strongswan/src/libstrongswan/utils/identification.h

/*
 * Copyright (C) 2009-2015 Tobias Brunner
 * Copyright (C) 2005-2009 Martin Willi
 * Copyright (C) 2005 Jan Hutter
 * HSR Hochschule fuer Technik Rapperswil
 *
 * This program is free software; you can redistribute it and/or modify it
 * under the terms of the GNU General Public License as published by the
 * Free Software Foundation; either version 2 of the License, or (at your
 * option) any later version.  See <http://www.fsf.org/copyleft/gpl.txt>.
 *
 * This program is distributed in the hope that it will be useful, but
 * WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY
 * or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public License
 * for more details.
 */

/**
 * @defgroup identification identification
 * @{ @ingroup utils
 */


#ifndef IDENTIFICATION_H_
#define IDENTIFICATION_H_

typedef enum id_type_t id_type_t;
typedef struct identification_t identification_t;
typedef enum id_match_t id_match_t;
typedef enum id_part_t id_part_t;

#include <utils/chunk.h>
#include <collections/enumerator.h>

/**
 * Matches returned from identification_t.match
 */
enum id_match_t {
	/* no match */
	ID_MATCH_NONE = 0,
	/* match to %any ID */
	ID_MATCH_ANY = 1,
	/* match with maximum allowed wildcards */
	ID_MATCH_MAX_WILDCARDS = 2,
	/* match with only one wildcard */
	ID_MATCH_ONE_WILDCARD = 19,
	/* perfect match, won't get better */
	ID_MATCH_PERFECT = 20,
};

/**
 * enum names for id_match_t.
 */
extern enum_name_t *id_match_names;

/**
 * ID Types in a ID payload.
 */
enum id_type_t {

	/**
	 * private type which matches any other id.
	 */
	ID_ANY = 0,

	/**
	 * ID data is a single four (4) octet IPv4 address.
	 */
	ID_IPV4_ADDR = 1,

	/**
	 * ID data is a fully-qualified domain name string.
	 * An example of a ID_FQDN is "example.com".
	 * The string MUST not contain any terminators (e.g., NULL, CR, etc.).
	 */
	ID_FQDN = 2,

	/**
	 * ID data is a fully-qualified RFC822 email address string.
	 * An example of an ID_RFC822_ADDR is "jsmith@example.com".
	 * The string MUST NOT contain any terminators.
	 */
	ID_USER_FQDN   = 3,	/* IKEv1 only */
	ID_RFC822_ADDR = 3,	/* IKEv2 only */

	/**
	 * ID data is an IPv4 subnet (IKEv1 only)
	 */
	ID_IPV4_ADDR_SUBNET = 4,

	/**
	 * ID data is a single sixteen (16) octet IPv6 address.
	 */
	ID_IPV6_ADDR = 5,

	/**
	 * ID data is an IPv6 subnet (IKEv1 only)
	 */
	ID_IPV6_ADDR_SUBNET = 6,

	/**
	 * ID data is an IPv4 address range (IKEv1 only)
	 */
	ID_IPV4_ADDR_RANGE = 7,

	/**
	 * ID data is an IPv6 address range (IKEv1 only)
	 */
	ID_IPV6_ADDR_RANGE = 8,

	/**
	 * ID data is the binary DER encoding of an ASN.1 X.501 Distinguished Name
	 */
	ID_DER_ASN1_DN = 9,

	/**
	 * ID data is the binary DER encoding of an ASN.1 X.509 GeneralName
	 */
	ID_DER_ASN1_GN = 10,

	/**
	 * ID data is an opaque octet stream which may be used to pass vendor-
	 * specific information necessary to do certain proprietary
	 * types of identification.
	 */
	ID_KEY_ID = 11,

	/**
	 * Private ID type which represents a GeneralName of type URI
	 */
	ID_DER_ASN1_GN_URI = 201,
};

/**
 * enum names for id_type_t.
 */
extern enum_name_t *id_type_names;

