Annotation of embedaddon/strongswan/src/libstrongswan/credentials/auth_cfg.h, revision 1.1.1.1
1.1 misho 1: /*
2: * Copyright (C) 2008-2015 Tobias Brunner
3: * Copyright (C) 2007-2009 Martin Willi
4: * HSR Hochschule fuer Technik Rapperswil
5: *
6: * This program is free software; you can redistribute it and/or modify it
7: * under the terms of the GNU General Public License as published by the
8: * Free Software Foundation; either version 2 of the License, or (at your
9: * option) any later version. See <http://www.fsf.org/copyleft/gpl.txt>.
10: *
11: * This program is distributed in the hope that it will be useful, but
12: * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
13: * or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
14: * for more details.
15: */
16:
17: /**
18: * @defgroup auth_cfg auth_cfg
19: * @{ @ingroup credentials
20: */
21:
22: #ifndef AUTH_CFG_H_
23: #define AUTH_CFG_H_
24:
25: #include <collections/enumerator.h>
26:
27: typedef struct auth_cfg_t auth_cfg_t;
28: typedef enum auth_rule_t auth_rule_t;
29: typedef enum auth_class_t auth_class_t;
30:
31: /**
32: * Class of authentication to use. This is different to auth_method_t in that
33: * it does not specify a method, but a class of acceptable methods. The found
34: * certificate finally dictates which method is used.
35: */
36: enum auth_class_t {
37: /** any class acceptable */
38: AUTH_CLASS_ANY = 0,
39: /** authentication using public keys (RSA, ECDSA) */
40: AUTH_CLASS_PUBKEY = 1,
41: /** authentication using a pre-shared secrets */
42: AUTH_CLASS_PSK = 2,
43: /** authentication using EAP */
44: AUTH_CLASS_EAP = 3,
45: /** authentication using IKEv1 XAUTH */
46: AUTH_CLASS_XAUTH = 4,
47: };
48:
49: /**
50: * enum strings for auth_class_t
51: */
52: extern enum_name_t *auth_class_names;
53:
54: /**
55: * Authentication config to use during authentication process.
56: *
57: * Each authentication config contains a set of rules. These rule-sets are used
58: * in two ways:
59: * - For configs specifying local authentication behavior, the rules define
60: * which authentication method in which way.
61: * - For configs specifying remote peer authentication, the rules define
62: * constraints the peer has to fulfill.
63: *
64: * Additionally to the rules, there is a set of helper items. These are used
65: * to transport credentials during the authentication process.
66: */
67: enum auth_rule_t {
68: /** identity to use for IKEv2 authentication exchange, identification_t* */
69: AUTH_RULE_IDENTITY,
70: /** if TRUE don't send IDr as initiator, but verify the identity after
71: * receiving IDr (but also verify it against subjectAltNames), bool */
72: AUTH_RULE_IDENTITY_LOOSE,
73: /** authentication class, auth_class_t */
74: AUTH_RULE_AUTH_CLASS,
75: /** AAA-backend identity for EAP methods supporting it, identification_t* */
76: AUTH_RULE_AAA_IDENTITY,
77: /** EAP identity to use within EAP-Identity exchange, identification_t* */
78: AUTH_RULE_EAP_IDENTITY,
79: /** EAP type to propose for peer authentication, eap_type_t */
80: AUTH_RULE_EAP_TYPE,
81: /** EAP vendor for vendor specific type, uint32_t */
82: AUTH_RULE_EAP_VENDOR,
83: /** XAUTH backend name to use, char* */
84: AUTH_RULE_XAUTH_BACKEND,
85: /** XAuth identity to use or require, identification_t* */
86: AUTH_RULE_XAUTH_IDENTITY,
87: /** subject of certificate authority, identification_t* */
88: AUTH_RULE_CA_IDENTITY,
89: /** certificate authority, certificate_t* */
90: AUTH_RULE_CA_CERT,
91: /** intermediate certificate in trustchain, certificate_t* */
92: AUTH_RULE_IM_CERT,
93: /** subject certificate, certificate_t* */
94: AUTH_RULE_SUBJECT_CERT,
95: /** result of a CRL validation, cert_validation_t */
96: AUTH_RULE_CRL_VALIDATION,
97: /** result of a OCSP validation, cert_validation_t */
98: AUTH_RULE_OCSP_VALIDATION,
99: /** CRL/OCSP validation is disabled, bool */
100: AUTH_RULE_CERT_VALIDATION_SUSPENDED,
101: /** subject is member of a group, identification_t*
102: * The group membership constraint is fulfilled if the subject is member of
103: * one group defined in the constraints. */
104: AUTH_RULE_GROUP,
105: /** required RSA public key strength, u_int in bits */
106: AUTH_RULE_RSA_STRENGTH,
107: /** required ECDSA public key strength, u_int in bits */
108: AUTH_RULE_ECDSA_STRENGTH,
109: /** required BLISS public key strength, u_int in bits */
110: AUTH_RULE_BLISS_STRENGTH,
111: /** required signature scheme, signature_params_t* */
112: AUTH_RULE_SIGNATURE_SCHEME,
113: /** required signature scheme for IKE authentication, signature_params_t* */
114: AUTH_RULE_IKE_SIGNATURE_SCHEME,
115: /** certificatePolicy constraint, numerical OID as char* */
116: AUTH_RULE_CERT_POLICY,
117:
118: /** intermediate certificate, certificate_t* */
119: AUTH_HELPER_IM_CERT,
120: /** subject certificate, certificate_t* */
121: AUTH_HELPER_SUBJECT_CERT,
122: /** Hash and URL of a intermediate certificate, char* */
123: AUTH_HELPER_IM_HASH_URL,
124: /** Hash and URL of a end-entity certificate, char* */
125: AUTH_HELPER_SUBJECT_HASH_URL,
126: /** revocation certificate (CRL, OCSP), certificate_t* */
127: AUTH_HELPER_REVOCATION_CERT,
128: /** attribute certificate for authorization decisions, certificate_t */
129: AUTH_HELPER_AC_CERT,
130:
131: /** helper to determine the number of elements in this enum */
132: AUTH_RULE_MAX,
133: };
134:
135: /**
136: * enum name for auth_rule_t.
