUTH_RULE_EAP_IDENTITY,
! 79: /** EAP type to propose for peer authentication, eap_type_t */
! 80: AUTH_RULE_EAP_TYPE,
! 81: /** EAP vendor for vendor specific type, uint32_t */
! 82: AUTH_RULE_EAP_VENDOR,
! 83: /** XAUTH backend name to use, char* */
! 84: AUTH_RULE_XAUTH_BACKEND,
! 85: /** XAuth identity to use or require, identification_t* */
! 86: AUTH_RULE_XAUTH_IDENTITY,
! 87: /** subject of certificate authority, identification_t* */
! 88: AUTH_RULE_CA_IDENTITY,
! 89: /** certificate authority, certificate_t* */
! 90: AUTH_RULE_CA_CERT,
! 91: /** intermediate certificate in trustchain, certificate_t* */
! 92: AUTH_RULE_IM_CERT,
! 93: /** subject certificate, certificate_t* */
! 94: AUTH_RULE_SUBJECT_CERT,
! 95: /** result of a CRL validation, cert_validation_t */
! 96: AUTH_RULE_CRL_VALIDATION,
! 97: /** result of a OCSP validation, cert_validation_t */
! 98: AUTH_RULE_OCSP_VALIDATION,
! 99: /** CRL/OCSP validation is disabled, bool */
! 100: AUTH_RULE_CERT_VALIDATION_SUSPENDED,
! 101: /** subject is member of a group, identification_t*
! 102: * The group membership constraint is fulfilled if the subject is member of
! 103: * one group defined in the constraints. */
! 104: AUTH_RULE_GROUP,
! 105: /** required RSA public key strength, u_int in bits */
! 106: AUTH_RULE_RSA_STRENGTH,
! 107: /** required ECDSA public key strength, u_int in bits */
! 108: AUTH_RULE_ECDSA_STRENGTH,
! 109: /** required BLISS public key strength, u_int in bits */
! 110: AUTH_RULE_BLISS_STRENGTH,
! 111: /** required signature scheme, signature_params_t* */
! 112: AUTH_RULE_SIGNATURE_SCHEME,
! 113: /** required signature scheme for IKE authentication, signature_params_t* */
! 114: AUTH_RULE_IKE_SIGNATURE_SCHEME,
! 115: /** certificatePolicy constraint, numerical OID as char* */
! 116: AUTH_RULE_CERT_POLICY,
! 117:
! 118: /** intermediate certificate, certificate_t* */
! 119: AUTH_HELPER_IM_CERT,
! 120: /** subject certificate, certificate_t* */
! 121: AUTH_HELPER_SUBJECT_CERT,
! 122: /** Hash and URL of a intermediate certificate, char* */
! 123: AUTH_HELPER_IM_HASH_URL,
! 124: /** Hash and URL of a end-entity certificate, char* */
! 125: AUTH_HELPER_SUBJECT_HASH_URL,
! 126: /** revocation certificate (CRL, OCSP), certificate_t* */
! 127: AUTH_HELPER_REVOCATION_CERT,
! 128: /** attribute certificate for authorization decisions, certificate_t */
! 129: AUTH_HELPER_AC_CERT,
! 130:
! 131: /** helper to determine the number of elements in this enum */
! 132: AUTH_RULE_MAX,
! 133: };
! 134:
! 135: /**
! 136: * enum name for auth_rule_t.
! 137: */
! 138: extern enum_name_t *auth_rule_names;
! 139:
! 140: /**
! 141: * Authentication/Authorization round.
! 142: *
! 143: * RFC4739 defines multiple authentication rounds. This class defines such
! 144: * a round from a configuration perspective, either for the local or the remote
! 145: * peer. Local configs are called "rulesets". They define how we authenticate.
! 146: * Remote peer configs are called "constraints". They define what is needed to
! 147: * complete the authentication round successfully.
! 148: *
! 149: * @verbatim
! 150:
! 151: [Repeat for each configuration]
! 152: +--------------------------------------------------+
! 153: | |
! 154: | |
! 155: | +----------+ IKE_AUTH +--------- + |
! 156: | | config | -----------> | | |
! 157: | | ruleset | | | |
! 158: | +----------+ [ <----------- ] | | |
! 159: | [ optional EAP ] | Peer | |
! 160: | +----------+ [ -----------> ] | | |
! 161: | | config | | | |
! 162: | | constr. | <----------- | | |
! 163: | +----------+ IKE_AUTH +--------- + |
! 164: | |
! 165: | |
! 166: +--------------------------------------------------+
! 167:
! 168: @endverbatim
! 169: *
! 170: * Values for each item are either pointers (casted to void*) or short
! 171: * integers (use uintptr_t cast).