/**
 * Type of an ID sub part.
 */
enum id_part_t {
	/** Username part of an RFC822_ADDR */
	ID_PART_USERNAME,
	/** Domain part of an RFC822_ADDR */
	ID_PART_DOMAIN,

	/** Top-Level domain of a FQDN */
	ID_PART_TLD,
	/** Second-Level domain of a FQDN */
	ID_PART_SLD,
	/** Another Level domain of a FQDN */
	ID_PART_ALD,

	/** Country RDN of a DN */
	ID_PART_RDN_C,
	/** CommonName RDN of a DN */
	ID_PART_RDN_CN,
	/** Description RDN of a DN */
	ID_PART_RDN_D,
	/** Email RDN of a DN */
	ID_PART_RDN_E,
	/** EmployeeNumber RDN of a DN */
	ID_PART_RDN_EN,
	/** GivenName RDN of a DN */
	ID_PART_RDN_G,
	/** Initials RDN of a DN */
	ID_PART_RDN_I,
	/** DN Qualifier RDN of a DN */
	ID_PART_RDN_DNQ,
	/** dmdName RDN of a DN */
	ID_PART_RDN_DMDN,
	/** Pseudonym RDN of a DN */
	ID_PART_RDN_PN,
	/** UniqueIdentifier RDN of a DN */
	ID_PART_RDN_ID,
	/** Locality RDN of a DN */
	ID_PART_RDN_L,
	/** Name RDN of a DN */
	ID_PART_RDN_N,
	/** Organization RDN of a DN */
	ID_PART_RDN_O,
	/** OrganizationUnit RDN of a DN */
	ID_PART_RDN_OU,
	/** Surname RDN of a DN */
	ID_PART_RDN_SN,
	/** SerialNumber RDN of a DN */
	ID_PART_RDN_SERIAL_NUMBER,
	/** StateOrProvince RDN of a DN */
	ID_PART_RDN_ST,
	/** Title RDN of a DN */
	ID_PART_RDN_T,
};

/**
 * Generic identification, such as used in ID payload.
 *
 * @todo Support for ID_DER_ASN1_GN is minimal right now. Comparison
 * between them and ID_IPV4_ADDR/RFC822_ADDR would be nice.
 */
struct identification_t {

	/**
	 * Get the encoding of this id, to send over
	 * the network.
	 *
	 * Result points to internal data, do not free.
	 *
	 * @return 			a chunk containing the encoded bytes
	 */
	chunk_t (*get_encoding) (identification_t *this);

	/**
	 * Get the type of this identification.
	 *
	 * @return 			id_type_t
	 */
	id_type_t (*get_type) (identification_t *this);

	/**
	 * Create a hash value for this identification_t object.
	 *
	 * @param inc		optional value for incremental hashing
	 * @return			hash value
	 */
	u_int (*hash) (identification_t *this, u_int inc);

	/**
	 * Check if two identification_t objects are equal.
	 *
	 * @param other		other identification_t object
	 * @return 			TRUE if the IDs are equal
	 */
	bool (*equals) (identification_t *this, identification_t *other);

	/**
	 * Check if an ID matches a wildcard ID.
	 *
	 * An identification_t may contain wildcards, such as
	 * *.strongswan.org. This call checks if a given ID
	 * (e.g. tester.strongswan.org) belongs to a such wildcard
	 * ID. Returns > 0 if
	 * - IDs are identical
	 * - other is of type ID_ANY
	 * - other contains a wildcard and matches this
	 *
	 * The larger the return value is, the better is the match. Zero means
	 * no match at all, 1 means a bad match, and 2 a slightly better match.
	 *
	 * @param other		the ID containing one or more wildcards
	 * @return 			match value as described above
	 */
	id_match_t (*matches) (identification_t *this, identification_t *other);