137: */
138: extern enum_name_t *auth_rule_names;
139:
140: /**
141: * Authentication/Authorization round.
142: *
143: * RFC4739 defines multiple authentication rounds. This class defines such
144: * a round from a configuration perspective, either for the local or the remote
145: * peer. Local configs are called "rulesets". They define how we authenticate.
146: * Remote peer configs are called "constraints". They define what is needed to
147: * complete the authentication round successfully.
148: *
149: * @verbatim
150:
151: [Repeat for each configuration]
152: +--------------------------------------------------+
153: | |
154: | |
155: | +----------+ IKE_AUTH +--------- + |
156: | | config | -----------> | | |
157: | | ruleset | | | |
158: | +----------+ [ <----------- ] | | |
159: | [ optional EAP ] | Peer | |
160: | +----------+ [ -----------> ] | | |
161: | | config | | | |
162: | | constr. | <----------- | | |
163: | +----------+ IKE_AUTH +--------- + |
164: | |
165: | |
166: +--------------------------------------------------+
167:
168: @endverbatim
169: *
170: * Values for each item are either pointers (casted to void*) or short
171: * integers (use uintptr_t cast).
172: */
173: struct auth_cfg_t {
174:
175: /**
176: * Add a rule to the set.
177: *
178: * Rules we expect only once (e.g. identities) implicitly replace previous
179: * rules of the same type (but pointers to previous values will remain
180: * valid until the auth_cfg_t object is destroyed).
181: * Rules that may occur multiple times (e.g. CA certificates) are inserted
182: * so that they can be enumerated in the order in which they were added.
183: * For these get() will return the value added first.
184: *
185: * @param rule rule type
186: * @param ... associated value to rule
187: */
188: void (*add)(auth_cfg_t *this, auth_rule_t rule, ...);
189:
190: /**
191: * Add public key and signature scheme constraints to the set.
192: *
193: * @param constraints constraints string (e.g. "rsa-sha384")
194: * @param ike whether to add/parse constraints for IKE signatures
195: */
196: void (*add_pubkey_constraints)(auth_cfg_t *this, char *constraints,
197: bool ike);
198:
199: /**
200: * Get a rule value.
201: *
202: * For rules we expect only once the latest value is returned.
203: *
204: * @param rule rule type
205: * @return rule or NULL (or an appropriate default) if not found
206: */
207: void* (*get)(auth_cfg_t *this, auth_rule_t rule);
208:
209: /**
210: * Create an enumerator over added rules.
211: *
212: * Refer to add() regarding the order in which rules are enumerated.
213: * For rules we expect only once the latest value is enumerated only.
214: *
215: * @return enumerator over (auth_rule_t, union{void*,uintpr_t})
216: */
217: enumerator_t* (*create_enumerator)(auth_cfg_t *this);
218:
219: /**
220: * Replace a rule at enumerator position.
221: *
222: * @param pos enumerator position
223: * @param rule rule type
224: * @param ... associated value to rule
225: */
226: void (*replace)(auth_cfg_t *this, enumerator_t *pos,
227: auth_rule_t rule, ...);
228:
229: /**
230: * Check if a used config fulfills a set of configured constraints.
231: *
232: * @param constraints required authorization rules
233: * @param log_error whether to log compliance errors
234: * @return TRUE if this complies with constraints
235: */
236: bool (*complies)(auth_cfg_t *this, auth_cfg_t *constraints, bool log_error);
237:
238: /**
239: * Merge items from other into this.
240: *
241: * @param other items to read for merge
242: * @param copy TRUE to copy items, FALSE to move them
243: */
244: void (*merge)(auth_cfg_t *this, auth_cfg_t *other, bool copy);
245:
246: /**
247: * Purge all rules in a config.
248: *
249: * @param keep_ca whether to keep AUTH_RULE_CA_CERT entries
250: */
251: void (*purge)(auth_cfg_t *this, bool keep_ca);
252:
253: /**
254: * Check two configs for equality.
255: *
256: * For rules we expect only once the latest value is compared only.
257: *
258: * @param other other config to compare against this
259: * @return TRUE if auth infos identical
260: */
261: bool (*equals)(auth_cfg_t *this, auth_cfg_t *other);
262:
263: /**
264: * Clone an authentication config, including all rules.
265: *
266: * @return cloned configuration
267: */
268: auth_cfg_t* (*clone)(auth_cfg_t *this);
269:
270: /**
271: * Destroy a config with all associated rules/values.
272: */
273: void (*destroy)(auth_cfg_t *this);
274: };
275:
276: /**
277: * Create a authentication config.
278: */
279: auth_cfg_t *auth_cfg_create();
280:
281: #endif /** AUTH_CFG_H_ @}*/
FreeBSD-CVSweb <freebsd-cvsweb@FreeBSD.org>