! 172: */
! 173: struct auth_cfg_t {
! 174:
! 175: /**
! 176: * Add a rule to the set.
! 177: *
! 178: * Rules we expect only once (e.g. identities) implicitly replace previous
! 179: * rules of the same type (but pointers to previous values will remain
! 180: * valid until the auth_cfg_t object is destroyed).
! 181: * Rules that may occur multiple times (e.g. CA certificates) are inserted
! 182: * so that they can be enumerated in the order in which they were added.
! 183: * For these get() will return the value added first.
! 184: *
! 185: * @param rule rule type
! 186: * @param ... associated value to rule
! 187: */
! 188: void (*add)(auth_cfg_t *this, auth_rule_t rule, ...);
! 189:
! 190: /**
! 191: * Add public key and signature scheme constraints to the set.
! 192: *
! 193: * @param constraints constraints string (e.g. "rsa-sha384")
! 194: * @param ike whether to add/parse constraints for IKE signatures
! 195: */
! 196: void (*add_pubkey_constraints)(auth_cfg_t *this, char *constraints,
! 197: bool ike);
! 198:
! 199: /**
! 200: * Get a rule value.
! 201: *
! 202: * For rules we expect only once the latest value is returned.
! 203: *
! 204: * @param rule rule type
! 205: * @return rule or NULL (or an appropriate default) if not found
! 206: */
! 207: void* (*get)(auth_cfg_t *this, auth_rule_t rule);
! 208:
! 209: /**
! 210: * Create an enumerator over added rules.
! 211: *
! 212: * Refer to add() regarding the order in which rules are enumerated.
! 213: * For rules we expect only once the latest value is enumerated only.
! 214: *
! 215: * @return enumerator over (auth_rule_t, union{void*,uintpr_t})
! 216: */
! 217: enumerator_t* (*create_enumerator)(auth_cfg_t *this);
! 218:
! 219: /**
! 220: * Replace a rule at enumerator position.
! 221: *
! 222: * @param pos enumerator position
! 223: * @param rule rule type
! 224: * @param ... associated value to rule
! 225: */
! 226: void (*replace)(auth_cfg_t *this, enumerator_t *pos,
! 227: auth_rule_t rule, ...);
! 228:
! 229: /**
! 230: * Check if a used config fulfills a set of configured constraints.
! 231: *
! 232: * @param constraints required authorization rules
! 233: * @param log_error whether to log compliance errors
! 234: * @return TRUE if this complies with constraints
! 235: */
! 236: bool (*complies)(auth_cfg_t *this, auth_cfg_t *constraints, bool log_error);
! 237:
! 238: /**
! 239: * Merge items from other into this.
! 240: *
! 241: * @param other items to read for merge
! 242: * @param copy TRUE to copy items, FALSE to move them
! 243: */
! 244: void (*merge)(auth_cfg_t *this, auth_cfg_t *other, bool copy);
! 245:
! 246: /**
! 247: * Purge all rules in a config.
! 248: *
! 249: * @param keep_ca whether to keep AUTH_RULE_CA_CERT entries
! 250: */
! 251: void (*purge)(auth_cfg_t *this, bool keep_ca);
! 252:
! 253: /**
! 254: * Check two configs for equality.
! 255: *
! 256: * For rules we expect only once the latest value is compared only.
! 257: *
! 258: * @param other other config to compare against this
! 259: * @return TRUE if auth infos identical
! 260: */
! 261: bool (*equals)(auth_cfg_t *this, auth_cfg_t *other);
! 262:
! 263: /**
! 264: * Clone an authentication config, including all rules.
! 265: *
! 266: * @return cloned configuration
! 267: */
! 268: auth_cfg_t* (*clone)(auth_cfg_t *this);
! 269:
! 270: /**
! 271: * Destroy a config with all associated rules/values.
! 272: */
! 273: void (*destroy)(auth_cfg_t *this);
! 274: };
! 275:
! 276: /**
! 277: * Create a authentication config.
! 278: */
! 279: auth_cfg_t *auth_cfg_create();
! 280:
! 281: #endif /** AUTH_CFG_H_ @}*/
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>