	/**
	 * Check if an ID is a wildcard ID.
	 *
	 * If the ID represents multiple IDs (with wildcards, or
	 * as the type ID_ANY), TRUE is returned. If it is unique,
	 * FALSE is returned.
	 *
	 * @return 			TRUE if ID contains wildcards
	 */
	bool (*contains_wildcards) (identification_t *this);

	/**
	 * Create an enumerator over subparts of an identity.
	 *
	 * Some identities are built from several parts, e.g. an E-Mail consists
	 * of a username and a domain part, or a DistinguishedName contains several
	 * RDNs.
	 * For identity without subtypes (support), an empty enumerator is
	 * returned.
	 *
	 * @return			an enumerator over (id_part_t type, chunk_t data)
	 */
	enumerator_t* (*create_part_enumerator)(identification_t *this);

	/**
	 * Clone a identification_t instance.
	 *
	 * @return 			clone of this
	 */
	identification_t *(*clone) (identification_t *this);

	/**
	 * Destroys a identification_t object.
	 */
	void (*destroy) (identification_t *this);
};

/**
 * Creates an identification_t object from a string.
 *
 * The input string may be e.g. one of the following:
 * - ID_IPV4_ADDR:		192.168.0.1
 * - ID_IPV6_ADDR:		2001:0db8:85a3:08d3:1319:8a2e:0370:7345
 * - ID_FQDN:			www.strongswan.org (optionally with a prepended @)
 * - ID_RFC822_ADDR:	alice@wonderland.org
 * - ID_DER_ASN1_DN:	C=CH, O=Linux strongSwan, CN=bob
 *
 * In favor of pluto, domainnames are prepended with an @, since
 * pluto resolves domainnames without an @ to IPv4 addresses. Since
 * we use a separate host_t class for addresses, this doesn't
 * make sense for us.
 *
 * A distinguished name may contain one or more of the following RDNs:
 * ND, UID, DC, CN, S, SN, serialNumber, C, L, ST, O, OU, T, D,
 * N, G, I, dnQualifier, ID, EN, EmployeeNumber, E, Email, emailAddress, UN,
 * unstructuredName, TCGID.
 *
 * To skip automatic type detection the following prefixes may be used to
 * enforce a specific type: ipv4:, ipv6:, rfc822:, email:, userfqdn:, fqdn:,
 * dns:, asn1dn:, asn1gn: and keyid:. If a # follows the :, the remaining data
 * is interpreted as hex encoded binary data for that ID, otherwise the raw
 * string following the prefix is used as identity data, without conversion.
 * To specify a non-standard ID type, the numerical type may be prefixed
 * between curly brackets, building a prefix. For instance the "{1}:" prefix
 * defines an ID_IPV4_ADDR type.
 *
 * This constructor never returns NULL. If it does not find a suitable
 * conversion function, it will copy the string to an ID_KEY_ID.
 *
 * @param string	input string, which will be converted
 * @return			identification_t
 */
identification_t * identification_create_from_string(char *string);

/**
 * Creates an identification from a chunk of data, guessing its type.
 *
 * @param data		identification data
 * @return			identification_t
 */
identification_t * identification_create_from_data(chunk_t data);

/**
 * Creates an identification_t object from an encoded chunk.
 *
 * @param type		type of this id, such as ID_IPV4_ADDR
 * @param encoded	encoded bytes, such as from identification_t.get_encoding
 * @return			identification_t
 */
identification_t * identification_create_from_encoding(id_type_t type, chunk_t encoded);

/**
 * Creates an identification_t object from a sockaddr struct
 *
 * @param sockaddr		sockaddr struct which contains family and address
 * @return 				identification_t
 */
identification_t * identification_create_from_sockaddr(sockaddr_t *sockaddr);

/**
 * printf hook function for identification_t.
 *
 * Arguments are:
 *	identification_t *identification
 */
int identification_printf_hook(printf_hook_data_t *data,
							printf_hook_spec_t *spec, const void *const *args);

#endif /** IDENTIFICATION_H_ @}*/